Photo (cc) by wseltzer
You’re going to see a lot of headlines about a nasty ransomware program named KeRanger that tries to extort Apple/Mac users by encrypting their files and charging ransom for the unscrambling key. Infected users must pay the virus creators today or risk losing use of their data. Here’s what you need to know: The threat to you is almost certainly quite small, unless you believe Mac users are immune from this kind of thing. If that’s the case, the threat to you today is still quite small, but tomorrow …. I’d be worried.
First, who has to worry about KeRanger? At the moment, it appears the only users at risk are BitTorrent users who downloaded (and later installed) the “Transmission” torrent client from its official website after 11 a.m. PST on Friday and before 7 p.m. PST on Saturday. Those who installed anytime recently from a third-party site are also at risk. If you are one of those people, you probably know who you are. (Here’s a link to the Palo Alto Networks information page with instructions on how to find and remove KeRanger.)
As a subgroup of a subgroup, the number of real infections is probably quite low, and statistics posted by F-Secure’s Mikko Hypponen bear that out. At the moment, KeRanger isn’t among the most populous ransomware programs detected by F-Secure.
What’s the real threat from KeRanger? Complacency.
Mac OS users — Apple product users in general — have for a long time enjoyed what was undoubtedly a safer, more protected platform than that provided by competitors like Microsoft or Google. Apple keeps tighter control of the software that can run on its products, which is both a blessing and a curse. Essentially, Apple must bless all software from third parties before it can be installed on Apple products. That’s great, until it’s not.
Two things happened to make KeRanger a reality. First, the attackers somehow intercepted users trying to install the Transmission app and substituted their own booby-trapped, look-alike software — probably by hacking the download site. Second, and much more important, the attackers somehow obtained a digital certificate issued by Apple — the blessing — that the rogue software was safe. Without that certificate, the software would not have been installed on victims’ computers.
Now that the malware has been discovered, Apple has revoked that certificate and the danger for new consumers has been mitigated, because the software generally can’t be installed.
But criminals were able to get around Apple’s certificate process, which is really important. It will happen again.
Mac and iPhone users have long enjoyed the comfort of knowing that software they install on their computers is (probably) safe, because Apple is watching out for them. That’s still true, but if your confidence is shaken by this story, good. Criminals are almost certainly coming for you, warns Hypponen.
“Mac finally seems to have large enough market share so that ransom malware gangs feel like it’s worth their time to target it,” he wrote about the attack.
Third-party verification is a critical element of software security; fake third-party verification is a critical trick in a hacker’s toolbox. Criminals who want to attack Mac users have now shown, in the real world, that they can create malicious software that Apple “blesses” for installation. Most Internet consumers are smart enough to avoid installing random software from random places no matter what platform they use. But to be attacked when installing software from a known source that is approved by Apple? Well, that’s a pretty effective attack.
It should be obvious that this is an unavoidable problem of having a central authority that approves software (or anything). One scary reality of TSA Pre-check at an airport, for example, is that it works great until someone who wants to do harm gets approved for travel by TSA Pre-check. That would give the attackers carte blanche at any airport security checkpoint.
Certificate-based attacks have been around for a long, long time. Here’s a 2002 story (that’s 14 years ago) about VeriSign being tricked into issuing certificates in the name of Microsoft.
More recently, it’s obvious criminals are sniffing around the Apple app certificate ecosystem; here’s word of an attack last fall that managed to install software on iPhones tricking Apple’s program that allows corporations to issue third-party certificates for apps.
It’s important to note that, by all accounts, Apple has cleaned up this mess with great speed and effectiveness. But heed Hypponen’s warnings, Mac users. The criminals are coming. And now we know they have some way of getting around Apple’s certificate process. Choose your downloads carefully.