Back in the mid-1990s, when Apple was unquestionably doomed, I would joke that the near-complete lack of viruses for its computers represented yet another example of developers unfairly ignoring the Mac in favor of Windows.
These days, nobody would get that joke. Apple is printing money, and the Mac now has its share of malware. The latest case: A bit of ransomware, discovered last weekend, which used a form of identity theft to fool OS X’s security system.
How this happened
This crime had two victims. One was the well-regarded BitTorrent client Transmission, which was hijacked by some still-unknown attackers. The other: Transmission users who downloaded what they thought was a minor update and instead saw their files encrypted by its malicious code until they paid a ransom of 1 bitcoin (about $411 at current exchange rates).
Windows users are all too familiar with the ransomware routine, in which malicious code silently encrypts files on your computer and its attached drives and then gives you a few days to pay for a key to unlock them. If you don’t knuckle under in time, the attackers delete the key, and your data’s gone.
The ransom often “only” costs from one to three bitcoin. But this winter, the Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of 40 bitcoin — about $17,000 — after unspecified ransomware infected its network.
In the Transmission case (which was first reported by Palo Alto Networks), the attackers hacked the developers’ site and posted a compromised version of that app containing code that Palo Alto christened “KeRanger.”
By default, OS X’s Gatekeeper security only allows apps signed by their developers with digital certificates issued by Apple to run. (It’s possible for users to circumvent that system with a right-click, which is both easy and sometimes necessary in order to run apps from small shops.) But whoever posted the poisoned version of Transmission was able to sign it anyway by using another developer’s certificate.
“We’re not commenting on the avenue the attackers used to compromise the Web server, but to be clear: the certificate used to sign the compromised binary was not our certificate,” Transmission’s John Clay said in an e-mail. “It was a certificate obtained through Apple by another party, perhaps fraudulently.”
After Palo Alto Networks informed Transmission and Apple, the former removed the KeRanger-infected download and the latter revoked that certificate.
(Apple PR declined to answer an e-mail sent Monday asking for comment.)
Why it will probably happen again
An attack like this works because it takes advantage of a key rule for staying safe online: Don’t talk to strangers. Because we don’t have time to run a background check on every app developer, we count on systems like Gatekeeper to filter out the evil ones. (Historically, Google’s Android worked in a similar way, but in the last couple of years it’s added automated and human malware screening.)
If that line of defense leaks, good luck spotting anything awry.
“The only way for a user to notice this is to notice something fishy about the owner of the certificate when they install,” wrote Steve Kelly, president of the Mac-security firm Intego. “That’s quite likely to squeak by a lot of users.”
(Ryan Olson, director of threat intelligence at Palo Alto Networks, said a firewall configured to block the anonymous and encrypted Tor network that KeRanger employed to get its encryption key would also have worked. We all totally know how to do that, right?)
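Kelly's advice above amounts to checking who actually signed the download. As an added example (not from the article or from Transmission), here is a small POSIX shell check that compares the Team ID in an app's code signature, as printed by `codesign -dv --verbose=4`, with the developer's known Team ID; the sample codesign output and all Team IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the Team ID in a Mac app's code signature with the
# developer's known Team ID before trusting an update. The IDs and the
# sample output below are constructed placeholders, not real values.

# check_team_id EXPECTED: reads `codesign -dv --verbose=4` output on stdin.
# Returns 0 if the TeamIdentifier matches EXPECTED, 1 if it is a different
# team (another party's certificate), 2 if no team ID is present at all.
check_team_id() {
    expected="$1"
    found=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$found" ] || [ "$found" = "not set" ]; then
        echo "no Team ID in signature (unsigned or ad-hoc signed)"
        return 2
    fi
    if [ "$found" = "$expected" ]; then
        echo "Team ID $found matches the expected developer"
        return 0
    fi
    echo "WARNING: signed by Team ID $found, expected $expected"
    return 1
}

# inspect_app APP.app EXPECTED: run codesign on a real bundle (macOS only).
# codesign writes its description to stderr, hence the 2>&1.
inspect_app() {
    codesign -dv --verbose=4 "$1" 2>&1 | check_team_id "$2"
}

# Constructed sample: the shape of codesign's output for a bundle signed
# with some other party's Developer ID certificate (placeholder IDs).
SAMPLE_OTHER_PARTY='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Party (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ'

# Stand-alone demonstration: the developer we expect is AAAAAAAAAA, so the
# sample above should be flagged.
printf '%s\n' "$SAMPLE_OTHER_PARTY" | check_team_id AAAAAAAAAA || true
```

A Gatekeeper pass only proves that some Apple-issued certificate signed the app; this check adds the question of whether it was the right one.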
Online thieves will keep trying this tactic because it works. As Olson wrote in an e-mail: “Attackers know that being embedded in legitimate software helps them infect more people.”
For example, a few weeks ago attackers uploaded a compromised download of an entire operating system — Linux Mint, a beginner-friendly version of the open-source Linux software — and hacked the real thing’s site to point to the poisoned version.
The way anybody can inspect and edit the code of open-source projects like Transmission and Linux Mint may make them easier targets, Intego’s Kelly said. As somebody who frequently uses and endorses open-source software — I rely on one such tool to encrypt and decrypt some e-mail messages — I did not find that comforting.
But last September, hundreds of iOS apps were compromised with malware when attackers somehow got developers to use an infected version of Apple’s Xcode software-development toolkit.
As that example should illustrate, retreating inside the walls of app stores cannot guarantee security either. And in OS X, Apple’s Mac App Store makes an even less likely refuge.
As my colleague Dan Miller wrote in December, the limits Apple imposes on other people’s apps but not its own, combined with a slow and arbitrary review process that holds up even bug fixes, are pushing developers away from that outlet.
You can, I guess, wait to install each app’s latest update until other people have vouched for it as safe. But what if that update’s advertised feature is itself a security fix that will close a critical vulnerability in the current version?
I don’t have a good answer for that — and I don’t like that at all.