[conspire] (forw) Re: [Felton LUG] Fwd: Apple Users Targeted in First Known Mac Ransomware Campaign

Rick Moen rick at linuxmafia.com
Mon Mar 7 18:03:35 PST 2016


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 7 Mar 2016 17:53:20 -0800
From: Rick Moen <rick at linuxmafia.com>
To: felton-lug at googlegroups.com
Subject: Re: [Felton LUG] Fwd: Apple Users Targeted in First Known Mac
	Ransomware Campaign
Organization: If you lived here, you'd be $HOME already.

Quoting Robert Lewis (bob.l.lewis at gmail.com):

> http://readersupportednews.org/news-section2/318-66/35602-apple-users-targeted-in-first-known-mac-ransomware-campaign

The interesting question in any malware story is 'How does it get run?' 
To his great credit, Reuters author Jim Finkle, quoting Palo Alto Threat
Intelligence Director Ryan Olson, actually addressed that:

  Hackers infected Macs through a tainted copy of a popular program
  known as Transmission, which is used to transfer data through the
  BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog
  posted on Sunday afternoon.

I can't tell you how unusual it is for _any_ malware story to meaningfully
address that question even that much.  Normally, that is the biggest
single reason why IT coverage of computer security sucks.  (And why does
that suckage happen?  Because IT coverage of malware stories copies and
pastes from antivirus firms' press releases, and they don't want to tell
you 'How does it get run?' because people with the answer to that
question don't need antivirus firms.)


One might then ask, how did this trojan evade detection by code-signing
and checksums?

Discussion at https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834
reveals the answer to be 'It didn't, really.'

  I checked the signature against the one posted on the web-page, and of
  course it was wrong:
  $ openssl sha1 Transmission-2.90.dmg 
  SHA1(Transmission-2.90.dmg)= 5f8ae46ae82e346000f366c3eabdafbec76e99e9

A Macintoy 'dmg' file is a disk image, which upon download gets
loopback-mounted as a volume.  Macintoy users tend to mindlessly just
download any old dmg and clicky-clicky the thing.  Not bothering to
check posted checksums and gpg signatures is a serious mistake.

(That is a lesson to Linux users, guys.)

Palo Alto Networks elaborates about the trojaned dmg file, at
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/ :

  The KeRanger application was signed with a valid Mac app development
  certificate; therefore, it was able to bypass Apple's Gatekeeper
  protection.

In order to partially protect hapless Macintoy users who will reliably
just download any old dmg and clicky-clicky, OS X checks any executable
arriving from the Internet and vets it against a code-signing keyring
('Apple's Gatekeeper').  Of course, relying on that, and not bothering
_even_ so much as to recalculate a posted sha1sum, is a huge user
mistake.  Avoiding that mistake, in this case, kept users out of
trouble.

Unanswered question #1:  How did the criminals sign their trojaned copy
of KeRanger with a valid Mac app development certificate?  Whose
certificate?  (Forum posting says 'The bad guy had a valid Apple
Developer certificate, so Gatekeeper had no reason to complain. His
certificate has since been revoked.')

Unanswered question #2:  How did intruders break into
https://www.transmissionbt.com/ and replace Transmission 2.90 with a
forgery?  Has Transmission Project fixed its lax site security?
(Forum posting says 'A statement will be forthcoming, I'm told.')

Unanswered question #3:  When is Transmission Project going to wise up
and PGP-sign its checksums, preferably using a signing key able to be
vetted through the PGP chain of trust?  This has been the standard of
due care for decades (but not, of course, among Macintosh users).



Short version:  Checksums are your friend.  Verifiably signed checksums
are your BFF.

----- End forwarded message -----
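As an added illustration (not part of the thread or of the Transmission project), a POSIX shell routine for the check the "short version" above describes: compare a download's SHA-1 against a posted checksum list and, where the project publishes one, first verify a detached PGP signature over that list before trusting any entry in it. The file names, the `<hex>  <filename>` list format, and the `SHA1SUMS`/`.asc` naming are assumptions.

```shell
#!/bin/sh
# Added example: vet a downloaded disk image against a posted checksum list,
# optionally after verifying a detached PGP signature on that list.

# sha1_of FILE -> SHA-1 hex digest. Uses openssl (same as 'openssl sha1' in
# the forum post) and falls back to coreutils sha1sum.
sha1_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha1 "$1" | awk '{print $NF}'
  else
    sha1sum "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_HEX -> 0 on match (case-insensitive), 1 otherwise
verify_checksum() {
  actual=$(sha1_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# verify_signature SIGFILE CHECKSUMFILE -> 0 only if gpg verifies the detached
# signature with a key already present (and trusted by you) in the keyring.
verify_signature() {
  gpg --batch --verify "$1" "$2" >/dev/null 2>&1
}

# verify_download FILE CHECKSUMFILE [SIGFILE]
# CHECKSUMFILE holds lines of the form "<hex>  <filename>" (sha1sum style).
# Exit codes: 0 ok, 1 checksum mismatch, 2 bad signature, 3 file not listed.
verify_download() {
  file=$1; sums=$2; sig=$3
  if [ -n "$sig" ]; then
    verify_signature "$sig" "$sums" \
      || { echo "REJECT: signature on checksum list did not verify" >&2; return 2; }
  fi
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f {print $1; exit}' "$sums")
  [ -n "$expected" ] || { echo "REJECT: no checksum listed for $name" >&2; return 3; }
  verify_checksum "$file" "$expected" \
    || { echo "REJECT: checksum mismatch for $file" >&2; return 1; }
  echo "OK: $file matches posted checksum"
}
```

Run it as `verify_download Transmission-2.90.dmg SHA1SUMS SHA1SUMS.asc` before mounting the image; a non-zero exit means do not open the file.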