Mac ransomware derived from Linux trojan

BitDefender UK: 10 March 2016 (Technical Article)
Bitdefender discovers the Linux.encoder trojan is the basis for the first piece of ransomware for Mac OS X devices
Bitdefender has discovered that the world’s first piece of fully functional Mac OS X ransomware, dubbed KeRanger, is in fact a Mac version of the Linux.Encoder Trojan recently decrypted by Bitdefender’s security specialists. The infected Mac OS X torrent update, analysed by Bitdefender Labs, looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers thus far in 2016.

Mac OS X ships with a security feature called Gatekeeper, allowing users to restrict which sources they can install applications from in order to minimise the likelihood of deploying a tainted app. The default setting allows users to install applications from the Mac App Store and identified developers, namely applications that are digitally signed by a developer.

To circumvent Gatekeeper, the attackers digitally signed the Transmission update package. According to Apple, a legitimate certificate issued by Apple was used. The certificate was registered to a Turkish company under the developer ID Z7276PX673, which differed from the developer ID used to sign previous versions of the Transmission installer. This is not the first time cyber-criminals have circumvented Gatekeeper by misusing legitimate digital certificates: in 2013, a signed backdoor (MAC.OSX.Backdoor.KitM.A) was found on computers belonging to Angolan civil rights activists.
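The detail that the KeRanger build carried a different developer ID than earlier Transmission releases suggests a check Gatekeeper itself does not make: pin the expected signing Team ID instead of accepting any identified developer. The script below is an added example, not code from Bitdefender, Apple or the Transmission project; the `codesign -dv` output samples, the developer name and the pinned value EXAMPLE001 are constructed, and only the ID Z7276PX673 comes from the article.

```shell
#!/bin/sh
# Team-ID pinning for a downloaded app bundle (added example, not from the article).
# Gatekeeper asks "is this signed by some identified developer?"; this script
# also asks "is it signed by the developer we saw on previous releases?".

# Hypothetical pinned value recorded from an earlier, trusted release (constructed).
PINNED_TEAM_ID='EXAMPLE001'

# Constructed `codesign -dv` output for an earlier release, signed by the pinned team.
SAMPLE_PRIOR_RELEASE='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Authority=Developer ID Application: Example Developer (EXAMPLE001)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE001'

# Constructed output for the trojanised update: validly signed, but by another team.
SAMPLE_KERANGER='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Authority=Developer ID Application: Example Developer (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673'

# Extract the TeamIdentifier field from codesign output read on stdin.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Compare the team ID in codesign output (stdin) with the pinned value.
# Prints a verdict; returns 0 on a match, 1 on any mismatch or missing team.
check_pinned_team() {
    expected="$1"
    actual=$(team_id_from_codesign)
    if [ -z "$actual" ] || [ "$actual" = "not set" ]; then
        echo "REJECT: no team identifier in signature"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: signed by team $actual, expected $expected"
        return 1
    fi
    echo "OK: team $actual matches pinned value"
    return 0
}

# On a real Mac: verify the signature first, then pin the team (codesign prints to stderr).
verify_bundle() {
    codesign --verify --deep --strict "$1" || return 1
    codesign -dv "$1" 2>&1 | check_pinned_team "$2"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PRIOR_RELEASE" | check_pinned_team "$PINNED_TEAM_ID" || :
printf '%s\n' "$SAMPLE_KERANGER" | check_pinned_team "$PINNED_TEAM_ID" || :
```

A signature check alone would pass both samples; only the pinned comparison rejects the second.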

“Once the infected installer is executed, the Trojan connects to the command and control centres via TOR and retrieves an encryption key,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “After encryption finishes, the KeRanger ransomware creates a file called README_FOR_DECRYPT.txt, which holds the information on how the victim should pay the ransom. The encryption functions are identical to those deployed by the Linux.Encoder Trojan and have the same names.”

Six months ago, ransomware was a concern only for Windows and Android users. In December last year, however, the world’s first piece of Linux ransomware was spotted in the wild after encrypting thousands of webservers. Fortunately, Bitdefender researchers were able to circumvent its encryption scheme and provide decryption utilities for all four variants in the wild. It seems that the developers behind the Linux.Encoder malware have either expanded to Mac OS X or licensed their code to a cybercrime group specialising in Mac OS X attacks.

“It is worth emphasising that nothing short of a fully-fledged, native Mac OS X security solution with real-time, behaviour-based detection techniques could have saved Mac OS X users from having their systems infected and their files encrypted. There is more, much more, to security than merely disallowing unsigned software,” Catalin Cosoi concludes.

   © 2012 ProSecurityZone.com