Mac OS X Ransomware Threat: Nothing to Worry About Yet

Posted on March 16th, 2010 by

Two blogs are talking about a potential Mac ransomware threat: ZDNet’s Zero Day blog, and Threat Researcher. It turns out that there is a proof-of-concept ransomware floating around in cyberspace, which, while not yet a danger to Macs, raises a number of questions.

First, if you’re not familiar with the term ransomware, it’s a type of malware that has proven very lucrative on Windows PCs. Delivered by a Trojan horse, the ransomware “locks” files, usually by encrypting them with password protection, then informs the infected user that if they want access to their files, they must pay up; hence the term “ransom”. Ransomware has been around for the past five years or so (though proof-of-concept forms of this type of malware are much older), and has turned into a serious problem for Windows users.

So the question here is whether this Mac threat is serious or not. So far, it is simply a proof-of-concept of the actual encryption part of the malware; it still needs to be bundled with a well-disguised Trojan horse that will effectively deliver the payload. We know that many Mac users have been taken in by Trojan horses in the past couple of years, so the threat is certainly real, but there is no reason to fear this new malware as of yet.

Here’s an example of a dialog from this proof-of-concept, asking users to enter a code to unlock their Mac:

When Intego’s Virus Monitoring Center took a close look at this code, its researchers discovered something interesting. The actual code used for this proof-of-concept is something that Apple provides as part of its developer software. Apple has an API that developers can use to create kiosks. A kiosk is a software tool that allows one:

to lock the user into a certain application or disable certain functionality normally available in the operating system.

Apple describes this system in a technical note. What the proof-of-concept shows is nothing more than a front-end to this kiosk feature. No files are encrypted, and nothing is done to the operating system itself beyond launching an application that implements this kiosk mode. This does not rule out, of course, a future version of this ransomware that combines the kiosk tool with other code that could, say, encrypt files. But for now, this proof-of-concept is simply a clever tool by a developer who has read Apple’s developer documentation.

Nevertheless, the fact that this issue is being discussed is a serious reminder that Macs will eventually be targeted by such threats. As we have seen in recent years, malware writers port some of their threats from Windows to Mac. Ransomware is something we have not yet seen in the wild on the Mac, but given the current discussions on certain forums it is highly likely that we will see some in the near future.

Ransomware is a particularly dangerous form of malware. It is not something that infects for fun, or that hides in the background; it is pure extortion. Intego’s Virus Monitoring Center is following this closely to make sure that, should any Mac ransomware be found in the wild, VirusBarrier X6 will be updated immediately to protect against this type of threat.

Note: Intego has known about this proof-of-concept for a while. We didn’t talk about it when we discovered it because there was no real threat. However, the blog posts linked above have brought this out into the public eye, so we felt it was best to explain exactly what is happening.