
 
NewsPoster Jul 16, 2013 12:49 AM
New 'ransom' malware exploits JavaScript flaw to plague OS X users
A new bit of "ransomware" that has long been a plague to Windows users has been "ported" (http://macnn.com/rd/289760==http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/) to work on Mac browsers, taking advantage of a flaw in JavaScript (not to be confused with Java) to prevent it from being easily dismissed or gotten rid of. The exploit takes advantage of the "restore from crash" feature to keep bothering the user, and scares them into thinking they must surrender payment information in order to "unlock" their browser and use it normally again, often under threat of persecution. There is a relatively easy fix, though inconvenient.

The ransomware page can be landed on or pushed to users who are using alternative search sites to look for certain kinds of keywords having to do with pirated software or pornography. The page appears to be from the US Federal Bureau of Investigation and claims that the user has been viewing or distributing illegal software or pornography, and that in order to "unlock" the computer they are obligated to pay a release fee of $300, using a fake URL that starts with "fbi.gov" to fool unsuspecting users.

Closing the window or dismissing the warning creates another pop-up that also cannot be closed without re-spawning. Quitting or force-quitting the browser will return the user to the same page with the cycle beginning again. The code will actually allow the user to quit after 150 or so prompts, but few users are willing to go that far and are not aware that the JavaScript snippet will ever quit.

Users can escape the scam by choosing to reset their browser. In Safari, the command is located in the application menu; choose all aspects of the reset. The action does not remove bookmarks but does clear out saved names and passwords as well as resetting any Top Sites that have been saved.

Apple has built-in malware protection software (http://macnn.com/rd/289761==http://www.macnn.com/articles/11/08/12/new.definitions.still.rare/) in Snow Leopard and later systems that was recently updated, but it's not yet known if it will successfully block this particular malware. Assuming it does not yet block the scam, the company is likely to update XProtect to avoid the problem in the near future. The hack does not yet appear to work on mobile browsers.
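The article says the scam page uses a URL that starts with "fbi.gov". As an added example (not part of the original article or thread), this JavaScript check shows why only the rightmost labels of the hostname identify the site that is actually serving a page. The function name `classifyUrl` and every sample URL are constructed for illustration.

```javascript
// Added example: all URLs here are constructed samples, not ones from the article.
// Decide whether a URL is really served by a trusted domain, or merely
// shows that domain's name somewhere a user is likely to glance at.
function classifyUrl(rawUrl, trustedDomain) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { verdict: "invalid", host: null };
  }
  // The URL parser lowercases the host; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  const trusted = trustedDomain.toLowerCase();

  // Genuine: exact match, or a subdomain (a label boundary precedes the name).
  if (host === trusted || host.endsWith("." + trusted)) {
    return { verdict: "genuine", host };
  }
  // Lookalike: the trusted name is visible, but not as the rightmost labels.
  const inHost = host.includes(trusted);                      // fbi.gov.something.tld
  const inUserinfo = url.username.toLowerCase().includes(trusted); // fbi.gov@host
  const inPath = (url.pathname + url.search).toLowerCase().includes(trusted);
  if (inHost || inUserinfo || inPath) {
    return { verdict: "lookalike", host };
  }
  return { verdict: "unrelated", host };
}

// Constructed samples covering the common ways a trusted name gets "borrowed".
const SAMPLES = [
  "https://www.fbi.gov/wanted",
  "http://fbi.gov.id0000.example.test/alert",
  "http://fbi.gov@example.test/",
  "http://example.test/fbi.gov/index.html",
  "http://notfbi.gov/",
];

function classifyAll(urls, trustedDomain) {
  return urls.map((u) => ({ url: u, ...classifyUrl(u, trustedDomain) }));
}

for (const r of classifyAll(SAMPLES, "fbi.gov")) {
  console.log(r.verdict.padEnd(10), r.host, "<-", r.url);
}
```
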
 
curmi Jul 16, 2013 01:11 AM
Hold down the "Shift" key when you launch Safari, and it won't reload pages. No need to reset the browser.
 
The Vicar Jul 16, 2013 01:37 AM
Also: in Safari, at least, you can clear the page contents using a bookmarklet which will erase the document contents using "document.write" and then you can close the window without any hassle at all. (At least, I checked the URL they gave and it worked.) MacNN's comment system may eat this, but my bookmarklet was:

javascript:%20void(function(){document.write('%3Chtml%3E%3Chead%3E%3Ctitle%3E%2D%2D%20Page%20has%20been%20erased%20%2D%2D%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%20style%3D%22margin%3A0in%3Bpadding%3A25%25%3B%22%3E%3Ch1%20style%3D%22size%3Axx%2Dlarge%3Btext%2Dalign%3Acenter%3Bcolor%3Ared%3Bmargin%3A25%25%3Bfont%2Dweight%3Abold%3B%22%3EThis%20page%20was%20erased%20using%20a%20bookmarklet%2E%3C%2Fh1%3E%3Cp%20style%3D%22text%2Dalign%3Acenter%3B%22%3EThis%20page%20has%20had%20its%20content%20replaced%20with%20this%20message%2E%20If%20you%20want%20the%20content%20back%2C%20you%20will%20need%20to%20reload%20the%20page%2E%3C%2Fp%3E%3C%2Fbody%3E%3C%2Fhtml%3E');}())
 
chas_m Jul 16, 2013 02:05 AM
Good tips, guys, but I think you're missing the point. Nerds like us (and typical MacNN readers) aren't going to be troubled with this. It's the people who don't know these sorts of things that are the most vulnerable. Luckily, Apple is probably already on top of this (or soon will be) and the anti-malware companies a lot of non-power users rely on will likely update definitions in no time as well, so we're hopeful that this problem doesn't get much traction in the Mac community.
 
The Vicar Jul 16, 2013 03:14 AM
@chas_m:

Actually, finding a painless and simple way out of this is a useful thing. Even if you aren't likely to trigger it yourself, you may well be called on to fix it for someone else at some point, and knowing how to do that would be useful.
 
Spheric Harlot Jul 16, 2013 07:26 AM
Quote, Originally Posted by chas_m (Post 4238817)
Good tips, guys, but I think you're missing the point. Nerds like us (and typical MacNN readers) aren't going to be troubled with this. It's the people who don't know these sorts of things that are the most vulnerable. Luckily, Apple is probably already on top of this (or soon will be) and the anti-malware companies a lot of non-power users rely on will likely update definitions in no time as well, so we're hopeful that this problem doesn't get much traction in the Mac community.
The point of the comment was that the article mentions a baby-and-bathwater solution that is just as unlikely to occur to a non-techie user, while simply holding shift is a usually completely painless and much simpler alternative.
 
chas_m Jul 16, 2013 05:05 PM
Point taken. Thanks, guys.
 
NoPiracy Jul 18, 2013 10:52 AM
Malware and ransomware are often a result of software piracy. Don't participate and don't allow corporations to get away with this crime – report software piracy to the BSA: http://nopiracy.net/13YiULF
 
Roehlstation Jul 18, 2013 02:59 PM
I'll be making all kinds of cash "fixing" this issue
 
The Vicar Jul 18, 2013 03:44 PM
Oh, or you can bring the window to the front of Safari and then run this AppleScript:

tell application "Safari"
    tell document of window 1 to do JavaScript "document.write('');"
end tell
 