Mac Ransomware Deviating from the (java)script

Written by

Jerome Segura has blogged for Malwarebytes about a ransomware attack of sorts that poses a potential problem for OS X users. We’ve become all too familiar with malware that targets Windows users, telling them they have to pay the FBI or the police a fine for some infraction, often involving pornography. In fact, to some extent this type of malware has replaced fake anti-virus. We’re less accustomed to seeing it as a problem for Mac users, though.

In fact, what Segura is reporting isn’t actually a malicious binary in the same sense as MacDefender and its siblings of a couple of years ago. It’s malicious javascript that tries to persuade the victim that their system has been locked by the FBI because of one of several offences against legislation relating to copyright violation, child abuse pornography, or “neglectful use of personal computer”.  Apparently, despite the heavy jail sentences allegedly incurred, a first offender is able “To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”

Well, some security administrators might feel that they would quite like it if they could enforce a fine of $100,000 or 4–9 years imprisonment for users who let malware infect their systems, but I don’t think US legislation is quite that draconian. I wouldn’t altogether hate seeing some of the guys who’ve leeched my own intellectual property sweating at the prospect of serving a stiff prison sentence, either, but I’m not holding my breath for that one. On the other hand, I’m not sure many people in or out of law enforcement would be happy to see a purveyor of child abuse pornography getting away with a $300 fine for a first offence.
But, of course, this scam has nothing to do with the real legislation and penalty tariffs relating to copyright violation and pornography in the US. The aim is simply to frighten the victim into paying a relatively small sum. (I call scams like these mosaic scams – sums small enough not to interest law enforcement much, but large enough and easy enough to implement to make a sizeable illicit income.) Firstly, of course, in the hope of regaining access to his system and data, but even a totally law-abiding person might find the thought of investigation by law enforcement frightening, if they don’t realize that the message they’re seeing is a fake and has nothing to do with any legitimate agency. 
So if there’s no malicious executable, how does it deprive the victim of the use of his system? By sleight of hand: a pop-up tells him that his browser is locked and that ‘ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.’ So the whole system isn’t locked: however, the javascript makes it next to impossible to quit Safari. Even forcing the application to quit via Command-Option-Escape doesn’t solve the issue, as Safari’s ‘restore from crash’ feature means that the malicious page will be reloaded when the application restarts.
According to The Safe Mac, this restore can prevented by holding down the shift key when the app reloads.   Segura tells us that Reset Safari from the Safari menu, ticking all options, also eliminates the problem. 

What’s hot on Infosecurity Magazine?