Showing posts with label Mac OS X. Show all posts

Friday, 22 April 2016

Researcher releases Free Ransomware Detection Tool for Mac OS X Users



 IN BRIEF:

Introducing RansomWhere, a free generic ransomware detection tool for Mac OS X users that can identify ransomware-like behavior by continually monitoring the file-system for the creation of encrypted files by suspicious processes.

When it spots such behavior, the tool suspends the suspicious process and waits for the user to decide whether to allow it to continue or to terminate it.

Ransomware has risen dramatically over the last few years, so rapidly that it may well have already hit someone you know.

With hundreds of thousands of new ransomware samples emerging every day, it is very difficult for traditional signature-based antivirus products to keep their signature databases up to date.

So, if signature-based techniques are not enough to detect ransomware infection, then what else can we do?

Some antivirus vendors have already upgraded their products to flag suspicious behaviors instead, such as sequentially accessing and rewriting a large number of files, calling encryption routines, and performing key exchanges with a remote server.

Here’s the latest ransomware detection tool for Mac OS X users:

RansomWhere? is a smart application that identifies ransomware-like behavior by detecting untrusted processes rapidly encrypting files, suspends the suspicious process, and then alerts the user.

How RansomWhere tool works


Patrick Wardle, a former NSA staffer who now leads research at bug hunting outfit Synack, has developed the RansomWhere tool, which aims at detecting and blocking generic ransomware on Mac OS X by regularly monitoring the user's local filesystem for the creation of encrypted files by any process.
"The ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked," Wardle wrote in a blog post.
By default, the tool trusts only binaries signed by Apple itself; apps and binaries signed with a third-party Apple Developer ID certificate (and anything unsigned) are monitored.

If the tool detects an untrusted process creating encrypted files, it suspends that process and alerts the user with a pop-up asking whether to let the process in question continue or to terminate it.
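The detection policy described above, as an added example written for this page (it is illustrative Python, not Wardle's own implementation, which is a compiled Mac application): a byte-level classifier decides whether a newly written file looks encrypted, and a per-process counter applies RansomWhere's rules (Apple-signed processes trusted, only the home directory watched, suspend after a few hits). The `apple_signed` flag is assumed to come from a code-signing check the caller performs on the process; the sample files and event sequence are constructed for the demo.

```python
import gzip
import math
import os
import random
from collections import Counter, defaultdict

# Formats that are high-entropy by design. A bare entropy check would flag
# every zip, jpeg or gzip as "encrypted", so these are excluded up front.
# (Constructed list for this example; extend it for your environment.)
HIGH_ENTROPY_FORMATS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip (also docx/xlsx/jar)",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

MIN_SAMPLE = 256              # fewer bytes give unreliable statistics
ENTROPY_THRESHOLD = 7.5       # bits/byte: ciphertext ~7.9+, English text ~4-5
CHI_SQUARE_THRESHOLD = 500.0  # 255 degrees of freedom: uniform bytes give ~255


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a perfectly uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """Return 'compressed', 'too-small', 'encrypted' or 'plaintext'."""
    if any(data.startswith(magic) for magic in HIGH_ENTROPY_FORMATS):
        return "compressed"
    if len(data) < MIN_SAMPLE:
        return "too-small"
    if shannon_entropy(data) > ENTROPY_THRESHOLD and chi_square(data) < CHI_SQUARE_THRESHOLD:
        return "encrypted"
    return "plaintext"


class RansomWatcher:
    """Per-process counter of encrypted-file creations. It mirrors the policy
    described in the article but is a simplified re-implementation, not
    Wardle's code. `apple_signed` is assumed to be supplied by a code-signing
    check that the caller performs on the writing process."""

    def __init__(self, home: str, max_hits: int = 3):
        self.home = os.path.normpath(home) + os.sep
        self.max_hits = max_hits
        self.hits = defaultdict(int)

    def on_file_created(self, pid: int, apple_signed: bool, path: str, data: bytes):
        """Return an alert dict when `pid` crosses the threshold, else None."""
        if apple_signed:
            return None                        # limitation 1: Apple-signed code is trusted
        if not os.path.normpath(path).startswith(self.home):
            return None                        # limitation 3: outside ~ is not watched
        if classify(data) != "encrypted":
            return None
        self.hits[pid] += 1
        if self.hits[pid] < self.max_hits:     # limitation 2: a few files are already lost
            return None
        return {"pid": pid, "action": "suspend", "encrypted_files": self.hits[pid]}


# Constructed sample inputs (not the output of any real malware).
_rng = random.Random(2016)
PLAINTEXT = b"Quarterly report: revenue grew 4% while costs were flat. " * 80
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))   # stands in for AES output
COMPRESSED = gzip.compress(PLAINTEXT)


def simulate():
    """Replay a small sequence of file-creation events and return the verdicts."""
    watcher = RansomWatcher(home="/Users/alice")
    events = [
        (501, False, "/Users/alice/Documents/notes.txt", PLAINTEXT),         # benign write
        (501, False, "/Users/alice/Documents/report.docx", CIPHERTEXT),      # hit 1
        (501, False, "/Users/alice/Documents/backup.tar.gz", COMPRESSED),    # archive, ignored
        (501, False, "/Users/alice/Documents/budget.xlsx", CIPHERTEXT),      # hit 2
        (501, False, "/Users/alice/Desktop/thesis.pdf", CIPHERTEXT),         # hit 3 -> suspend
        (777, False, "/tmp/stash/doc1", CIPHERTEXT),                         # moved out of ~: missed
        (1, True, "/Users/alice/Library/Caches/blob", CIPHERTEXT),           # Apple-signed: trusted
    ]
    return [watcher.on_file_created(*event) for event in events]
```

The last two events reproduce the limitations listed further down: a process that first moves files out of the home directory, or one that hides behind an Apple-signed binary, never trips the counter. The entropy test is also only a heuristic; ransomware that base64-encodes its output or pads it with low-entropy filler drops below the threshold, which is one reason such a tool should be layered with backups rather than relied on alone.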

Wardle successfully tested RansomWhere against the KeRanger ransomware as well as against Gopher, a ransomware proof-of-concept written last year by Mac security researcher Pedro Vilaca.



Wardle admits that his tool offers no guarantee and that attackers who study RansomWhere could find a way to evade it, but being somewhat safer is still better than being completely exposed.

Some known Limitations of RansomWhere tool:


  • RansomWhere cannot help if ransomware abuses an Apple-signed binary or app, because Apple-signed code is trusted by default.
  • RansomWhere detects an infection only after it has already encrypted some of your files.
  • Files outside your home directory are not protected. Sophisticated ransomware could therefore move your files outside the home directory and encrypt them there.

Since attackers are usually a step ahead of defenders, RansomWhere has already been bypassed: Vilaca tweaked his Gopher proof-of-concept to evade it in a matter of minutes.

As the limitations above suggest, Vilaca needed only about ten extra lines of code to move the victim's files outside the home directory before encrypting them. The video embedded in the original post shows his bypass in action.

Sunday, 17 January 2016

Apple's Mac OS X Still Open to Malware, Thanks Gatekeeper

Apple's Mac computers are widely considered much safer than Windows PCs at keeping out viruses and malware, but a new exploit found by researchers shows once again that this reputation is not deserved.

Last year, The Hacker News reported a dead-simple exploit that completely bypassed one of the core security features of Mac OS X, known as Gatekeeper.

Apple released a patch in November, but now the same security researcher who discovered the original Gatekeeper bypass vulnerability said he found an equally obvious workaround.

Patrick Wardle, ex-NSA staffer and head of research at security intelligence firm Synack, said the security patch released by Apple was "incredibly weak" and that the update was "easy to bypass" in minutes.

Gatekeeper's Failure Once Again


Introduced in July of 2012, Gatekeeper is Apple's anti-malware feature designed to block untrusted, dodgy apps from running, keeping Mac OS X systems safe from malware.

However, the reality is slightly different, according to Wardle. Hackers can install malicious software on Mac computers, even when Gatekeeper is set to its most restrictive setting.
"Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass," Wardle wrote in a blog post. "So hackers can (re)start their trojan distributions while nation states can get back to MitM’ing HTTP downloads from the internet."

In September, Wardle showed that before allowing an app to execute, Gatekeeper performs a number of checks on the downloaded file, such as:
  • Verifying the downloaded app's digital signature
  • Ensuring the app was signed with an Apple-issued developer certificate
  • Ensuring the app came from the official App Store (at the most restrictive setting)
What Gatekeeper does not check is whether that now-trusted app goes on to run or load other, unverified files from the same folder.

However, the "security patch" Apple shipped simply blacklisted the specific signed apps Wardle had abused to bypass Gatekeeper, rather than fixing the underlying design flaw.

How to Bypass Gatekeeper in OS X?


That was not effective at preventing attacks. Wardle found another signed, Gatekeeper-trusted binary that let him do exactly the same thing; notably, it was shipped by the popular anti-virus firm Kaspersky Lab.

All Wardle did was:

  • Identify an already-signed binary (Binary A) that runs a separate executable (Binary B) located in the same folder
  • Rename Binary A
  • Swap out the legitimate Binary B for a malicious one
  • Bundle the malicious file in the same folder under the same file name, Binary B
Gatekeeper verifies only Binary A, so Binary B needs no digital signature or Apple developer certificate to run; it can be used to install anything the attacker wants, completely bypassing Gatekeeper.
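One defensive check that addresses the gap described above, as an added example written for this page (it is not Wardle's code nor Apple's, and it does not reproduce the bypass itself): instead of trusting only the file that was launched, walk the whole downloaded folder and flag every Mach-O that carries no embedded code signature at all. A signature is recorded as an LC_CODE_SIGNATURE load command in the Mach-O header, which is what the parser looks for. The "bundle" it audits is built from synthetic Mach-O headers constructed inline for the demo (Binary A with a signature command, Binary B without), so it runs offline on any platform.

```python
import os
import struct
import tempfile

MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O (little-endian on disk)
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D     # linkedit_data_command pointing at the signature blob


def has_code_signature(blob: bytes):
    """True/False for a thin Mach-O; None if the file is not one.
    Fat (universal, 0xCAFEBABE) binaries are not parsed here and return None."""
    if len(blob) < 28:
        return None
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC:
        header_len = 28
    elif magic == MH_MAGIC_64:
        header_len = 32
    else:
        return None
    ncmds, sizeofcmds = struct.unpack("<II", blob[16:24])   # same offsets in both headers
    off, end = header_len, min(len(blob), header_len + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            return False              # truncated load commands: treat as unsigned
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            return False              # malformed; refuse rather than loop forever
        off += cmdsize
    return False


def audit_bundle(root: str) -> dict:
    """Walk a folder and report every thin Mach-O as 'signed' or 'UNSIGNED'.
    Unlike Gatekeeper's single-file check, this looks at every executable the
    launched binary could run or load from its own directory."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                verdict = has_code_signature(f.read())
            if verdict is not None:
                report[os.path.relpath(path, root)] = "signed" if verdict else "UNSIGNED"
    return report


def fake_macho64(signed: bool) -> bytes:
    """Synthetic 64-bit Mach-O header for the demo (constructed; not a runnable
    binary): one LC_SEGMENT_64 and, if requested, an LC_CODE_SIGNATURE command."""
    cmds = struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64      # segment_command_64 is 72 bytes
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)  # dataoff, datasize
    ncmds = 2 if signed else 1
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def audit_demo() -> dict:
    """Recreate the article's scenario in a temp dir: a signed launcher
    (Binary A) next to the unsigned payload (Binary B) it would execute."""
    root = tempfile.mkdtemp(prefix="bundle-")
    macos_dir = os.path.join(root, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(macos_dir, "BinaryA"), "wb") as f:
        f.write(fake_macho64(signed=True))
    with open(os.path.join(macos_dir, "BinaryB"), "wb") as f:
        f.write(fake_macho64(signed=False))
    with open(os.path.join(root, "README.txt"), "w") as f:
        f.write("not an executable\n")
    return audit_bundle(root)


if __name__ == "__main__":
    report = audit_demo()
    for path, verdict in sorted(report.items()):
        print(f"{verdict:9} {path}")
    if "UNSIGNED" in report.values():
        print("refusing to launch: unsigned executable inside the bundle")
```

The presence of an LC_CODE_SIGNATURE command only proves a signature blob exists, not that it is valid or issued by a trusted authority; on a real Mac, follow it up with `codesign --verify --deep --strict --verbose=2 /path/to/App.app`, which walks nested code for you, and `spctl --assess --type execute /path/to/App.app` to ask Gatekeeper for its own verdict. Fat binaries, which this parser skips, need their per-architecture slices checked the same way.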

Wardle notified Apple of his latest finding, and the company rolled out an update that blocks only the new files he privately reported, which is not the right approach. Apple should come up with a more comprehensive fix that addresses the root cause.

How to Protect Yourself?


In the meantime, Wardle suggests that Mac users download software only from the Mac App Store and be more careful when downloading apps from the internet.

Wardle will present his findings at the ShmooCon conference in Washington, D.C. this weekend. On Friday he also released a free complementary tool for Gatekeeper, dubbed Ostiarius, that intercepts every file execution and blocks untrusted, unsigned code that originated from the web.

Otherwise, it might be time to fire Gatekeeper and hire a new one.

Tuesday, 8 December 2015

How to Run Multiple Android apps on Windows and Mac OS X Simultaneously

BlueStacks, the first app player for running Android apps on Windows, has launched the latest version of its Android emulator platform with one major upgrade:
  • The Ability to Run Multiple Android apps Simultaneously.

BlueStacks 2 Released


BlueStacks previously ran only a single app at a time. With the launch of BlueStacks 2, a tabbed interface lets you jump between multiple Android apps in the same window.

This makes it easy to run, say, a game and a messaging app, or a news reader and a messaging app, side by side.

The update also adds a toolbar that lets you quickly tell the emulator to simulate rotating the device screen or to perform other functions, such as copying and pasting.

BlueStacks 2 also lets players combine gameplay with app discovery: when they click an advertisement, it opens in a new tab so they can keep playing their game without interruption.

How to Run Multiple Android apps Using BlueStacks 2:


BlueStacks 2 is currently available only on Windows; the Mac version is due to debut in July.

Follow these simple steps:

Step 1: Download BlueStacks 2, which is free.

Step 2: Install BlueStacks 2 software on your Windows computer.

Step 3: Once installed, you land on the Welcome tab. Move to the 'Android' tab.

Step 4: The software asks you for a one-time Google account setup, just as an Android device does.

Step 5: Log in with your Google account to complete the setup and you are ready.

Step 6: From the 'Android' tab, select the apps you want to run in parallel. BlueStacks 2 opens each app in a new tab within its interface.

New Milestone Achieved 


With the seventh-largest Android user base in the world, BlueStacks has passed 109 million downloads of its player, and its users engage with more than 1.1 billion Android apps every month.

"When we started, mobile apps, with their crisp resolution, looked and sounded gorgeous on PC and TV," said Shashi Kant Sharma, Product Manager at BlueStacks.

"What we’ve learned is that the wider visual space lends itself more naturally to app discovery. Once someone discovers apps on PC or TV, they tend to use them across all of their devices, giving the BlueStacks platform powerful reach for developers."