SIP and Gatekeeper are not good enough…

The ransomware in the Transmission v2.90 DMG found by Unit 42 certainly proves one thing: Gatekeeper and SIP, in their current incarnation, are not good enough. Yes, SIP protects a lot of files, but not all of them. And sure, with Gatekeeper activated it won’t have been installed, but many people (I presume) have changed their Gatekeeper preference so that they can install software from anywhere, not just the Mac App Store.

Some people even disable (parts of) SIP, and this particular case shows us that disabling file system protection is not a smart thing to do. Not that it would protect you against this specific malware, but still.

Apple should also make it possible to add restrictions yourself, and perhaps back-port some of the SIP changes it made for OS X 10.12 into the next release of El Capitan, so that this is a non-issue for future attacks.

Please note that the in-app update of Transmission is not affected, which suggests that (some of the) server(s) are or were hacked, or otherwise compromised. The developer certificate used to sign the version of Transmission that included the malware was that of a Turkish company (already revoked by Apple), not the usual certificate of the Transmission developers. I don’t know whether the company itself was somehow involved, or someone from that company, but their certificate was used by some shady people.

And if only Gatekeeper had checked the origin of the certificate, as it should IMHO, and shown you a warning that the certificate had changed, then at least some folks (not all) would have known about this malware long before it was widespread. The DMG with the ransomware was available for quite some time, but since you had to download the DMG yourself, the impact may be limited.
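
The "certificate changed" warning described above can be approximated by hand. The script below is an added example, not code from this post or from the Transmission project: it pins the Team ID of a downloaded app to the value seen on a known-good copy and warns when a new download is signed by someone else, then shows Gatekeeper's own verdict for contrast. It assumes macOS with codesign(1) and spctl(8) on PATH; the app path and expected Team ID in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: pin the signing identity
# of a downloaded app and warn when it changes, roughly the "certificate
# changed" check the post wishes Gatekeeper performed.
# Assumptions: macOS with codesign(1) and spctl(8) on PATH; the expected
# Team ID is a placeholder you take from a known-good copy of the app.

# Read `codesign -dvv` output on stdin and print the TeamIdentifier value,
# or "none" when the binary is unsigned or ad-hoc signed (no team).
team_id_from_codesign() {
    id=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    printf '%s\n' "${id:-none}"
}

# Exit 0 when the observed Team ID equals the expected one, 1 otherwise.
# An empty expected value never matches, so a missing pin is a failure.
signer_matches() {
    expected=$1
    observed=$2
    [ -n "$expected" ] && [ "$expected" = "$observed" ]
}

# Compare an app bundle against the pinned Team ID, then show Gatekeeper's
# own verdict for contrast (spctl only checks validity, not identity drift).
check_app() {
    app=$1
    expected=$2
    status=0
    # codesign prints its details on stderr, hence 2>&1
    observed=$(codesign -dvv "$app" 2>&1 | team_id_from_codesign)
    if signer_matches "$expected" "$observed"; then
        echo "OK: $app is signed by expected team $observed"
    else
        echo "WARNING: $app is signed by team '$observed', expected '$expected'"
        echo "         treat this download as suspect until the change is explained"
        status=1
    fi
    spctl --assess --type execute --verbose=4 "$app" 2>&1
    return "$status"
}

# Usage (placeholder values):
#   check_app /Applications/Example.app EXPECTED_TEAM_ID_PLACEHOLDER
```

Pinning the Team ID rather than the certificate's subject name is deliberate: Developer ID certificates are reissued and rotated, but the Team ID stays with the developer account, so a change there is the signal worth warning about.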

In short: it is time for Apple to act… or perhaps people like Craig Federighi should be careful with comments like: “That’s why my team works so hard to stay ahead.” I mean, torrent apps like Transmission won’t get accepted by Apple for the App Store, so they basically expose people to attacks that could have been avoided. Don’t you agree?

Note: Transmission v2.92 will automatically remove the “kernel_service”.

7 thoughts on “SIP and Gatekeeper are not good enough…”

    • SIP has already changed a couple of times, and got more meticulous with every release, which is good IMHO, but don’t be surprised when Apple closes a few more doors.

  1. SIP is more of a system protection against stupid people and scripts trying to wipe bits from the OS itself. Or so I always thought. If a user installs a program which wipes bits from his home directory under his permissions, there’s little one can do.

    The ultimate thing Apple can do is put the OS onto a checksummed, encrypted, read-only disk image, and unionfs the actual root fs over it. All with some devilish kind of SecureBoot flavor of a bootloader that checks signatures. That would make “factory resets” trivial, and tinkering next to impossible.

  2. From my perspective it’s a problem hard to come by without sacrificing ease of use and functionality of the OS.
    SIP is for protecting crucial files and data the OS needs.
    Gatekeeper is a safeguard to contain and prevent further spreading of malicious applications.
    Finally there is Sandboxing for Apps from the AppStore (which of course in the case of Transmission was not used).
    As the ransomware in this case encrypts users’ data to take it hostage, neither SIP nor Gatekeeper would be helpful for actually infected users and their machines.

    But also Sandboxing (in case Transmission would be available in the AppStore – of course it is not) would not be entirely safe in my opinion. Most certainly, to make it useful it would use Entitlements (probably the following):
    – Read/write access to the user’s Downloads folder
    and possibly also (hey, it’s a torrent app!):
    – Read/write access to the user’s Movies folder and iTunes movies
    – Read/write access to the user’s Music folder
    – Read/write access to the user’s Pictures folder

    That means in case an App from the AppStore turns out to be malicious, it would also be able to mess up (critical) user data.
    Of course an App on the AppStore is less likely to be compromised by a malicious attacker, as was the case in Transmission (I read their download was exchanged for a rogue DMG file). Still, as we have seen in the past, the AppStore is not entirely safe either – remember the XcodeGhost attack?

    So theoretically someone could modify Xcode to add ransomware to a lot of Apps. Not sure if Apple closed this hole already, i.e. by checking that only an official version of Xcode is allowed to send apps to the AppStore. Another scenario is that a developer with bad intent directly adds the ransomware to his app (with an official Xcode) and lets it activate later as part of a “time bomb”.
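
The commenter's point that a sandboxed app with Downloads, Movies, Music and Pictures entitlements could still encrypt a user's files can be checked on any installed app. The script below is an added example, not code from the comment or from Transmission: it dumps an app's entitlements and lists which of Apple's App Sandbox keys give it write access to user data folders. It assumes macOS with codesign(1); the entitlement key names are Apple's App Sandbox keys, and the app path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the comment above or from Transmission:
# list the App Sandbox entitlements that give an app read/write access to
# user data folders (Downloads, Movies, Music, Pictures), which is what
# lets a sandboxed app still reach a user's files.
# Assumptions: macOS with codesign(1); the entitlement key names are
# Apple's App Sandbox keys; the app path in the usage line is a placeholder.

# Entitlement keys that grant write access to user data outside the container.
USER_DATA_RW_KEYS='com.apple.security.files.user-selected.read-write
com.apple.security.files.downloads.read-write
com.apple.security.assets.movies.read-write
com.apple.security.assets.music.read-write
com.apple.security.assets.pictures.read-write'

# Read an entitlements plist (XML) on stdin; print each key from the list
# above whose value is <true/>, one per line, in list order.
user_data_write_entitlements() {
    # Join lines so "<key>...</key>" and its "<true/>" can be matched together.
    plist=$(tr -d '\n')
    for key in $USER_DATA_RW_KEYS; do
        if printf '%s\n' "$plist" | grep -q "<key>$key</key>[[:space:]]*<true/>"; then
            printf '%s\n' "$key"
        fi
    done
}

# Exit 0 when the plist on stdin enables the App Sandbox at all, 1 otherwise.
is_sandboxed() {
    tr -d '\n' | grep -q '<key>com.apple.security.app-sandbox</key>[[:space:]]*<true/>'
}

# Dump an app's entitlements and report how far its sandbox (if any) reaches.
audit_app() {
    app=$1
    # The leading colon strips the binary blob header on older macOS releases.
    ents=$(codesign -d --entitlements :- "$app" 2>/dev/null)
    if ! printf '%s\n' "$ents" | is_sandboxed; then
        echo "$app: not sandboxed, full access under the user's permissions"
        return 0
    fi
    echo "$app: sandboxed; user data folders writable via:"
    printf '%s\n' "$ents" | user_data_write_entitlements | sed 's/^/  /'
}

# Usage (placeholder path):
#   audit_app /Applications/Example.app
```

An app that is sandboxed but prints several of these keys has, in effect, the same reach over the user's documents that the commenter describes; the sandbox limits what else it can touch, not whether it can overwrite those folders.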
