Two in-progress apps, Santa and Little Flocker

I was researching ransomware recently, and one of the solutions that both academic researchers and people working in anti-malware product labs told me would help prevent such attacks was a way to stop unknown software from launching on your computer.

Ransomware works in “userspace,” or the set of documents and applications that a user has permission to run and modify, rather than requiring special permission to dig down into the system level like more insidious hijacking malware. It doesn’t even typically require remote interaction. Once the payload is installed through some subterfuge—as simple as convincing someone to install a Trojan Horse—ransomware starts encrypting user files. Double-click an encrypted file, and you’re told how to pay a ransom to get the decryption key.

There are millions of variants of ransomware derived from many dozens of distinct code families, because the malware is so easy to obtain, modify, and distribute. Some changes merely tell someone to pay (via Bitcoin) to a different address, while others may contain different code.

But what everyone I spoke to suggested is that a desktop operating system shouldn’t simply run any application that launches without alerting the user, nor any additional behind-the-scenes programs—Unix utilities and the like—that it might spawn. (Another way to discover ransomware at work is to monitor for specific unusual file behavior, like a single program opening massive numbers of files with disparate file types.)
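The file-behavior heuristic in that parenthetical, as an added example that is not code from the column or from Santa or Little Flocker: a small detector that reads a constructed file-open log and flags any process that opens many files of many different types within a short window. The log format, sample lines, process names and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample of a file-open audit log, one event per line:
#   <ISO time> <pid> <process> open <path>
SAMPLE_LOG = """\
2016-05-01T10:00:00 501 Finder open /Users/amy/Documents/notes.txt
2016-05-01T10:00:01 733 Preview open /Users/amy/Pictures/cat.jpg
2016-05-01T10:00:02 901 cryptor open /Users/amy/Documents/notes.txt
2016-05-01T10:00:02 901 cryptor open /Users/amy/Documents/budget.xlsx
2016-05-01T10:00:03 901 cryptor open /Users/amy/Pictures/cat.jpg
2016-05-01T10:00:03 901 cryptor open /Users/amy/Desktop/thesis.docx
2016-05-01T10:00:04 901 cryptor open /Users/amy/Music/song.mp3
2016-05-01T10:00:04 901 cryptor open /Users/amy/Movies/trip.mov
2016-05-01T10:00:05 901 cryptor open /Users/amy/Documents/keys.pdf
2016-05-01T10:00:09 733 Preview open /Users/amy/Pictures/dog.png
"""

def parse_log(text):
    """Yield (timestamp, pid, process, extension) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or parts[3] != "open":
            continue  # skip malformed lines instead of crashing the detector
        yield (datetime.fromisoformat(parts[0]), int(parts[1]), parts[2],
               PurePosixPath(parts[4]).suffix.lower())

def find_mass_openers(text, window=timedelta(seconds=10), min_files=5, min_types=4):
    """Return {(pid, process): (files, types)} for every process that opens at
    least min_files files of at least min_types distinct extensions inside one
    sliding window of `window`; the largest qualifying window is reported."""
    events = defaultdict(list)  # (pid, process) -> [(timestamp, ext), ...]
    for ts, pid, name, ext in parse_log(text):
        events[(pid, name)].append((ts, ext))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            types = {ext for _, ext in span}
            if len(span) >= min_files and len(types) >= min_types:
                flagged[key] = max(flagged.get(key, (0, 0)), (len(span), len(types)))
    return flagged

if __name__ == "__main__":
    for (pid, name), (files, types) in find_mass_openers(SAMPLE_LOG).items():
        print(f"suspect: {name} (pid {pid}) opened {files} files of {types} types")
```

Real deployments would feed this from an endpoint audit source rather than a text file and tune the thresholds so that backup tools and indexers, which legitimately touch many files, are allowlisted rather than flagged.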

Most people routinely run only a fixed set of applications. Something new appears only when you install new software or upgrade the operating system. Apple cryptographically signs its own apps and lets developers sign theirs, whether distributed through the Mac App Store or directly to users. Those signatures both verify an app and identify it uniquely, independent of its visible name.

While OS X almost always requires that you enter an administrative password to use a software installer, apps that are dragged from a disk image or downloaded directly and then launched only alert you that they haven’t been run before, or that the app hasn’t been signed with an Apple-provided developer certificate. (See this recent column for more details on signed apps.)

Without using parental controls on an account, there’s no way to keep any arbitrary app from launching, especially when the software separately launches command-line utilities or scripts invisibly. This is why Santa coming to town could be a big help in layering in additional protection.
