This last month we have seen a new ransomware for Mac. Written in Swift, it is distributed on BitTorrent distribution sites as a “Patcher” for pirating popular software.
Crypto-ransomware has been very popular lately amongst cybercriminals. While most of it targets the Windows desktop, we’ve also seen machines running Linux or macOS being compromised by ransomware in 2016 with, for example, KillDisk affecting Linux and KeRanger attacking OS X.
Early last week, we saw a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.
Figure 1 – BitTorrent site distributing Torrent files containing OSX/Filecoder.E
The Torrent contains a single ZIP file – an application bundle. We saw two different fake application “Patchers”: one for Adobe Premiere Pro and one for Microsoft Office for Mac. Mind you, our search was not exhaustive; there might be more out there.
Figure 2 – Icons of the “Patchers” as seen in Finder
The application is generally poorly coded. The window has a transparent background, which can be quite distracting or confusing (see Figure 3), and it’s impossible to reopen the window if it is closed.
The application has the bundle identifier NULL.prova and is signed with a key that has not been signed by Apple.
```
Executable=Office2016Patcher.app/Contents/MacOS/Office2016Patcher
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=507 flags=0x2(adhoc) hashes=11+3 location=embedded
Info.plist entries=22
Sealed Resources version=2 rules=12 files=14
```
Figure 3 – The main window of the ransomware
Clicking the start button – shown in Figure 3 – launches the encryption process. It copies a file called README!.txt all around the user’s directories such as “Documents” and “Photos”. Its content is shown later in the article.
Then the ransomware generates a random 25-character string to use as the key to encrypt the files. The same key is used for all the files, which are enumerated with the find command line tool; the zip tool is then used to store the file in an encrypted archive.
Finally, the original file is deleted with rm and the encrypted file’s modified time is set to midnight, February 13th 2010 with the touch command. The reason for changing the file’s modified time is unclear. After the /Users directory is taken care of, it does the same thing to all mounted external and network storage found under /Volumes.
Once all the files are encrypted there is code to try to null all free space on the root partition with diskutil, but the path to the tool in the malware is wrong. It tries to execute /usr/bin/diskutil, however the path to diskutil in macOS is /usr/sbin/diskutil.
Figure 4 – Encrypted document and README!.txt as they appear in Finder
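The artefacts described above (a README!.txt dropped into user directories, and encrypted files that are really ZIP archives whose modification time was reset to midnight on 13 February 2010) lend themselves to a simple triage script. The following is an added example written for this article, not ESET's code; it assumes "midnight" means local time (as `touch` would set it) and, since the article does not say what extension the encrypted archives receive, it identifies them by ZIP magic rather than by filename.

```python
#!/usr/bin/env python3
"""Triage helper for the OSX/Filecoder.E behaviour described in the article.

Flags two artefacts: README!.txt ransom notes, and ZIP archives whose mtime
equals local midnight on 2010-02-13 (the value the malware sets with touch).
Assumptions (not from the article): local-time midnight, ZIP magic as the
marker for encrypted files.
"""
import os
import tempfile
import zipfile
from datetime import datetime

RANSOM_NOTE = "README!.txt"
FORGED_MTIME = datetime(2010, 2, 13, 0, 0, 0).timestamp()  # local midnight
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_zip(path):
    """True if the file starts with the local-file-header signature of a ZIP."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC


def mtime_forged(path, tolerance=1.0):
    """True if the file's mtime matches the malware's forged timestamp."""
    return abs(os.path.getmtime(path) - FORGED_MTIME) <= tolerance


def triage(root):
    """Return (ransom_notes, suspect_archives) found under root, sorted."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif mtime_forged(path) and looks_like_zip(path):
                suspects.append(path)
    return sorted(notes), sorted(suspects)


def build_sample_tree(root):
    """Constructed sample tree mimicking a user directory after encryption."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("All of your files were protected by a strong encryption method.\n")
    # An "encrypted" file: a ZIP archive with its mtime reset as the malware does.
    victim = os.path.join(docs, "thesis.docx")
    with zipfile.ZipFile(victim, "w") as zf:
        zf.writestr("thesis.docx", b"constructed sample content")
    os.utime(victim, (FORGED_MTIME, FORGED_MTIME))
    # A benign ZIP with a current mtime must not be flagged.
    with zipfile.ZipFile(os.path.join(docs, "backup.zip"), "w") as zf:
        zf.writestr("x.txt", b"benign")


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    found_notes, found_suspects = run_demo()
    print("ransom notes:", found_notes)
    print("suspect archives:", found_suspects)
```

On a real system, run `triage("/Users")` and, as the article notes for the malware itself, the mounted volumes under `/Volumes`.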
The instructions left for the victims in the README!.txt files are hardcoded inside the Filecoder, which means that the Bitcoin address and email address are always the same for every victim running the same sample. The message and contact details were the same in both samples we analyzed.
```
All of your files were protected by a strong encryption method.
What do I do?
So, there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW!, and restore YOUR DATA the easy way
If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT
FOLLOW THESE STEPS:
1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
2) send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb
3) send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to [email protected]
4) leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes)
KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED, THEN THERE WON'T BE ANY METHOD TO RECOVER YOUR FILES, DON'T WASTE YOUR TIME!
```
So far, there is no transaction related to the Bitcoin wallet, which means the authors have not made a dime from this ransomware. Hopefully this post will raise awareness and keep the wallet’s balance at zero.
There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server. This means that there is no way the key that was used to encrypt the files can be sent to the malware operators.
This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware.
Alas, the random ZIP password is generated with arc4random_uniform, which is considered a secure random number generator. The key is also too long to brute force in a reasonable amount of time.
Interestingly, the email address is an address provided by Mailinator. Mailinator provides a free inbox to anyone without requiring them to register or authenticate. This means it is possible to see the inbox used to communicate with the malware author. We’ve been monitoring this inbox for the last week and didn’t see any messages. However, it’s possible the messages get deleted really fast and we simply missed them.
This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece. Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.
Downloading pirated software carries an increased risk: someone may be using that dubious distribution channel to get you to execute malware. ESET recommends that you have a security product installed, but the most important precaution against crypto-ransomware is to keep a current, offline backup of all your important data.
ESET products detect this threat as OSX/Filecoder.E.
SHA-1 | Filename | Type | ESET detection name |
---|---|---|---|
1b7380d283ceebcabb683464ba0bb6dd73d6e886 | Office 2016 Patcher.zip | ZIP of App bundle | OSX/Filecoder.E |
a91a529f89b1ab8792c345f823e101b55d656a08 | Adobe Premiere Pro CC 2017 Patcher.zip | ZIP of App bundle | OSX/Filecoder.E |
e55fe159e6e3a8459e9363401fcc864335fee321 | Office 2016 Patcher | Mach-O | OSX/Filecoder.E |
3820b23c1057f8c3522c47737f25183a3c15e4db | Adobe Premiere Pro CC 2017 Patcher | Mach-O | OSX/Filecoder.E |
United States Department of the Interior
U.S. GEOLOGICAL SURVEY DIGITAL DATA SERIES DDS-33
3-D Reservoir Characterization of the House Creek Oil Field, Powder River Basin, Wyoming, V1.00
READ ME FIRST
Click on highlighted (generally underlined) text and images to open large-scale views, access other graphics or HTML-format text files, or jump to the labeled section of the document. Table of contents | Glossary | The geologic history of the Sussex 'B' sandstone is detailed in the following: Geology | Depositional model | Sandstone heterogeneity | Diagenetic history | Petroleum geology
This readme file contains the following information:
- QUICK INSTRUCTIONS: A) Software needed to open, link, run, and view the text and images on this CD-ROM, B) Software needed to run the movies located in the movies subdirectory, and C) How to open this CD-ROM.
- BACKGROUND INFORMATION ON THIS PUBLICATION
- REQUIREMENTS FOR PC/DOS AND WINDOWS SYSTEMS
- REQUIREMENTS FOR MACINTOSH SYSTEMS
- INSTALLING MOSAIC FOR PC/WINDOWS
- INSTALLING MOSAIC FOR MACINTOSH
- INSTALLING MOSAIC FOR UNIX
- COMPUTER PROGRAMS LOCATED IN THE 'MAC,' 'PCWINDOW,' AND 'UNIX' SUBDIRECTORIES OF THE 'SOFTWARE' FOLDER (Software functions are explained in readme files associated with software programs and summarized at the end of this readme file). The text and HTML files containing the detailed list and subdirectory location of software are named software (software.txt, software.htm).
- mac directory for Macintosh computers
- 1) NCSA Mosaic 1.0.3, and 2) Mosaic 2.0.1 for A) Power Macintosh computers and B) Macintosh computers with 68K series processors.
- GIFConverter 2.3.7
- GraphicConverter 2.2 (US)
- JPEGView 3.3.1
- StuffIt Expander 3.5.2
- pcwindow directory for PC computers
- NCSA Mosaic for Microsoft Windows v3.1, for Windows95 and Windows 3.1 and 3.2
- LView Pro 1.B and LView Pro 1.C
- StuffIt Expander for Windows
- unix directory for UNIX computers
- NCSA Mosaic 2.6 - for 11 different computer platforms
QUICK INSTRUCTIONS
A) Mosaic, Netscape, or other World Wide Web (WWW) network browser software is necessary to view and link the HTML (Hypertext Markup Language) text and GIF (Graphic Interchange Format) images located on this CD-ROM. All computer software on this CD-ROM are present in the 'software' directory. Mosaic software are located in the 'Mosaic' folder in each of the 'mac' (Macintosh), 'pcwindows' (PC Windows systems), and 'unix' (UNIX) folders. Please refer to the readme files in these folders for information on how to load the software onto your system. Image viewer (such as Lview and JPEGView) software can be used to display the large-scale images. These software programs are commonly accessed by the network browsing software using text and image hooks, an invisible process to users.
B) Movie player software (MoviePlayer, SimplePlayer, Fast Player, Sparkle, and others) is required to open and animate the single-fork stand-alone movies located in the movies directory. Our efforts to get license releases for Apple Computer, Inc. freeware came to naught. Apple QuickTime software for Macintosh and PC/Windows computers is necessary to animate movies. The QuickTime package, which includes MoviePlayer software, is located at the following Web site: http://quicktime.apple.com . An ftp.support.apple.com location is for those of you using File Transfer Protocol. Should these sites change, try searching the WWW using 'quicktime software,' or similar phrase. Instructions for copying the software from this and other sites are also explained. We recommend copying the packages during evenings or the weekend because of a very limited number of seats. Other movie player software are also available on the WWW. Try searching the web using 'movie software' , movieplayer, or other text strings.
Software present on this CD ROM needs to be decompressed, generally by double clicking on the .HQX or .zip file. C) The home page (homepage.htm) for this document is located in both the root ('USGS_3D') directory and text ('ssx_txt') subdirectory. All HTML text files have '.htm' endings. Non-HTML text files display '.txt' endings.
- Some WWW-software is opened simply by double-clicking with the mouse on the homepage or other HTML file located on this CD-ROM. If your software does not have this capability then,
- Open Mosaic or other WWW browsing software,
- Select 'open local' or 'open file' under the 'file' heading (generally a menu bar along the top of the open window); access the 'USGS_3D' folder located on the CD-ROM; select and open homepage.htm.
- The home page banner includes the following 'To Start Click Here...' highlighted phrase. Clicking on this will access the tour by opening the Table of Contents (3dstart.htm), which displays chapter names, HTML file names, and descriptions of the contents of this CD-ROM. This is a point-and-click type of publication; text and graphics hooks are highlighted.
BACKGROUND INFORMATION ON THIS PUBLICATION
This CD-ROM publication contains raw and interpreted data, maps, and other graphic displays linked to the geological history and characteristics of the Upper Cretaceous-age Sussex Sandstone of the House Creek oil field, Powder River Basin, Wyoming. Data were statistically analyzed and mapped in 2-D and 3-D, and included as ASCII-formatted, space-delimited data files. Files included on this CD-ROM can be retrieved for use in other applications, including graphics editing and display, mapping, and statistical programs. Graphics are stored as Graphics Interchange Format (GIF) and TARGA (TGA) images (see glossary for explanations of acronyms and words).
World Wide Web (WWW) network browsing software is required to integrate the graphics images and text located on this CD-ROM. While included HTML (Hypertext Markup Language) documents (in the 'ssx_txt' directory) can be viewed with standard word-processing software, the interactive capabilities of Web browsing software link text, images, movies, and data. Numerous graphics software programs can view and edit individual GIF and TARGA files which are located in the 'ssx_gif,' 'ssx_tga,' and several other directories.
This CD-ROM was produced in accordance with both the ISO 9660 and Macintosh HFS standards. Contained data and text files can be read by platforms supporting either of those standards. Also required is a CD-ROM drive and associated software. Provided graphics and movies are designed for use under DOS/Windows on IBM or 100 percent compatible personal computers (PC's) and the Apple Macintosh family. The stand-alone EarthVision faces file is a 3-D model intended for use on Silicon Graphics Corporation IRIS workstations. This ssxporos.faces file displays porosity distribution and sand-ridge boundaries for the House Creek field. The ssxporos.demo.Z and evview.Z compressed files are located in the 'IRIS' subdirectory; these files are intended primarily for archive, but they can be loaded onto an IRIS workstation to create a stand-alone EarthVision 3-D model.
All brand and product names are trademarks or registered trademarks of their respective companies. The tm notation is not appended to these product names, largely because the HTML superscript notation did not work with all World Wide Web (WWW) browsers. The authors primarily use Mosaic as the reference for accessing the information on this CD-ROM. The Mosaic programs located on this CD-ROM are software that are written and upgraded at the National Center for Supercomputer Applications (NCSA) at the University of Illinois in Urbana-Champaign. Included with computer programs located in the 'software' directory are general directions to copy Mosaic and other applications for your platform. Other network browsing programs are available and have been used to view this publication.
Mosaic and associated software are available through anonymous FTP (file-transfer protocol) from NCSA. The ftp location is ftp.ncsa.uiuc.edu. Due to the number of people that use, and overload, the network, you may need to make several attempts to access and copy the files from NCSA. We recommend linking with the NCSA network early or late in the day. You are utilizing FTP on UNIX computers; remember that UNIX is case sensitive.
The file-naming convention on this publication is primarily eight dot three. This indicates the file has a maximum of eight characters to the left of and three to the right of the '.'. An asterisk (*) is used in this publication as a symbol to match all characters. It commonly indicates a longer file name, for example Mosa*.hqx would access all .hqx files that start with Mosa and end with .hqx, such as Mosaic.hqx.
While this is dependent upon your system and software, stand-alone movies located in the 'movie' directory can be opened by 1) starting your movie viewer and opening the movie file, 2) double-clicking on individual movie names or icons, or 3) accessing the movies with imbedded links in the HTML documents, which is the slowest option of the three. The *.MOV movies are designed to run on Macintosh and PC/Windows computers. The movies were created using the QuickTime and GraphicConverter software programs on a Macintosh IIsi. Our experiments with MPEG formatted movies produced lower quality images and are not included with this publication. File names displayed on each movie image are saved as separate GIF and (or) TARGA files; single 3-D images can also be displayed from the '3-D images and movies' subsections of the table of contents.
- Note: The price of this CD-ROM does not include costs of the software located on the disc. Please consider the usage requests of the software authors and companies. Instructions for how to use programs and where to contact the companies are in text files, generally associated with the software programs.
REQUIREMENTS FOR PC/DOS AND WINDOWS SYSTEMS
- IBM or 100-percent compatible personal computer, with a minimum of an 80386 microprocessor. A math co-processor or 80486 or better microprocessor is recommended
- Microsoft or PC-DOS version 3.1 or later
- Microsoft Windows version 3.1 or later
- Microsoft compatible mouse
- Although 4 megabytes (MB) of RAM work, we recommend 8 MB or greater
- An extended-VGA video board with a minimum screen resolution of 640 by 480 pixels and 256 colors.
- A hard disk drive with a minimum of 10 MB free disk space
- CD-ROM drive and software supporting ISO 9660 standards
- WWW browser, image viewer, and QuickTime viewer are required to link HTML text and graphics images.
REQUIREMENTS FOR MACINTOSH SYSTEMS
- Operating System 7.0 or greater. Files located on this CD-ROM are accessed locally and linked by the WWW browsing software using the File command heading and Open File or Open Local subheadings (generally). For that reason, MacTCP software is not required to view the files. MacTCP v. 2.0.2 (or later) Apple software is needed to connect to a remote host (also known as cruising the Web). MacTCP now comes bundled with System 7.5. Your software needs may be different, depending upon the network browser software utilized.
- Minimum of 4 MB RAM; 8 MB or greater is recommended
- Should you load Mosaic or other WWW software on your hard disk, suggested minimum disk space is 3 MB.
- This program requires a Macintosh with a 13' or larger color monitor and CD-ROM drive. The drive and software should support ISO 9660 or HFS standards.
- QuickTime software was used to display the GIF movies and images located on this CD-ROM. QuickTime needs to be installed in the Extensions folder within your System folder. QuickTime will run on all Macs with 68020, 68030, 68040, or PowerPC processors (essentially everything but Mac Pluses, SE s, and PowerBook 100 s).
INSTALLING MOSAIC FOR PC/WINDOWS
- Create a directory for NCSA Mosaic and copy into it the Microsoft Windows ZIP file that is specific for your Windows version.
- Follow the procedures that are specified in the readme.txt text file located in '../software/pcwindow/mosaic.' Note that the executable version of Mosaic for Windows95 (Win95x20.exe) includes a 32-bit driver. Installation of the executable for Windows3.1 and 3.2 (Win31x20.exe) requires incorporating 32-bit drivers; this software is available as Win32s with OLE v1.30a from NCSA. The NCSA program is also located in the 'software' directory and is named w32sOLE.exe.
- A program element can be inserted for Mosaic by choosing New under the File menu. Refer to your computer system documentation for the icon creation procedure. Mosaic.EXE is the executable file for Mosaic.
INSTALLING MOSAIC FOR MACINTOSH
- Copy the compressed version of the NCSA Mosaic for Macintosh 2.0.1 software to your hard drive. Mosai68K.HQX is the compressed Mosaic file name for Macintoshes that have 68020, 68030, or 68040 processors (this excludes Power Macintoshes, Mac Pluses, SE s, and PowerBook 100 s). Mosai68K.HQX is located in 'software/mac/mosaic/Mosai68K.' Mosaic for Power Macintoshes is named MosaiPPC.HQX and is located in the 'software/mac/mosaic/MosaiPPC' subdirectory. Decompressed versions of this software are also located in the subdirectories. Once you have copied the NCSA Mosaic .HQX file from this CD-ROM to your computer, open it using decompression software. One of these is StuffIt Expander software, which is located in the '/software/mac/stuffit' and '/software/pcwindow/stuffit' subdirectories on this CD-ROM.
- Decompressing the .HQX and resulting .sit file creates the Mosaic executable program. Following decompression, the .SIT and .HQX files can be deleted as they are of no further use. Double clicking on the resulting file (name or icon) will start Mosaic. This 3-D tour is started by opening the homepage.htm file. This is accomplished by choosing 'open file,' 'open local,' or similar command under the 'File' heading on the WWW browsing software.
INSTALLING MOSAIC FOR UNIX
NCSA Mosaic for the X Window System version 2.6 can be used on most UNIX-based workstations. External viewing programs, such as Ghostview and xv, are recommended for linking images and text.
- First copy the compressed Mosaic binary file that is specific for your computer platform to your hard drive. These are located in '/software/unixzip/mosaic.' Uncompress the downloaded Mosaic binary (an example for a Silicon Graphics Corporation, Indigo computer is: 'uncompress Mosaic-indy.Z').
- Create the binary executable using the 'chmod' command (for example, type 'chmod 755 Mosaic-indy' ).
- Execute the resulting binary file, thereby opening Mosaic.
COMPUTER PROGRAMS LOCATED IN THE 'MAC,' 'PCWINDOW,' AND 'UNIX' SUBDIRECTORIES OF THE 'SOFTWARE' FOLDER
Each of the below software programs has its own folder(s) within the 'mac,' 'pcwindow,' and (or) 'unix' subdirectories. Due to the eight-dot-three file-naming convention, most names were shortened. File and software names, and directory locations are listed below. Please refer to the readme files associated with most of the software for information on how to load the programs onto your computer. We recommend opening the readme files using word-processing programs, however, should you access readme files through the below links, return by using arrows, back, or other options on your network browsing software.
mac directory
GIFConverter 2.3.7 (486 KB) (shareware) - GIFConverter is used to open and read numerous graphic file formats. Formats include GIF, TIFF, RIFF, PICT, JPEG (JFIF), MacPaint and Thunderscan. It can write these formats, as well as black-and-white EPS (encapsulated PostScript). GIFConverter is used to convert files for use in other programs, to view files, and to print them out. The README.txt file is saved in the 'GIFConv' subdirectory as readme.txt. The compressed application program is named GIFConv.SEA .
- NCSA Mosaic 1.0.3 - Mosaic version 1.0.3 for Macintosh computers is named MosaiMac.HQX and is located in 'software/mac/mosaic/mosaicv1.'
- NCSA Mosaic 2.0.1 (PPC) - version of Mosaic for Power Macintosh computers is named MosaiPPC.HQX and is located in 'software/mac/mosaic/mosaippc'.
- NCSA Mosaic 2.0.1 (68K) - version of Mosaic for Macintoshes with 68 processors is named Mosaic68.HQX and is located in 'software/mac/mosaic/mosai68k'.
pcwindow directory
unix directory
NCSA Mosaic for the X Window System v 2.6 - World-Wide-Web browsing software programs. Compressed binary versions of Mosaic for eleven different UNIX platforms are located in the '../USGS_3D/software/unix/mosaic' subdirectory. Please refer to the readme.txt and readme.sol(aris) readme files for additional information.
- Start this 3-D program tour by opening the home page (homepage.htm).
- Access the table of contents (3dstart.htm)