back to article You think your day was bad? OS X malware hackers just swiped a Mac dev's app source

The head of a Mac-centric software studio is coming clean today after a malware infection on his OS X machine last week resulted in the loss of source code for several products. Steven Frank, founder of Portland, Oregon-based Panic Inc, said he fell victim to a poisoned download of the Handbrake video transcoder that resulted …

  1. southpacificpom
    Linux

    An Apple a Day

    "This hack hasn't slowed us down. That source is already missing a ton of fixes and improvements we committed over the last week alone, and six months from now it will be missing major critical new features. In short: it's old and getting older," he argues.

    That's what he said, as he pleaded with Tim Cook.

    Perhaps he means the criminals will submit code improvements back to Apple?

    1. Anonymous Coward
      Anonymous Coward

      Re: An Apple a Day

      They felt "free" when they "considered" releasing the source code themselves.

      It's almost like the hipsters want to redefine words like "free" and "freedom".

      Imagine how many billions of dollars Stallman and Torvalds would be rolling in today if they had merely "considered" releasing the source code for the GNU tools and Linux, and said "wow, I feel free!" And then said, "screw it - I'm grabbing all the cash".

  2. cb7 Bronze badge

    Deathly silence

    From all the Apple fanbois who like to boast how Macs don't get viruses

    1. LaeMing
      Boffin

      Re: Deathly silence

      Technically, it was a Trojan Horse. Entirely different attack vector. (Which doesn't mean MacOS doesn't have virus vulnerabilities, but this case wasn't exploiting one.)

      Also, I haven't heard any Mac user claim "Macs don't get viruses" since the '90s. That decade might call and want you back.

      1. cb7 Bronze badge

        Re: Deathly silence

        "Also, I haven't heard any Mac user claim "Macs don't get viruses" since the '90s."

        I heard a number of IT bods & other "experts" dialling in to a radio show after the recent "Cyber attck" on the NHS claiming just that.

        When Joe public hear that, coupled with default admin access on most new Winblows machines that can lead to easy infections, what impression do you think they'll walk away with?

        1. Hey Nonny Nonny Mouse

          Re: Deathly silence

          @cb7

          It was amusing to say the least, one 'businessman' suggesting he could save the NHS millions by formatting them all and installing Mint because 'it's free and I run my computers on it', another saying he'd had a ransomware infection but fixed it in 25 minutes by calling the ISP and telling them to turn it off.

          The most prominent thing to come out of all the talking heads who were adding their 'expert opinion' was that almost none of them have a clue about what they were talking about.

          1. 's water music Silver badge

            Re: Deathly silence

            The most prominent thing to come out of all the talking heads who were adding their 'expert opinion' was that almost none of them have a clue about what they were talking about.

            Dunno about the first 'businessman' but the second was on Any Answers, a comedy gold source of mission posters and local-news-letter-writing nutters straight out of central casting. I don't know if the program researchers have to filter out the straights or if everyone just understands the requirements and plays along by now. Having said that I didn't hear any better informed media comment elsewhere either

            1. Hey Nonny Nonny Mouse

              Re: Deathly silence

              @ 's water music

              Both on Any Answers, it does sometimes feel like they pick the loons for comedic value.

          2. Anonymous Coward
            Anonymous Coward

            Re: Deathly silence

            "ransomware infection but fixed it in 25 minutes by calling the ISP and telling them to turn it off."

            Well, that's the route I'll take if needed. So much simpler than all the hoops our company has been jumping through to protect our systems.

        2. Anonymous Coward
          Anonymous Coward

          Re: Deathly silence

          In the hands of idiots, Mac is just as vulnerable as windows.

          About the only thing truly idiot proof is a Chromebook. Due to the unique way it works, You can't really get infected however hard you try. Many have tried, all have failed...

          1. Hey Nonny Nonny Mouse

            Re: Deathly silence

            And when you tell a Mac user their machine is invulnerable they stop thinking about it, thereby making themselves more vulnerable.

          2. Tim99 Silver badge

            Re: Deathly silence

            "About the only thing truly idiot proof is a Chromebook."

            Yes, I can see that. However the popular Chrome Browser (particularly on Windows) seems to be where most of crap lurks on the machines of the retirees that I help (I'm retired too, so any help is pro bono). My personal record is an elderly gentleman who complained that browsing on his 1 year old Windows 10 laptop was slow and unreliable - MalwareBytes found 704 PUPs.

            I don't necessarily recommend MalwareBytes (not with real-time protection turned on) but occasionally running it manually is quite instructive. Generally Microsoft's in-built protection seems to be as good as anything at the download/file level, but can let many unsavoury trackers through. I am surprised that Google does not clean it up, as their business model relies on THEM tracking you in exchange for an easy and "efficient" user experience.

            Warning - Potential Bias Alert: After I retired from writing software for many platforms, I thought "sod it", got rid of my 5 Windows machines, and now use an Apple Mac - My life is much easier - If I really have to run Windows for a couple of ex-colleagues I run it in a simple window in a Parallels VM.

      2. DJ Smiley

        Re: Deathly silence

        You might want to check out apples latest advertising then...

        Claims doesn't get viruses, malware, is uber secure, etc.

        No '*' saying '*may depend on user actions' either!

      3. Anonymous Coward
        Anonymous Coward

        Re: Deathly silence

        You're joking right?

        I hear them every bloody week, boasting how their machines are virus, hacker, failure proof, how it pisses rainbows and glitter into their lives every time they feel honoured enough to be using it.

      4. Anonymous Coward
        Anonymous Coward

        Re: Deathly silence

        @LaeMing - "Also, I haven't heard any Mac user claim "Macs don't get viruses" since the '90s."

        You must be only speaking to the reasonable and knowledgeable Mac users...

        1. LaeMing

          Re: Deathly silence

          @LaeMing - "Also, I haven't heard any Mac user claim "Macs don't get viruses" since the '90s."

          @ Andy Prough - "You must be only speaking to the reasonable and knowledgeable Mac users..."

          Apparently so :-/

    2. JLV
      Paris Hilton

      Re: Deathly silence

      You know, this hack was in my mind as I downloaded Sublime Text 3 today from their site. Sublime doesnt publish hashes but I did a shashum of the download anyway. iTerm then allowed me to google up the hash and a hit came back from an AV vendor that that hash was associated with my particular build of Sublime.

      As to you, think before inserting hoof in mouth. If you download malware and sudo up your full admin credentials to confirm its installation, that's going to be very hard for the OS to keep from blowing up, innit? True on Linux, Windows and, yes, OSX.

      1. cb7 Bronze badge

        Re: Deathly silence

        I know that. The hoof's in your mouth, because there are plenty of plebs out there who still think their Mac is impervious to malware.

        1. Anonymous Coward
          Anonymous Coward

          Re: Deathly silence

          Every man and his dog is a bedroom security expert it seems. Our security "expert" still believes NHS got hacked because they mostly still ran XP, and that windows 10 was never at risk (neither statement is true).

          When your company security "expert" gets his "information" from some random internet clickbait article, then there is no hope really.

    3. Charlie Clark Silver badge

      Re: Deathly silence

      Actually, it's a salutary reminder to all of us that even sophisticated developers can be fooled into installing dangerous software.

      Kudos to Panic for admitting to the mistake and its provenance.

    4. fruitoftheloon
      Happy

      @cb7: Re: Deathly silence

      Cb,

      I take it that you didn't actually rtfa???

      Are you old enough to use a computer without adult supervision???

      /sighs

    5. DerekCurrie
      Angel

      Re: Deathly silence

      I'd appreciate it if you'd shame name the Apple fanbois who boast that Macs don't get malware in order for me to slap them up the side of their heads. There is nothing perfect about macOS. It just happens to be one of the safest operating systems available, along side iOS and every other form of BSD Unix.

      Note that the term is 'malware'. Viruses are one form of malware. Semantically speaking, there are no 'viruses' for Mac. But there are several malware for Mac. Four are currently active in the wild, although they have been blocked by Apple's integrated XProtect system in recent versions of macOS. Nearly all Mac malware are Trojan horses, requiring social engineering in order to convince the victim to install them manually.

      My Mac-Security blog:

      https://Mac-Security.blogspot.com

      1. Anonymous Coward
        Anonymous Coward

        Re: Deathly silence

        @ DerekCurrie

        Wish I could, naming most would cost me my job, I get them in all shapes and sizes, CEOs, CTOs, Partners, office workers, NHS staff, mechanics, neighbors, the whole gamut, I've given up trying to have the conversation so I just tell them I really like Macs and wish I could afford one, that usually sends them off in a self satisfied haze of smugness.

        Thing is, I *know* Macs are in general more secure (and I would quite like one) , they're far from perfect though and I'm damn sure the NSA has a massive array of tools to target all flavors of PC OS so it's only a matter of time...

      2. Anonymous Coward
        Anonymous Coward

        Re: Deathly silence

        "I'd appreciate it if you'd shame name the Apple fanbois who boast that Macs don't get malware in order for me to slap them up the side of their heads."

        I hope your hand is ready for a lot of slapping. The idiot mac-wielding devs at my work place still don't think mac's can get malware, even after they have managed to completely screw up their machine and bring it to me for help.

        Me - You had malware/spyware/virus on your machine (delete as appropriate)

        Devs - Mac don't get virus's

        Me - They do when you keep turning off the anti-virus/malware protection and download random things from the internet.

        Devs - Macs don't need anti-virus, it just a waste of resources.

        Me - There is a definite waste of resources here, but it isn't the anti-virus.

  3. Anthropornis
    Facepalm

    Lost ?

    So he didn't have backups ?

    1. LaeMing

      Re: Lost ?

      "Only wimps use [...] backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it" - Linus Torvalds

      Since this code was on a [non-public, in this case] GIT server, I assume it was backed up somewhere.

      1. Fazal Majid

        Re: Lost ?

        Every git checkout is a full backup of the code repository, including his colleagues/employees, so in the worst case they'd lose a few days' work that hadn't been pushed to the Git server and pulled by the other devs.

        1. Paul Crawford Silver badge

          Re: Lost ?

          Biggest risk really is malicious GIT commits using the compromised credentials - they need to be sure the developers check all "their" stuff since the incident until they found out to see that it really was work they did.

          1. DJ Smiley

            Re: Lost ?

            Also there seems to be no warning to all the people who are now using what basically amounts to 'infected' apps. As there was time when these apps source code was accessible, and could have been changed - if there's been any release or update in that time, bad times!

            1. snozdop

              Re: Lost ?

              > "all the people who are now using [...] 'infected' apps"

              The git repositories were only cloned, nothing was checked in, so no malicious code was added.

        2. tiggity Silver badge

          Re: Lost ?

          It did mention their Git credentials nabbed by the bad guys... So bad guys had control over the Git repository (so could copy and remove the code in there).

          .. Though you would assume backups would be easily available from the GIT repository cloudy company (esp if feds getting involved)

    2. Christian Berger

      Apparently they do have backups

      Otherwise it wouldn't "slow them down"...

      However it seems as if their Apps must really be horrible, otherwise they wouldn't be afraid of the source code leaking.

      1. Orv

        Re: Apparently they do have backups

        In app markets it's really common for people to make clones of popular apps, give them confusing names, and use them to install malware. Then the original publisher gets the heat.

        Most apps also end up with about 20 similar knock-offs. If source code is available that becomes trivial instead of something involving at least a little development work.

    3. Doctor Syntax Silver badge

      Re: Lost ?

      Lost absolute control until he could change the credentials. And lost control of a copy of how it was at the time the repository was cloned.

      And the moral of this story is that you should use a password manager although that still won't protect against a key logger.

  4. Tom Paine Silver badge

    ...we even half-seriously considered releasing the source code ourselves – and when that idea was floated, and we realized there wouldn't be any fallout (other than a lot of code questions!), that's when we truly felt free."

    Do I need to make any further comment? No, I don't think so.

  5. DerekCurrie
    Devil

    OSX.RAT.Proton.A-B

    The relevant malware that was buried inside the fake Handbrake installation archive is called the Proton RAT, or remote access Trojan. There are currently two known varieties in the wild. The RAT is available for purchase via the usual nefarious sources.

    http://securityaffairs.co/wordpress/57109/malware/macos-proton-rat.html

  6. gnasher729 Silver badge

    Here's the reality check: The miscreant got a copy of his source code. Source code consists of the actual text, and the copyright. The miscreants have an _illegal_ copy of his source code, that is a copy without any rights. The company itself has (probably several) copies of the source code, and they have the copyright. In my case, source code for my apps in the app store is on git hub, on Mac #1, on Mac #2, on the backup of Mac #1, and on both backups of Mac #2. That's not just source code, but also full revision history. So even if they copied the code from GitHub, destroyed the repository there, and destroyed one Mac with all its backups, I would still have at least two copies with the full version history.

    What can they do with the source code? They can publish it. And then someone tries to use it and release an app on the app store. And then I send a DMCA notice to Apple, and the app is gone within two seconds, and at the same time I call the lawyers. Nobody in that situation would send any ransom, instead I would hope and pray that some idiot is stupid enough to use the code and get his arse sued of.

    1. Orv

      But information wants to be free, man! *tokes up*

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020