I recently brought a new Mac Book Pro and will be using it as my primary machine. I had to set up Ruby on it. This included Ruby, Rubygems, and RVM. While Mac 10.5 OSX and higher come with Ruby 1.8.7 pre-installed I wanted a later version. I also installed the Rails Framework and encountered a problem when I tried to run my first Ruby on Rails App. What you might be interested to know is that Ruby comes preinstalled on your Mac. Don't believe me? Open the Terminal and type: ruby -v. Likely, the version number will return 1.8.7. While you might be tempted to stick with that, you probably shouldn't for a couple reasons: Old versions of the OS shipped with a buggy version of Ruby. Feb 14, 2010 Installing RDoc documentation for rubygems-update-1.3.5. Could not find main page README Could not find main page README Could not find main page README Could not find main page README Updating version of RubyGems to 1.3.5 Installing RubyGems 1.3.5 RubyGems 1.3.5 installed 1.3.5 / 2009-07-21 Bug fixes:. Fix use of prerelease gems. @evanphx I seem to have gotten it working without an openssl update on Mac OSX 10.5.8. My openssl is still the stock OSX 10.5.8, openssl 0.9.7. I can't explain exactly what I did to do so, it involved lots of hacking with lots of dead ends.
Ruby developers beware: a would-be cryptocurrency thief is out to get at your digital wallet, and they’re using typosquatting code to do it.
Typosquatters use misspellings of popular names to misdirect victims into using the wrong thing. It’s been a problem for websites for years, but it’s becoming an increasing issue for software developers too. Rather than reinventing the wheel by writing their own code to handle common tasks, they write it once as a software package and upload it to repositories. These repositories contain thousands of packages for developers to download. The upside is that it accelerates software development. The downside? Developers don’t often known exactly what those packages are doing.
See Full List On Bundler.io
Security researchers at threat detection company Reversing Labs found typosquatters had uploaded a malicious package in RubyGems, which is a repository serving the Ruby programming language.
You can install a RubyGems package – known as a Gem – by typing gem install followed by the package’s name on the command line. Attackers take advantage of this by copying a legitimate package, inserting some malicious code, and then uploading it again with a similar name to target fat-fingered programmers. In this case, the author had engineered the package to steal victims’ cryptocurrency.
Reversing Labs is no stranger to malicious packages, although they’ve tended to be in the Python package repository PyPi and the NPM Node.js repository. It found a typosquatting package after analysing the entire PyPi repository in July 2019. It also found a password stealer in the NPM repository last year after a similar scan.
This time it honed its approach by finding the most popular Ruby gems and then monitoring the RubyGems repository file for new files that used misspellings of the legitimate packages, it flagged those for further analysis and dug into their code. It found over 700 packages containing a file with executable code using the same name: aaa.png. This was suspicious, because .png extensions indicate image files, not executable ones.
The most downloaded Gem in this group was atlas-client, which had been downloaded about a third as much as the legitimate atlas_client Gem.
The booby-trapped Gem includes a script that activates if it’s running on Windows. If so, the script renames the file aaa.png to a.exe and runs it.
The a.exemalware file monitors the Windows clipboard for text that looks like a cryptocurrency address, something that is very likely to appear in the clipboard via Ctrl-C just before the user performs an online cryptocurrency transaction.
Cached
The sniffed-out cryptocoin address is then replaced in the clipboard itself with one belonging to the attackers, so that if a user subsequently pastes the address into the “send the money here” field on a cryptocurrency transaction page, then the crooks will receive the payment instead.
The malware also adds an entry to the Windows registry to make sure it gets reloaded when Windows starts up, for what’s known as persistence, meaning that the malware survives a logout or a reboot.
Although we’ve seen cryptocurrency crimes carried out via the clipboard before, this attack is pretty niche, according to Reversing Labs. It only works against Ruby developers using Windows machines making bitcoin transactions. Perhaps that’s why the address used in the attack had no transactions at the time of writing.
The attacker is persistent, though. Judging by the use of just two user accounts in RubyGems and the common filename, they were probably responsible for most of the malicious gems, said Reversing Labs. It also noted that the file names had turned up in other attacks on RubyGems in the past.
The RubyGems security team has removed all the affected packages from its repository, but Ruby developers should check the list of malicious packages to ensure that they’re not running dodgy code.
These supply chain attacks have been a perennial problem for other repositories too. Another researcher also discovered a cryptocurrency-stealing package that used typosquatting in the Python PyPi repository in October 2018, and ten packages cropped up in 2017. Attackers have also targeted NPM repeatedly over the years, most recently in January.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.