Malware-infected Transmission 2.9 app threatened OS X users, stopped by XProtect

Posted:
in Mac Software
Users who downloaded the Transmission BitTorrent client on Friday or Saturday are being warned to update to the latest 2.92 version to avoid being targeted by a ransomware that infiltrated an earlier version of the open source software.




Claud Xiao and Jin Chen of Palo Alto Networks reported on the threat earlier today, noting that "attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4."

KeRanger is the name given to what is believed to be the "first fully functional" ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then "begins encrypting certain types of document and data files on the system."

The malware then "demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files." Researchers say the malicious code is "under active development" and seems to be trying to also encrypt users' Time Machine backups to also prevent them from being able to recover their backed up data.

Mac OS X's GateKeeper, XProtect spring into action



The same day that Palo Alto Networks discovered the threat--which was distributed with the Transmission app in a DMG package signed by a valid developer ID--Apple revoked the signing certificate involved to prevent new installations of the infected version via the Mac's iOS-like GateKeeper signed-app security system.

Apple also began automatic distribution of an OS X XProtect antivirus signature to flag and quarantine existing compromised downloads.

The security firm noted that anyone who directly installed Transmission between March 4th and March 5th may be infected with the KeRanger malware, and outlined steps to identify and remove the malware if it has already been installed.




Because Apple has already revoked the certificate and distributed an XProtect update, anyone attempting to open a known-infected version of the Transmission app will now be given a warning dialog box that notes "Transmission.app will damage your computer. You should move it to the Trash," or "Transmission can't be opened. You should eject the disk image."

A clean, updated 2.91 version of the Transmission app can be downloaded from the app developer's website.
«1

Comments

  • Reply 1 of 35
    Non-issue.  This has already been addressed by Apple and it's a little irresponsible of the media to put so much focus on this when there's Windows and Android malware that they could be reporting on instead.
    mac_dogMacPro
  • Reply 2 of 35
    robin huberrobin huber Posts: 3,247member
    The real price of "free" software and music files. 
    lolliverMacProbaconstang
  • Reply 3 of 35
    What I want to know is what happens to all these ASSHOLES who are using Apple developer certificates to try and get malware onto Macs or iOS devices? We've heard of many of them getting revoked (especially the enterprise certificates that allow side loading of iOS Apps), but we never hear about the consequences for those caught.

    People don't just "sign up" to be an Apple Developer and get certificates. For example, to become an Apple Enterprise Developer you need to prove to Apple you are a legal entity. If there's a legal entity behind the certificate, then there's someone who can be sued for fraudulently obtaining a certificate for the purposes of spreading malware.
    anantksundaramcornchipSir_Turkeywebweasel
  • Reply 4 of 35
    I'd like to hear more from the dev about how this happened.
    tallest skilkpluckbobschlobbdkennedy1002Rayz2016baconstang
  • Reply 5 of 35
    sixcolors said:
    I'd like to hear more from the dev about how this happened.
    It appears that their website was hijacked and replaced with an HTTP version, with the infected file offered for download on the bogus site. 
  • Reply 6 of 35
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    williamhbaconstang
  • Reply 7 of 35
    heinlein said:
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    Not all torrents are illegitimate, just 99% or so. But there's a fair smattering of open source software that can be grabbed through torrent. 
    cornchip
  • Reply 8 of 35
    I'm not trusting the developer right now. I think I'm going to need to know what happened before I install this again.
  • Reply 9 of 35
    tallest skiltallest skil Posts: 43,399member
    It appears that their website was hijacked and replaced with an HTTP version, with the infected file offered for download on the bogus site. 
    So direct updates from within the software itself wouldn’t be affected, I assume.
    focher
  • Reply 10 of 35
    isteelersisteelers Posts: 738member
    What I want to know is what happens to all these ASSHOLES who are using Apple developer certificates to try and get malware onto Macs or iOS devices? We've heard of many of them getting revoked (especially the enterprise certificates that allow side loading of iOS Apps), but we never hear about the consequences for those caught.

    People don't just "sign up" to be an Apple Developer and get certificates. For example, to become an Apple Enterprise Developer you need to prove to Apple you are a legal entity. If there's a legal entity behind the certificate, then there's someone who can be sued for fraudulently obtaining a certificate for the purposes of spreading malware.
    They go to work for the NSA
  • Reply 11 of 35
    cornchipcornchip Posts: 1,252member
    A: Transmission was the worst of the BT clients back when I would torrent stuff. To my credit it was mostly obscure, hard to find shit you can't just go out and buy.

    B: I wouldn't recommend BTing any longer. The (c) trolls are on the rise.
  • Reply 12 of 35
    sixcolors said:
    I'd like to hear more from the dev about how this happened.
    It appears that their website was hijacked and replaced with an HTTP version, with the infected file offered for download on the bogus site. 
    The issue appears to be that the hackers used the legitimate signing certificate. So the developers private key was compromised. 
  • Reply 13 of 35
    apple ][apple ][ Posts: 8,436member
    No worries here. I don't do torrents. :#
    baconstang
  • Reply 14 of 35
    sevenfeetsevenfeet Posts: 394member
    It's a pretty big deal where I sit.  I saw the update to Transmission when it was announced and just downloaded it without thinking.  When I read this story, my blood ran cold.  After checking my machine against the security researcher's web site it looks like I avoided the hack but I'd rather not be that close to having my machine ransomed.  The information that the hack is trying to compromise Time Machine shares is also not encouraging...hopefully Apple has that process locked down but I'm sure their people are looking at this again.

    In the future, I'm thinking of just using programs like this in virtualized environments.  There's no need to expose them to my entire machine and its critical data.  And I'll probably start using Little Snitch to catch any programs trying to access the Tor network without permission.
  • Reply 15 of 35
    focherfocher Posts: 640member
    sixcolors said:
    It appears that their website was hijacked and replaced with an HTTP version, with the infected file offered for download on the bogus site. 
    The issue appears to be that the hackers used the legitimate signing certificate. So the developers private key was compromised. 
    No, it wasn't. It was a valid developers certificate but not the Transmission dev's. It has already been revoked by Apple and the offending binary has been blacklisted by Apple in XProtect. 

    Updates weren't affected, only a full binary install for about a 24 hour period. 

    Time Machine under El Capitan would be pretty hard to hack as it's protected with SIP (System Integrity Protect). Not foolproof, but pretty hard. 
  • Reply 16 of 35
    BlasterBlaster Posts: 97member
    I would like OS X to provide more visible details of when XProtect has been updated on a user's system, such as displaying the date/time of the latest update in Security Preferences (and option to force update if necessary), rather than expecting people to just take Apple's word that their Macs have been updated.
    edited March 2016 damonf
  • Reply 17 of 35
    jonyojonyo Posts: 115member
    I think it's pretty short-sighted to say things like "oh they get what they deserve if they're illegally downloading torrents" or "I used reputable software, I don't have to worry about this". This could have easily happened with some other piece of mainstream software. Pretty much any software where someone could recompile it with the added malware and also somehow get upload access to the primarily used download server for the software could be compromised like this.

    All it took was 3 things:
    1. Access to the source code to be altered and recompiled
    2. Access to the distribution server to upload the infected version
    3. A valid dev cert to use in the recompile, whether the actual dev's cert, or some other one

    Beyond that, I'm not knowledgeable enough about this stuff to say how Apple can change things in the future to avoid this sort of thing from happening.
    nolamacguy
  • Reply 18 of 35
    thebmtthebmt Posts: 10member
    It appears that their website was hijacked and replaced with an HTTP version, with the infected file offered for download on the bogus site. 
    So direct updates from within the software itself wouldn’t be affected, I assume.
    While I can't say it's the case for everyone, the version of 2.9 I got via auto-updated did not seem to be compromised. No dodgy processes running etc. and Little Snitch would have asked me to authorize any new connections.

    Either way, I've removed Transmission from my Mac now anyway as I never use it any more so I'm not sure why I bothered to update it in the first place.
  • Reply 19 of 35
    focher said:
    sixcolors said:
    The issue appears to be that the hackers used the legitimate signing certificate. So the developers private key was compromised. 
    No, it wasn't. It was a valid developers certificate but not the Transmission dev's. It has already been revoked by Apple and the offending binary has been blacklisted by Apple in XProtect. 

    Updates weren't affected, only a full binary install for about a 24 hour period. 

    Time Machine under El Capitan would be pretty hard to hack as it's protected with SIP (System Integrity Protect). Not foolproof, but pretty hard. 
    Where did you read what cert was used the dev has been pretty silent on details?
    edited March 2016
  • Reply 20 of 35
    rolsrols Posts: 52member
    jonyo said:


    All it took was 3 things:
    1. Access to the source code to be altered and recompiled
    2. Access to the distribution server to upload the infected version
    3. A valid dev cert to use in the recompile, whether the actual dev's cert, or some other one

    Beyond that, I'm not knowledgeable enough about this stuff to say how Apple can change things in the future to avoid this sort of thing from happening.
    No they didn't have access to the source code nor was it altered nor recompiled. All they did was take the installer package, unpack it, pack it up again adding a couple of extra binaries which were the hack and ensure they were installed along with the real, unmodified app. 

    The other two things they did have, they accessed the distribution server and replaced one package with another, and they had a valid dev certificate, not to recompile anything, but just to re-sign the installer they'd added new payload to. 

    2. is the lapse from the developer. Anyone can get the installer package and modify it, anyone with a dev cert can re-sign the modified installer, but the important bit is putting it on the dev's website to replace a legitimate version. 
    nolamacguydjpinter
Sign In or Register to comment.