Malware-infected Transmission 2.9 app threatened OS X users, stopped by XProtect


Comments

  • Reply 21 of 35
    cnocbui Posts: 3,613 member
    heinlein said:
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    And if it had been VLC, what would you say?
  • Reply 22 of 35
    thebmt Posts: 10 member
    heinlein said:
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    I only ever used Transmission to download Linux distros for work in the past.
    Just because a program provides access to something that can be used for illegal purposes doesn't mean that's what everyone uses it for.

    Would you say the same thing if it was a web browser that had been infected instead? Because that can also be used for legitimate and illegitimate purposes.
    edited March 2016
  • Reply 23 of 35
    sandor Posts: 670 member
    I narrowly missed the bad version...

    I downloaded Transmission about 10 days ago to download a music album.

    Interestingly enough, for you people still stuck on torrents of 5 years ago, distribution of large files via BitTorrent is still great & now creator-approved!

    https://www.bittorrent.com
    https://bundles.bittorrent.com

  • Reply 24 of 35
    josu Posts: 217 member
    heinlein said:
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    You have an oversimplified vision of the issue. Broadcasters here in Spain broadcast US shows with a variable schedule, and without any advice they can change the schedule. If you follow a show, either you wait till they make a rerun, who knows when, or you go to the torrents for that specific episode and follow from there. This season I had to do that with Big Bang, 2 Broke Girls and Elementary, the first two because I was caught off guard, and the second because the channel rescheduled the show to another day. Sorry, but they don't give any notice: you follow their schedule online or in the proper channel info and you get misguided, they don't give you any information on the episodes they will broadcast, and some shows run from 11:00 PM to 2:00 or 3:00 AM; hardly any human being can follow that kind of schedule loyally. So there are only two ways: give up, or go to the torrents for the day you get fooled by the channel.
    edited March 2016
  • Reply 25 of 35
    linkman Posts: 1,046 member
    focher said:
    sixcolors said:
    The issue appears to be that the hackers used the legitimate signing certificate. So the developer's private key was compromised.
    No, it wasn't. It was a valid developers certificate but not the Transmission dev's. It has already been revoked by Apple and the offending binary has been blacklisted by Apple in XProtect. 

    Updates weren't affected, only a full binary install for about a 24 hour period. 

    Time Machine under El Capitan would be pretty hard to hack as it's protected with SIP (System Integrity Protection). Not foolproof, but pretty hard.
    The malware doesn't have to directly affect Time Machine. It just has to access the file/disk image/drive that TM is using for backups. Without hacking TM, however, it would require the malware to "guess" which files comprise the backups. This probably isn't a big deal for ransomware, as they only need the OS to work and give the user the message that they've been hacked and a way to pay the ransomers, so they can use a shotgun approach to which files get encrypted. Note that they need to actually restore the files to paying customers only to retain credibility...
  • Reply 26 of 35
    thebmt said:
    heinlein said:
    I can't say I'm very sympathetic to people who get malware in the course of stealing other people's work. It's a bit like getting an STD from a sexual assault.
    I only ever used Transmission to download Linux distros for work in the past.
    Just because a program provides access to something that can be used for illegal purposes doesn't mean that's what everyone uses it for.

    Would you say the same thing if it was a web browser that had been infected instead? Because that can also be used for legitimate and illegitimate purposes.


    You're delusional if you think the majority of torrent users are using it for legitimate purposes.
  • Reply 27 of 35
    focher Posts: 688 member
    sixcolors said:
    focher said:
    No, it wasn't. It was a valid developers certificate but not the Transmission dev's. It has already been revoked by Apple and the offending binary has been blacklisted by Apple in XProtect. 

    Updates weren't affected, only a full binary install for about a 24 hour period. 

    Time Machine under El Capitan would be pretty hard to hack as it's protected with SIP (System Integrity Protection). Not foolproof, but pretty hard.
    Where did you read what cert was used? The dev has been pretty silent on details.
    It's in the analysis from Palo Alto Networks, who discovered the malware. http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
  • Reply 28 of 35
    tallest skil Posts: 43,388 member
    josu said:
    Broadcasters here in Spain broadcast US shows with a variable schedule and without any advice they can change the schedule, if you follow a show, or you wait till they make a rerun
    You didn’t make any mention of Spanish law in regard to the viability of this action, but the US Copyright Act of 1976 gives a special status to “time-shifted” viewings of content to which you’re already legally entitled. This was done due to the advent of VHS and recording television, I believe.

    While it has not been successfully argued in court as such (only due to lack of attempts, I believe), I’ve always thought that downloading a television show could be legally identical to this (provided, of course, that you do it in the strictest sense–without seeding, only downloading).

    Not that it matters to me; I don’t watch television.
    edited March 2016
  • Reply 29 of 35
    xixo Posts: 451 member
    The real price of "free" software and music files. 
    Apple Inc would not exist if not for piracy.

    Jobs and Wozniak sold phone phreaking blue boxes to college students so they could make long distance calls for free.

    http://www.todayifoundout.com/index.php/2012/10/steve-jobs-first-business-was-selling-blue-boxes-that-allowed-users-to-get-free-phone-service-illegally/
  • Reply 30 of 35
    jonyo Posts: 119 member
    rols said:
    jonyo said:


    All it took was 3 things:
    1. Access to the source code to be altered and recompiled
    2. Access to the distribution server to upload the infected version
    3. A valid dev cert to use in the recompile, whether the actual dev's cert, or some other one

    Beyond that, I'm not knowledgeable enough about this stuff to say how Apple can change things in the future to avoid this sort of thing from happening.
    No they didn't have access to the source code nor was it altered nor recompiled. All they did was take the installer package, unpack it, pack it up again adding a couple of extra binaries which were the hack and ensure they were installed along with the real, unmodified app. 

    The other two things they did have, they accessed the distribution server and replaced one package with another, and they had a valid dev certificate, not to recompile anything, but just to re-sign the installer they'd added new payload to. 

    2. is the lapse from the developer. Anyone can get the installer package and modify it, anyone with a dev cert can re-sign the modified installer, but the important bit is putting it on the dev's website to replace a legitimate version. 
    Ah, I see. I stand corrected on those points. So, even easier for the bad guys, since no access to the app itself beyond the normal compiled distribution was needed, so that part would not be a problem for any would-be ransomware/malware person.

    I'm still interested to know if Apple will do anything about the known entity that owns the dev cert that WAS used. Were they the perpetrator? Or were they simply compromised as well by someone else?
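A defender's check for the point rols and jonyo work through above: Gatekeeper and a plain "is it signed?" check are satisfied by any valid Developer ID, so the useful test is whether the signer is the developer you expect. This is an added example, not code from the thread or from the Transmission project; the Team IDs and bundle identifier in the constructed samples are placeholders, and the samples imitate the key=value layout of `codesign -dvv` output.

```python
from typing import Dict, List

# PLACEHOLDER: replace with the real developer's Team ID, taken from a
# previously trusted copy of the app (codesign -dvv) or the vendor's docs.
EXPECTED_TEAM_ID = "TEAMID0000"

# Constructed `codesign -dvv` output for a correctly signed copy (placeholder
# identifiers; this is not output from any real Transmission build).
GOOD_OUTPUT = """\
Identifier=org.example.transmission
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

# Constructed output for the same app re-signed with someone else's valid
# Developer ID: the chain is still Apple-issued, so a bare "is it signed?"
# check passes, but the Team ID gives the swap away.
RESIGNED_OUTPUT = """\
Identifier=org.example.transmission
Authority=Developer ID Application: Other Party (ZZZZ999999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZ999999
"""

def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Turn codesign's key=value lines into a dict; repeated keys become lists."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def verify_signer(output: str, expected_team: str = EXPECTED_TEAM_ID) -> str:
    """Return 'ok' or the reason the signer is not the developer we expect."""
    fields = parse_codesign(output)
    team = fields.get("TeamIdentifier", [""])[0]
    if team in ("", "not set"):          # unsigned, or signed without a Team ID
        return "unsigned or ad-hoc signed"
    if team != expected_team:
        return "signed by a different Team ID: " + team
    leaf = fields.get("Authority", [""])[0]  # first Authority line is the leaf cert
    if not leaf.startswith("Developer ID Application:"):
        return "unexpected leaf certificate: " + leaf
    return "ok"
```

On a Mac, feed the stderr of `codesign -dvv /Applications/Transmission.app` to `verify_signer`; the expected Team ID should come from a copy you already trust, not from the download you are checking.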
  • Reply 31 of 35
    cnocbui Posts: 3,613 member
    xixo said:
    The real price of "free" software and music files. 
    Apple Inc would not exist if not for piracy.

    Jobs and Wozniak sold phone phreaking blue boxes to college students so they could make long distance calls for free.

    http://www.todayifoundout.com/index.php/2012/10/steve-jobs-first-business-was-selling-blue-boxes-that-allowed-users-to-get-free-phone-service-illegally/
    And in the early days of the iPod, piracy was about the only way you could get content to put on them.
  • Reply 32 of 35
    jonyo Posts: 119 member
    cnocbui said:
    xixo said:
    Apple Inc would not exist if not for piracy.

    Jobs and Wozniak sold phone phreaking blue boxes to college students so they could make long distance calls for free.

    http://www.todayifoundout.com/index.php/2012/10/steve-jobs-first-business-was-selling-blue-boxes-that-allowed-users-to-get-free-phone-service-illegally/
    And in the early days of the iPod, piracy was about the only way you could get content to put on them.
    I can't agree with that. I had an iPod from day 1 back in 2001, and started ripping my own CDs using that early version of iTunes. It's not like the old iPod models could only use iTunes-store-purchased music.
  • Reply 33 of 35
    maltz Posts: 497 member
    jonyo said:
    rols said:
    No they didn't have access to the source code nor was it altered nor recompiled. All they did was take the installer package, unpack it, pack it up again adding a couple of extra binaries which were the hack and ensure they were installed along with the real, unmodified app. 

    The other two things they did have, they accessed the distribution server and replaced one package with another, and they had a valid dev certificate, not to recompile anything, but just to re-sign the installer they'd added new payload to. 

    2. is the lapse from the developer. Anyone can get the installer package and modify it, anyone with a dev cert can re-sign the modified installer, but the important bit is putting it on the dev's website to replace a legitimate version. 
    Ah, I see. I stand corrected on those points. So, even easier for the bad guys, since no access to the app itself beyond the normal compiled distribution was needed, so that part would not be a problem for any would-be ransomware/malware person.

    I'm still interested to know if Apple will do anything about the known entity that owns the dev cert that WAS used. Were they the perpetrator? Or were they simply compromised as well by someone else?
    Of course they recompiled it.  You can't just throw random ".rtf" files inside an app's resource folder and expect it to execute them.  But getting access to the source code isn't hard - it's an open source app.  You can download the source code on the same page you download the app itself.

    As for the cert, my guess would be that it was stolen in a hack of that developer's systems.  I doubt that they are the actual perpetrators, but it's not impossible.  It's not difficult to get a certificate, but it does make things like that both easy to shut down and easy to track.
  • Reply 34 of 35
    maltz Posts: 497 member

    thebmt said:
    I only ever used Transmission to download Linux distros for work in the past.
    Just because a program provides access to something that can be used for illegal purposes doesn't mean that's what everyone uses it for.

    Would you say the same thing if it was a web browser that had been infected instead? Because that can also be used for legitimate and illegitimate purposes.


    You're delusional if you think the majority of torrent users are using it for legitimate purposes.

    Yeah.  And?

    So you have little sympathy for people who use this software for piracy.  Fine, but kind of irrelevant.  Would you say the same thing if it were VLC, because a lot of people use it to watch pirated content?  Or heck, even internet users as a whole.  After all, illegal torrent activity makes up a huge chunk of internet bandwidth.  So if you use the internet, you're more likely a pirate than not.  Right?

    Even if that were true (and maybe it is, for all I know/care) you're misplacing your animosity.  If you hate pirates, then hate pirates - don't go painting all Transmission users with the pirate label.  While obviously not the dominant use, there are plenty of above-board uses for torrent software.
  • Reply 35 of 35
    maltz said:



    You're delusional if you think the majority of torrent users are using it for legitimate purposes.

    Yeah.  And?

    So you have little sympathy for people who use this software for piracy.  Fine, but kind of irrelevant.  Would you say the same thing if it were VLC, because a lot of people use it to watch pirated content?  Or heck, even internet users as a whole.  After all, illegal torrent activity makes up a huge chunk of internet bandwidth.  So if you use the internet, you're more likely a pirate than not.  Right?

    Even if that were true (and maybe it is, for all I know/care) you're misplacing your animosity.  If you hate pirates, then hate pirates - don't go painting all Transmission users with the pirate label.  While obviously not the dominant use, there are plenty of above-board uses for torrent software.
    VLC doesn't track down copies of things and download them to your computer.
    As for hating pirates, it looks like his painting users of Transmission with the pirate label is 99.99% correct. Sorry for the .01% of legit users, maybe you should try a different way of getting your freeware.