BitTorrent app Transmission once again source of macOS malware

Once again, the BitTorrent client Transmission has served malware to some of its users through a tampered installer: anyone who downloaded the client on Aug. 28 or 29 was probably infected with the "Keydnap" backdoor.

The earlier version of Keydnap needed the user to open a maliciously crafted file that, when double-clicked, launched the installer in Terminal. The malware then held off until the next application was launched, at which point it put up a dialog box asking for the user's password.

Bundled with Transmission, the malware needed no second application to start it, nor any authentication beyond what installing Transmission itself required. And because the trojanized Transmission bundle carried a valid Apple Developer ID signature, Gatekeeper let it run without complaint.

Once it has root, the updated Keydnap can be directed by the operators of its (also updated) command and control server to recover the decryption key for the user's Keychain and upload the stored passwords. Keychain-stored passwords include system passwords as well as credentials for Internet services: banking logins, Gmail passwords, Amazon login information, and others.

The Developer ID signature on the bogus Transmission build is not the Transmission project's own. Apple has been notified about it; whether the certificate has been revoked is not known at this time.

Transmission's developers pulled the infected download as soon as they were informed of the problem.

ESET Research recommends that users who installed Transmission between Aug. 28 and Aug. 29 check for any of the following files or directories; the presence of any of them indicates infection:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

To supplement Gatekeeper, an outbound-connection monitor such as Little Snitch can show and block unexpected network connections, including this Keydnap variant's upload of stolen passwords. Tools such as BlockBlock watch continuously for new persistence components (launch agents, for example) that malware installers rely on to survive a reboot.
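As an added example (not from the article, ESET or the Transmission project), the following POSIX sh script turns the indicator list above and the persistence-monitoring advice into a repeatable check. The root-prefix and home-directory arguments, the treatment of any com.apple.*.plist under ~/Library/LaunchAgents as suspicious, and the file name keydnap_check.sh are assumptions made for this example; the codesign "Authority=" lines it greps for are macOS's own output.

```shell
#!/bin/sh
# Added example, not part of the article or of ESET's/Transmission's tooling:
# triage a Mac for the Keydnap indicators ESET published and for the kind of
# persistence BlockBlock would flag.
#
# Assumptions made for this example:
#   * Each function takes an optional root prefix, so the same checks can be
#     run against a mounted disk image instead of the live "/".
#   * The home directory is passed explicitly (defaults to $HOME).
#   * Any com.apple.*.plist in ~/Library/LaunchAgents is treated as suspicious:
#     Apple's own agents live under /System/Library/LaunchAgents, and Keydnap
#     hid behind a com.apple.iCloud.sync.daemon label in the user's folder.

# Print the ESET indicator paths, one per line, under the given prefix.
keydnap_indicators() {
    prefix="${1:-}"
    home="${2:-$HOME}"
    cat <<EOF
${prefix}/Applications/Transmission.app/Contents/Resources/License.rtf
${prefix}/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
${prefix}${home}/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
${prefix}${home}/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
${prefix}${home}/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
${prefix}/Library/Application Support/com.apple.iCloud.sync.daemon/
${prefix}${home}/Library/LaunchAgents/com.geticloud.icloud.photo.plist
EOF
}

# Exit status 0 = no indicator present, 1 = at least one found (each printed).
keydnap_scan() {
    prefix="${1:-}"
    home="${2:-$HOME}"
    hits=0
    # The here-document redirect keeps the loop in the current shell, so
    # $hits survives the loop (piping into "while" would run it in a subshell).
    while IFS= read -r path; do
        if [ -e "$path" ]; then
            printf 'FOUND: %s\n' "$path"
            hits=$((hits + 1))
        fi
    done <<EOF
$(keydnap_indicators "$prefix" "$home")
EOF
    [ "$hits" -eq 0 ]
}

# Heuristic persistence check: user-level LaunchAgents masquerading as Apple's.
suspicious_launch_agents() {
    home="${1:-$HOME}"
    for plist in "$home"/Library/LaunchAgents/com.apple.*.plist; do
        [ -e "$plist" ] || continue   # the glob matched nothing
        printf 'SUSPICIOUS AGENT: %s\n' "$plist"
    done
}

# On macOS, show who signed the installed Transmission bundle; a Developer ID
# other than the project's own is the tell the article describes.
transmission_signer() {
    app="${1:-/Applications/Transmission.app}"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 0; }
    [ -d "$app" ] || { echo "$app not installed"; return 0; }
    codesign -dv --verbose=2 "$app" 2>&1 | grep '^Authority='
}

# Run everything when invoked as "sh keydnap_check.sh scan"; sourcing the file
# without arguments only defines the functions.
case "${1:-}" in
    scan)
        keydnap_scan || echo "Keydnap indicators present: remove them and change every Keychain password"
        suspicious_launch_agents
        transmission_signer
        ;;
esac
```

Run it as `sh keydnap_check.sh scan` on the affected Mac, or source it and call `keydnap_scan /Volumes/image /Users/victim` to triage a mounted image of another machine. A clean result is not proof of a clean system; it only means these specific paths are absent.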

When ESET first analyzed Keydnap, it did not know how the backdoor was being distributed and suspected that security researchers were the primary targets. The trojanized Transmission build is the first broad distribution vector seen for the malware.

For two days in March, users who downloaded Transmission 2.90 received the KeRanger ransomware instead. Once installed, KeRanger contacted a remote server over the Tor network, then began encrypting the user's documents and data and demanded a ransom of one bitcoin.

Comments

  • Reply 1 of 36
    Besides thieves who download music/movies, who else uses BT?
  • Reply 2 of 36
    volcan Posts: 1,799 member
    Besides thieves who download music/movies, who else uses BT?
    Most of the major Linux distros who use it for downloading OS updates. All the mirrors, even those at universities offer BT versions of Linux.
    edited August 2016
  • Reply 3 of 36
    Besides thieves who download music/movies, who else uses BT?
    Kanye West
  • Reply 4 of 36
    If they're trying to get their app banned from torrent sites, they're doing a good job.
  • Reply 5 of 36
    indyfx Posts: 321 member
    volcan said:
    Besides thieves who download music/movies, who else uses BT?
    Most of the major Linux distros who use it for downloading OS updates. All the mirrors, even those at universities offer BT versions of Linux.
    Functionally (but not completely) false.

    All those who defend the torrent usually cite these kinds of uses (though you didn't mention that the torrent is an option for any distro that I have ever seen, with mirrors being by far the preferred method). But... what you fail to disclose is that the overwhelming bulk of torrent traffic IS wares, video (copyrighted) and music (copyrighted). You can pretend that it has legitimate uses (and perhaps it COULD) but for now it is (almost completely) a channel for pirated goods.
  • Reply 7 of 36
    volcan Posts: 1,799 member
    indyfx said:

    All those who defend the torrent, usually cite these kinds of uses (though you didn't mention that the torrent is a option for any distro that I have ever seen (with mirrors being by far the preferred method) But... what you fail to disclose is that the overwhelming bulk of torrent traffic IS wares, video (copyrighted) and music (copyrighted) You can pretend that it has legitimate uses (and perhaps it COULD) but for now it is (almost completely) a channel for pirated goods.
    I'm not defending anything, just answered the question. Those legitimate mirrors where I get my Linux versions do offer torrents which is the only place I have seen a torrent because I don't download anything that doesn't come from legit sites. I don't even own a BT client.
    edited August 2016
  • Reply 8 of 36
    Soli Posts: 10,033 member
    Besides thieves who download music/movies, who else uses BT?
    Businesses use BitTorrent Sync to get files to remote employees with ease. It's secure since the creator of the torrent will need to send you a specific hash which links you to the files being synced. I use this extensively to keep several large databases of files up to date for work. Previously, they would periodically mail us optical discs. Having about 2TiB of data on an external drive is a huge advantage.
  • Reply 9 of 36
    Soli Posts: 10,033 member

    indyfx said:
    volcan said:
    Most of the major Linux distros who use it for downloading OS updates. All the mirrors, even those at universities offer BT versions of Linux.
    Functionally (but not completely) false. All those who defend the torrent usually cite these kinds of uses (though you didn't mention that the torrent is an option for any distro that I have ever seen, with mirrors being by far the preferred method). But... what you fail to disclose is that the overwhelming bulk of torrent traffic IS wares, video (copyrighted) and music (copyrighted). You can pretend that it has legitimate uses (and perhaps it COULD) but for now it is (almost completely) a channel for pirated goods.
    I'm not sure what you're arguing. If you're saying that the BitTorrent technology should be outlawed because it can be used for illegal reasons, then you can say the same for any OS, web browser, or search engine.
  • Reply 10 of 36
    Besides thieves who download music/movies, who else uses BT?
    Sony. They use BT protocol to distribute their PlayStation software updates. 
  • Reply 11 of 36
    Soli said:

    indyfx said:
    volcan said:
    Most of the major Linux distros who use it for downloading OS updates. All the mirrors, even those at universities offer BT versions of Linux.
    Functionally (but not completely) false. All those who defend the torrent usually cite these kinds of uses (though you didn't mention that the torrent is an option for any distro that I have ever seen, with mirrors being by far the preferred method). But... what you fail to disclose is that the overwhelming bulk of torrent traffic IS wares, video (copyrighted) and music (copyrighted). You can pretend that it has legitimate uses (and perhaps it COULD) but for now it is (almost completely) a channel for pirated goods.
    I'm not sure what you're arguing. If you're saying that the BitTorrent technology should be outlawed because it can be used for illegal reasons, then you can say the same for any OS, web browser, or search engine.

    BitTorrent technology is useful. Many companies use it within their own software to handle large downloads or other updates.

    But incorporating BitTorrent technology into your software is not the same as getting a BitTorrent client, which is used primarily by asshole thieves to steal content. I know there are legitimate users, but you can't tell me cases like yours are the norm.
  • Reply 12 of 36
    Soli Posts: 10,033 member
    Soli said:

    I'm not sure what you're arguing. If you're saying that the BitTorrent technology should be outlawed because it can be used for illegal reasons, then you can say the same for any OS, web browser, or search engine.

    BitTorrent technology is useful. Many companies use it within their own software to handle large downloads or other updates.

    But incorporating BitTorrent technology into your software is not the same as getting a BitTorrent client, which is used primarily by asshole thieves to steal content. I know there are legitimate users, but you can't tell me cases like yours are the norm.
    I don't know a single person that uses BitTorrent Sync other than syncing with a company for legal downloads. It's very handy and it's not the same as Transmission or µTorrent. It's more of a Dropbox competitor without requiring everything first be synced with their cloud, and arguably offers more security since it's not stored on their servers.
    edited August 2016
  • Reply 13 of 36
    Nothing brings out the Cindy Bradys, tattletales and self-righteous dogooders crowd more than merely mentioning BitTorrent or torrenting.
  • Reply 14 of 36
    blastdoor Posts: 2,698 member
    BitTorrent technology is useful. Many companies use it within their own software to handle large downloads or other updates.

    But incorporating BitTorrent technology into your software is not the same as getting a BitTorrent client, which is used primarily by asshole thieves to steal content. I know there are legitimate users, but you can't tell me cases like yours are the norm.
    Who is the bigger asshole, the person who illegally downloads a movie or Comcast?  I contend there would be fewer "asshole thieves" if content were made easily accessible at a reasonable price (i.e., if there were fewer asshole content distributors) 

    I think a big part of the reason interest in Napster (and similar sites) plummeted was that the iTunes music store made almost all music super easy to download and use at a reasonable price. 

    But that's not how it is with video right now. There's a lot of video you can buy through iTunes but the price is fairly ridiculous. The content owners could do more to end piracy by doing a fair deal with Apple than by pursuing their whack-a-mole strategy with pirates. 

  • Reply 15 of 36
    Besides thieves who download music/movies, who else uses BT?
    It's not theft if you torrent stuff; content like movies/music, apps & other content are free on torrent sites for a reason.
    edited August 2016
  • Reply 16 of 36
    Soli Posts: 10,033 member
    Besides thieves who download music/movies, who else uses BT?
    It's not theft if you torrent stuff; content like movies/music, apps & other content are free on torrent sites for a reason.
    You have to be a special kind of asshole to think that taking what is not yours isn't stealing if the risk of being caught and convicted is practically nil.
    edited August 2016
  • Reply 17 of 36
    focher Posts: 687 member
    Besides thieves who download music/movies, who else uses BT?
    I used it to download the WatchOS 3 beta profile. Just thought I'd let you know, as that wasn't a category included in your self-righteous indignation. 
  • Reply 18 of 36
    jfanning Posts: 3,398 member
    Besides thieves who download music/movies, who else uses BT?
    How does one steal a physical item via BT? Or are you mistaking copyright violation for theft?
  • Reply 19 of 36
    nolamacguy Posts: 4,758 member
    Besides thieves who download music/movies, who else uses BT?
    it's a protocol. that question is as absurd as asking who uses FTP. 
  • Reply 20 of 36
    nolamacguy Posts: 4,758 member
    blastdoor said:
    BitTorrent technology is useful. Many companies use it within their own software to handle large downloads or other updates.

    But incorporating BitTorrent technology into your software is not the same as getting a BitTorrent client, which is used primarily by asshole thieves to steal content. I know there are legitimate users, but you can't tell me cases like yours are the norm.
    Who is the bigger asshole, the person who illegally downloads a movie or Comcast?  I contend there would be fewer "asshole thieves" if content were made easily accessible at a reasonable price (i.e., if there were fewer asshole content distributors) 

    I think a big part of the reason interest in Napster (and similar sites) plummeted was that the iTunes music store made almost all music super easy to download and use at a reasonable price. 

    But that's not how it is with video right now. There's a lot of video you can buy through iTunes but the price is fairly ridiculous. The content owners could do more to end piracy by doing a fair deal with Apple than by pursuing their whack-a-mole strategy with pirates. 

    this. I used to rent movies & tv via iTunes. but now the studios want $6.99 for a 24-hour rental (an insulting artificial limitation). no more....the absurd prices are why I quit Blockbuster stores a decade ago. deja vu all over again. 
    edited August 2016