BitTorrent app Transmission once again source of macOS malware
Once again, BitTorrent client Transmission has distributed malware to some users through an altered installer, with downloaders of the software on Aug. 28 and 29 probably infected by the "Keydnap" package.
The previous version of Keydnap required users to click on a maliciously formed file, which then opened the installer in Terminal. The malware then waited to install until the next app was launched, and popped up a dialog box asking for authentication.
When packaged with Transmission, the malware needed no second app to execute, nor did it require further user authentication beyond what was needed to install Transmission. Additionally, since the Transmission app was properly signed, Gatekeeper allowed the execution of the malware installation without complaint.
After being granted root access, the updated Keydnap can then be used by the owners of the improved command and control server to hunt down the decryption key for the user's Keychain, and upload the stored passwords. Keychain-stored passwords include system passwords, as well as login information for Internet-based services, such as banking credentials, Gmail passwords, Amazon login information, and others.
The signature included in the bogus Transmission installer does not belong to the legitimate developers. Apple has been informed about the bad signature, and it is unknown if the key has been revoked at this time.
Transmission's developers immediately pulled the infected download after being informed of the issue.
ESET Research recommends that users who installed Transmission between Aug. 28 and Aug. 29 look for any of the following files or directories:
- /Applications/Transmission.app/Contents/Resources/License.rtf
- /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
- /Library/Application Support/com.apple.iCloud.sync.daemon/
- $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
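A small POSIX shell check, added here as an example (it is not from the article or from ESET), that walks the indicator list above. The volume root and the home directory are parameters so it can be pointed at a mounted image or a test tree instead of the live system; "$HOME" entries are resolved against the supplied home directory.

```shell
#!/bin/sh
# Added example: look for the Keydnap indicator paths reported by ESET.
# Usage: check_keydnap_indicators ROOT USER_HOME
#   ROOT      - volume root ("/" on a live Mac, or a mounted image)
#   USER_HOME - directory substituted for "$HOME" in the list
# Prints each indicator that exists, sets KEYDNAP_HITS to the number found,
# and returns 0 only when nothing was found.
check_keydnap_indicators() {
    root=${1%/}          # "/" becomes "" so "$root$p" stays absolute
    user_home=${2%/}
    KEYDNAP_HITS=0
    # The heredoc is quoted so "$HOME" is read literally and mapped below.
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        case $p in
            '$HOME'/*) full="$user_home/${p#*HOME/}" ;;
            *)         full="$root$p" ;;
        esac
        if [ -e "$full" ]; then
            KEYDNAP_HITS=$((KEYDNAP_HITS + 1))
            printf 'FOUND: %s\n' "$full"
        fi
    done <<'EOF'
/Applications/Transmission.app/Contents/Resources/License.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
/Library/Application Support/com.apple.iCloud.sync.daemon/
$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
EOF
    [ "$KEYDNAP_HITS" -eq 0 ]
}
```

On a live system run `check_keydnap_indicators / "$HOME"`; a non-zero exit means at least one of the listed artifacts is present and warrants a closer look.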
To supplement Gatekeeper, an internet connection monitoring application like Little Snitch can be used to examine incoming and outgoing Internet transmissions, and block undesirable ones, such as the broadcast of pilfered data with this implementation of Keydnap. Utilities similar to BlockBlock can continuously monitor for installation of persistent components vital for malware installers.
Originally, ESET had no idea how Keydnap was spread, and suspected that security researchers were the prime target. The latest inclusion in Transmission is the first wide vector of attack for the malware.
For two days in March, users who downloaded Transmission 2.90 were subject to the KeRanger malware. When incorporated into an app, KeRanger connected to a remote server through the Tor anonymizing service, then began encrypting stored documents and data before asking for a one bitcoin ransom.
Comments
All those who defend the torrent usually cite these kinds of uses (though you didn't mention that the torrent is an option for any distro that I have ever seen, with mirrors being by far the preferred method). But... what you fail to disclose is that the overwhelming bulk of torrent traffic IS warez, video (copyrighted) and music (copyrighted). You can pretend that it has legitimate uses (and perhaps it COULD), but for now it is (almost completely) a channel for pirated goods.
I'm not sure what you're arguing. If you're saying that the BitTorrent technology should be outlawed because it can be used for illegal reasons, then you can say the same for any OS, web browser, or search engine.
BitTorrent technology is useful. Many companies use it within their own software to handle large downloads or other updates.
But incorporating BitTorrent technology into your software is not the same as getting a BitTorrent client, which is used primarily by asshole thieves to steal content. I know there are legitimate users, but you can't tell me cases like yours are the norm.
I think a big part of the reason interest in Napster (and similar sites) plummeted was that the iTunes music store made almost all music super easy to download and use at a reasonable price.
But that's not how it is with video right now. There's a lot of video you can buy through iTunes but the price is fairly ridiculous. The content owners could do more to end piracy by doing a fair deal with Apple than by pursuing their whack-a-mole strategy with pirates.