Malware-infected Transmission 2.9 app threatened OS X users, stopped by XProtect
Users who downloaded the Transmission BitTorrent client on Friday or Saturday are being warned to update to the latest 2.92 version to avoid being targeted by ransomware that infiltrated an earlier version of the open source software.
Claud Xiao and Jin Chen of Palo Alto Networks reported on the threat earlier today, noting that "attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4."
KeRanger is the name given to what is believed to be the "first fully functional" ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then "begins encrypting certain types of document and data files on the system."
The malware then "demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files." Researchers say the malicious code is "under active development" and appears to be attempting to encrypt users' Time Machine backups as well, to prevent them from recovering their backed-up data.
Mac OS X's GateKeeper, XProtect spring into action
The same day that Palo Alto Networks discovered the threat, which was distributed with the Transmission app in a DMG package signed by a valid Developer ID, Apple revoked the signing certificate involved to prevent new installations of the infected version via the Mac's iOS-like GateKeeper signed-app security system.
Apple also began automatic distribution of an OS X XProtect antivirus signature to flag and quarantine existing compromised downloads.
The security firm noted that anyone who directly installed Transmission between March 4th and March 5th may be infected with the KeRanger malware, and outlined steps to identify and remove the malware if it has already been installed.
Because Apple has already revoked the certificate and distributed an XProtect update, anyone attempting to open a known-infected version of the Transmission app will now see a warning dialog box stating "Transmission.app will damage your computer. You should move it to the Trash," or "Transmission can't be opened. You should eject the disk image."
A clean, updated 2.91 version of the Transmission app can be downloaded from the app developer's website.
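GateKeeper only checks that a bundle carries some valid Developer ID, which is why a re-signed installer passed until Apple revoked the certificate; a defender can pin the expected signer's Team ID and compare the download against the developer's published checksum. The following is an added example, not code from the article or from the Transmission project, and the Team ID, bundle identifier and report text are constructed placeholders:

```python
import hashlib
import re
import subprocess

# Constructed sample of what `codesign -dvv <app>` prints (on stderr) for a
# Developer ID-signed bundle. Team ID and identifier are placeholders, not
# the Transmission project's real values.
SAMPLE_REPORT = """\
Executable=/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
Identifier=com.example.transmission
Authority=Developer ID Application: Example Developer (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER1
"""

TEAM_ID_RE = re.compile(r"^TeamIdentifier=(\S+)$", re.MULTILINE)


def signing_team_id(report: str):
    """Return the Team ID from a codesign report, or None if unsigned/ad-hoc."""
    m = TEAM_ID_RE.search(report)
    if not m or m.group(1) == "not set":
        return None
    return m.group(1)


def check_signer(report: str, expected_team_id: str) -> bool:
    """True only if the bundle is signed by the developer we expect.
    GateKeeper alone accepts any valid Developer ID, including an attacker's."""
    return signing_team_id(report) == expected_team_id


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """Compare a downloaded DMG/app against the checksum the developer publishes."""
    with open(path, "rb") as f:
        return sha256_bytes(f.read()) == expected_sha256.lower()


def codesign_report(app_path: str) -> str:
    """Run codesign on a macOS host (assumed present) and return its report."""
    proc = subprocess.run(["codesign", "-dvv", app_path],
                          capture_output=True, text=True)
    return proc.stderr


if __name__ == "__main__":
    print("signed by expected team:", check_signer(SAMPLE_REPORT, "PLACEHOLDER1"))
```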
Comments
People don't just "sign up" to be an Apple Developer and get certificates. For example, to become an Apple Enterprise Developer you need to prove to Apple you are a legal entity. If there's a legal entity behind the certificate, then there's someone who can be sued for fraudulently obtaining a certificate for the purposes of spreading malware.
B: I wouldn't recommend BTing any longer. The (c) trolls are on the rise.
In the future, I'm thinking of just using programs like this in virtualized environments. There's no need to expose them to my entire machine and its critical data. And I'll probably start using Little Snitch to catch any programs trying to access the Tor network without permission.
Updates weren't affected, only a full binary install for about a 24 hour period.
Time Machine under El Capitan would be pretty hard to hack as it's protected with SIP (System Integrity Protection). Not foolproof, but pretty hard.
All it took was 3 things:
1. Access to the source code to be altered and recompiled
2. Access to the distribution server to upload the infected version
3. A valid dev cert to use in the recompile, whether the actual dev's cert, or some other one
Beyond that, I'm not knowledgeable enough about this stuff to say how Apple can change things in the future to keep this sort of thing from happening.
Either way, I've removed Transmission from my Mac now anyway as I never use it any more so I'm not sure why I bothered to update it in the first place.
The other two things they did have: they accessed the distribution server and replaced one package with another, and they had a valid dev certificate, not to recompile anything, but just to re-sign the installer they'd added a new payload to.
No. 2 is the lapse from the developer. Anyone can get the installer package and modify it, and anyone with a dev cert can re-sign the modified installer, but the important bit is putting it on the dev's website to replace a legitimate version.