First working Apple Mac ransomware infects Transmission BitTorrent app downloads

The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just …


BebopWeBop Silver badge

Arggggg

KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system

This could be painful for some. Can anyone provide a plausible excuse as to why Gatekeeper was still accepting revoked security certs? Other than 'someone at Apple has dropped a clanger', of course.

Adam 1 Silver badge

Re: Arggggg

GOTO fail2;

45RPM Silver badge

Re: Arggggg

Worryingly, a signed application can launch an unsigned application without troubling Gatekeeper (if I've understood correctly). Hopefully Apple will fix this rather glaring oversight - and, when they do, you can be sure that it'll be lauded with much trumpeting as an advanced new feature in the next version of Mac OS X!

In any case, and regardless of your preferred OS, everyone should be running an Antivirus app, and ensuring that the definitions are bang up to date.

David Lawton

Re: Arggggg

OS X's built-in anti-malware already has the definitions for this in it, so it should block anybody from getting it now, unless they have told the Mac not to download XProtect updates.

Andy629

Re: Arggggg

Up-to-date anti-virus ignored the download of Transmission 2.90. Not willing to see if it would grumble on "installation". I assume the payload would be encrypted (the A/V client reported a file it could not scan when I asked it to scan the downloads folder containing Transmission and other files). A/V - yes, it should be running, but it does not help much with the latest malware (FYI, running the free version of Avira on OS X).

45RPM Silver badge

Re: Arggggg

@Andy629 - I agree. My apologies - my point wasn't that you should run Anti Virus and you'll be safe if you do - my point was that you should run Anti Virus, FireWalls, a healthy degree of paranoia and mistrust - and try not to use piracy sites (because that's just asking for trouble).

The internet is like Detroit*. It's a dangerous shithole, but some parts are really very dangerous and other parts are just a bit sketchy. Steer clear of the dangerous parts, and treat the rest of it with suspicion.

*apologies to residents of Detroit. There may be some very nice parts - but I had to pick on somewhere, and it makes a change from picking on Glasgow**

**whoops, I did it again.

Palpy

Re: "...some parts are really very dangerous..."

"...and some parts are just a bit sketchy."

Agree mostly, have an upvote, but a really smart group with a powerful script will get more action if they can get their trap set on a hugely popular site -- as has been done on Forbes and Huffington Post, amongst others. So the "sketchy" concept here should include just a few expert muggers with full-auto guns lurking in "safe" neighbourhoods like Bexley.

For a long time, the wise have been saying that visiting dodgy sites and downloading promiscuously risks infection. And so it does. But in these dank days, drive-by infections can be had from completely innocuous websites.

As one of the careful-and-safe, I try to remember not to blame the victim.

Anonymous Coward

Re: Arggggg, Mac users

"I agree. My apologies - my point wasn't that you should run Anti Virus and you'll be safe if you do - my point was that you should run Anti Virus, FireWalls, a healthy degree of paranoia and mistrust - and try not to use piracy sites (because that's just asking for trouble)."

And therein lies the problem: all too many Mac users, after hearing for years how their Apple computers are "virus free", still operate with that blind assumption. They thereby leave themselves open to infection precisely because they do not believe that the common-sense precautions that you quote apply to them.

I have to hear this crap from my own boss, who runs Macs at home: how he "doesn't have to worry about viruses" and how, after I set up his MacBook for the first time to use Time Machine on our new NAS, that's a "waste of fucking time because I'm backed up to iCloud!" Yes, he knows better, about everything of course, even though he barely knows how to remove a redundant printer from the Control Panel and does not do anything more with his Mac than surf the internet and only very occasionally use Photoshop (which his children use, actually, because he wouldn't know how).

In other words, the *average* Mac user seems to be a holier-than-thou type, to whom the average concerns of "mere PC uses" don't apply. So they are ripe for infections, randsoms and social engineering because they are too stubborn to change their beliefs, because then they would have to admit that 20 years of marketing hype is nothing but exactly that.

Spanky_McPherson

But what was the original vulnerability?

The actions taken (i.e. release a new version of the affected application) only make sense if the original vulnerability in the web server has been identified and patched.

Otherwise, what's to stop this new version from getting infected in the same way?

You shouldn't use *any* software from this developer until the question is answered: what was the actual vulnerability, and how was it fixed?

Pascal Monett Silver badge

"malware's executable was smuggled in an .RTF README file"

An RTF ? Is there nothing sacred anymore ? Do they have to go and pervert every single aspect of our poor lives ?

Obviously they do.


Adam 52 Silver badge

Re: "malware's executable was smuggled in an .RTF README file"

It wasn't an rtf file, it was an executable with an rtf file icon.

Doctor_Wibble

Re: "malware's executable was smuggled in an .RTF README file"

Was the file actually an executable or was it one of those lovely 'active document' things simply saved with a .RTF extension?

A batch of 'here is your invoice' emails with .rtf attachments that turned out to be not-quite-identical .docx files with lovely little VB programs arrived over the last week, interestingly mostly via hacked end users on Mexican ISPs. And one actual old-fashioned spam trying to sell me a watch. No really, I swear, those still happen.

Adam 52 Silver badge

Re: "malware's executable was smuggled in an .RTF README file"

From the linked report: "It uses an icon that looks like a normal RTF file but is actually a Mach-O format executable file packed with UPX 3.91. "

Dan 55 Silver badge
Facepalm

Re: "malware's executable was smuggled in an .RTF README file"

Oh lordy, Mac OS followed Windows into hiding extensions by default, and look what happened.

Anonymous Coward

Re: "malware's executable was smuggled in an .RTF README file"

... but with an rtf extension as well so to all intents and purposes would convincingly look like one when seen in the GUI, even for those who force all file extensions to be shown.

NotBob
Windows

Re: "malware's executable was smuggled in an .RTF README file"

Mac OS followed Windows in more ways than one this time.

Doctor_Wibble

Re: "malware's executable was smuggled in an .RTF README file"

> From the linked report

D'oh, I should have looked before posting...

Fibbles

Not everything is Windows

AFAIK OSX, like Linux, uses mime types to determine which program to open a file with. The file extension is just there for the benefit of the meatbag at the other end of the keyboard. It is not guaranteed to be accurate.

Crazy Operations Guy

"uses mime types to determine which program to open a file with."

When will someone write some code for file managers to place a warning emblem over the icon when the MIME type doesn't match the file extension. It seems like such an easy thing to write...
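The check that post asks for, as an added example written for this thread rather than code from any file manager or from the report the thread discusses: it reads the leading bytes of each file, infers a content type from a small constructed table of magic numbers (Mach-O thin and fat headers, RTF, PDF, ZIP/OOXML, ELF), compares that with what the extension promises, and marks the mismatch the way an emblem overlay would. The sample files, including a fake `README.rtf` that carries only a Mach-O 64-bit header and a `UPX!` marker, are constructed here and are not loadable binaries.

```python
"""Flag files whose sniffed content type disagrees with their extension.

Added example for the discussion above, not code from the original thread.
The signature table, the expected-type table and the sample files are all
constructed here; the Mach-O magic values are the standard ones from <mach-o/loader.h>.
"""
import os
import tempfile

# First four bytes of Mach-O images: MH_MAGIC/MH_CIGAM, the 64-bit variants,
# and FAT_MAGIC for universal binaries (note: 0xCAFEBABE is also the Java
# class-file magic, so a real tool would look at the following bytes too).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

EXECUTABLE_TYPES = {"application/x-mach-binary", "application/x-executable"}

# What each document extension is allowed to contain.
EXPECTED_BY_EXT = {
    ".rtf": {"text/rtf"},
    ".pdf": {"application/pdf"},
    ".docx": {"application/zip"},  # OOXML is a ZIP container
    ".zip": {"application/zip"},
}


def sniff_type(head: bytes) -> str:
    """Return a MIME-style type from the file's leading bytes."""
    if head[:4] in MACHO_MAGICS:
        return "application/x-mach-binary"
    if head.startswith(b"\x7fELF"):
        return "application/x-executable"
    if head.startswith(b"{\\rtf"):
        return "text/rtf"
    if head.startswith(b"%PDF-"):
        return "application/pdf"
    if head.startswith(b"PK\x03\x04"):
        return "application/zip"
    return "application/octet-stream"


def check_file(path: str) -> dict:
    """Compare sniffed type against the extension; 'emblem' is what a GUI would overlay."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lower()
    sniffed = sniff_type(head)
    expected = EXPECTED_BY_EXT.get(ext)
    mismatch = expected is not None and sniffed not in expected
    return {
        "name": os.path.basename(path),
        "ext": ext,
        "sniffed": sniffed,
        "mismatch": mismatch,
        "executable": sniffed in EXECUTABLE_TYPES,
        # Heuristic only: UPX leaves its marker near the start of packed images.
        "upx_marker": b"UPX!" in head,
        "emblem": "warning" if mismatch else None,
    }


def scan_directory(directory: str) -> dict:
    """Check every regular file in a directory, keyed by file name."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = check_file(full)
    return results


def demo() -> dict:
    """Build two constructed samples and scan them: a real RTF and a disguised Mach-O."""
    directory = tempfile.mkdtemp(prefix="emblem-demo-")
    with open(os.path.join(directory, "notes.rtf"), "wb") as fh:
        fh.write(b"{\\rtf1\\ansi Hello from a genuine RTF}")
    with open(os.path.join(directory, "README.rtf"), "wb") as fh:
        # MH_MAGIC_64 in little-endian byte order, padding, then a UPX marker.
        # Constructed header bytes only; this is not a runnable binary.
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"UPX!" + b"\x00" * 64)
    return scan_directory(directory)


if __name__ == "__main__":
    for name, info in demo().items():
        flag = "WARNING" if info["mismatch"] else "ok"
        print(f"{flag:7} {name}: ext={info['ext']} sniffed={info['sniffed']} upx={info['upx_marker']}")
```

Because the extension is read from the name while the type comes from the bytes, renaming in Terminal or Finder cannot hide the disagreement; a real implementation would use the platform's type database rather than this hand-built table.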

Dan 55 Silver badge

Re: Not everything is Windows

Rename a file in Terminal and Finder will faithfully treat it differently if the extension changed. That also goes for if you told Finder to show file extensions then rename a file with Finder changing the extension.

Here the malware seems to be an app bundle dressed up as an rtf file, and if you have extensions hidden (as they are by default) then you're not going to know unless you realise the context menu options and properties are appropriate for apps.

Not good design.

Spanky_McPherson

How to mitigate the encryption malware?

I like the way the malware can encrypt Time Machine backups.

I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware.

I believe this configuration works , but is unsupported by Apple.

Anonymous Coward

Belt and braces

"I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware."

In addition to TM backups I use SuperDuper to take regular clones of my system to sparse images residing on Illumos with ZFS and regular snapshots. This works nicely.

The sparse images are only online when I want them to be, and should my Time Machine disks fail or fumble fingers do their worst, I have other backups.

boltar Silver badge

Re: How to mitigate the encryption malware?

"I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware."

Or just use a USB stick or plug in drive which has a nice air gap between the malware and your data.

HollyHopDrive

Re: How to mitigate the encryption malware?

I do all my torrent downloading from a Linux VM on my Mac (nothing dodgy, Linux images and the like). One of the reasons is exactly that. While it's not guaranteed to keep you safe on its own, it's an extra layer of security and separation, and if my VM gets trashed, I just restore from the snapshot. It's 20GB of my hard disk I'm happy to give up on the off chance. I don't install much on my Mac unless I'm 100% sure it's as safe as it can be, i.e. Office, Chrome. Everything else is in a VM and I'll live with the marginal performance drop-off.

Regular(ish) USB drive backups (multiple drives) help mitigate losing it all too.

Seems my paranoia may be justified....

Matthew 17

being thick...

You don't install Transmission, it's a stand-alone app. Nor do you run it as root or grant it privileges. Is it just scrambling the user's docs in their home directory, so any backup would be fine to recover from, or is it able to encrypt the attached volume(s)? If so, how?

Dan 55 Silver badge

Re: being thick...

The nobbled version of Transmission puts an executable in the Library directory in the user's home directory. That process could encrypt any document the user has read/write access to, it just depends if it's programmed so that it searches other volumes too. Assume the worst.

You'd need to panic if you see kernel_service in Activity Monitor or in the ~/Library directory (~/Library is now helpfully hidden by default; choose Go from the Finder menu to find it).

Anonymous Coward

Ransomware is probably the single biggest threat to the world of computers and devices which IMO for the perpetrators justifies extraordinary rendition, water boarding, orange jump suits and the re-population of Guantanamo Bay with no possibility of parole.

boltar Silver badge

"Ransomware is probably the single biggest threat to the world of computers and devices [owned by idiots]"

There, FTFY.

Anyone with a working brain does frequent versioned backups to multiple locations, preferably with an air gap or at least no semi-permanent connection that can be exploited like with Time Machine.

Halfmad

Nice attitude,

Relying on backups and not addressing the core problem though - that ransomware does happen and preventing it from doing so is equally idiotic. Must be lonely up on your high horse, cuddling those back ups.

Locky
Joke

Or....

"Idiot Users are probably the single biggest threat to the world of computers and devices"

There, FTFTFY

boltar Silver badge

" Must be lonely up on your high horse, cuddling those back ups."

Lonely? I'm glad you think so highly of me that you assume I'm the only person who's heard of backups. Perhaps you should enlighten yourself about them.

WolfFan Silver badge

You got downvoted for being on the high horse, though it looks more like a mangy donkey from here. Everyone here's heard of backups. This particular bit of malware deliberately delayed starting up so that it could be included in this weekend's backups.

boltar Silver badge

"You got downvoted for being on the high horse,"

"Being on the high horse" - translation: Someone making out an obvious point to idiots who don't appreciate being reminded of their own stupidity.

"This particular bit of malware deliberately delayed starting up so that it could be included in this weekend's backups."

Duh, that's why you keep multiple versioned backups, Booboo! Oh, and you do checksum and compare your important data before you back it up, right? No? Why doesn't that surprise me.

Christ, it really is idiot week on here.

James O'Shea Silver badge

boltar, m'man, you're in dire need of an attitude transplant. Right now you're making Donnie Trump look like Francis of Assisi.

Anonymous Coward

Oh dear, how sad, never mind.

People get infected by running software designed and used mostly for pirating?

Hard to feel any sympathy there...

(Go on, down vote me for daring to tell the truth)

Anonymous Coward

Re: Oh dear, how sad, never mind.

I'll downvote you for talking crap, bittorrent is a very useful protocol.

Read on:

https://torrentfreak.com/apple-is-running-bittorrent-trackers-in-cupertino-160306/

boltar Silver badge

Re: Oh dear, how sad, never mind.

"I'll downvote you for talking crap, bittorrent is a very useful protocol."

Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?

Bloakey1

Re: Oh dear, how sad, never mind.

"Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?"

I think that if we extrapolate your theory further we can find the real culprit. Computers!!!! Everybody in the world using a computer is a nasty software thief, hacker, etc.

Ban all computers I say, think of the children.

Wyrdness

Re: Oh dear, how sad, never mind.

I very nearly downloaded Transmission for my Mac this weekend. The reason being that I've just bought a Pi 3 for my 7-year-old and was downloading Raspbian. There's an option for downloading via BitTorrent. Since the HTTP download was going very slowly, I considered downloading Transmission and using that instead. In which case, I'd have ended up with this malware on my Mac.

There are other open source projects (Libreoffice springs to mind) that provide torrents for downloading, so there are certainly legitimate uses for installing Transmission.

So I hope that you're downvoted to the pits of hell, where you obviously belong.

John Brown (no body) Silver badge

Re: Oh dear, how sad, never mind.

"Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?"

The same can be said for other protocols. The majority of email is spam of varying degrees of criminality. So do we assume that the majority of email users are spammers? Your "logic" says yes.

JLV Silver badge
Facepalm

Re: Oh dear, how sad, never mind.

>Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?

Totally agree. Let's shut down the internet because people use it for piracy.

Moss - "Jen - hand over 'The Internet'. We need to take it down"

Now, what I am more curious about is whether you could catch this kinda crap via Homebrew/MacPorts for innocent proggies. Hopefully the folks looking after those repositories are on the ball. This particular snafu sounds like a good wake-up call for all.

Joerg

So now official websites have files with viruses, uh?

And so who is behind this scam?

Who compiled the virus inside the binary for distribution of the torrent client ?

It is not on some pirate website in an unknown country. It is an official distribution for a torrent client used by NAS manufacturers too. Transmission is installed everywhere.

What is going on really?

NeverMindTheBullocks

Re: So now official websites have files with viruses, uh?

What's going on is that Transmission was specifically targeted by the scammers in the knowledge that it is widely used around the world. Exactly how they managed it remains to be seen, but fundamentally they set out to break into the distribution of Transmission and upload a malware-infected version signed with a revoked but otherwise legitimate-looking developer certificate.

You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money.

Anonymous Coward

Re: So now official websites have files with viruses, uh?

"You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money."

Exactly! The same thing happened with Linux recently. It's just hackers changing attack vector, looking for new and easy 'central' targets to boost the spread of their malware / botnet (ego...)

PassiveSmoking

Does this affect people who downloaded a new version via Transmission's auto-update mechanism as well, or is it just people who downloaded it from the website?

WolfFan Silver badge

Apparently it's just those who downloaded the full installer. If you ran the updater and everything went well, you're okay. If you ran the updater and had a problem and had to use the full installer, you're in trouble. If you just got the full installer, you're in trouble. If you're like me and haven't updated in a long time, you're okay.

PassiveSmoking

Yeah, first thing I did when I got home was triple-check everything on the list of signs I'd been infected, none of the described symptoms showed up.

I've shit-canned Transmission anyway though, a) to be on the safe side and b) because my trust in them has been destroyed. Also running a very thorough virus/malware scan that's probably going to take until tomorrow.

Nifty

Checksums anyone?

First Mint now Transmission. Is there no SIMPLE way to compare hash checksums against a less-likely to be hacked reference source? Will we be needing a blockchain system to verify what we download in future?
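On the checksum question, here is the simple version as an added example (not code from the thread, from Transmission or from any distribution project): hash the download in chunks, compare it in constant time against a reference digest obtained through a channel other than the download page itself, and accept a whole `sha256sum`-style manifest so several files can be checked at once. The manifest text and files below are constructed here; the one real constant is the well-known SHA-256 of the six bytes `hello\n`.

```python
"""Verify downloaded files against a SHA-256 reference obtained out of band.

Added example for the question above, not the original thread's or any
project's code. Sample files and the manifest are constructed here.
"""
import hashlib
import hmac
import os
import tempfile

# SHA-256 of b"hello\n"; a published reference value rather than one
# computed from the file being checked.
HELLO_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file of any size without loading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_file(path: str, expected_hex: str) -> bool:
    """True only if the file's digest matches the reference; comparison is constant-time."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def parse_manifest(text: str) -> dict:
    """Parse 'sha256sum' output lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0], parts[1].lstrip("*")
        int(digest, 16)  # raises if not hex
        entries[name] = digest
    return entries


def verify_manifest(directory: str, manifest_text: str) -> dict:
    """Check every manifest entry against the files in a directory: ok / MISMATCH / missing."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if verify_file(path, digest) else "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: one intact file, one altered file, one not downloaded."""
    directory = tempfile.mkdtemp(prefix="checksum-demo-")
    with open(os.path.join(directory, "good.dmg"), "wb") as fh:
        fh.write(b"hello\n")
    with open(os.path.join(directory, "tampered.dmg"), "wb") as fh:
        fh.write(b"hello!\n")  # one byte added, as a swapped download would differ
    manifest = "\n".join([
        "# constructed manifest, as if fetched from a mirror or mailing list",
        f"{HELLO_SHA256}  good.dmg",
        f"{HELLO_SHA256}  tampered.dmg",
        f"{HELLO_SHA256} *absent.dmg",
    ])
    return verify_manifest(directory, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The hash itself does nothing if the reference comes from the same compromised page as the download; the value has to come from somewhere the attacker did not control, which is the point the question is raising.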


Biting the hand that feeds IT © 1998–2018