First working Apple Mac ransomware infects Transmission BitTorrent app downloads

The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just …

  1. BebopWeBop

    Arggggg

    KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system

    This could be painful for some. Can anyone provide a plausible excuse as to why Gatekeeper was still accepting revoked security certs? Other than 'someone at Apple has dropped a clanger', of course.

    1. Adam 1

      Re: Arggggg

      GOTO fail2;

    2. 45RPM Silver badge

      Re: Arggggg

      Worryingly, a signed application can launch an unsigned application without troubling Gatekeeper (if I've understood correctly). Hopefully Apple will fix this rather glaring oversight - and, when they do, you can be sure that it'll be lauded with much trumpeting as an advanced new feature in the next version of Mac OS X!

      In any case, and regardless of your preferred OS, everyone should be running an Antivirus app, and ensuring that the definitions are bang up to date.

      1. David Lawton

        Re: Arggggg

        OS X's built-in anti-malware already has the definitions for this in it, so should block anybody from getting it now, unless they have told the Mac not to download XProtect updates.

      2. Andy629

        Re: Arggggg

        Up-to-date anti-virus ignored the download of Transmission 2.90. Not willing to see if it would grumble on "installation". I assume the payload would be encrypted (A/V client reported file it could not scan when I asked it to scan the downloads folder containing Transmission (& other files)). A/V - yes it should be running, but it does not help much with latest malware (FYI running free version of Avira on OS X).

        1. 45RPM Silver badge

          Re: Arggggg

          @Andy629 - I agree. My apologies - my point wasn't that you should run Anti Virus and you'll be safe if you do - my point was that you should run Anti Virus, FireWalls, a healthy degree of paranoia and mistrust - and try not to use piracy sites (because that's just asking for trouble).

          The internet is like Detroit*. It's a dangerous shithole, but some parts are really very dangerous and other parts are just a bit sketchy. Steer clear of the dangerous parts, and treat the rest of it with suspicion.

          *apologies to residents of Detroit. There may be some very nice parts - but I had to pick on somewhere, and it makes a change from picking on Glasgow**

          **whoops, I did it again.

          1. Palpy

            Re: "...some parts are really very dangerous..."

            "...and some parts are just a bit sketchy."

            Agree mostly, have an upvote, but a really smart group with a powerful script will get more action if they can get their trap set on a hugely popular site -- as has been done on Forbes and Huffington Post, 'mongst others. So the "sketchy" concept here should include just a few expert muggers with full-auto guns lurking in "safe" neighborhoods like Bexley.

            For a long time, the wise have been saying that visiting dodgy sites and downloading promiscuously risks infection. And so it does. But in these dank days, drive-by infections can be had from completely innocuous websites.

            As one of the careful-and-safe, I try to remember not to blame the victim.

          2. Anonymous Coward

            Re: Arggggg, Mac users

            "I agree. My apologies - my point wasn't that you should run Anti Virus and you'll be safe if you do - my point was that you should run Anti Virus, FireWalls, a healthy degree of paranoia and mistrust - and try not to use piracy sites (because that's just asking for trouble)."

            And therein lies the problem: all too many Mac users, after hearing for years how their Apple computers are "virus free", still operate with that blind assumption. They thereby leave themselves open to infection precisely because they do not believe that the common-sense precautions that you quote apply to them.

            I have to hear this crap from my own boss, who runs Macs at home: how he "doesn't have to worry about viruses" and how, after I set up his MacBook for the first time to use Time Machine on our new NAS, that's a "waste of fucking time because I'm backed up to iCloud!" Yes, he knows better, about everything of course, even though he barely knows how to remove a redundant printer from the Control Panel and does not do anything more with his Mac than surf the internet and only very occasionally use Photoshop (which his children use, actually, because he wouldn't know how).

            In other words, the *average* Mac user seems to be a holier-than-thou type, to whom the average concerns of "mere PC users" don't apply. So they are ripe for infections, ransoms and social engineering because they are too stubborn to change their beliefs, because then they would have to admit that 20 years of marketing hype is nothing but exactly that.

  2. Spanky_McPherson

    But what was the original vulnerability?

    The actions taken (i.e. release a new version of the affected application) only make sense if the original vulnerability in the web server has been identified and patched.

    Otherwise, what's to stop this new version from getting infected in the same way?

    You shouldn't use *any* software from this developer until the question is answered: what was the actual vulnerability, and how was it fixed?

  3. Pascal Monett Silver badge

    "malware's executable was smuggled in an .RTF README file"

    An RTF? Is there nothing sacred anymore? Do they have to go and pervert every single aspect of our poor lives?

    Obviously they do.

    1. This post has been deleted by its author

    2. Adam 52 Silver badge

      Re: "malware's executable was smuggled in an .RTF README file"

      It wasn't an rtf file, it was an executable with an rtf file icon.

      1. Doctor_Wibble

        Re: "malware's executable was smuggled in an .RTF README file"

        Was the file actually an executable or was it one of those lovely 'active document' things simply saved with a .RTF extension?

        A batch of 'here is your invoice' emails with .rtf attachments that turned out to be not-quite-identical .docx files with lovely little VB programs arrived over the last week, interestingly mostly via hacked end users on Mexican ISPs. And one actual old-fashioned spam trying to sell me a watch. No really, I swear, those still happen.

        1. Adam 52 Silver badge

          Re: "malware's executable was smuggled in an .RTF README file"

          From the linked report: "It uses an icon that looks like a normal RTF file but is actually a Mach-O format executable file packed with UPX 3.91. "

          1. Dan 55 Silver badge
            Facepalm

            Re: "malware's executable was smuggled in an .RTF README file"

            Oh lordy, Mac OS followed Windows into hiding extensions by default, and look what happened.

            1. NotBob
              Windows

              Re: "malware's executable was smuggled in an .RTF README file"

              Mac OS followed Windows in more ways than one this time.

            2. Fibbles

              Not everything is Windows

              AFAIK OSX, like Linux, uses mime types to determine which program to open a file with. The file extension is just there for the benefit of the meatbag at the other end of the keyboard. It is not guaranteed to be accurate.

              1. Crazy Operations Guy

                "uses mime types to determine which program to open a file with."

                When will someone write some code for file managers to place a warning emblem over the icon when the MIME type doesn't match the file extension. It seems like such an easy thing to write...
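The check asked for in the comment above, sketched as an added example (not part of the original thread and not code from any file manager): it flags files whose extension claims a passive document but whose leading bytes are a Mach-O image, as the quoted report describes. The file names and sample bytes are constructed, and the `UPX!` marker test is a heuristic.

```python
import os
import tempfile

# Leading bytes of Mach-O images as they appear on disk.
MACHO_MAGICS = {
    bytes.fromhex("feedface"): "Mach-O 32-bit (big-endian)",
    bytes.fromhex("cefaedfe"): "Mach-O 32-bit (little-endian)",
    bytes.fromhex("feedfacf"): "Mach-O 64-bit (big-endian)",
    bytes.fromhex("cffaedfe"): "Mach-O 64-bit (little-endian)",
    bytes.fromhex("cafebabe"): "fat/universal binary (or Java class)",
}

# Signatures that a file with a passive-document extension should start with.
DOC_SIGNATURES = {
    ".rtf": (b"{\\rtf",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def classify(path):
    """Return a finding dict when extension and content disagree, else None."""
    ext = os.path.splitext(path)[1].lower()
    expected = DOC_SIGNATURES.get(ext)
    if expected is None:
        return None  # extension not covered by this check
    try:
        with open(path, "rb") as fh:
            head = fh.read(1 << 20)  # first 1 MiB is enough for the checks
        mode = os.stat(path).st_mode
    except OSError:
        return None  # unreadable file: nothing to report here
    if head.startswith(expected):
        return None  # content matches what the extension claims
    return {
        "path": path,
        "claimed": ext,
        "actual": MACHO_MAGICS.get(head[:4], "unrecognised content"),
        "executable_bit": bool(mode & 0o111),
        "upx_marker": b"UPX!" in head,  # heuristic: marker left by UPX packing
    }


def scan(root):
    """Walk a directory tree and collect every extension/content mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            hit = classify(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
    return findings


def build_constructed_samples(root):
    """Write constructed sample files (no real malware bytes) into root."""
    macho = bytes.fromhex("cffaedfe") + b"\0" * 60
    samples = {
        "notes.rtf": b"{\\rtf1\\ansi Hello}",         # genuine RTF header
        "report.pdf": b"%PDF-1.4\n",                   # genuine PDF header
        "README.rtf": macho + b"UPX!" + b"\0" * 16,    # Mach-O magic, .rtf name
        "tool.bin": macho,                             # not a document extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, "README.rtf"), 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_samples(d)
        for f in scan(d):
            print(f)
```
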

              2. Dan 55 Silver badge

                Re: Not everything is Windows

                Rename a file in Terminal and Finder will faithfully treat it differently if the extension changed. That also goes for if you told Finder to show file extensions then rename a file with Finder changing the extension.

                Here the malware seems to be an app bundle dressed up as an rtf file, and if you have extensions hidden (as they are by default) then you're not going to know unless you realise the context menu options and properties are appropriate for apps.

                Not good design.

          2. Doctor_Wibble

            Re: "malware's executable was smuggled in an .RTF README file"

            > From the linked report

            D'oh, I should have looked before posting...

      2. Anonymous Coward

        Re: "malware's executable was smuggled in an .RTF README file"

        ... but with an rtf extension as well so to all intents and purposes would convincingly look like one when seen in the GUI, even for those who force all file extensions to be shown.

  4. Spanky_McPherson

    How to mitigate the encryption malware?

    I like the way the malware can encrypt Time Machine backups.

    I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware.

    I believe this configuration works, but is unsupported by Apple.

    1. Anonymous Coward

      Belt and braces

      "I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware."

      In addition to TM backups I use SuperDuper to take regular clones of my system to sparse images residing on Illumos with ZFS and regular snapshots. This works nicely.

      The sparse images are only online when I want them to be, and should my Time Machine disks fail or fumble fingers do their worst, I have other backups.

    2. Anonymous Coward

      Re: How to mitigate the encryption malware?

      "I am considering changing my Time Machine configuration so that it writes to a Linux box on the network rather than an external disk, and where I can take daily ZFS snapshots of it - presumably this would mitigate against this type of malware."

      Or just use a USB stick or plug in drive which has a nice air gap between the malware and your data.

      1. HollyHopDrive

        Re: How to mitigate the encryption malware?

        I do all my torrent downloading from a Linux VM on my Mac (nothing dodgy, Linux images and the like). One of the reasons is exactly that. While it's not guaranteed to keep you safe on its own, it's an extra layer of security and separation, and if my VM gets trashed, just restore from the snapshot. It's 20gb of my hard disk I'm happy to give up on the off chance. I don't install much on my Mac unless I'm 100% sure it's safe as it can be. I.e. office, chrome. Everything else it's a VM and I'll live with the marginal performance drop off.

        Regular(ish) USB drive backups (multiple drives) helps mitigate losing it all too.

        Seems my paranoia may be justified....

  5. Matthew 17

    being thick...

    You don't install transmission, it's a stand alone app. Nor do you run it as root or grant it privileges. Is it just scrambling the users docs in their home directory, so any backup would be fine to recover or is it able to encrypt the attached volume(s) if so, how?

    1. Dan 55 Silver badge

      Re: being thick...

      The nobbled version of Transmission puts an executable in the Library directory in the user's home directory. That process could encrypt any document the user has read/write access to, it just depends if it's programmed so that it searches other volumes too. Assume the worst.

      You'd need to panic if you see kernel_service in activity monitor or in the ~/Library directory (~/Library is now helpfully hidden by default, Choose Go from the Finder menu to find it).

  6. Anonymous Coward

    Ransomware is probably the single biggest threat to the world of computers and devices which IMO for the perpetrators justifies extraordinary rendition, water boarding, orange jump suits and the re-population of Guantanamo Bay with no possibility of parole.

    1. Anonymous Coward

      "Ransomware is probably the single biggest threat to the world of computers and devices [owned by idiots]"

      There, FTFY.

      Anyone with a working brain does frequent versioned backups to multiple locations, preferably with an air gap or at least no semi-permanent connection that can be exploited like with Time Machine.

      1. Halfmad

        Nice attitude,

        Relying on backups and not addressing the core problem though - that ransomware does happen and preventing it from doing so is equally idiotic. Must be lonely up on your high horse, cuddling those back ups.

        1. Anonymous Coward

          " Must be lonely up on your high horse, cuddling those back ups."

          Lonely? I'm glad you think so highly of me that you assume I'm the only person who's heard of backups. Perhaps you should enlighten yourself about them.

          1. WolfFan Silver badge

            You got downvoted for being on the high horse, though it looks more like a mangey donkey from here. Everyone here's heard of backups. This particular bit of malware deliberately delayed starting up so that it could be included in this weekend's backups.

            1. Anonymous Coward

              "You got downvoted for being on the high horse,"

              "Being on the high horse" - translation: Someone making out an obvious point to idiots who don't appreciate being reminded of their own stupidity.

              "This particular bit of malware deliberately delayed starting up so that it could be included in this weekend's backups."

              Duh, that's why you keep multiple versioned backups Booboo! Oh, and you do checksum and compare your important data before you back it up, right? No? Why doesn't that surprise me.

              Christ, it really is idiot week on here.

              1. James O'Shea

                boltar, m'man, you're in dire need of an attitude transplant. Right now you're making Donnie Trump look like Francis of Assisi.

      2. Locky
        Joke

        Or....

        "Idiot Users are probably the single biggest threat to the world of computers and devices"

        There, FTFTFY

  7. Anonymous Coward

    Oh dear, how sad, never mind.

    People get infected by running software designed and used mostly for pirating?

    Hard to feel any sympathy there...

    (Go on, down vote me for daring to tell the truth)

    1. Anonymous Coward

      Re: Oh dear, how sad, never mind.

      I'll downvote you for talking crap, bittorrent is a very useful protocol.

      Read on:

      https://torrentfreak.com/apple-is-running-bittorrent-trackers-in-cupertino-160306/

      1. Anonymous Coward

        Re: Oh dear, how sad, never mind.

        "I'll downvote you for talking crap, bittorrent is a very useful protocol."

        Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?

        1. Bloakey1

          Re: Oh dear, how sad, never mind.

          "Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?"

          I think that if we extrapolate your theory further we can find the real culprit. Computers!!!! Everybody in the world using a computer is a nasty software thief, hacker, etc.

          Ban all computers I say, think of the children.

        2. John Brown (no body) Silver badge

          Re: Oh dear, how sad, never mind.

          "Riiight, because most of the people using it are doing so for the benefit of humanity. Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?"

          The same can be said for other protocols. The majority of email is spam of varying degrees of criminality. So do we assume that the majority of email users are spammers? Your "logic" says yes.

        3. JLV
          Facepalm

          Re: Oh dear, how sad, never mind.

          >Nothing to do with not wanting to pay for media. No, no, that's a vicious rumour put out by The Man. Right?

          Totally agree. Let's shut down the internet because people use it for piracy.

          Moss - "Jen - hand over 'The Internet'. We need to take it down"

          Now, what I am more curious about is whether you could catch this kinda crap via HomeBrew/Port of innocent proggies. Hopefully the folks looking after those repositories are on the ball. This particular snafu sounds like a good wake up call for all.

    2. Wyrdness

      Re: Oh dear, how sad, never mind.

      I very nearly downloaded Transmission for my Mac this weekend. The reason being that I've just bought a Pi 3 for my 7 year old and was downloading Raspbian. There's an option for downloading via bittorrent. Since the http download was going very slowly, I considered downloading Transmission and using that instead. In which case, I'd have ended up with this malware on my Mac.

      There are other open source projects (Libreoffice springs to mind) that provide torrents for downloading, so there are certainly legitimate uses for installing Transmission.

      So I hope that you're downvoted to the pits of hell, where you obviously belong.

  8. Joerg

    So now official websites have files with viruses, uh?

    And so who is behind this scam?

    Who compiled the virus inside the binary for distribution of the torrent client ?

    It is not on some pirate website in an unknown country. It is an official distribution for a torrent client used by NAS manufacturers too. Transmission is installed everywhere.

    What is going on really?

    1. NeverMindTheBullocks

      Re: So now official websites have files with viruses, uh?

      What's going on is that Transmission was specifically targeted by the scammers in the knowledge that it is widely used around the world. Exactly how they managed it remains to be seen, but fundamentally they set out to break into the distribution of Transmission and upload a malware infected version signed with a revoked but otherwise legitimate looking developer certificate.

      You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money.

      1. Anonymous Coward

        Re: So now official websites have files with viruses, uh?

        "You can put the tinfoil hat away. There is no great conspiracy here. Just a particularly cunning exploit of a popular application by scammers looking to make money."

        Exactly! Same thing happened with Linux recently. It's just hackers changing attack vector, looking for new and easy 'central' targets to boost the spread of their malware / botnet (ego...)

  9. PassiveSmoking

    Does this affect people who downloaded a new version via Transmission's auto-update mechanism as well, or is it just people who downloaded it from the website?

    1. WolfFan Silver badge

      Apparently it's just those who downloaded the full installer. If you ran the updater and everything went well, you're okay. If you ran the updater and had a problem and had to use the full installer, you're in trouble. If you just got the full installer, you're in trouble. If you're like me and haven't updated in a long time, you're okay.

      1. PassiveSmoking

        Yeah, first thing I did when I got home was triple-check everything on the list of signs I'd been infected, none of the described symptoms showed up.

        I've shit-canned Transmission anyway though, a) to be on the safe side and b) because my trust in them has been destroyed. Also running a very thorough virus/malware scan that's probably going to take until tomorrow.

  10. Nifty Silver badge

    Checksums anyone?

    First Mint now Transmission. Is there no SIMPLE way to compare hash checksums against a less-likely to be hacked reference source? Will we be needing a blockchain system to verify what we download in future?

    1. Seajay#

      Re: Checksums anyone?

      I'm not sure any amount of checksum / hash wizardry would have helped.

      If attackers manage to sneak a malicious file in to your repository and the person on the Transmission team who does the release doesn't notice, then adding steps to the release process where they send a hash to an external website wouldn't help, unless the external website independently verifies that there is nothing bad in the installer.

      I guess one of the big AV companies could offer an automated service that signs a particular release to say "Free of known viruses as at 14:49 7 March 2016". That seems like a big risk for the AV company though, eventually they are bound to sign something which later turns out to be malware.

    2. Charlie Clark Silver badge

      Re: Checksums anyone?

      The problem is where is your reference source for a download from a web page?

      Most software distribution systems, including Transmission's update procedure, use hashes to make sure that what's downloaded is what it should be. And many websites/ftp sites provide the hashes in various forms so you can check. However, how many of us bother to do this with everything we install? Developer credentials are supposed to work around this so the user has to okay the unverifiable install.

      Sounds like a well-planned and well-executed scam:

      1) hack the website so that a different file is offered

      2) hack the credentials so that the download can bypass OS protection mechanisms

  11. Anonymous Coward

    Typical Apple.....

    .....Even their malware is unreasonably more expensive than the competition.

  12. Kevin McMurtrie Silver badge

    Well, it's good to know that my 10.6.8 computers, long ago abandoned by Apple, are now too old for modern Malware. I couldn't upgrade Transmission because of system requirements.

  13. Anonymous Coward

    MD5 hash?

    Would it have helped if the site owners published an MD5 hash so that the downloaded application file could be checked against this using an appropriate tool? Granted that some folks would ignore this and also that the onsite MD5 hash itself could be tampered with in the same way the file was.
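The point raised in the "Checksums anyone?" thread and in the MD5 comment above, as an added example (not part of the original thread): a digest served from the same site as the download is not counted as evidence, and any disagreement with an off-site reference rejects the file. SHA-256 is used here in place of MD5, and the host names, file name and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large disk images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, download_origin, references):
    """references: (origin, hex_digest) pairs collected by the user.

    A digest from the same origin as the file is recorded but never treated
    as independent evidence, because whoever replaced the file could have
    replaced that digest too.
    """
    actual = sha256_file(path)
    independent, mismatched = [], []
    for origin, digest in references:
        if not hmac.compare_digest(actual, digest.strip().lower()):
            mismatched.append(origin)
        elif origin != download_origin:
            independent.append(origin)
    if mismatched:
        return "REJECT", "digest mismatch against: " + ", ".join(mismatched)
    if not independent:
        return "UNVERIFIED", "only same-origin digests available"
    return "OK", "matches independent source(s): " + ", ".join(independent)


def demo():
    """Constructed scenario: file and on-site digest are swapped together."""
    clean = b"constructed clean release"
    tampered = b"constructed tampered release"
    clean_digest = hashlib.sha256(clean).hexdigest()
    bad_digest = hashlib.sha256(tampered).hexdigest()
    site, mirror = "download.example.org", "mirror.example.net"  # placeholders
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.dmg")
        with open(path, "wb") as fh:
            fh.write(tampered)
        # Only the (tampered) on-site digest is consulted: it matches.
        only_site = verify_download(path, site, [(site, bad_digest)])
        # An off-site reference still holds the digest of the real release.
        with_mirror = verify_download(
            path, site, [(site, bad_digest), (mirror, clean_digest)]
        )
        with open(path, "wb") as fh:
            fh.write(clean)
        good = verify_download(
            path, site, [(site, clean_digest), (mirror, clean_digest)]
        )
    return only_site[0], with_mirror[0], good[0]


if __name__ == "__main__":
    print(demo())
```

This covers a file swapped on the download server; it does not cover the case Seajay# describes, where the malicious file is already in the release when the digest is computed.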

  14. Anonymous Coward

    bromium for anti malware

    Check out bromium.com - they need to make this available to joe public, not just corporates

    1. Seajay#

      Re: bromium for anti malware

      The reason Bromium isn't available for joe public is that it wouldn't help you outside of a centrally managed IT environment. It runs your browser and email client in VMs so that nothing your browser does can permanently affect your computer. However, if you've downloaded the Transmission installer you WANT that to permanently affect your computer, you want to install Transmission. Bromium would prevent that.

      If you want that level of security plus the ability to install your own software, you want Qubes.
