I was under the impression that Macs are immune from virus/malware/ransomware. Or am I just being naive? :(

Viruses are non-existent. I'm aware of zero "drive-by" infections where something auto-installs without your knowledge. Everything on Mac is a Trojan. Trojans require an installer to run (think of something asking for your admin password to install, such as Office, Xcode, Adobe, etc.).

THIS particular issue is worse than a Trojan, but not exactly a virus. It didn't "install." You didn't use your admin password. Instead, hackers got to the actual program and added some nastiness to it.

The nastiness of this particular issue is a one-two punch.
One – it got on your Mac without an admin password. Scary enough.
Two – it's ransomware. That **** is even scarier. All your most valuable and precious files encrypted. Gone... more or less. Unless you pay up and, even then, who's to say your files will be given back.

So, while I'm still not scared of a website infecting my Mac like it can (still) happen on Windows, it does mean you should be cautious (and so should developers). That said, I'm still not worried about installing antivirus. The Mac community and Apple tend to jump on this **** before it gets horrible.
 
For the sake of simplicity, I believe you have to install the Transmission app to have this infection happen, if one has never run the installer you would be in the clear.
 
What about a process that says "kernel_task"? Is that normal? It shows 715.2 MB, 113 threads, 0 ports, 0 PID, User Root.

Everything is grayed out so I cannot select any options on it.

I had Transmission installed previously, and upgraded to the latest version through the automatic pop-up window prompting me to upgrade. I did not go to the website.
 
For the sake of simplicity, I believe you have to install the Transmission app to have this infection happen, if one has never run the installer you would be in the clear.

Well, ok, you make a good point. Was it an installer asking for your admin password? If so, then it's easy to avoid. I don't *install* many items and if an app that normally doesn't need an installer all of a sudden wanted to use one, I'd wonder why.

On sites like MacUpdate, they use an installer for Firefox. Firefox doesn't require an installer, thus MacUpdate is installing something along with Firefox. Installers are red flags in many cases.
 
Can anyone suggest a reliable torrent app to download the Transmission 2.92 update torrent? Wait!
 



[image: transmission-29.png]

This weekend, a notice appeared on Transmissionbt.com warning users that version 2.90 of the popular Mac BitTorrent client downloaded from their site may have been infected with malware. The warning reads:

Reuters reports that the infected download contained the first "Ransomware" found on the Mac platform. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to unencrypt it. This type of attack has been increasingly popular on the PC, but this is the first time it has been seen on the Mac.

According to Reuters, Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."

The malware in question is said to delay encrypting the user's hard drive for 3 days, so we may see the first reports of those affected as early as Monday. Transmissionbt.com offers instructions on how to see if you are affected (above). If you don't use the Transmission software, there is nothing you need to do at this time.

Article Link: First Mac Ransomware Found in Transmission BitTorrent Client

Update: Technical details about the malware.

Update 2: Transmissionbt.com says version 2.92 of Transmission will actively remove the malware.




This is not the first ever ransomware to attack Macs. Last year my wife's Mac got hit by one that demanded $500.00 in Bitcoin. Thankfully, we have Time Machine always on and recovered within a day. The caveat is this: she needed to run MS Windows on Parallels on her Mac for her business software at the time. I am pretty sure it was a Windows-side attack that encrypted her Mac side because we had set up sharing between the virtual machine and the Mac OS. I wanted to literally get my hands on whatever moron wrote this ransomware and kick his butt. But again, to me it is misleading to say that this is the first ever ransomware to get a Mac when in fact it can hit a Mac from the Windows side if you have it.
 
Maybe we can stop hearing some blindly preach about fast updates. Fast updates are like being the first ones to cross a minefield. I make it a habit to wait a few days to let others be the guinea pig.
 
Can someone who had this malware on their computer confirm if they ran an installer for Transmission? By installer, I mean it asks for your admin password? OR, did you simply drag the file to your Applications folder?
 
I have a 1 week old MacBook Pro and installed a ton of apps over the last week. I'm 99% sure I installed Transmission on Thursday, March 3rd. I don't see the process running, so at this point I have installed the new version to run the fix, just in case, and uninstalled it completely from my Mac.

Just crazy to think I evidently narrowly missed this by about 24 hours.
 
I remember when I found out that I had a mac infected with the old Scores virus. Some people here probably weren't even born at that time.

I was horrified, but it didn't do any damage. I was librarian for a Mac user group, and probably got it from their disks.

You knew it was going to happen. Now we see how quickly Apple handles it from their end.
 
How do we know 2.91 or 2.92 aren't just the same folks that uploaded the bad version, using the publicity and fact that everyone is going to update to get more people to install a further infected build? o_O

Use the fear of even those not infected to get even more to install further infected builds. It'd be a brilliant move.

Don't spread FUD.

Are we sure this is not an act by the DOJ or its lackeys (ex. FBI) paying Apple a sample of things to come?

After all the download is from the app's legitimate site - you just have to force/bribe one person inside!

This is meant as a talking point - hope it is not anywhere close to reality!

That makes absolutely no sense. Apple has nothing at all to do with this story.

Wonder how many different, valid Apple developer certificates these folks have?

Apple already revoked the one that they used to sign the first 'bad version'.

I'm guessing the whole Transmission update process will be under Apple's microscope for a bit. I'd be very surprised if anything bad gets up there and doesn't get quickly noticed and then revoked again.

This really has nothing at all to do with Apple.

The bad update was put there with a link through a website hack, and the bad app was signed by an entirely different certificate than the one Transmission uses. That certificate has been revoked. Transmission's certificate was never compromised, nor were their legitimate builds. It would be like if I sent you an email attachment and you installed it, thinking I was really a Nigerian prince sending you a confirmation of a wire transfer. The real Nigerian prince trying to send you money hasn't actually done anything wrong except fail to secure his email server properly (which is quite understandable, considering his father just got deposed and he's a bit distracted trying to get his family to safety).

Transmission's front end, their website, was just the most vulnerable point of attack. Their back end development machines etc. are secure and can continue to produce secure software. Their distribution to probably 99% of their users through in-app updates was never compromised, and it was just the few people who downloaded directly from their compromised website in the last few days who were affected.

Does this only affect those who downloaded TransmissionBT since March 4th of version 2.9.1 only? I remember I downloaded 2.9.0 on February 28th... I take it that version/copy is safe?

You mean 2.90. That is the version that was compromised. They quickly replaced it with 2.91, which is safe, and then 2.92 which specifically removes the problem caused by 2.90.

I wouldn't take any chances, and download 2.92 as soon as possible.

Why does everyone here even have BitTorrent? I thought it was just used to illegally download media?

This has been addressed many times already in the topic. Chances are you yourself have used BitTorrent and never even realized it. It's just a protocol, used all over the place, and it's a legitimate distribution channel for a great many things.
 
Damn there are many people here who can't read the OP.

No, if you don't use the software you are not affected. You don't die from car crashes that happen at the other end of the country.

So people only die in car crashes that happen on the other end of the country?

Your argument doesn't make any sense...
 
Apple should really introduce a feature to show the certificate of a program installer, just like Windows Vista and above do when popping up the UAC control window.
And never believe Mac OS X is virus-free. The Mac has now become a new vulnerable platform, like Windows, although there is not nearly as much malware as on its Windows counterpart.
While it remains unclear whether this particular malware encrypts backups, it's a risk with any ransomware. Some of the Windows ransomware families delete "shadow copies", which is a Time Machine-like feature. The only true backup is an offline, offsite backup.
Like a backup to an external disk, not an internal disk. I remember this is a recommended practice: keep the backup separately, stored elsewhere.
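Two points in this thread lend themselves to a concrete check: the reply explaining that the bad build was signed with an entirely different certificate from Transmission's own (which Apple then revoked), and the wish just above for a way to see an installer's certificate. The following POSIX shell script is an added example written for this page; it is not from the thread, from MacRumors or from the Transmission project. It uses Apple's codesign and spctl tools, which exist on every Mac, to confirm that a downloaded app bundle verifies, is signed by the Developer ID team you expect, and is still accepted by Gatekeeper. The team IDs, app paths and the embedded codesign output are constructed placeholders, not Transmission's real values.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Transmission project.
# Verifies that a macOS app bundle is signed by the expected Developer ID
# team, using Apple's codesign and spctl tools. The sample codesign output,
# the team IDs and the app paths below are constructed placeholders.

# Constructed sample of `codesign -dvvv` output for a correctly signed build.
SAMPLE_GOOD='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample for a build re-signed with someone else's certificate:
# the chain still verifies, only the signing identity differs.
SAMPLE_RESIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Unrelated Dev (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999'

# Print the TeamIdentifier value from codesign output read on stdin.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Print the leaf signing certificate (first Authority= line) from stdin.
leaf_authority_from_codesign() {
    sed -n 's/^Authority=//p' | head -n 1
}

# check_team EXPECTED_TEAM CODESIGN_OUTPUT
# Succeeds only when the output names exactly the expected team ID.
check_team() {
    actual=$(printf '%s\n' "$2" | team_id_from_codesign)
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# check_app APP_PATH EXPECTED_TEAM
# Live check on macOS: the signature must verify, the team must match, and
# Gatekeeper must accept the bundle. A valid signature alone is not enough,
# since a tampered build can be signed with a different, still-valid identity.
check_app() {
    app=$1
    expected=$2
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature does not verify: $app"
        return 1
    fi
    out=$(codesign -dvvv "$app" 2>&1)
    if ! check_team "$expected" "$out"; then
        echo "FAIL: signed by '$(printf '%s\n' "$out" | leaf_authority_from_codesign)', expected team $expected"
        return 1
    fi
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app (certificate may have been revoked)"
        return 1
    fi
    echo "OK: $app is signed by team $expected and accepted by Gatekeeper"
}

# Usage on a Mac: sh check_app.sh /Applications/Example.app ABCDE12345
if [ "$#" -ge 2 ] && command -v codesign >/dev/null 2>&1; then
    check_app "$1" "$2"
fi
```

The expected team ID is something you record once from a build you trust (the value after `TeamIdentifier=` in `codesign -dvvv`) and compare against on every later download; a build signed by a different developer, as happened here, fails the second step even though its signature is otherwise valid. The spctl step catches the case the article describes, where Apple revokes the certificate after the fact: Gatekeeper then rejects the bundle even if it verified when first downloaded.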
 