Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
First Mac Ransomware Found in Transmission BitTorrent Client
- Thread starter MacRumors
- Start date
- Sort by reaction score
I was under the impression that Macs are immune from virus/malware/ransomware. Or am I just being naive?
Viruses are non-existent. I'm aware of zero "drive-by" infections where something auto-installs without your knowledge. Everything on Mac is a Trojan. Trojans require an installer to run (think of something asking for your admin password to install, such as Office, XCode, Adobe, etc.).
THIS particular issue is worse than a Trojan, but not exactly a virus. It didn't "install." You didn't use your admin password. Instead, hackers got to the actual program and added some nastiness to it.
The nastiness of this particular issue is a one-two punch.
One – it got on your Mac without an admin password. Scary enough.
Two – it's ransom-ware. That **** is even scarier. All your most valuable and precious files encrypted. Gone... more or less. Unless you pay up and, even then, who's to say your files will be given back.
So, while I'm still not scared of a website infecting my Mac like it can (still) happen on Windows, it does mean you should be cautious (and so should developers). That said, I'm still not worried about installing antivirus. The Mac community and Apple tend to jump on this **** before it gets horrible.
For the sake of simplicity, I believe you have to install the Transmission app to have this infection happen, if one has never run the installer you would be in the clear.
What about a process that says "kernel_task"? Is that normal? It shows 715.2 MB, 113 threads, 0 ports, 0 PID, User Root.
Everything is grayed out so I cannot select any options on it.
I had transmission installed previously, and upgraded to the latest version through the automatic pop-up window prompting me to upgrade. I did not go to the website.
Everything is grayed out so I cannot select any options on it.
I had transmission installed previously, and upgraded to the latest version through the automatic pop-up window prompting me to upgrade. I did not go to the website.
Well, ok, you make a good point. Was it an installer asking for your admin password? If so, then it's easy to avoid. I don't *install* many items and if an app that normally doesn't need an installer all of a sudden wanted to use one, I'd wonder why.
On sites like MacUpdate, they use an installer for Firefox. Firefox doesn't require an installer, thus MacUpdate is installing something along with Firefox. Installers are red flags in many cases.
This weekend, a notice appeared on Transmissionbt.com warning users that version 2.90 of the popular Mac BitTorrent client downloaded from their site may have been infected with malware. The warning reads:Reuters reports that the infected download contained the first "Ransomware" found on the Mac platform. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to unencrypt it. This type of attack has been increasingly popular on the PC, but this is the first time it has been seen on the Mac.
According to Reuters, Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."
The malware in question is said to delay encrypting the user's hard drive for 3 days, so we may see the first reports of those affected as early as Monday. Transmissionbt.com offers instructions on how to see you are affected (above). If you don't use the Transmission software, there is nothing you need to do at this time.
Article Link: First Mac Ransomware Found in Transmission BitTorrent Client
This weekend, a notice appeared on Transmissionbt.com warning users that version 2.90 of the popular Mac BitTorrent client downloaded from their site may have been infected with malware. The warning reads:Reuters reports that the infected download contained the first "Ransomware" found on the Mac platform. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to unencrypt it. This type of attack has been increasingly popular on the PC, but this is the first time it has been seen on the Mac.
According to Reuters, Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."
The malware in question is said to delay encrypting the user's hard drive for 3 days, so we may see the first reports of those affected as early as Monday. Transmissionbt.com offers instructions on how to see you are affected (above). If you don't use the Transmission software, there is nothing you need to do at this time.
Update: Technical details about the malware.
Update 2: Transmissionbt.com says version 2.92 of Transmission will actively remove the malware.
Article Link: First Mac Ransomware Found in Transmission BitTorrent Client
This is not the first ever ransomware to attack Macs. Last year my wife's Mac got hit by one that demanded $500.00 in Bitcoin. Thankfully, we have Time Machine always on and recovered within a day. The Caveat is this: She needed to run MS Windows on Parallels on her Mac for her business software at the time. I am pretty sure it was a Windows-side attack that encrypted her Mac side because we had set up sharing between the virtual machine and the Mac OS. I wanted to literally get my hands on whatever moron that wrote this ransomware and kick his butt. But again, to me it is misleading to say that this is the first ever ransomware to get a Mac when in fact it can hit a Mac from the Windows side if you have it.
Maybe we can stop hearing some blindly preach about fast updates. Fast updates is like first ones to cross a minefield. I make it a habit to wait a few days to let others be the guinea pig.
Can someone who had this malware on their computer confirm if they ran an installer for Transmission? By installer, I mean it asks for your admin password? OR, did you simply drag the file to your Applications folder?
I have a 1 week old MacBook Pro and installed a ton of apps over the last week. I'm 99% sure I installed Transmission on Thursday, March 3rd. I don't see the process running, so at this point I have installed the new version to run the fix, just in case, and uninstalled it completely from my Mac.
Just crazy to think I evidently narrowly missed this by about 24 hours.
Just crazy to think I evidently narrowly missed this by about 24 hours.
I remember when I found out that I had a mac infected with the old Scores virus. Some people here probably weren't even born at that time.
I was horrified, but it didn't do any damage. I was librarian for a Mac user group, and probably got it from their disks.
You knew it was going to happen. Now we see how quickly Apple handles it from their end.
I was horrified, but it didn't do any damage. I was librarian for a Mac user group, and probably got it from their disks.
You knew it was going to happen. Now we see how quickly Apple handles it from their end.
Why does everyone here even have BitTorrent ? I thought it was just used to illegally download media ?
How do we know 2.91 or 2.92 aren't just the same folks that uploaded the bad version, using the publicity and fact that everyone is going to update to get more people to install a further infected build?
Use the fear of even those not infected to get even more to install further infected builds. It'd be a brilliant move.
Don't spread FUD.
That makes absolutely no sense. Apple has nothing at all to do with this story.
This really has nothing at all to do with Apple.
The bad update was put there with a link through a website hack, and the bad app was signed by an entirely different certificate than the one Transmission uses. That certificate has been revoked. Transmission's certificate was never compromised, nor was their legitimate builds. It would be like if I sent you an email attachment and you installed it, thinking I was really a Nigerian prince sending you a confirmation of a wire transfer. The real Nigerian prince trying to send you money hasn't actually done anything wrong except fail to secure his email server properly (which is quite understandable, considering his father just got deposed and he's a bit distracted trying to get his family to safety).
Transmission's front end, their website, was just the most vulnerable point of attack. Their back end development machines etc. are secure and can continue to produce secure software. Their distribution to probably 99% of their users through in-app updates was never compromised, and it was just the few people who downloaded directly from their compromised website in the last few days were affected.
You mean 2.90. That is the version that was compromised. They quickly replaced it with 2.91, which is safe, and then 2.92 which specifically removes the problem caused by 2.90.
I wouldn't take any chances, and download 2.92 as soon as possible.
This has been addressed many times already in the topic. Chances are you yourself have used bittorrent and never even realized it. It's just a protocol, used all over the place, and it's a legitimate distribution channel for a great many things.
So people only die in car crashes that happen on the other end of the country?
Your argument doesn't make any sense...
Condemning bittorrent because it's used by pirates is like condemning POP3 because it's used by spammers. Yeah, there's a significant number of people using the protocol for that purpose, but it's far from its only use.
Quite a small time frame to be infected, and 2.90 is out from a while...
Let's not try and deny that 99.5% of torrent use is for porn
Apple should really introduce a feature to show certificate of a program installer, just like Windows Vista and above does when popping up UAC control window.
And, never believe Mac OS X is virus-free. Mac now becomes a new vulnerable platform, like Windows, although malware/virus are not that many as Windows counterpart.
[doublepost=1457332654][/doublepost]
And, never believe Mac OS X is virus-free. Mac now becomes a new vulnerable platform, like Windows, although malware/virus are not that many as Windows counterpart.
[doublepost=1457332654][/doublepost]
Like a backup to external disk, not internal disk. I remember this is a recommended practice to keep backup separately stored elsewhere.