How can I check my updated XProtect?

Click your Desktop then hit shift-command-g (all three keys at once) then paste in the file path below and return. Then scroll down to xprotect.plist in the Finder window and select the file. Then press the space bar to Quicklook the file contents. You can see the latest updates at the top of the file.

Code:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
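The same check done from Terminal, as an added example rather than something from the post above. The path is the one given in the post (the file is actually named XProtect.plist, capital X and P); the signature name to search for, KeRanger, is an assumption based on what this thread is about, and the Description-key layout of the plist is assumed from how the file looked at the time.

```sh
#!/bin/sh
# Added example, not from the original post: inspect XProtect.plist from the shell.
# XPROTECT_PLIST can be overridden to point at a copy of the file, e.g. from a backup.
XPROTECT_PLIST="${XPROTECT_PLIST:-/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist}"

# xprotect_has_entry <plist-path> <name>
# Exit status 0 if <name> appears anywhere in the plist, 1 if it does not,
# 2 if the file cannot be read (wrong path or permissions).
xprotect_has_entry() {
    plist="$1"
    name="$2"
    [ -r "$plist" ] || return 2
    grep -q "$name" "$plist"
}

# xprotect_list_signatures <plist-path>
# Prints the <string> that follows each <key>Description</key>, i.e. one
# signature name per line (assumed layout: the string is on the next line).
xprotect_list_signatures() {
    awk '/<key>Description<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print }' "$1"
}

# Only run against the real file when it exists (it will not on a non-Mac box).
if [ -r "$XPROTECT_PLIST" ]; then
    printf 'Signatures in %s:\n' "$XPROTECT_PLIST"
    xprotect_list_signatures "$XPROTECT_PLIST"
    if xprotect_has_entry "$XPROTECT_PLIST" KeRanger; then
        echo "XProtect has a KeRanger entry"
    else
        echo "no KeRanger entry in XProtect yet"
    fi
fi
```

Run it as `sh xprotect_check.sh`; to test it against a different copy of the file, set `XPROTECT_PLIST=/path/to/XProtect.plist` in front of the command. A missing entry means the silent background update has not landed yet, not that the file is corrupt.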
 
So I'm pretty sure I'd downloaded the infected version from their site. I never launched the app after installing (I'm not a BT user for any illegal stuff), and I don't see the process in my Activity Monitor. I've deleted the previous install using AppCleaner and installed 2.91. Anything else I need to do? Does it infect upon install or upon launching the app?
 
Doesn't this situation make you very angry at Apple? It's all Apple's fault.

We have to deal with this crap because of Apple and Apple alone. Why? Mac App Store.

Not only is the MAS terrible as an app itself, those stupid restrictions that even Apple doesn't respect (see Xcode) only mean that Mac users won't get a trustworthy download/install/update/uninstall method and a single trustworthy place to get their software from.

Transmission is one of those apps that make a Mac "worthy". A true classic app. Beautiful, lightweight, great functional interface.

It's time for our stores to get the "native" treatment (itunes too) and for Apple to change their policies not only what is/isn't allowed as an app, but what permissions/restrictions the app gets.

Then, we can have a single, trustworthy, place to download software from.
 
So I'm pretty sure I'd downloaded the infected version from their site. I never launched the app after installing (I'm not a BT user for any illegal stuff), and I don't see the process in my Activity Monitor. I've deleted the previous install using AppCleaner and installed 2.91. Anything else I need to do? Does it infect upon install or upon launching the app?

Upon launch, it would seem.
 
So let me show you what this looks like. Little Snitch probably saved my butt yesterday.
Picture: an onion link from an unknown process that sounds like kernel but isn't? Onion links are from Tor, which I never installed.

Then again, how could it be Transmission, when the in-program update service itself (called Sparkle) was called insecure just before?
https://vulnsec.com/2016/osx-apps-vulnerabilities/
So I thought, of course I will take the secure road and download the program from the developer's webpage. Aaaand pwnd.

Guys, now is the moment to read https://github.com/drduh/OS-X-Security-and-Privacy-Guide and slowly take in the many links. Oh and backups, obviously.

I did a clean install and hope that luck stays with me. "That luck" btw is called Little Snitch. See picture. Also http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/

Godspeed to those infected.
 

Attachment: Bildschirmfoto 2016-03-05 um 09.15.01.png (Little Snitch screenshot)
Click your Desktop then hit shift-command-g (all three keys at once) then paste in the file path below and return. Then scroll down to xprotect.plist in the Finder window and select the file. Then press the space bar to Quicklook the file contents. You can see the latest updates at the top of the file.

Code:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
Thanks. :)

But there is no such entry in the file. How can I update the XProtect file?
 
Just dodged that one. I installed Transmission from their website, but on Thursday, which is before the infected file was uploaded.

I did nuke the entirety of Transmission from the computer, library and all, will reinstall later when they've proven it safe. Also checked for the process as recommended didn't see it.
 
A lot of very detailed information can be found here.

Especially helpful the section detailing how to determine if you have the infected version:

  1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If either of these exists, the Transmission application is infected and we suggest deleting this version of Transmission.
  2. Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process, choose “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
  3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
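The three steps above as a shell script, added here as an example; this is not code from the Palo Alto Networks report or from the Transmission project. The indicator paths and the process name are the ones listed in the quoted steps. The bundle and Library locations are taken as parameters so the checks can be pointed at a mounted disk image, a backup or a scratch directory; `pgrep` and `lsof` are used for the Activity Monitor steps, and the script only reports, it does not delete anything.

```sh
#!/bin/sh
# Added example: the KeRanger indicator checks from the quoted report as shell
# functions. Not the report's own code; indicator names come from the report.

# Step 1: an infected copy of Transmission 2.90 carries
# Contents/Resources/General.rtf inside the app bundle.
# keranger_check_bundle <path to Transmission.app>   -> 0 if the file is present
keranger_check_bundle() {
    [ -e "$1/Contents/Resources/General.rtf" ]
}

# Step 2: a running process named kernel_service. Prints its pid and, where
# lsof is available, the open-file line that Activity Monitor shows under
# "Open Files and Ports". Returns 0 if the process exists.
keranger_check_process() {
    pid=$(pgrep -x kernel_service 2>/dev/null | head -n 1)
    [ -n "$pid" ] || return 1
    echo "kernel_service is running as pid $pid"
    lsof -p "$pid" 2>/dev/null | grep '/Library/kernel_service' || true
    return 0
}

# Step 3: leftover files in ~/Library. Prints each one found; returns 0 if
# at least one exists.
# keranger_check_library <Library directory>
keranger_check_library() {
    found=1
    for f in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$1/$f" ]; then
            echo "$1/$f"
            found=0
        fi
    done
    return $found
}

# Run all three against the locations named in the report. Returns 0 only
# when nothing was found.
keranger_scan() {
    status=0
    for app in /Applications/Transmission.app /Volumes/Transmission/Transmission.app; do
        if keranger_check_bundle "$app"; then
            echo "INFECTED BUNDLE: $app"
            status=1
        fi
    done
    if keranger_check_process; then
        status=1
    fi
    if keranger_check_library "$HOME/Library"; then
        status=1
    fi
    return $status
}

keranger_scan && echo "No KeRanger indicators found"
```

If the scan reports anything, quit the process first (step 2), then delete the app bundle and the ~/Library files; deleting the files while kernel_service is still running just leaves it to recreate them.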
 
That's worrying. You're encouraged to constantly keep your applications and OS updated, but recently that's becoming troublesome. First with Apple's silent security update disabling wired networks and now this! Worrying year for security this.

Yes I'm sure Apple's boo-boo will be talked about it 3 years time as if it's a weekly occurrence.
 
You should be able to find it probably at the very bottom. You do not need to update it manually, it will be (should be by now) updated already.
Look for "XProtect.plist", not "xprotect.plist".
Thanks. Found it! But there is no such entry in the XProtect-File.

Can I manually update the file? Because I have disabled the auto update function on mac os x (last week a security update disabling wired networks).
 
This is an ignorant statement to make. How is using BitTorrent directly attributed to "pirating stuff"? The last Linux distro I downloaded was officially available via BitTorrent.
I honestly felt the same because the only times I have ever been directed to one of those site was when I search for info on a movie or software. It's always pirated stuff. And while I get your point, many times people on this site boast about pirating "over priced" software or movies. So, I'm sure they were only going by the only exposure they had. I did notice that those attacking others still never said they never download pirated items from the site, only that there are legitimate uses.
 
I have encrypted my computer since all the security stuff has been going on, and it made me start thinking, if my computer is already encrypted, then the ransomware can't be effective, right?
 
I have encrypted my computer since all the security stuff has been going on, and it made me start thinking, if my computer is already encrypted, then the ransomware can't be effective, right?

I suspect it would simply encrypt the encrypted file(s) over again.
 
Click your Desktop then hit shift-command-g (all three keys at once) then paste in the file path below and return. Then scroll down to xprotect.plist in the Finder window and select the file. Then press the space bar to Quicklook the file contents. You can see the latest updates at the top of the file.

Code:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
What should the top of the file say if its up to date?
 
Couldn't you just restore from an earlier Time Machine backup to work around the encryption lock?

Honest question. But how is Time Machine going to unencrypt your hard drive? Especially since Time Machine doesn't make images of your drives, just file archive and replacement.
This is an ignorant statement to make. How is using BitTorrent directly attributed to "pirating stuff"? The last Linux distro I downloaded was officially available via BitTorrent.

I see the heart you have here. But let's not try and deny that 99.5% of torrent use is transfer of illegal material.
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
Given that ALL torrent apps are free, why would anyone download this????????
Are you joking? uTorrent has a horrendous history of bundling adware and even a goddamn bitcoin miner into their crap app.
 
To be expected when people use BitTorrent. I have zero sympathy for people who pirate stuff!

It's a freaking transfer protocol, nothing more. I regularly use it to send big files to other people (have you ever tried Apple's Mail Drop for a bunch of 4-5 files? Good luck with that), and there's a lot of (non-illegal) content and software that's distributed via BitTorrent. I guess you also have zero sympathy for people who use the download function of their browser or who watch videos on YouTube...
 