First Mac Ransomware Found in Transmission BitTorrent Client

[emio]

What should the top of the file say if its up to date?

This:

https://forums.macrumors.com/thread...sion-bittorrent-client.1959908/#post-22641878

Looks like Apple has updated XProtect for this KeRanger malware already. This is from my xprotect.plist file.

View attachment 620009

 

[Ries]

Wonder if it'll touch Time Machine backups too if you have a backup disk mounted..

http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/

"Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

 

[Weaselboy]

Thanks.

But there is no such a entry in the file. How can i update the XProtect-File?

Run this command in Terminal and it will force an update. You will be asked for your password.

sudo softwareupdate --background-critical

 

[Weaselboy]

I have encrypted my computer since all the security stuff has been going on, and it made me start thinking, if my computer is already encrypted, then the ransomware can't be effective, right?

From what it looks like, the malware encrypts the individual files, so it could still work on an encrypted disk.

 

[Unami]

From what it looks like, the malware encrypts the individual files, so it could still work on an encrypted disk.

i guess, he was joking. let me put it another way: if you lock your money into a briefcase, that still doesn't prevent the briefcase from being locked into a safe.

 

[Westside guy]

(b) Install bit torrent clients (from a website no less) Which have little or no legitimate use other than piracy

Bittorrent has more or less been the de facto method of downloading Linux distros for the past decade - with the complete blessing of the companies/groups involved.

 

[emio]

Run this command in Terminal and it will force an update. You will be asked for your password.

sudo softwareupdate --background-critical

Done!

But no new entry in the file. I will wait some days to repeat this command.

 

[ApfelKuchen]

Doesn't this situation makes you very angry at Apple? It's all Apple's fault.

We have to deal with this crap because of Apple and Apple alone. Why? Mac App Store.

Not only is the MAS terrible as an app itself, those stupid restrictions that even Apple doesn't respect (see xCode) only mean that Mac users won't get a trustworthy download/install/update/uninstall method and a single trustworthy place to get their software from.

Transmission is one of those apps that make a Mac "worthy". A true classic app. Beautiful, lightweight, great functional interface.

It's time for our stores to get the "native" treatment (itunes too) and for Apple to change their policies not only what is/isn't allowed as an app, but what permissions/restrictions the app gets.

Then, we can have a single, trustworthy, place to download software from.

I'm not sure what you're trying to say, please correct me if I'm wrong...

If only Mac App Store was perfect, everybody would voluntarily do the right thing? No developer would ever again offer downloads from its own web site in order to pocket an extra 30%, nobody would ever release infected downloads out into the wild, nobody would ever again click a Download button at a web site? If OS X security was nailed down as tightly as iOS, nobody would ever develop or use a jailbreak? That Apple would be able to guarantee that no App Store developer would ever release faulty or malicious code?

I'm sure that, if there is an infinite number of parallel universes, there will be at least one where that will be true. However, it isn't this one. As far as I know, it's not possible to communicate between parallel universes (well, at least if you're living in this particular universe), so you're not living in an alternate universe where perfection is possible.

 

[furi0usbee]

How does this happen to a legit developer? I hope someone gets fired...

 

[iThingsGurl]

I honestly felt the same because the only times I have ever been directed to one of those site was when I search for info on a movie or software. It's always pirated stuff. And while I get your point, many times people on this site boast about pirating "over priced" software or movies. So, I'm sure they were only going by the only exposure they had. I did notice that those attacking others still never said they never download pirated items from the site, only that there are legitimate uses.

I never download pirated items. From any site.

 

[boredandlonely]

Any word on a quick workaround for the infected, in terms of changing the date to manual, and back a few days in time?

Apparently it only affects users who downloaded it off of the website and not those who used the in app update.

That may be correct in my case. I upgraded via app update, and currently have no signs of infection.

Cant really blame Apple for data loss if you
(a) Don't make regular backups
(b) Install bit torrent clients (from a website no less) Which have little or no legitimate use other than piracy

I have a CC backup running, and, oh joy, it duplicated the downloaded file and the installed file, for a total of 6 incursions. (so far none infected) as it was sparkle updated, and I think I did so before 11am PST also.

So let me show you how this looks like. LittleSnitch probably saved my butt yesterday.
Picture: An onion link from an unknown process that sounds like kernel but isn't? Onion liks are from TOR, which I never installed.

I did a clean install and hope that luck stays with me. "That luck" btw is called Little Snitch.

I also have Little Snitch installed, and received no warnings, so more confirmation I am likely okay, but still reading through the MR thread.

 

[iapplelove]

What if I do not have this installed at all? I do not use BitTorrent and never been on the site.

Then just like me you are fine. I never even heard of the site lol

 

[iThingsGurl]

Thanks. Found it! But there is no such entry in the XProtect-File.

Can I manually update the file? Because I have disabled the auto update function on mac os x (last week a security update disabling wired networks).

Go to System Preferences>App Store. Look for Check Now.

 

[R3k]

Here's a detailed write-up on how the software works.

http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/

Interesting, reports that it also tries to encrypt time machine backups.

 

[mag01]

2.92 has just been released with the OSX.KeRanger.A removal routine that's executed on startup
https://trac.transmissionbt.com/changeset/14712

 

[djgamble]

Couldnt you just restore from an earlier time machine backup to work around the encryption lock?

Don't know, but I'd presume that it encrypts your backup in some cases?

 

[iThingsGurl]

I see the heart you have here. But let's not try and deny that 99.5% of torrent use is transfer of illegal material.

Are you sure? May I ask where did you come up with that statistics from?

 

[bsolar]

I see the heart you have here. But let's not try and deny that 99.5% of torrent use is transfer of illegal material.

This still doesn't mean bittorrent users can be all generalised as pirates, even assuming your figures are correct and even assuming I should care about the definition of "illegal material" in your specific jurisdiction.

 

[AppleScruff1]

Torrent are used for more than piracy my friend, we are not in the early 2000 anymore!!

All Linux distribution are downoadable with torrent and they are 100% legit!

Do a lot of people with Macs download Linux?

 

[djgamble]

2.92 has just been released with the OSX.KeRanger.A removal routine that's executed on startup
https://trac.transmissionbt.com/changeset/14712

That's a cool feature. Be neat if OS X had similar built-in features IMO.

 

[bsolar]

Don't know, but I'd presume that it encrypts your backup in some cases?

According to the researchers there are hints in the malware executable that such functionality is in development but it's not yet active in the version they analysed.

 

[JosephAW]

Whoops. I can't install 2.9 because I'm on OS X 10.6
Nevermind.

 

[ArtOfWarfare]

(b) Install bit torrent clients (from a website no less) Which have little or no legitimate use other than piracy

A lot of media heavy apps (games) are only distributed via bit torrent.

Blizzard's downloader, for example, is nothing but a bit torrent client. Wouldn't be surprised in Microsoft distributes Windows 10 using bit torrents.

 

[iThingsGurl]

Do a lot of people with Macs download Linux?

I do. I carry a live USB too and use it when I am on public PCs.

 

[philipo_rock]

This:

https://forums.macrumors.com/thread...sion-bittorrent-client.1959908/#post-22641878

I'd previously updated in the app itself. I can't remember on what date i updated to 2.90 but i think it was when the update was announced on 9to5Mac or perhaps even on this site. It was notable because it was a long time coming.

My XProtect.plist file said LAST MODIFIED 7 FEB 16

I did the force update in Terminal - after a few minutes it now said LAST MIDIFIED: YESTERDAY 1727 (I'm in London/GMT)


An entry for "KeRanger..." is in the file now



Also, Transmission 2.92 is now available.