Seven pages and no one has mentioned the very specific conditions required for you to self-infect?

1) You'd have to have downloaded the dmg from the website between 11:00am PST, March 4, 2016 and 7:00pm PST, March 5, 2016
2) Have opened the General.rtf file on the dmg
3) Have actively blocked Gatekeeper from updating

These are all very specific conditions. If you have used Transmission before and auto-updated you are safe. If you don't open read me files you are safe.

Which makes me wonder why people are panicking over this. And also, if the hackers could compromise the official website with a dmg, why not poison the executable itself instead of relying on the user clicking a fake text file?
No, opening General.rtf isn't needed. It will be taken care of by the infected Transmission app which will copy the General.rtf to ~/Library/kernel_service and execute it.

EDIT: And yes, Gatekeeper didn't have to help either until the XProtect definitions were updated (and it took them some time)
 
2 and 3 are not required conditions. How do I know? It happened to me with fully updated El Cap.

1. Downloaded Transmission from website (didn't already have it).
2. Opened Transmission (got the "you are opening this for the first time" warning)
3. Downloaded a couple of f23 ISOs from https://torrents.fedoraproject.org
4. Closed it when finished.

This morning I saw the news and checked: I had the kernel_service running, files in ~/Library. Fortunately 3 days had not elapsed and everything was intact.

Yes, that the installer executes General.rtf when you run it is how I interpreted the explanation.
 
And it takes an ignorant person to think that bittorrent clients are per se questionable software. Or a troll.
Ironically Apple may have contributed to this breach by not allowing bittorrent clients on their curated app store. I have no idea why, since as you said bittorrent is used for many legitimate reasons. It's like banning FTP clients because they could be used to access servers with pirated content.
 
I was under the impression that Macs are immune from virus/malware/ransomware. Or am I just being naive? :(

Afraid not. There's only degrees of vulnerability. If it can run code, it's not immune from attack.

Belief otherwise is foolish.

If you are serious about security, stop drinking Apple's marketing Kool-Aid. The persistent belief that Macs are immune from virus/malware/ransomware really needs to die.

https://www.gov.uk/government/collections/end-user-devices-security-guidance
http://insights.ubuntu.com/wp-content/uploads/UK-Gov-Report-Summary.pdf
 
You'd be surprised how many people do. The Mac is a nice platform with good hardware but Linux is much better for doing certain types of work, especially development. I personally use Linux not only as a server/deployment platform but also to do my day job (I'm a technical writer who uses asciidoctor primarily). I also develop on and for the Raspberry Pi so I'm often downloading different images to flash to SD card. I use Pis like appliances: print and airprint server, home intranet, SSH/VPN box, wireless speaker system and I know my usage is hardly unique.

I know a lot of people who run Linux VMs or bare metal for development in Java, Rails, PHP, Node, Mono and C on Mac hardware.

Apple hardware gives you a nice designed laptop with a good trackpad. OS X is a half-decent UNIX box with support for proprietary apps when you need them and is mandatory for iOS development. Linux gives developers much more control, performance, better package management and an environment that's the same as their deployment target.

In fact I think OS X is a good avenue into Linux, especially for technical users and those of us who like performance and a file system that doesn't suck as badly as HFS+!

Thank you for the very informative reply.
 
The Mac App Store isn't safe either.

True, it is not entirely safe, but it is a little bit safer.

App Store apps cannot access all your files by default - only their sandbox container. For an App Store app to access any file you first need to grant access to a file (or folder) through the Open dialog. The app can then access either that single file, or the folder and anything beneath it.
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
Given that ALL torrent apps are free, why would anyone download this????????

If I had a better choice for my PC, I wouldn't be using uTorrent as it's become nothing but bloatware. Transmission is easy and straightforward and isn't trying to sell you anything. It also doesn't have video ads like uTorrent does that play without your consent.
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
I personally wouldn't touch uTorrent with a 50-foot pole.
The last time I downloaded uTorrent, FROM THE OFFICIAL SITE, it was infected with the Spigot adware.

And now I find the one I use which has been historically malware free has been infected by something as well?!
I just want to download files as quickly as I can with my subpar connection.

Note that I don't pirate.
I mostly use torrents with Linux distributions for Virtual Machines, or games I buy legitimately through HumbleBundle (yes, HB has a torrent download option).
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
Given that ALL torrent apps are free, why would anyone download this????????

Well, we haven't met, true, but I'm reasonably tech savvy (technical writer and developer) and I use Transmission and rTorrent depending on the box I'm working on.
 
Wasn't the Sparkle auto-update framework recently found to be compromised, and the solution given was to get updates directly from the developer instead of using auto-update?
It was not so much compromised, but vulnerable to compromise if one targeted a specific app's Sparkle update mechanism. You are correct though, that it is ironic the direct download (non-Sparkle) method in this case seemed to result in the infected app.
 
Apparently it only affects users who downloaded it off of the website and not those who used the in app update.

Yes, I am not seeing it. I haven't downloaded directly off their site in a while.
What if I do not have this installed at all? I do not use BitTorrent and never been on the site.

Then why are you asking? Did you read the article???
 
Whats the path to this in OS X?

You can find the xprotect.plist file in this folder.

Code:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/
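The posts above give enough to script a quick self-check: the infected Transmission build copies General.rtf to ~/Library/kernel_service and runs it, a kernel_service process was seen running, the encryption waits about 3 days, and Apple's XProtect definitions live in the folder named just above. The following is an added example written for this thread, not code from any poster or from the Transmission project. It assumes the usual install path /Applications/Transmission.app and the file name XProtect.plist (the post writes it lower-case; HFS+ is case-insensitive), and it searches the whole bundle for General.rtf rather than assuming where the infected build placed it. Directories are parameters so the same checks can be run against a mounted copy of another Mac's disk.

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from Transmission.
# Checks the indicators described in the thread:
#   - ~/Library/kernel_service (and whether it is already older than the 3-day delay)
#   - a running kernel_service process
#   - a General.rtf shipped inside the Transmission.app bundle
#   - the XProtect definitions file in the folder quoted above
# Assumptions (not stated in the thread): install path /Applications/Transmission.app,
# file name XProtect.plist, and that General.rtf may sit anywhere inside the bundle.

XPROTECT_DIR=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources

# check_home_indicators HOME_DIR
# Prints one "HIT: ..." line per indicator found; return status = number of hits (0 = clean).
check_home_indicators() {
    _home=$1
    _hits=0
    if [ -e "$_home/Library/kernel_service" ]; then
        echo "HIT: $_home/Library/kernel_service exists"
        _hits=$((_hits + 1))
        # -mtime +2 = modified more than two full days ago, i.e. the 3-day timer may have fired
        if [ -n "$(find "$_home/Library" -maxdepth 1 -name kernel_service -mtime +2 2>/dev/null)" ]; then
            echo "HIT: kernel_service is older than 3 days; check your files for encrypted copies"
            _hits=$((_hits + 1))
        fi
    fi
    return $_hits
}

# check_bundle_indicators APP_DIR
# The thread says the infected build's own General.rtf is what gets copied and executed,
# so a General.rtf anywhere inside the app bundle is worth flagging.
check_bundle_indicators() {
    _app=$1
    _hits=0
    if [ -d "$_app" ]; then
        _found=$(find "$_app" -name General.rtf 2>/dev/null)
        if [ -n "$_found" ]; then
            echo "$_found" | sed 's/^/HIT: General.rtf inside app bundle: /'
            _hits=$(echo "$_found" | wc -l | tr -d ' ')
        fi
    fi
    return $_hits
}

# check_process
# Reports a running kernel_service process. "ps -A -o comm=" works on macOS and Linux;
# the [k] bracket keeps grep from matching its own pattern if comm ever shows arguments.
check_process() {
    if command -v ps >/dev/null 2>&1 && ps -A -o comm= 2>/dev/null | grep -q '[k]ernel_service'; then
        echo "HIT: a kernel_service process is running"
        return 1
    fi
    return 0
}

# show_xprotect [XPROTECT_DIR]
# Prints the modification time of the definitions file so you can tell whether the
# machine has picked up Apple's update yet. Returns 1 if the file is missing.
show_xprotect() {
    _dir=${1:-$XPROTECT_DIR}
    if [ -f "$_dir/XProtect.plist" ]; then
        ls -l "$_dir/XProtect.plist"
        return 0
    fi
    echo "no XProtect.plist under $_dir"
    return 1
}

# Run everything against the current user and the default install location.
main() {
    _total=0
    check_home_indicators "${HOME:-/nonexistent}" || _total=$((_total + $?))
    check_bundle_indicators /Applications/Transmission.app || _total=$((_total + $?))
    check_process || _total=$((_total + $?))
    show_xprotect || true
    if [ "$_total" -eq 0 ]; then
        echo "no indicators found"
    else
        echo "$_total indicator(s) found"
    fi
    return 0
}

main
```

A clean result here only means these particular indicators are absent; the definitive check remains the Transmission version itself and the XProtect update date, and a kernel_service entry older than the 3-day window means the files it was going to touch should be checked before anything else is done.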
I was under the impression that Macs are immune from virus/malware/ransomware. Or am I just being naive? :(

At this point there don't seem to be any viruses out there in the wild that impact OS X, but there is malware like in this case.
 
At this point there don't seem to be any viruses out there in the wild that impact OS X, but there is malware like in this case.

It's semantics, really. As far as the end user is concerned the result is largely the same. We as technical users shouldn't muddy the waters; it just perpetuates the myth that Macs are more secure than any other platform. Given that Mac users have been spared for so long, I actually think the user base is more vulnerable because most are 1. clueless and 2. have been lulled into a false sense of security by Apple's marketing machine.
 
Ironically Apple may have contributed to this breach by not allowing bittorrent clients on their curated app store. I have no idea why, since as you said bittorrent is used for many legitimate reasons. It's like banning FTP clients because they could be used to access servers with pirated content.

But which one outweighs the others? FTP is used for legitimate purposes FAR more than BitTorrent clients are. That said, I do agree that Apple should allow verified BitTorrent apps simply to protect more users from this type of attack.
 
Funny to see so many surprised by the ideas of malware and viruses on Macs. We wrote and demo'd a virus at Macworld back in 2008. People were less than happy to see it and many simply refused to believe it was real.
 
It's semantics, really. As far as the end user is concerned the result is largely the same. We as technical users shouldn't muddy the waters; it just perpetuates the myth that Macs are more secure than any other platform. Given that Mac users have been spared for so long, I actually think the user base is more vulnerable because most are 1. clueless and 2. have been lulled into a false sense of security by Apple's marketing machine.

But Macs are more secure. That's a fact. Does it mean that they are impenetrable? No. Software is constantly changing, and with that comes opportunities for them to "slip up" and inadvertently open a hole somewhere. Or a piece of software may not get updated to utilize the latest security features. Overall, Apple has done a fantastic job at creating a secure, safe platform.
 
To be expected when people own guns; I have zero sympathy for people who murder!

Do you see how stupid your post looks now?

Edit: To take my metaphor one step further, even if you don't agree with the people who pirate, to wish people who use torrent clients to get malware that can cause data loss is like wishing for the weapons owned by gun owners to backfire into their faces.
 