How do we know 2.91 or 2.92 aren't just the same folks that uploaded the bad version, using the publicity and fact that everyone is going to update to get more people to install a further infected build? o_O

Use the fear of even those not infected to get even more to install further infected builds. It'd be a brilliant move.
 
But Macs are more secure. That's a fact. Does it mean that they are impenetrable? No. Software is constantly changing, and with that comes opportunities for them to "slip up" and inadvertently open a hole somewhere. Or a piece of software may not get updated to utilize the latest security features. Overall, Apple has done a fantastic job at creating a secure, safe platform.

More secure...than what?

A Windows box? Sure, maybe.

A hardened Linux or BSD machine? No chance.

OS X doesn't even ship with its firewall switched on and its UNIX/GNU packages are woefully out of date.
 
It's semantics, really. As far as the end user is concerned the result is largely the same. We as technical users shouldn't muddy the waters; it just perpetuates the myth that Macs are more secure than any other platform. Given that Mac users have been spared for so long, I actually think the user base is more vulnerable because most are 1. clueless and 2. have been lulled into a false sense of security by Apple's marketing machine.
I don't want to derail the thread with a whole debate about Macs and viruses and a technical discussion of what constitutes a virus. I will just say I was trying to answer the forum member's question in the clearest possible way without getting bogged down in the whole Macs and viruses issue.

I do agree with what I think your sentiment is though. There are those who are perhaps too quick to imply Macs are immune from these problems. :)
 
I don't want to derail the thread with a whole debate about Macs and viruses and a technical discussion of what constitutes a virus. I will just say I was trying to answer the forum member's question in the clearest possible way without getting bogged down in the whole Macs and viruses issue.

I do agree with what I think your sentiment is though. There are those who are perhaps too quick to imply Macs are immune from these problems. :)

Fair enough :) I didn't want to derail it either, but my point was more relevant than some of the comments here about a moral argument on the use of torrents.
 
Finally Macs get popular enough to get malware (and likely viruses too).
Do you see how stupid your post looks now?

Edit: To take my metaphor one step further, even if you don't agree with the people who pirate, to wish people who use torrent clients to get malware that can cause data loss is like wishing for the weapons owned by gun owners to backfire into their faces.

Which sometimes happens – usually those guns obtained from shoddy places.
 
Funny to see so many surprised by the ideas of malware and viruses on Macs. We wrote and demo'd a virus at Macworld back in 2008. People were less than happy to see it and many simply refused to believe it was real.

Malware is essentially programs people install themselves, so of course they exist; just the fact OSX was not worth it as a target saved the Mac from this kind of thing.
 
Are we sure this is not an act by the DOJ or its lackeys (ex. FBI) paying Apple a sample of things to come?

After all the download is from the app's legitimate site - you just have to force/bribe one person inside!

This is meant as a talking point - hope it is not anywhere close to reality!
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
Given that ALL torrent apps are free, why would anyone download this????????
Because uTorrent itself is spyware and malware. Anyone who uses the term "computer savvy" is anything but.
 
That was my thought too. Same thing happened to Mint last week.

A quick off topic interjection. I have an older version of Mint that I run on a flash drive. I have used it to get files off of a messed up hdd. I haven't played with Linux for several years now. You're giving me the urge to try it again.
 
Lol, I don't think I've met an even SLIGHTLY savvy computer user (Mac or PC) in the last eight years or so that uses a client other than uTorrent.
Given that ALL torrent apps are free, why would anyone download this????????

Because it is super lightweight and doesn't have a ton of ads and signage like uTorrent.
 
*should* being the word that is not in my vocabulary. The only way not to get this is don't upgrade to 2.90, but I also blame the developer for not even knowing and not acting quick...

If you would have enacted the labour of reading the fine article you would have noticed that the many ways not to get this are: don't use the software, don't update, update through sparkle (the automated feed) which didn't contain the ransomware version. DUH.
 
What can I do to prevent such virus/malware/ransomware attacks from ever hitting my Mac? Do anti-virus or internet security software make any difference? Such as paid software from Norton or Kaspersky... I don't mind paying for peace of mind, if they offer noticeable defence.

Thanks!
 
Haven't connected my Mac to the Internet in a few weeks, will need to check. I do use it often though.
 
How do we know 2.91 or 2.92 aren't just the same folks that uploaded the bad version, using the publicity and fact that everyone is going to update to get more people to install a further infected build? o_O

Use the fear of even those not infected to get even more to install further infected builds. It'd be a brilliant move.
Wonder how many different, valid Apple developer certificates these folks have?

Apple already revoked the one that they used to sign the first 'bad version'.

I'm guessing the whole Transmission update process will be under Apple's microscope for a bit. I'd be very surprised if anything bad gets up there and doesn't get quickly noticed and then revoked again.
 
Unbelievable luck. I downloaded Transmission early on Saturday to fetch several Linux ISOs. I ended up with the infected version and only discovered after seeing this post (Gatekeeper was not updated at the time I downloaded and launched). kernel_service was running under my logged-in user ID.

The bizarre thing is that I hardly ever use BT - it wasn't on this laptop that I bought about a year ago - and just did on a whim because the HTTP fetches were looking a little slower than I wanted.

I'm very skeptical about downloading new apps and trusted this based upon reputation (Transmission has been around for years). The disturbing thing is how this exploit found its way in without the developer's knowledge. I have several tools (both commercial and open-source) that aren't available through the App Store because their functionality doesn't fit the sandbox.

There's no real solution to these other than to run all untrusted apps on a sacrificial machine (or virtual machine).

Gah. I also had one of my Macs (only one, thank goodness) that was running the kernel_service. I have obviously since killed the service, deleted the General.rtf file, deleted Transmission, and reinstalled 2.92. From what I can see, I'm clear now, but what I don't know is what this service might have done in the time it WAS running on the system. Is there any concern at all now that I have eradicated the immediate threat that nothing will bite me in the future for this particular issue?
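
A check for the two indicators named in the posts above (a running `kernel_service` process and a `General.rtf` file shipped with Transmission), as an added example that is not part of any forum member's post. The function names, the sample process listing, and the default `/Applications/Transmission.app` location are assumptions; the thread gives no paths.

```shell
#!/usr/bin/env bash
# Added example: look for the two indicators mentioned in the thread.
# Nothing here removes anything; it only reports what it finds.

# Constructed sample of `ps -axo user=,pid=,comm=` output (not real data).
SAMPLE_PS='root 1 /sbin/launchd
alice 412 /Users/alice/example/kernel_service
alice 530 /Applications/Safari.app/Contents/MacOS/Safari
alice 777 /usr/local/bin/kernel_service_helper'

# Read "user pid command" lines on stdin and print those whose executable
# basename is exactly kernel_service (a substring match would also flag
# unrelated names such as kernel_service_helper).
find_kernel_service() {
  awk '{
    user = $1; pid = $2
    # The command path may contain spaces: rebuild it from field 3 onward.
    cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
    n = split(cmd, parts, "/")
    if (parts[n] == "kernel_service") print user, pid, cmd
  }'
}

# Print every file named General.rtf under the given directory.
# A missing directory is not an error: it just yields no output.
find_general_rtf() {
  [ -d "$1" ] || return 0
  find "$1" -type f -name 'General.rtf' 2>/dev/null
}

# Run both checks on the live system.
# Exit status 0 = nothing found, 1 = at least one indicator present.
check_host() {
  app_dir=${1:-/Applications/Transmission.app}   # assumed install location
  hits=$(ps -axo user=,pid=,comm= | find_kernel_service)
  files=$(find_general_rtf "$app_dir")
  [ -n "$hits" ] && printf 'process: %s\n' "$hits"
  [ -n "$files" ] && printf 'file: %s\n' "$files"
  [ -z "$hits$files" ]
}
```

Run `check_host` (optionally with the path to the Transmission bundle) after sourcing the file. A clean result only says these two indicators are absent now; it says nothing about what the process did while it was running.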
 
How do we know 2.91 or 2.92 aren't just the same folks that uploaded the bad version,

This is the problem code signing is designed to solve.

The code is certified by a trusted third party (e.g., Apple App Store) or at the very least signed with a certificate that is owned by a trusted developer (e.g., for non-app store apps you still sign your code with a certificate issued by a trusted third party like Apple or Microsoft in the case of Windows). If the developer is found to be doing dodgy stuff, the CA revokes their certificate and then the code no longer runs.

This is the plus side of code signing, the need to re-download all your OS X installers if the certificates expire is the downside.

I'll take code signing thanks.
 
Does this only affect those who downloaded TransmissionBT since March 4th of version 2.9.1 only? I remember I downloaded 2.9.0 on February 28th... I take it that version/copy is safe?
 