Daniel Eran Dilger
Users who downloaded the Transmission BitTorrent client on Friday or Saturday are being warned to update to the latest 2.92 version to avoid being targeted by a ransomware that infiltrated an earlier version of the open source software.
Claud Xiao and Jin Chen of Palo Alto Networks reported on the threat earlier today, noting that "attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4."
KeRanger is the name given to what is believed to be the "first fully functional" ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then "begins encrypting certain types of document and data files on the system."
The malware then "demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files." Researchers say the malicious code is "under active development" and seems to be trying to also encrypt users' Time Machine backups to also prevent them from being able to recover their backed up data.
Mac OS X's GateKeeper, XProtect spring into action
The same day that Palo Alto Networks discovered the threat— which was distributed with the Transmission app in a DMG package signed by a valid developer ID— Apple revoked the signing certificate involved to prevent new installations of the infected version via the Mac's iOS-like GateKeeper signed-app security system.
Apple also began automatic distribution of an OS X XProtect antivirus signature to flag and quarantine existing compromised downloads.
The security firm noted that anyone who directly installed Transmission between March 4th and March 5th may be infected with the KeRanger malware, and outlined steps to identify and remove the malware if it has already been installed.
Because Apple has already revoked the certificate and distributed an XProtect update, anyone attempting to open a known-infected version of the Transmission app will now be given a warning dialog box that notes "Transmission.app will damage your computer. You should move it to the Trash," or "Transmission can't be opened. You should eject the disk image."
A clean, updated 2.91 version of the Transmission app can be downloaded from the app developer's website.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
35 Comments
Non-issue. This has already been addressed by Apple and it's a little irresponsible of the media to put so much focus on this when there's Windows and Android malware that they could be reporting on instead.
The real price of "free" software and music files.
What I want to know is what happens to all these ASSHOLES who are using Apple developer certificates to try and get malware onto Macs or iOS devices? We've heard of many of them getting revoked (especially the enterprise certificates that allow side loading of iOS Apps), but we never hear about the consequences for those caught.
People don't just "sign up" to be an Apple Developer and get certificates. For example, to become an Apple Enterprise Developer you need to prove to Apple you are a legal entity. If there's a legal entity behind the certificate, then there's someone who can be sued for fraudulently obtaining a certificate for the purposes of spreading malware.
I'd like to hear more from the dev about how this happened.