Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Crime Desktops (Apple) Encryption Network Portables (Apple) Privacy Software News Apple Technology

Transmission BitTorrent App Contained Malware (cnbc.com) 109

An anonymous reader writes: Apple users were targeted in the first known Mac ransomware campaign. Hackers targeted Transmission, which is one of the most popular Mac applications used to download software, videos, music, and other data from the BitTorrent peer-to-peer information sharing network. As per this forum post (English screenshot of warning), OS X detected malware called OSX.KeRanger.A. This is the first one in the wild that is functional as it encrypts your files and seeks a ransom. An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.
This discussion has been archived. No new comments can be posted.

Transmission BitTorrent App Contained Malware

Comments Filter:
  • by NotInHere ( 3654617 ) on Sunday March 06, 2016 @07:40PM (#51650549)

    In fact, in this case probably it was the contrary. I guess the developer was not part of the developer team for transmission, but external. If it were easy to package software for macs without having to pay lots of fees, the dev team could have done it themselves. Apple really should give free dev licenses to free software developers, to help fight abuse. Github does something like that too.

    • by Anonymous Coward on Sunday March 06, 2016 @08:03PM (#51650631)

      $99 a year isn't an exorbitant fee for a code signing cert.

      Thats the only part of Apple's developer programs that require cost (besides buying a Mac, and frankly its not a crazy concept to own the platform you are developing for)

      • by Jamu ( 852752 ) on Sunday March 06, 2016 @08:41PM (#51650761)
        You can probably make that back from the ransom payments...
      • Re: (Score:3, Interesting)

        by ( 4475953 )
        It can be exorbitant for small developers in combination with the other requirements. You also need to buy Macs every 3-5 five years in order to be able to stay afloat as a developer. Let's say you only update your machine every 5 years (a bit optimistic). Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, we
        • by tlhIngan ( 30335 )

          Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, web services, backup software and storage, etc.

          Well, if you were a shareware developer that was hard up, I'd ditch the laptop and get a Mac Mini, which can be had for around $500 and updated far less often. I'd also ditch the AppleCare plan and self-insure, which

    • Re: (Score:1, Flamebait)

      by NotInHere ( 3654617 )

      I think that version is safe. My guess at the core of the whole story is that transmission wanted to provide binaries for mac, and they asked someone external to the project to do it, because neither of them had a mac nor wanted to afford $100 in order to build software for free, and that person was malicious and included the ransomware.

      I guess that that made enough money to compensate for the Mac purchase and the 100$ developer fee. One can even say that in this case, apple made money with malware.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Given that Transmission originates as a project purely for Mac OS (which has subsequently become cross platform), I'd be amazed if the main devs didn't own Macs.

      • transmission is a longtime award winning mac app.

    • by Anonymous Coward

      In Linux Mint 13.

      Yes: and so is the source code https://www.transmissionbt.com/about/ So if there is hacked version for Linux it will be a compiled binary without the source being available which is against the terms and conditions of Mint. The dev that released the app on the APPLE "APE STORE" must monkeyed around with the code and deserves to be black balled from the dev communities permanently. I can't say as I blame the folks at transmission.COM for not paying to release it on the APE STORE system. Don't sweat it the b

  • Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?
    • by SeaFox ( 739806 )

      Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

      Macrumors reports [macrumors.com] there was a three-day delay before the lockout would take effect. So most people haven't been caught by it yet.

      • by Anonymous Coward

        They did a pretty good job with Palo Alto.

        The malware was on the site for about 32 hours, pulled at the end of that window, with both Gatekeeper & Xprotect updated in that time, as well as the Dev Cert being revoked. The patch was live before Palo Alto went public.

        That's really good in terms of response time from Apple, Palo Alto Networks & the Transmission project.

      • I'm really curious what made me "immune." I updated Transmission last Thursday or Friday to the version supposedly infected. I learned about the malware Sunday and immediately checked for the reported signs of an infected computer, of which I had none. I immediately upgraded to the clean version and as of last night, my Mac mini is still clean.
  • I never get this. (Score:4, Insightful)

    by rrohbeck ( 944847 ) on Sunday March 06, 2016 @09:19PM (#51650929)

    How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

    • by antdude ( 79039 )

      Unless it infects the backup drives too. :(

      • How can it? They're offline or on a backup system, ideally offsite. Right?

        • by antdude ( 79039 )

          Some people always have them connected. :(

          • by Anonymous Coward

            Then it's not a backup.

            • by Anonymous Coward

              Sure it is. The point of a backup is to be able to restore after disk failure or accidental deletion, and to restore data to an earlier timepoint. Having the backup online doesn't prevent any of those.

              It's just not an ideal way of doing the job because the best backup solutions offer physical disaster recovery as well as the above. But that is a failure of the disaster recovery plan, not of backups.

    • It's no different to a power user. As you said, you wipe and reinstall your apps and documents.

      For the general public, it's a little different. With a failed drive they're hosed. With an encrypted file, they have the option to pay the ransom and regain their data. (And, typically, the second time around they'll buy an automated backup solution. Since this is an Apple OS, probably Time Capsule).

    • by sociocapitalist ( 2471722 ) on Monday March 07, 2016 @07:32AM (#51652433)

      How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

      Because cryptolocker type attacks also encrypt any backup drives that are connected (either directly or over the network). You may even be backing up malware encrypted files, overwriting unencrypted files, for some time before the malware notice flashes up on your screen.

      Keep in mind that the malware process runs encryption in the background for some time (i.e. until some target percentage of what the malware considers to be 'interesting files' has been encrypted) so you don't generally know that you're under attack until most of your files have been made useless to you.

      The only reasonably certain defense is having a lot of one off backups that you make and then store offline. As USB keys are cheap I've been making weekly backups of the data that's really important and just throwing the keys in a drawer.

    • A failed drive is that... a failed drive. Any malware worth its salt will be encrypting/corrupting all data on external backup drives. It doesn't matter if you have RAID 7+1, replicated among three active/active peers. If the machine can get to it and rm/corrupt files, the backups are worthless.

      What really needs do be done is to have an outside server SSH into the desktop machine and dump the files to someplace the desktop cannot touch by normal means. On Macs, this isn't too difficult -- have a decent

  • Time Machine (Score:4, Informative)

    by khchung ( 462899 ) on Sunday March 06, 2016 @11:16PM (#51651219) Journal

    So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

    After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      I'm guessing the time machine files will all be encrypted themselves so that data cannot be recovered. Assuming here that the time machine drive files are similar in form to the application 'bundles', just instead of programs and shared libraries on the 'bundle', there will be a source file and the various binary diffs of the versions of the files.
    • From the TorrentFreak article [torrentfreak.com]:

      Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

    • So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

      After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

      Timemachine is network attached storage and, as such, is reachable by the malware.

      From the article: "...it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

      Also, as the attack is over time you will be backing up encrypted files and if you don't have enough space on your time machine to keep backups for a looong time, you may end up with your entire set of backups encrypted.

      • Time Machine is the Mac's built in backup program. Time Capsule is Apple's firewall/switch/Wi-Fi AP/NAS which allows one to back up (using Time Machine) to it, optionally encrypted.

        As an alternative to the Time Capsule, especially if one already has a wireless AP, switch, or router, and just needs a NAS, a Synology or QNAP device is cheaper, and can store more. A 3TB Time Capsule runs about $400. You can buy a Synology 216se for $150, add two WD Reds for about $100 each, and have the same functionality a

    • by AmiMoJo ( 196126 )

      How are Time Machine backups protected? Viruses on Windows like to infect System Restore points on XP (Vista and above has better security). Hopefully Time Machine backups are encrypted and protected by access control.

      • IIRC, Time Machine backups have an ACL, similar to what SELinux uses, to inhibit writing to TM backup disks. However, it may not be that difficult for software to override that, or just write to /dev/diskwhatever to zero out the backups.

        Time Machine is best used with another backup program. Mozy comes to mind, or back up via TM to a NAS, and have the data stashed there, saved to another location via snapshots (either by an automated process like what Synology and QNAP offer), or just tar the NAS share, pi

  • is in-browser support for BitTorrent so there can be better trust.
  • Hi, I have two computers.

    I remember I saw that "improved compatibilty with modern OS X" and pressed install update..., but I can not remember which one or even both. After checking this machines Transmission, it is still 2.84

    And I when reading this, I actually catched an uber to get to my other office to check what was going on there. ... but that also had 2.84, so it seems that the 2.9 update was unsuccessful on both computer / or one of them...

    so then all safe? or is it masking itself as an older version

    • by Anonymous Coward

      Just follow the instructions to check if your machines are infected, there's plenty of information from the guys at palo alto:

        http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

    • by 666999 ( 999666 )

      Downloaded newest version (v2.92) from their site, installed, still shows as v2.84

      But in the app's About window it shows the correct version number. Strange.

  • According to a comment at MacRumors, the malware only infected software downloaded from the website, not software updated through the updater mechanism.

  • From the technical analysis section of the research document [paloaltonetworks.com]

    In addition to this behavior, it seems like KeRanger is still under development. There are some apparent functions named “_create_tcp_socket”, “_execute_cmd” and “_encrypt_timemachine”. Some of them have been finished but are not used in current samples. Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well. If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine.

    So it would appear that Time Machine's current design keeps it's data safe -- for now -- from having one's online backups encrypted. As others have pointed out, that's not likely to last and offline backups are a *very* good idea.

No hardware designer should be allowed to produce any piece of hardware until three software guys have signed off for it. -- Andy Tanenbaum

Working...