Transmission BitTorrent App Contained Malware

An anonymous reader writes: Apple users were targeted in the first known Mac ransomware campaign. Hackers targeted Transmission, which is one of the most popular Mac applications used to download software, videos, music, and other data from the BitTorrent peer-to-peer information sharing network. As per this forum post (English screenshot of warning), OS X detected malware called OSX.KeRanger.A. This is the first one in the wild that is functional as it encrypts your files and seeks a ransom. An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.

Digital certs don't make your software secure

[NotInHere]

In fact, in this case probably it was the contrary. I guess the developer was not part of the developer team for transmission, but external. If it were easy to package software for macs without having to pay lots of fees, the dev team could have done it themselves. Apple really should give free dev licenses to free software developers, to help fight abuse. Github does something like that too.

Re:Digital certs don't make your software secure

[Anonymous Coward]

$99 a year isn't an exorbitant fee for a code signing cert.

Thats the only part of Apple's developer programs that require cost (besides buying a Mac, and frankly its not a crazy concept to own the platform you are developing for)

Re:Digital certs don't make your software secure

[Jamu]

You can probably make that back from the ransom payments...

Re:

[Anonymous Coward]

Right. Because Macs run iOS. Of course.

They don't, but the iDevice simulators in Xcode do.

Re:

It can be exorbitant for small developers in combination with the other requirements. You also need to buy Macs every 3-5 five years in order to be able to stay afloat as a developer. Let's say you only update your machine every 5 years (a bit optimistic). Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, we

Re:

[Anonymous Coward]

Holy shit! Good thing Windows development doesn't need any of this! Get a $99 used Windows XP computer and you can be up and running today.

Re:

[tlhIngan]

Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, web services, backup software and storage, etc.

Well, if you were a shareware developer that was hard up, I'd ditch the laptop and get a Mac Mini, which can be had for around $500 and updated far less often. I'd also ditch the AppleCare plan and self-insure, which

Re:

[NotInHere]

Sadly we live in the age of walled gardens, and not of open protocols. I really don't wonder that people mix this.

Re:

[Dunbal]

One man's walled garden is another man's state prison...

If I remember right transmission is also included

[Trax3001BBS]

In Linux Mint 13.

Re:

[NotInHere]

I think that version is safe. My guess at the core of the whole story is that transmission wanted to provide binaries for mac, and they asked someone external to the project to do it, because neither of them had a mac nor wanted to afford $100 in order to build software for free, and that person was malicious and included the ransomware.

I guess that that made enough money to compensate for the Mac purchase and the 100$ developer fee. One can even say that in this case, apple made money with malware.

Re:

[Anonymous Coward]

Given that Transmission originates as a project purely for Mac OS (which has subsequently become cross platform), I'd be amazed if the main devs didn't own Macs.

Re:

[Trax3001BBS]

Transmission started on the Mac. You really think that a couple $k for tools is a big deal to those with a job?

TL;DR: Geez Louise, cuntcheese, if you don't know what you're talking about...don't say it!

Just hits me as a tad odd that a program supplied as a default Linux program - that does the same thing, shares the same name, and not hit a copyright wall; so suspect as an update.

Re:

[Trax3001BBS]

Transmission started on the Mac. You really think that a couple $k for tools is a big deal to those with a job?

TL;DR: Geez Louise, cuntcheese, if you don't know what you're talking about...don't say it!

Just hits me as a tad odd that a program supplied as a default Linux program - that does the same thing, shares the same name, and not hit a copyright wall; so suspect as an update.

All said and done it would appear my concerns a non issue. I just came across Transmission included in the excellent program "Portable Apps" https://sourceforge.net/projec... [sourceforge.net] . Not as isolated as I tended to believe; many checks and balances.

Re:

[Noah Haders]

transmission is a longtime award winning mac app.

Re:

[Anonymous Coward]

In Linux Mint 13.

Yes: and so is the source code https://www.transmissionbt.com/about/ So if there is hacked version for Linux it will be a compiled binary without the source being available which is against the terms and conditions of Mint. The dev that released the app on the APPLE "APE STORE" must monkeyed around with the code and deserves to be black balled from the dev communities permanently. I can't say as I blame the folks at transmission.COM for not paying to release it on the APE STORE system. Don't sweat it the b

Re:

[Fnord666]

Stop trying to find ways to steal other people's work without compensating them and you won't have this problem.

But just like drug users, there will always be an excuse for why people think it's acceptable.

Ok, I give up. What are you nattering on about?

Re:

[Jamu]

Apparently a peer-to-peer file transfer protocol can be used to transfer files from one peer to another. And... err... Chewbacca lives on the planet Endor, therefore coping files is stealing, we've always been at war with Eastasia, and you have to compensate people for their work, because... they've not lost anything?

Re:

[stealth_finger]

And... err... Chewbacca lives on the planet Endor...

Chewbacca lives on Endor? Does he have a thing for the furry little Ewoks, or are they just food? Next you'll be telling us that Jar-Jar Binks is a Sith Lord! Oh wait [reddit.com], perhaps he actually was meant to be that, but Lucas backed off because of the vitriol towards Binks. More info in link. Even an interesting secondary thread on the name Bink name possibly referencing a Piers Anthony character.

That does not make sense! Why would Chewbaca, an 8ft tall Wookie from the planet Kashyyk wand to live on Endor with a bunch of 2ft tall fucking Ewoks? If Chewbaca lives on Endor you must acquit!

Re:

[MrKrillls]

Don't give up. Don't ask.

Decipher

[manu0601]

Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

Re:

[SeaFox]

Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

Macrumors reports [macrumors.com] there was a three-day delay before the lockout would take effect. So most people haven't been caught by it yet.

Re: Decipher

[Anonymous Coward]

They did a pretty good job with Palo Alto.

The malware was on the site for about 32 hours, pulled at the end of that window, with both Gatekeeper & Xprotect updated in that time, as well as the Dev Cert being revoked. The patch was live before Palo Alto went public.

That's really good in terms of response time from Apple, Palo Alto Networks & the Transmission project.

Re:

[wootcat]

I'm really curious what made me "immune." I updated Transmission last Thursday or Friday to the version supposedly infected. I learned about the malware Sunday and immediately checked for the reported signs of an infected computer, of which I had none. I immediately upgraded to the clean version and as of last night, my Mac mini is still clean.

I never get this.

[rrohbeck]

How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

Re:

[krray]

No, he's just saying that to the end user the symptoms are the same, ie; "it doesn't work right anymore".

Replace the drive (not needed in this case), format, and reload from a good backup.

You have a good backup, right? :)

Re:

[antdude]

Unless it infects the backup drives too. :(

Re:

[rrohbeck]

How can it? They're offline or on a backup system, ideally offsite. Right?

Re:

[antdude]

Some people always have them connected. :(

Re:

[Anonymous Coward]

Then it's not a backup.

Re:

[Anonymous Coward]

Sure it is. The point of a backup is to be able to restore after disk failure or accidental deletion, and to restore data to an earlier timepoint. Having the backup online doesn't prevent any of those.

It's just not an ideal way of doing the job because the best backup solutions offer physical disaster recovery as well as the above. But that is a failure of the disaster recovery plan, not of backups.

Re:

[MMC Monster]

It's no different to a power user. As you said, you wipe and reinstall your apps and documents.

For the general public, it's a little different. With a failed drive they're hosed. With an encrypted file, they have the option to pay the ransom and regain their data. (And, typically, the second time around they'll buy an automated backup solution. Since this is an Apple OS, probably Time Capsule).

Re:I never get this.

[sociocapitalist]

How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

Because cryptolocker type attacks also encrypt any backup drives that are connected (either directly or over the network). You may even be backing up malware encrypted files, overwriting unencrypted files, for some time before the malware notice flashes up on your screen.

Keep in mind that the malware process runs encryption in the background for some time (i.e. until some target percentage of what the malware considers to be 'interesting files' has been encrypted) so you don't generally know that you're under attack until most of your files have been made useless to you.

The only reasonably certain defense is having a lot of one off backups that you make and then store offline. As USB keys are cheap I've been making weekly backups of the data that's really important and just throwing the keys in a drawer.

Re:

[castionsosa]

A failed drive is that... a failed drive. Any malware worth its salt will be encrypting/corrupting all data on external backup drives. It doesn't matter if you have RAID 7+1, replicated among three active/active peers. If the machine can get to it and rm/corrupt files, the backups are worthless.

What really needs do be done is to have an outside server SSH into the desktop machine and dump the files to someplace the desktop cannot touch by normal means. On Macs, this isn't too difficult -- have a decent

What is this backup

[future assassin]

you speak off?

Time Machine

[khchung]

So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

Re:

[Anonymous Coward]

I'm guessing the time machine files will all be encrypted themselves so that data cannot be recovered. Assuming here that the time machine drive files are similar in form to the application 'bundles', just instead of programs and shared libraries on the 'bundle', there will be a source file and the various binary diffs of the versions of the files.

Re:

[Anonymous Coward]

Yes, but if you look at your time capsule or w/e you're backing up to your time machine backups are a single large binary blob. So if the ransomware decided to encrypt that file, you'd be SOL as you couldn't access any of the time machine backups.

Re:

[wootcat]

From what I read on the Palo Alto site, the ransomware is still under development and looks like it will eventually encrypt TIme Machine, but that functionality is not active in this round.

Re:

[SilentChasm]

From the TorrentFreak article [torrentfreak.com]:

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Re:

[sociocapitalist]

So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

Timemachine is network attached storage and, as such, is reachable by the malware.

From the article: "...it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

Also, as the attack is over time you will be backing up encrypted files and if you don't have enough space on your time machine to keep backups for a looong time, you may end up with your entire set of backups encrypted.

Re:

[James Keane]

He's thinking of Time Capsule, a NAS built into a WiFi router, which identifies to Time Machine to make backups easier in a home network.

Re:

[castionsosa]

Time Machine is the Mac's built in backup program. Time Capsule is Apple's firewall/switch/Wi-Fi AP/NAS which allows one to back up (using Time Machine) to it, optionally encrypted.

As an alternative to the Time Capsule, especially if one already has a wireless AP, switch, or router, and just needs a NAS, a Synology or QNAP device is cheaper, and can store more. A 3TB Time Capsule runs about $400. You can buy a Synology 216se for $150, add two WD Reds for about $100 each, and have the same functionality a

Re:

[AmiMoJo]

How are Time Machine backups protected? Viruses on Windows like to infect System Restore points on XP (Vista and above has better security). Hopefully Time Machine backups are encrypted and protected by access control.

Re:

[castionsosa]

IIRC, Time Machine backups have an ACL, similar to what SELinux uses, to inhibit writing to TM backup disks. However, it may not be that difficult for software to override that, or just write to /dev/diskwhatever to zero out the backups.

Time Machine is best used with another backup program. Mozy comes to mind, or back up via TM to a NAS, and have the data stashed there, saved to another location via snapshots (either by an automated process like what Synology and QNAP offer), or just tar the NAS share, pi

What we need

[subk]

is in-browser support for BitTorrent so there can be better trust.

Re:

[castionsosa]

Opera has BitTorrent built in, but disabled by default. Not too hard to enable/use it.

2.84..updated?

[techtech]

Hi, I have two computers.

I remember I saw that "improved compatibilty with modern OS X" and pressed install update..., but I can not remember which one or even both. After checking this machines Transmission, it is still 2.84

And I when reading this, I actually catched an uber to get to my other office to check what was going on there. ... but that also had 2.84, so it seems that the 2.9 update was unsuccessful on both computer / or one of them...

so then all safe? or is it masking itself as an older version

Re:

[Anonymous Coward]

Just follow the instructions to check if your machines are infected, there's plenty of information from the guys at palo alto:

  http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

Re:

[666999]

Downloaded newest version (v2.92) from their site, installed, still shows as v2.84

But in the app's About window it shows the correct version number. Strange.

Apparently didn't affect auto updates.

[bkk_diesel]

According to a comment at MacRumors, the malware only infected software downloaded from the website, not software updated through the updater mechanism.

Time Machine safe, for now

[GlobalEcho]

From the technical analysis section of the research document [paloaltonetworks.com]

In addition to this behavior, it seems like KeRanger is still under development. There are some apparent functions named “_create_tcp_socket”, “_execute_cmd” and “_encrypt_timemachine”. Some of them have been finished but are not used in current samples. Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well. If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine.

So it would appear that Time Machine's current design keeps it's data safe -- for now -- from having one's online backups encrypted. As others have pointed out, that's not likely to last and offline backups are a *very* good idea.

Re:

[chefmonkey]

I think everything you're proposing can be achived via psuedonymity, which allows you to create a new persona detached from your real one (insulating the real you from persecution), but which allows the rest of use to set the "dipshit" flag on that persona if you're clearly a dipshit. Anonymity encourages assholism. Just reading through the "anonymous cowards" comments on Slashdot should be enough to make that fact evident.

Re:

[MobileTatsu-NJG]

Anonymity on the internet is immeasurably valuable in terms of free speech and this is one of the last somewhat meanigful places on the internet you can still have it.

AC posting on Slashdot is no more anonymous than posting with an account. It just uniquifies your identity in the discussion.