BitTorrent Client Transmission Infected With First Mac Ransomware
#1
[Image: transmission-2.jpg]With millions of active users, Transmission is one of the most used BitTorrent clients around, particularly for Mac users.

The application has been around for more than a decade and has a great reputation. However, this weekend several users started to report malware problems in the Transmission forums.

The malware in question was identified as “OSX.KeRanger.A” and several users reported that it’s linked to Transmission 2.90.

Today, their suspicions were confirmed by researchers from Palo Alto Networks who published a warning and an overview of the technical details on their website.

“Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site,” they write.

KeRanger is so-called ransomware which effectively encrypts the victim’s computer. The attackers then promise to decrypt it if a ransom is paid, amounting to one Bitcoin in this case.


[b]Ransom request (image credit Palo Alto Networks)[/b]
[Image: ransomreq.png]
“The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files,” the researchers explain.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

Apple was also informed about the issue and has since revoked the abused certificate and updated its XProtect antivirus signature.

As Ars Technica points out, the “KeRanger” ransomware is notable as it’s the first Mac-targeted ransomware that’s been reported in the wild.

The Transmission team, meanwhile, has added a warning message to their site, alerting users to upgrade their clients right away.

“Everyone running 2.90 on OS X should immediately upgrade to 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the ‘OSX.KeRanger.A’ ransomware is correctly removed from you computer,” the warning reads.


Transmission warning
[Image: transmission-ransomware.png]
Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.
[Image: Torrentfreak?d=yIl2AUoC8zA][Image: Torrentfreak?i=OzFSh0dDcYk:S392A2n-wBQ:D7DqB2pKExk]
[Image: OzFSh0dDcYk]

Originally Published: Sun, 06 Mar 2016 22:23:23 +0000
source
Reply
#2
Aah... The same virus like CriptoWall for Windows. RIP originality, hackers!
Reply
#3
I guess this is for Apple fans...
Reply
#4
Windows malware live long. This one was taken down quickly. Certificate was revoked quickly. Apple malware is still not very easy to monetise, but yes, as more users buy Apple - it is now a new target. Mac malware list is growing quickly. http://macsecurity.net/view/113/
Reply
#5
This on the heels of another thread here about an infected Linux distro.

While is it noteworthy that neither of these cases were Windows targets, it is more significant to note both instances were attacks on what should be a trusted download source rather than through ads or shady web sites tricking people into installing their wares.
Reply
#6
But how the hell did hackers managed to change the app with an infected one? The same applies to Linux distro. Either it was an inside job or the servers got cracked (if that's the case, dumb admins; use the latest security tips next time)
Reply
#7
(Mar 07, 2016, 15:19 pm)dolly_cat Wrote: But how the hell did hackers managed to change the app with an infected one? The same applies to Linux distro. Either it was an inside job or the servers got cracked (if that's the case, dumb admins; use the latest security tips next time)



That was pretty much my point.  Both are less stories about malware on the Mac or Linux platforms and more about the malware installation vector being a "trusted" source.

No amount of security on any platform can stop people from installing the malware themselves when they believe it to be a legitimate piece of software.

I haven't found an article in either case that has explained how the malware was slipped into the package they were serving up to the public.
Reply
#8
EDIT: Never mind my message... better not give them any ideas.
Reply
#9
Moe Wrote:That was pretty much my point.  Both are less stories about malware on the Mac or Linux platforms and more about the malware installation vector being a "trusted" source.

Well... Shit Dodgy
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Judge Issues Devastating Order Against BitTorrent Copyright Troll Ernesto 1 17,948 Jan 10, 2018, 23:25 pm
Last Post: contrail
  World’s Largest BitTorrent Trackers Suffer Prolonged Downtime Ernesto 13 54,293 Mar 05, 2014, 14:07 pm
Last Post: Metamorphic-rock



Users browsing this thread: 10 Guest(s)