Following closely upon the hacking of the Linux Mint website, the developers of the Transmission BitTorrent client have announced that last week's 2.90 release was infected by a new form of OSX malware, OSX.KeRanger.A (or "KeyRanger" as 9to5mac is calling it).
The payload appears to be the first OSX ransomware discovered in the wild. If it works, OSX.KeRanger.A should begin encrypting infected users' files on Monday, March 7. The malware seems to have been included only in downloads from the developers' website, while Transmission's internal update function (using the Sparkle framework) seems to have delivered clean updates. The developers have released two updates (2.91 and 2.92) in the past twenty-four hours to remove the infection.
Those who use Transmission on OSX should check for the following on their systems:
- a process called "kernel_service" running
- a file "Contents/Resources/General.rtf" inside the Transmission.app directory
- any of the following files in the "/Library/" directory: ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service"
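The three checks above as one script, an added example that is not part of the story or of the Transmission project. The app bundle path and the /Library/ directory default to the locations the story names, but both can be overridden so the function can be exercised against a constructed directory tree; it relies on `pgrep` being available for the process check.

```shell
#!/bin/sh
# Added example: report the KeRanger indicators listed in the story.
# Usage: keranger_indicators [app_dir] [lib_dir]
#   app_dir defaults to /Applications/Transmission.app (assumed install path)
#   lib_dir defaults to /Library
# Prints one line per indicator found and returns the number found,
# so a zero exit status means none of the listed indicators were present.
keranger_indicators() {
    app_dir="${1:-/Applications/Transmission.app}"
    lib_dir="${2:-/Library}"
    found=0

    # 1. A running process named "kernel_service"
    #    (pgrep -x matches the exact process name; stderr is silenced in
    #    case pgrep is missing, which simply counts as "not found").
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "INDICATOR: process kernel_service is running"
        found=$((found + 1))
    fi

    # 2. General.rtf dropped inside the Transmission.app bundle
    if [ -f "$app_dir/Contents/Resources/General.rtf" ]; then
        echo "INDICATOR: $app_dir/Contents/Resources/General.rtf exists"
        found=$((found + 1))
    fi

    # 3. Marker files in the /Library/ directory
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib_dir/$name" ]; then
            echo "INDICATOR: $lib_dir/$name exists"
            found=$((found + 1))
        fi
    done

    echo "$found indicator(s) found"
    return "$found"
}
```

Run `keranger_indicators` with no arguments on the Mac in question; any non-zero exit status means at least one of the listed indicators was present and the machine should be treated as compromised until the 2.92 update has been installed and the artifacts removed.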
[Update:] According to a report in ITWorld, "Apple shuts down first-ever ransomware attack against Mac users":
With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware.
[...] The tainted Transmission version was signed with a legitimate Apple developer's certificate. If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's GateKeeper that the application could be dangerous.
Apple revoked the certificate after being notified on Friday, [Security company] Palo Alto wrote. The company has also updated its XProtect antivirus engine.
After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system. It is coded to encrypt more than 300 types of files.
Related Stories
If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016), you should immediately check the MD5 checksum. Blog entry here.
From Clem:
We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and to the names of three people there.
The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
(Score: -1, Troll) by Anonymous Coward on Sunday March 06 2016, @10:15PM
what happened to that?
(Score: 2, Informative) by Anonymous Coward on Sunday March 06 2016, @10:46PM
Linux got its first ransomware last year with Linux.Encoder.1. Both Linux.Encoder.1 and OSX.KeRanger.A require nothing above user privileges, because encryption of user files is simple and requires no escalation. Like Linux ransomware, this requires installation by hand (it's not part of the Mac App Store but an independent download).
The Transmission developers got either careless or greedy. Either way, this isn't a Mac security problem so much as it is a general problem of trusting developers. The same can and has happened on Linux.
(Score: 0) by Anonymous Coward on Monday March 07 2016, @04:06AM
This wasn't about Linux. Spin again, Joe.
(Score: 2) by isostatic on Monday March 07 2016, @01:36PM
The threat surface has changed over the last 20 years.
(Score: -1, Troll) by Anonymous Coward on Monday March 07 2016, @12:13AM
The name is fucking Transmission... Of course it's going to be the way a virus spreads.
This, from a recovering Gnome user who has since switched away from that shit after trying and failing to maintain a single piece of the cluster fuck these people call "code".
(Score: 0) by Anonymous Coward on Monday March 07 2016, @06:23AM
It asks victims to pay exactly one bitcoin. To the following address.
https://blockchain.info/en/address/1PGAUBqHNcwSHYKnpHgzCrPkyxNxvsmEof [blockchain.info]
Looks like the only piece of malware these OSX users are paying for is their operating system.
(Score: 1) by anubi on Monday March 07 2016, @07:40AM
I remember back in the days of the Seagate ST-225, I never knew once I powered my system down, if it would come back up again. Those drives were known for "stiction" problems. Many times I used to pick up my entire machine and violently snap it in a rotary manner to free the stuck drive by breaking the disks free using rotational inertia.
If that didn't work, I would have to take the machine apart, remove the drive, and do the same with the drive out of the machine... that way I could direct more of what force I could muster on the disk assembly. If that didn't work, I would start tapping it on the desk or use an object to strike it to try to free up the platters.
I knew the disk was dying. But it wasn't dead yet. A new one at the time was about $400. This was a machine I built up from throwaways at work (an aerospace contractor) that showed up in the surplus store.
Seems no different today; however, it isn't the probability of disk stiction that threatens your stuff on your disk... it's malware like this.
The solution now is little changed from the solution then.
Keep backups!
It's a lot more difficult today to keep good backups, as a lot of code is now full of proprietary interlocks and licensing verification that is apt to fail, so I resort to disk images.
Buy several large high capacity external drives. Do not toss your old images. In the event of a "time bomb", your more recent images may have this in them, waiting to detonate just as soon as they see your clock. You may have to retrieve your executables off of an older backup and your more recent work off of a newer backup. Be very cautious of willy-nilly versioning upgrades, for in the event of a time bomb, you may find a recent executable useless - infected with a time bomb - but the older executable failing to recognize the newer files.
If you are working for yourself, you can probably protect yourself pretty well, but in the corporate world, you probably have to prance out there on the net naked as a jaybird.
I use CloneZilla these days... in the old days it was a shoebox full of floppies and extra hard drives.
Whatever you do, PLEASE do not feed these troublemakers by paying their ransom. We will just see more of it.
Statistics are on our side. We know what we are doing. There are a lot of people with political power but no technical acumen out there. Eventually some business executive will have his business nailed with the thing; and cost him a LOT of money. HE will have the political connections it takes to actually do something about stuff like this.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]