
posted by martyb on Sunday March 06 2016, @11:22AM
from the get-your-updates-now dept.

Following closely upon the hacking of the Linux Mint website, the developers of the Transmission BitTorrent client have announced that last week's 2.90 release was infected by a new form of OSX malware, OSX.KeRanger.A (or "KeyRanger" as 9to5mac is calling it).

The payload appears to be the first OSX ransomware discovered in the wild. If it works, OSX.KeRanger.A should begin encrypting infected users' files on Monday, March 7. The malware appears to have been included only in downloads from the developers' website; Transmission's internal update function (using the Sparkle framework) appears to have delivered clean updates. The developers have released two updates (2.91 and 2.92) in the past twenty-four hours to remove the infection.

Those who use Transmission on OSX should check for the following on their systems:

  • a process called "kernel_service" running
  • a file "Contents/Resources/General.rtf" inside the Transmission.app directory
  • any of the following files in the "/Library/" directory: ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service"
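A defender's script for the three indicators listed above, added here as an example (it is not code from the SoylentNews post or from the Transmission project). The optional arguments (app bundle path, Library path, process list) are assumptions added so the check can be pointed at a test fixture; the defaults are the locations the post names.

```sh
#!/bin/sh
# Added example, not code from the post: checks the KeRanger indicators
# listed above. Arguments are assumptions so the function can be pointed at
# a fixture: $1 = Transmission.app path, $2 = Library path, $3 = process list.

# Prints each indicator found; returns 0 when clean, 1 when anything matched.
keranger_check() {
    app_dir="${1:-/Applications/Transmission.app}"
    lib_dir="${2:-/Library}"
    # Third argument overrides the live process list (one command per line).
    if [ $# -ge 3 ]; then
        procs="$3"
    else
        procs="$(ps -axo comm= 2>/dev/null)"
    fi
    hits=0

    # Indicator 1: a running process named kernel_service (ps may print a path).
    if printf '%s\n' "$procs" | grep -qE '(^|/)kernel_service$'; then
        echo "HIT: kernel_service process is running"
        hits=$((hits + 1))
    fi

    # Indicator 2: General.rtf inside the Transmission bundle.
    if [ -e "$app_dir/Contents/Resources/General.rtf" ]; then
        echo "HIT: $app_dir/Contents/Resources/General.rtf exists"
        hits=$((hits + 1))
    fi

    # Indicator 3: the state files the post lists under the Library directory.
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib_dir/$name" ]; then
            echo "HIT: $lib_dir/$name exists"
            hits=$((hits + 1))
        fi
    done

    if [ "$hits" -eq 0 ]; then
        echo "clean: none of the KeRanger indicators were found"
        return 0
    fi
    echo "$hits indicator(s) found; remove Transmission 2.90 and update to 2.92"
    return 1
}

# Run directly: exit status 0 = clean, 1 = indicators found.
keranger_check "$@"
```

Run it as a normal user; none of the checks need root, since the indicators live in the process list and in world-readable paths.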

[Update:] According to a report in ITWorld, Apple shuts down first-ever ransomware attack against Mac users.

With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware.

[...] The tainted Transmission version was signed with a legitimate Apple developer's certificate. If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous.

Apple revoked the certificate after being notified on Friday, [Security company] Palo Alto wrote. The company has also updated its XProtect antivirus engine.

After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system. It is coded to encrypt more than 300 types of files.


  • (Score: -1, Troll) by Anonymous Coward on Sunday March 06 2016, @10:15PM

    by Anonymous Coward on Sunday March 06 2016, @10:15PM (#314596)

    What happened to that?

  • (Score: 2, Informative) by Anonymous Coward on Sunday March 06 2016, @10:46PM

    by Anonymous Coward on Sunday March 06 2016, @10:46PM (#314610)

    Linux got its first ransomware last year with Linux.Encoder.1. Both Linux.Encoder.1 and OSX.KeRanger.A require nothing above user privileges, because encryption of user files is simple and requires no escalation. Like Linux ransomware, this requires installation by hand (it's not part of the Mac App Store but an independent download).

    The Transmission developers got either careless or greedy. Either way, this isn't a Mac security problem so much as it is a general problem of trusting developers. The same can happen, and has happened, on Linux.

    • (Score: 0) by Anonymous Coward on Monday March 07 2016, @04:06AM

      by Anonymous Coward on Monday March 07 2016, @04:06AM (#314702)

      This wasn't about Linux. Spin again, Joe.

  • (Score: 2) by isostatic on Monday March 07 2016, @01:36PM

    by isostatic (365) on Monday March 07 2016, @01:36PM (#314913) Journal

    The threat surface has changed over the last 20 years.