Transmission torrenting app compromised in OS X
The OS X installer of the popular torrenting app Transmission has been compromised with ransomware. So far Linux users remain unaffected, and OS X users are urged to upgrade to Transmission 2.92.
The Research Center page on the Palo Alto Networks site has more details on the ransomware in the OS X version of Transmission:
On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware "KeRanger." The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.
Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (https://download.transmissionbt.com/files/Transmission-2.90.dmg). Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.
The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.
The news about the OS X ransomware caught the attention of Linux redditors, some of whom wondered if the Linux version of Transmission had also been affected:
Venditatio: "Most Linux users of Transmission probably installed it through their package managers, so unless the source code was tampered with, not many people will be affected."
Thegnarts: "That’s where everyone should remind themselves of the purpose of distributions and signed packages. It’s also why those few wishing to contaminate our ecosystem with auto-updaters coz-the-distro-maintainers-2-slow-2-fix should be publicly ridiculed."
Russjr08: "...the ironic thing here is that users who updated via the auto-update mechanism didn't receive the bad update, due to signature checking, while those who manually downloaded it did."
EchoTheRat: "For those searching for an alternative, looks like even qBittorrent and Deluge suffered some kind of forum attack. Deluge even had a text file uploaded on its site. From qBittorrent side, they currently say that there wasn't a hack."
Wirelessflyingcord: "I think I remember getting an auto-email about qBittorrent when the password was reset and according to LastPass history I did change it around that time, but never received any email about Deluge. How nice to hear about a forum hack two and a half months later."
Thatmofo: "Sigh, this is specific to OS X and has nothing to do with Linux."
Linusbobcat: "I updated using the built-in updater, what should I do?"
Thatmofo: "Update to 2.92 if you're an OS X user. It's the Transmission team's fault for not using HTTPS before. They do now."
Visionator: "I think it's disingenuous to suggest that this was a MITM attack and therefore fixable with HTTPS. It would be obvious if there was a massive BGP hijack. The way more likely situation is that the download itself was compromised on the origin server, the same way the Linux Mint images were a few weeks ago."
Cac-p47: "I had updated to 2.90 middle of last week sometime. I didn't have the offending process or any related files. Apparently it was only delivered via a package wrapped around the full 2.90 .dmg from the Transmission website sometime on Friday, and those who just updated to 2.90 were safe. I updated again to 2.92 today (which supposedly had a fix for those who WERE actually infected) and checked everything again and all seems well."
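The thread above turns on one practical point: users who got Transmission through a signed channel (a distribution package or the in-app updater's signature check) were protected, while users who fetched the DMG by hand from the website installed whatever the origin server happened to be serving. The script below is an added example, not code from the article, from Palo Alto Networks or from the Transmission project. It shows the minimum a manual downloader can do: compare the installer against a digest obtained out of band (a signed release announcement or a package repository's metadata, not the same web server the file came from) and refuse to install on mismatch. The file names, the "genuine" and "tampered" payloads and the pinned digest are constructed for the demo; the pinned value is the SHA-256 of the constructed good payload, not of any real Transmission-2.90.dmg.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against an out-of-band SHA-256
# before installing. Everything here is constructed demo data.

# Compute the SHA-256 of a file; works with GNU coreutils (sha256sum) and
# with the BSD/macOS shasum utility.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its digest equals the pinned value.
# The expected digest must come from a channel the attacker who controls
# the download server does not also control, or the check proves nothing.
verify_download() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches pinned digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Pinned digest (constructed): SHA-256 of the text "hello\n", which stands in
# for the digest a maintainer would publish alongside a release.
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Constructed demo files: a genuine installer and a replaced one.
DEMO_DIR=$(mktemp -d)
DEMO_GOOD="$DEMO_DIR/installer-genuine.dmg"
DEMO_BAD="$DEMO_DIR/installer-replaced.dmg"
printf 'hello\n' > "$DEMO_GOOD"
printf 'recompiled payload\n' > "$DEMO_BAD"

# Demo run: the genuine file passes, the replaced file is refused.
verify_download "$DEMO_GOOD" "$PINNED_SHA256"
verify_download "$DEMO_BAD" "$PINNED_SHA256" || echo "refusing to install $DEMO_BAD"
```

A digest check only catches a swapped file; it does not tell you who signed it. On OS X the complementary step is to inspect the signing identity of the installed app with `codesign -dv --verbose=4 /Applications/Transmission.app` and compare the printed Authority and TeamIdentifier lines with the developer you expect. Gatekeeper alone accepts any unrevoked Developer ID certificate, which is exactly why a KeRanger build signed with a different but valid certificate got through.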