First OS X ransomware inadvertently distributed by Transmission update
MacNN Staff (Join Date: Jul 2012)
A recent update to popular BitTorrent client Transmission has been withdrawn and replaced because of malware included in the installer. Early downloads of the Transmission 2.90 client were infected with a ransomware package which has been dubbed "KeRanger" by the security researchers at Palo Alto Networks. KeRanger is the first functional malware of its kind on OS X.
If installed, the package waits for three days before contacting command and control servers through Tor, sending the Mac model number and UUID, which are probably used to derive an encryption key. Following successful communication with the control server, the malware starts encrypting documents stored on the host system.
The documents the malware seeks to encrypt include nearly every audio and video type, Microsoft documents, source code files, SQL databases, certificates, and compressed archives. Palo Alto notes that it also attempts to encrypt Time Machine backup files -- but without success. After completion, the malware informs the user that a ransom of one bitcoin must be paid to a specific address for decryption of the afflicted files.
The malware was signed with a valid app development certificate, so Gatekeeper allowed it to pass before Apple killed the abused certificate. The infected Transmission installers were signed with a different certificate than the one historically used by the developer ID attached to the open-source project. At this time, it is not known how the malware was included in the distributed binary, but insinuation of the malware into the open source package without the program maintainer's knowledge seems likely.
Palo Alto has an examination procedure for manual eradication, which requires inspection of files in the library and investigation of processes running in Activity Monitor. Users who downloaded the installer between 8AM ET on March 4 and 4PM March 5 may have been struck by the malware. Older versions, and the new updates promulgated since the infected installer was distributed, are unaffected.
(Last edited by NewsPoster; Mar 16, 2016 at 05:35 AM.)
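A defender-side check for the signing-identity mismatch the article describes, added here as an example and not code from the article, Palo Alto, or the Transmission project: it parses `codesign -dvvv` output and flags a bundle whose Team ID differs from the one the project is expected to sign with, which is the case a bare Gatekeeper validity check accepts. The sample output and EXPECTED_TEAM_ID are constructed placeholders, not values from the real installer.

```python
import re
import subprocess

# Placeholder, not from the article: substitute the Team ID the project historically
# signs with. A valid Developer ID under a different team is what Gatekeeper alone accepts.
EXPECTED_TEAM_ID = "EXPECTEDTEAM"

def parse_codesign(output: str) -> dict:
    """Parse `codesign -dvvv` output (printed to stderr) into a dict.
    Authority= lines are kept in order, leaf certificate first."""
    info = {"Authority": []}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z. ]+)=(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info

def check_signer(output: str, expected_team_id: str) -> tuple:
    """Return (ok, reason): compare the signing identity, not just validity."""
    info = parse_codesign(output)
    team = info.get("TeamIdentifier")
    if team is None:
        return (False, "no TeamIdentifier: unsigned or ad-hoc signed bundle")
    leaf = info["Authority"][0] if info["Authority"] else ""
    if not leaf.startswith("Developer ID Application:"):
        return (False, f"leaf certificate is not a Developer ID cert: {leaf!r}")
    if team != expected_team_id:
        return (False, f"signed by unexpected team {team}, expected {expected_team_id}")
    return (True, f"signed by expected team {team}")

def check_bundle(path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> tuple:
    """Run codesign against a real bundle (macOS only) and check its signer."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return check_signer(proc.stderr, expected_team_id)

# Constructed sample output: a valid Developer ID chain, but under the wrong team.
SAMPLE_UNEXPECTED = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (OTHERTEAM00)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERTEAM00
"""
```

On a Mac, `check_bundle("/Applications/Transmission.app")` runs the same comparison against the installed bundle; `check_signer(SAMPLE_UNEXPECTED, EXPECTED_TEAM_ID)` shows the mismatch verdict offline.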
Forum Regular (Join Date: Dec 1999, Location: Brightwaters, NY)
Interesting, I wonder if Transmission is liable for virus-laden downloads on their site.
Fresh-Faced Recruit (Join Date: Oct 2012)
" Following successful communication with the control server, the malware starts encrypting documents stored on the host system"
What does "host system" include? Just the internal drive, externally connected drives, and/or NAS devices? While I'm not affected by this, I keep my backups on NAS units, and was wondering if these were subject to this type of attack.
Mike
Managing Editor (Join Date: Jul 2012)
If a drive is mounted and available to an infected OS, then it is generally subject to these kinds of attacks.
Dedicated MacNNer (Join Date: Apr 2007)
Originally Posted by NewsPoster
... it also attempts to encrypt Time Machine backup files -- but without success.
One more reason for everyone to have Time Machine running. I've lost track of how many people stop by the forums for advice on drive recovery. Invariably they hadn't set up TM or any other backup solution.
Backups are good for everyone. Go get a spare drive and start Time Machine.