Slashdot Mirror

← Back to Stories (view on slashdot.org)

Transmission BitTorrent App Contained Malware (cnbc.com)

Posted by BeauHD on from the late-to-the-party dept.

An anonymous reader writes: Apple users were targeted in the first known Mac ransomware campaign. Hackers targeted Transmission, which is one of the most popular Mac applications used to download software, videos, music, and other data from the BitTorrent peer-to-peer information sharing network. As per this forum post (English screenshot of warning), OS X detected malware called OSX.KeRanger.A. This is the first one in the wild that is functional as it encrypts your files and seeks a ransom. An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.

52 of 109 comments (clear)

  1. Digital certs don't make your software secure by NotInHere · · Score: 3, Interesting

    In fact, in this case probably it was the contrary. I guess the developer was not part of the developer team for transmission, but external. If it were easy to package software for macs without having to pay lots of fees, the dev team could have done it themselves. Apple really should give free dev licenses to free software developers, to help fight abuse. Github does something like that too.

    1. Re:Digital certs don't make your software secure by Anonymous Coward · · Score: 4, Insightful

      $99 a year isn't an exorbitant fee for a code signing cert.

      Thats the only part of Apple's developer programs that require cost (besides buying a Mac, and frankly its not a crazy concept to own the platform you are developing for)

    2. Re:Digital certs don't make your software secure by Jamu · · Score: 3, Insightful

      You can probably make that back from the ransom payments...

      --
      Who ordered that?
    3. Re:Digital certs don't make your software secure by Anonymous Coward · · Score: 2, Informative

      Right. Because Macs run iOS. Of course.

      They don't, but the iDevice simulators in Xcode do.

    4. Re:Digital certs don't make your software secure by butzwonker · · Score: 3, Interesting

      It can be exorbitant for small developers in combination with the other requirements. You also need to buy Macs every 3-5 five years in order to be able to stay afloat as a developer. Let's say you only update your machine every 5 years (a bit optimistic). Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, web services, backup software and storage, etc. For serious business these costs are no problem. For small shareware and occasional developers these costs can be prohibitive. They certainly are the reason why I don't develop for Apple. And don't forget that Apple additionally takes 30% of all your revenue as opposed to 10 - 16 percent that ordinary payment services take, so the real costs for individual developers are much higher.

    5. Re:Digital certs don't make your software secure by Anonymous Coward · · Score: 1

      Holy shit! Good thing Windows development doesn't need any of this! Get a $99 used Windows XP computer and you can be up and running today.

    6. Re:Digital certs don't make your software secure by tlhIngan · · Score: 1

      Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, web services, backup software and storage, etc.

      Well, if you were a shareware developer that was hard up, I'd ditch the laptop and get a Mac Mini, which can be had for around $500 and updated far less often. I'd also ditch the AppleCare plan and self-insure, which should bring the cost down considerably. Yes, you need to supply a keyboard, mouse and monitor, but if you're resourceful, those can be had for practically free. So your total cost is around $200 a year, or half o what you figured going the economy route. Though if you're really trying to skimp, I would suggest finding a regular day job to pay the bills and do the shareware stuff on the side, like most developers out there.

      You can develop on Macs on even the most low end of Macs.

  2. Re:"peer-to-peer information sharing network" by NotInHere · · Score: 1

    Sadly we live in the age of walled gardens, and not of open protocols. I really don't wonder that people mix this.

  3. If I remember right transmission is also included by Trax3001BBS · · Score: 1

    In Linux Mint 13.

  4. Re:No sympathy by Fnord666 · · Score: 1

    Stop trying to find ways to steal other people's work without compensating them and you won't have this problem.

    But just like drug users, there will always be an excuse for why people think it's acceptable.

    Ok, I give up. What are you nattering on about?

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  5. Re:No sympathy by Jamu · · Score: 1

    Apparently a peer-to-peer file transfer protocol can be used to transfer files from one peer to another. And... err... Chewbacca lives on the planet Endor, therefore coping files is stealing, we've always been at war with Eastasia, and you have to compensate people for their work, because... they've not lost anything?

    --
    Who ordered that?
  6. Re:No sympathy by MrKrillls · · Score: 1

    Don't give up. Don't ask.

    --
    Don't step on the baby.
  7. Re:If I remember right transmission is also includ by Anonymous Coward · · Score: 3, Insightful

    Given that Transmission originates as a project purely for Mac OS (which has subsequently become cross platform), I'd be amazed if the main devs didn't own Macs.

  8. Decipher by manu0601 · · Score: 1

    Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

    1. Re:Decipher by SeaFox · · Score: 2

      Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

      Macrumors reports there was a three-day delay before the lockout would take effect. So most people haven't been caught by it yet.

    2. Re: Decipher by Anonymous Coward · · Score: 1

      They did a pretty good job with Palo Alto.

      The malware was on the site for about 32 hours, pulled at the end of that window, with both Gatekeeper & Xprotect updated in that time, as well as the Dev Cert being revoked. The patch was live before Palo Alto went public.

      That's really good in terms of response time from Apple, Palo Alto Networks & the Transmission project.

    3. Re:Decipher by wootcat · · Score: 1

      I'm really curious what made me "immune." I updated Transmission last Thursday or Friday to the version supposedly infected. I learned about the malware Sunday and immediately checked for the reported signs of an infected computer, of which I had none. I immediately upgraded to the clean version and as of last night, my Mac mini is still clean.

      --
      I'm really a low 5-digit Slashdotter, but this ID is where I am now.
  9. I never get this. by rrohbeck · · Score: 3, Insightful

    How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

    --
    thegodmovie.com - watch it
    1. Re: I never get this. by krray · · Score: 2

      No, he's just saying that to the end user the symptoms are the same, ie; "it doesn't work right anymore".

      Replace the drive (not needed in this case), format, and reload from a good backup.

      You have a good backup, right? :)

    2. Re:I never get this. by antdude · · Score: 2

      Unless it infects the backup drives too. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:I never get this. by rrohbeck · · Score: 1

      How can it? They're offline or on a backup system, ideally offsite. Right?

      --
      thegodmovie.com - watch it
    4. Re:I never get this. by antdude · · Score: 1

      Some people always have them connected. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:I never get this. by Anonymous Coward · · Score: 1

      Then it's not a backup.

    6. Re:I never get this. by MMC+Monster · · Score: 1

      It's no different to a power user. As you said, you wipe and reinstall your apps and documents.

      For the general public, it's a little different. With a failed drive they're hosed. With an encrypted file, they have the option to pay the ransom and regain their data. (And, typically, the second time around they'll buy an automated backup solution. Since this is an Apple OS, probably Time Capsule).

      --
      Help! I'm a slashdot refugee.
    7. Re:I never get this. by sociocapitalist · · Score: 3, Insightful

      How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

      Because cryptolocker type attacks also encrypt any backup drives that are connected (either directly or over the network). You may even be backing up malware encrypted files, overwriting unencrypted files, for some time before the malware notice flashes up on your screen.

      Keep in mind that the malware process runs encryption in the background for some time (i.e. until some target percentage of what the malware considers to be 'interesting files' has been encrypted) so you don't generally know that you're under attack until most of your files have been made useless to you.

      The only reasonably certain defense is having a lot of one off backups that you make and then store offline. As USB keys are cheap I've been making weekly backups of the data that's really important and just throwing the keys in a drawer.

      --
      blindly antisocialist = antisocial
    8. Re:I never get this. by Anonymous Coward · · Score: 1

      Sure it is. The point of a backup is to be able to restore after disk failure or accidental deletion, and to restore data to an earlier timepoint. Having the backup online doesn't prevent any of those.

      It's just not an ideal way of doing the job because the best backup solutions offer physical disaster recovery as well as the above. But that is a failure of the disaster recovery plan, not of backups.

    9. Re:I never get this. by castionsosa · · Score: 1

      A failed drive is that... a failed drive. Any malware worth its salt will be encrypting/corrupting all data on external backup drives. It doesn't matter if you have RAID 7+1, replicated among three active/active peers. If the machine can get to it and rm/corrupt files, the backups are worthless.

      What really needs do be done is to have an outside server SSH into the desktop machine and dump the files to someplace the desktop cannot touch by normal means. On Macs, this isn't too difficult -- have a decent Synology NAS with zbackup installed do a dump.

  10. Re:"peer-to-peer information sharing network" by Dunbal · · Score: 1

    One man's walled garden is another man's state prison...

    --
    Seven puppies were harmed during the making of this post.
  11. Re:If I remember right transmission is also includ by Noah+Haders · · Score: 2

    transmission is a longtime award winning mac app.

  12. Time Machine by khchung · · Score: 3, Informative

    So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

    After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

    --
    Oliver.
    1. Re:Time Machine by Anonymous Coward · · Score: 2, Insightful

      I'm guessing the time machine files will all be encrypted themselves so that data cannot be recovered. Assuming here that the time machine drive files are similar in form to the application 'bundles', just instead of programs and shared libraries on the 'bundle', there will be a source file and the various binary diffs of the versions of the files.

    2. Re:Time Machine by SilentChasm · · Score: 2

      From the TorrentFreak article:

      Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

    3. Re:Time Machine by sociocapitalist · · Score: 1

      So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

      After all, once it was encrypted, you can use it anymore, so it is simple to just get the version before the last update time.

      Timemachine is network attached storage and, as such, is reachable by the malware.

      From the article: "...it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

      Also, as the attack is over time you will be backing up encrypted files and if you don't have enough space on your time machine to keep backups for a looong time, you may end up with your entire set of backups encrypted.

      --
      blindly antisocialist = antisocial
    4. Re:Time Machine by AmiMoJo · · Score: 1

      How are Time Machine backups protected? Viruses on Windows like to infect System Restore points on XP (Vista and above has better security). Hopefully Time Machine backups are encrypted and protected by access control.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Time Machine by Anonymous Coward · · Score: 1

      Yes, but if you look at your time capsule or w/e you're backing up to your time machine backups are a single large binary blob. So if the ransomware decided to encrypt that file, you'd be SOL as you couldn't access any of the time machine backups.

    6. Re:Time Machine by JamesKeane7745 · · Score: 1

      He's thinking of Time Capsule, a NAS built into a WiFi router, which identifies to Time Machine to make backups easier in a home network.

    7. Re:Time Machine by castionsosa · · Score: 1

      Time Machine is the Mac's built in backup program. Time Capsule is Apple's firewall/switch/Wi-Fi AP/NAS which allows one to back up (using Time Machine) to it, optionally encrypted.

      As an alternative to the Time Capsule, especially if one already has a wireless AP, switch, or router, and just needs a NAS, a Synology or QNAP device is cheaper, and can store more. A 3TB Time Capsule runs about $400. You can buy a Synology 216se for $150, add two WD Reds for about $100 each, and have the same functionality as the TC... except with RAID 1 [1].

      One backup plan that I have been doing is having more than one NAS. My first NAS is where my shares are directly attached for backups of my desktop boxes. The second NAS doesn't interact with any machines other than the first NAS, and is where the first NAS pushes snapshots to. Synology's replication software (which does deduplicate) can keep up to 256 snapshots, space permitting, so if malware does zero out the NAS shares, those can be restored to a pre-calamity state, and files restored to desktops.

      [1]: Technically Linux's MD-RAID.

    8. Re:Time Machine by castionsosa · · Score: 1

      IIRC, Time Machine backups have an ACL, similar to what SELinux uses, to inhibit writing to TM backup disks. However, it may not be that difficult for software to override that, or just write to /dev/diskwhatever to zero out the backups.

      Time Machine is best used with another backup program. Mozy comes to mind, or back up via TM to a NAS, and have the data stashed there, saved to another location via snapshots (either by an automated process like what Synology and QNAP offer), or just tar the NAS share, pipe it to a zbackup repository.

    9. Re:Time Machine by wootcat · · Score: 1

      From what I read on the Palo Alto site, the ransomware is still under development and looks like it will eventually encrypt TIme Machine, but that functionality is not active in this round.

      --
      I'm really a low 5-digit Slashdotter, but this ID is where I am now.
  13. What we need by subk · · Score: 1

    is in-browser support for BitTorrent so there can be better trust.

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:What we need by castionsosa · · Score: 1

      Opera has BitTorrent built in, but disabled by default. Not too hard to enable/use it.

  14. Re:If I remember right transmission is also includ by Anonymous Coward · · Score: 1

    In Linux Mint 13.

    Yes: and so is the source code https://www.transmissionbt.com/about/ So if there is hacked version for Linux it will be a compiled binary without the source being available which is against the terms and conditions of Mint. The dev that released the app on the APPLE "APE STORE" must monkeyed around with the code and deserves to be black balled from the dev communities permanently. I can't say as I blame the folks at transmission.COM for not paying to release it on the APE STORE system. Don't sweat it the black hats like this prick don't go after Linux users 1. because by and large we know to look out for stupid alteration that do not include source. 2. We are mostly cheap assholes who thumb our noses at Apple and Mac users LOL. First rule of linux if the code 'aint available and easily verifiable don't use it.

  15. Re: ban anonymous cowards by MobileTatsu-NJG · · Score: 1

    Anonymity on the internet is immeasurably valuable in terms of free speech and this is one of the last somewhat meanigful places on the internet you can still have it.

    AC posting on Slashdot is no more anonymous than posting with an account. It just uniquifies your identity in the discussion.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  16. Re:The REAL Phantom Menace by stealth_finger · · Score: 1

    And... err... Chewbacca lives on the planet Endor...

    Chewbacca lives on Endor? Does he have a thing for the furry little Ewoks, or are they just food? Next you'll be telling us that Jar-Jar Binks is a Sith Lord! Oh wait, perhaps he actually was meant to be that, but Lucas backed off because of the vitriol towards Binks. More info in link. Even an interesting secondary thread on the name Bink name possibly referencing a Piers Anthony character.

    That does not make sense! Why would Chewbaca, an 8ft tall Wookie from the planet Kashyyk wand to live on Endor with a bunch of 2ft tall fucking Ewoks? If Chewbaca lives on Endor you must acquit!

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  17. 2.84..updated? by techtech · · Score: 1

    Hi, I have two computers.

    I remember I saw that "improved compatibilty with modern OS X" and pressed install update..., but I can not remember which one or even both. After checking this machines Transmission, it is still 2.84

    And I when reading this, I actually catched an uber to get to my other office to check what was going on there. ... but that also had 2.84, so it seems that the 2.9 update was unsuccessful on both computer / or one of them...

    so then all safe? or is it masking itself as an older version or something.

    1. Re:2.84..updated? by Anonymous Coward · · Score: 1

      Just follow the instructions to check if your machines are infected, there's plenty of information from the guys at palo alto:

        http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

    2. Re:2.84..updated? by 666999 · · Score: 1

      Downloaded newest version (v2.92) from their site, installed, still shows as v2.84

      But in the app's About window it shows the correct version number. Strange.

  18. Apparently didn't affect auto updates. by bkk_diesel · · Score: 1

    According to a comment at MacRumors, the malware only infected software downloaded from the website, not software updated through the updater mechanism.

  19. What is this backup by future+assassin · · Score: 1

    you speak off?

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  20. Time Machine safe, for now by GlobalEcho · · Score: 1

    From the technical analysis section of the research document

    In addition to this behavior, it seems like KeRanger is still under development. There are some apparent functions named “_create_tcp_socket”, “_execute_cmd” and “_encrypt_timemachine”. Some of them have been finished but are not used in current samples. Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well. If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine.

    So it would appear that Time Machine's current design keeps it's data safe -- for now -- from having one's online backups encrypted. As others have pointed out, that's not likely to last and offline backups are a *very* good idea.

  21. Re:If I remember right transmission is also includ by Trax3001BBS · · Score: 1

    Transmission started on the Mac. You really think that a couple $k for tools is a big deal to those with a job?

    TL;DR: Geez Louise, cuntcheese, if you don't know what you're talking about...don't say it!

    Just hits me as a tad odd that a program supplied as a default Linux program - that does the same thing, shares the same name, and not hit a copyright wall; so suspect as an update.

  22. Re:If I remember right transmission is also includ by Trax3001BBS · · Score: 1

    Transmission started on the Mac. You really think that a couple $k for tools is a big deal to those with a job?

    TL;DR: Geez Louise, cuntcheese, if you don't know what you're talking about...don't say it!

    Just hits me as a tad odd that a program supplied as a default Linux program - that does the same thing, shares the same name, and not hit a copyright wall; so suspect as an update.

    All said and done it would appear my concerns a non issue. I just came across Transmission included in the excellent program "Portable Apps" https://sourceforge.net/projec... . Not as isolated as I tended to believe; many checks and balances.