Slashdot Mirror


Transmission Malware On Mac, Strike 2 (macrumors.com)

New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.

61 comments

  1. Gee.. I wonder why. by fish_in_the_c · · Score: 3

    Why would a platform which is hated by many multibillion dollar corporations for being used to violate their legal rights be a target for malware.
    ( ok.... I think I will go put on my tinfoil hat now :) but then again it does make you kind of wonder. Does anyone else know who or why people target this kind of system with malware. I suppose it is also a good target because the machines may already be using large amounts of bandwidth so there is less chance of detection. Seriously though, anybody out there know why malware makers pick specific targets, what makes some easier etc.

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    1. Re:Gee.. I wonder why. by Anonymous Coward · · Score: 3, Interesting

      I think it's more of a case of a "hacker" going down through the list of "Most popular Mac OS applications", and finding that number X (in this case, Transmission) had a good popularity to ease of hacking ratio. That is, it was easy to hack and popular enough to be a good infection vector.

      If number X-1 was easier to hack, it would've been that one instead.

      I don't believe that anyone would target transmission specifically because it is a bittorrent client, since there are a whole bunch of other clients (I use Deluge on Linux) and those haven't been hacked yet, popular or not. And if their intention was to disrupt bittorrent, then why would they target Mac OS? Targeting Windows would be far more damaging (more users).

      So, tl;dr, i don't think there's any conspiracy going on. The developers of Transmission are just crap at security.

    2. Re:Gee.. I wonder why. by fish_in_the_c · · Score: 1

      ok, why was this modded as troll? Was it not obvious from the tinfoil hat comment that the first part was meant as humor? Although I was wondering how the target was picked and have heard from time to time of copyright holders interfering with or hacking networks they didn't like. The Madonna hack of Napster comes to mind off the top of my head.

      --
      “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    3. Re:Gee.. I wonder why. by NatasRevol · · Score: 1

      Ironically, Apple could buy just about any corporation that hates it.

      I guess that's one definition of success.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:Gee.. I wonder why. by Anonymous Coward · · Score: 0

      Ya because corporations are just in business hoping to get bought by apple.

    5. Re:Gee.. I wonder why. by poofmeisterp · · Score: 2

      Ya because corporations are just in business hoping to get bought by Microsoft.

      Made a little correction for ya.

    6. Re:Gee.. I wonder why. by Anonymous Coward · · Score: 0

      It's not OSX that's hated (well, more and more every day), It's APPLE. Oh, you mean torrenting apps? You meant to say, why would an application used by people to steal movies be a target for malware? Er.. DOH.. Um I don't know.. Are you ffing serious?

    7. Re:Gee.. I wonder why. by Anonymous Coward · · Score: 0

      Er, no, it was not obvious...

    8. Re:Gee.. I wonder why. by fish_in_the_c · · Score: 1

      No, wasn't serious, that was why I put the comment about the 'tinfoil hat' in there.

      --
      “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    9. Re:Gee.. I wonder why. by fish_in_the_c · · Score: 1

      oh sorry. Most of the people I run with assume if anyone says "let me put on my tinfoil hat" they are making a joke about something. Usually a conspiracy theory, because in the movies the stock 'wacko conspiracy theorist' often wears a tinfoil hat to protect his mind from being read by THEM.

      --
      “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
  2. Cert signed by central private authority = crock by Anonymous Coward · · Score: 0

    ...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.

  3. wait Gatekeeper ... by arbiter1 · · Score: 1

    Does it have a master backdoor login to give easy access to very unpleasant people? (movie reference for people that remember which one)

    1. Re:wait Gatekeeper ... by funky49 · · Score: 1

      Sneakers?

      --
      --- rapper/producer/bachelorette party stripper
    2. Re:wait Gatekeeper ... by Anonymous Coward · · Score: 0

      I'm thinking 'The Net' ...mmm... Sandra Bullock.....

    3. Re:wait Gatekeeper ... by ryanmc1 · · Score: 1

      Only if you click on the PI symbol in the bottom right corner of the screen.

    4. Re:wait Gatekeeper ... by Anonymous Coward · · Score: 0

      That girl's standing right over there and you're talking about our backdoors?!?!

  4. 'infected Transmission app was signed on..' by Anonymous Coward · · Score: 0

    if that was with the legit key, then it sounds like they got bigger issues than they realize.

    1. Re:'infected Transmission app was signed on..' by DougOtto · · Score: 1

      This.

      --
      Solving Unix problems since 1989...
    2. Re: 'infected Transmission app was signed on..' by Rosyna · · Score: 2

      The Dev ID used to sign it was not Transmission's Dev ID.

  5. Re:Cert signed by central private authority = croc by Anubis+IV · · Score: 3, Insightful

    ...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.

    Unlikely. A far more likely scenario is that the build machine itself was compromised.

    We first started hearing widespread reports of fake versions of Xcode making the rounds in China last year (apparently because download speeds in China from Apple's servers are atrocious, so people host local mirrors of Xcode to help each other out), which were configured to inject malware at compilation into any software being built. At that point, the developer would then sign their app like normal and distribute it through their official channels, which is exactly what we saw happen here.

    I mean, at the end of the day, do you really think it's more likely that someone managed to crack the entire signing mechanism and decided that their first target should be a relatively small-fry whose website they'd have to take the time to personally hack in order to distribute the software via official channels, or is it instead possibly just a bit more likely that a known vector that's been in the wild was used to compromise this particular dev's system somewhere upstream?

  6. More LUDDITE lies! by Anonymous Coward · · Score: 0

    The appy Transmission app was apped by Apple, which means it's super appy, NOT LUDDITE malware!

    Apps!

  7. Gatekeeper by Anonymous Coward · · Score: 0

    Gatekeeper does not keep undiscovered malware out; it keeps known malware out. Expect a certificate revocation momentarily (unless it's already happened).

    1. Re:Gatekeeper by Anonymous Coward · · Score: 0

      Expect the malware that infected the machines to disable certificate revocations already, leaving machines compromised for additional spreading purposes.

  8. headline... by e432776 · · Score: 1

    could be confusing. Transmission of some malware? two strikes? how many balls? Who's on first?

    1. Re:headline... by 93+Escort+Wagon · · Score: 1

      I don't know. - Third base!

      --
      #DeleteChrome
    2. Re:headline... by Anonymous Coward · · Score: 0

      two strikes? how many balls?

      None. All the balls were put into holes earlier.
      Hey, yeah, baby, I wanna Shoop!

  9. Re:Mac by Anonymous Coward · · Score: 0

    Oh, John Oliver, you are the funniest!

  10. Hi, I'm a Mac... And I'm a PC... by Anonymous Coward · · Score: 0

    The good old days, when Macs didn't get sick, and we had to walk uphills 25 miles to school. In a blizzard. Both ways!

    Now get off my lawn.

    --sf

    1. Re:Hi, I'm a Mac... And I'm a PC... by OrangeTide · · Score: 1

      Carrying a Mac 512K uphill sounds challenging. But not as challenging as swapping floppies all day long because you didn't have a hard drive.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Hi, I'm a Mac... And I'm a PC... by NatasRevol · · Score: 1

      My Mac SE was the most powerful computer on campus that the average student had access to.

      Only way I could do fusion modeling in advanced physics.

      This was in 1988.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:Hi, I'm a Mac... And I'm a PC... by OrangeTide · · Score: 1

      Mac SE is 3 or 4 models after the 512K/fatmac, so it's no surprise that it is more advanced. (SE/30 would be my favorite of that era)

      Most students couldn't justify the expense of a Mac SE. An Amiga 500 was around $1000, versus almost $4k for a Mac SE, and was similar in terms of raw performance. But most people got the Amiga over the Mac to play games, there wasn't as much academic software for the Amiga (that I recall).
      I was a PC guy, so for me a 386DX with FPU would have been preferable to a Mac SE. (but then we're talking like $8k-$10k. portable 386 was like $12k back then, significantly more than a new car)

      --
      “Common sense is not so common.” — Voltaire
    4. Re:Hi, I'm a Mac... And I'm a PC... by NatasRevol · · Score: 1

      Plus only the Mac (mine actually was an SE/30, I had forgotten!) ran Excel decently back then. Which is what I was doing my fusion modeling on.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Hi, I'm a Mac... And I'm a PC... by OrangeTide · · Score: 1

      I didn't need Excel/Multiplan, in the 80's there were a lot of alternatives: Lotus 1-2-3, Super Calc, pfs:First Choice, MaxiPlan and a bunch of others. Probably only a few would have been powerful enough for your needs, Lotus 1-2-3, Excel, Quattro Pro and maybe pfs:Professional Plan. (I'm not including that one for the Osborne that got sued into oblivion for looking too much like Lotus 1-2-3. Lotus was suing everyone back then).

      --
      “Common sense is not so common.” — Voltaire
    6. Re:Hi, I'm a Mac... And I'm a PC... by NatasRevol · · Score: 1

      To do multi thousand (calculated) point graphing?

      --
      There are two types of people in the world: Those who crave closure
    7. Re:Hi, I'm a Mac... And I'm a PC... by OrangeTide · · Score: 1

      Lotus 1-2-3 was pretty capable, even back then it could access 16MB on a 286 or 386, allowing for very large data sets to be worked on without thrashing to disk. I think around '86 or so it had enough features to be considered a pretty serious piece of software.

      --
      “Common sense is not so common.” — Voltaire
    8. Re:Hi, I'm a Mac... And I'm a PC... by Anonymous Coward · · Score: 0

      "My Mac SE was the most powerful computer on campus that the average student had access to.
      Only way I could do fusion modeling in advanced physics.
      This was in 1988."

      And then painlessly format the results, and print them out on a networked LaserWriter, which our Suns also talked to, in early 1989. The Plus was OK, but it was more a standalone machine, to be hooked up to a StyleWriter.
      Microsoft didn't _get_ networking for a few more years.

  11. Inside by Anonymous Coward · · Score: 0

    Man.

  12. Re:Transmission Problems by Shadow+IT+Ninja · · Score: 1

    I suppose the Apple car will be kind of like the original iPod - just a steering wheel with one button in the center and no other controls.

  13. Re:Transmission Problems by npslider · · Score: 0

    The transmission only goes in one direction... forward.

    Driving in reverse, similar to right clicking on a mouse is too difficult for new drivers to learn.

  14. Re: Cert signed by central private authority = cro by Rosyna · · Score: 3, Informative

    The build machine wasn't compromised. The Transmission web server was compromised and the Transmission binary was replaced on the server.

    This has absolutely nothing to do with Xcode.

  15. Re: Cert signed by central private authority = cro by Anubis+IV · · Score: 1

    I didn't read the article, so I don't know if it's mentioned there or not, but where did you get that info?

  16. Re: Cert signed by central private authority = cr by Rosyna · · Score: 4, Informative

    I read the article.

  17. Re: Cert signed by central private authority = cr by Anubis+IV · · Score: 1

    This is one of those moments where I wish I could post a retraction to my comment. It may provide some useful info regarding an actual issue that's been happening, but it's inapplicable in this particular situation, as you pointed out, so I certainly appreciate the correction.

    For anyone else reading this far, it's worth summarizing what the actual problem was. It was neither what the AC suggested nor what I suggested. Rather, what actually happened was that a different dev's certificate was used to sign the malicious app, which was then uploaded to the Transmission servers. Basically, the malware dev had their own valid certificate, signed their malicious binary with it, and then uploaded it to the Transmission dev's servers. At this point, the obvious next step would be for Apple to revoke the malware dev's certificate and add the binary's signature to their XProtect malware definitions list. Also, if it doesn't already do so, it would be beneficial for Transmission to disallow automatic updating from binaries that are signed by a certificate other than their own, but that's on them to do, not Apple, since they're distributing it outside of the Mac App Store.

    Anyway, thanks again, Rosyna, both for the correction and the response.

  18. Re: Cert signed by central private authority = cr by Rosyna · · Score: 5, Informative

    The Transmission app uses the Sparkle Software Update mechanism. Sparkle uses certificate pinning to prevent exactly this type of attack. The auto-updater will not permit an application to be updated if the update is signed by a different entity.

    So this malware only affected people that manually downloaded the app from the Transmission website.
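    The check the two comments above describe (refuse an update, or a download, that is validly signed but by a different Developer ID than the one the project owns) is easy to get wrong in the direction the summary shows: "signed and Apple-rooted" is not the same as "signed by us". The following is an added example, not Transmission's, Sparkle's or Apple's code. It pins a bundle identifier and Team ID, parses the report that `codesign -dv --verbose=4 <bundle>` prints on stderr, and rejects anything whose identity differs. The three sample reports, the identifier `org.example.client` and the Team IDs are constructed placeholders; the codesign field names (`Identifier=`, `Authority=`, `TeamIdentifier=`) are the real ones.

```python
"""Pin a macOS signing identity instead of trusting any valid Developer ID.

Added example (not Transmission's, Sparkle's or Apple's code). It parses the
report that `codesign -dv --verbose=4 <bundle>` writes and refuses a bundle
whose Team ID or bundle identifier differs from the pinned values, even when
the signature itself is valid and chains to Apple. All sample output below is
constructed; the identifier and Team IDs are placeholders.
"""
import re
import subprocess
import sys

# Values a distributor would bake into its updater (placeholders).
EXPECTED_IDENTIFIER = "org.example.client"
EXPECTED_TEAM_ID = "ABCDE12345"

# Constructed: report for a build signed with the pinned Developer ID.
LEGIT_OUTPUT = """\
Executable=/Applications/Client.app/Contents/MacOS/Client
Identifier=org.example.client
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=33+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Project (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed: same bundle identifier, re-signed with someone else's valid
# Developer ID. This is the Keydnap situation: Gatekeeper is satisfied.
RESIGNED_OUTPUT = LEGIT_OUTPUT.replace(
    "Example Project (ABCDE12345)", "Some Other Dev (ZYXWV98765)"
).replace("TeamIdentifier=ABCDE12345", "TeamIdentifier=ZYXWV98765")

# Constructed: what codesign says about an unsigned bundle.
UNSIGNED_OUTPUT = "Client.app: code object is not signed at all\n"


def parse_codesign(text):
    """Collect codesign's key=value lines; Authority= repeats, so it becomes a list.
    Lines whose key contains a space (e.g. 'CodeDirectory v=...') are skipped."""
    info = {"Authority": []}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def check_bundle(text, expected_identifier=EXPECTED_IDENTIFIER,
                 expected_team=EXPECTED_TEAM_ID):
    """Return (ok, reason); ok is True only for the pinned identity."""
    info = parse_codesign(text)
    if "TeamIdentifier" not in info:
        return False, "not signed, or no Team ID in the signature"
    if "Apple Root CA" not in info["Authority"]:
        return False, "chain does not end at Apple Root CA"
    if not any(a.startswith("Developer ID Application:") for a in info["Authority"]):
        return False, "leaf is not a Developer ID Application certificate"
    if info.get("Identifier") != expected_identifier:
        return False, f"bundle identifier {info.get('Identifier')!r} is not the pinned one"
    if info["TeamIdentifier"] != expected_team:
        # Valid Developer ID, wrong developer: the case Gatekeeper alone accepts.
        return False, f"Team ID {info['TeamIdentifier']} is not the pinned {expected_team}"
    return True, "signed by the pinned identity"


def designated_requirement(expected_identifier=EXPECTED_IDENTIFIER,
                           expected_team=EXPECTED_TEAM_ID):
    """The same policy in codesign's requirement language, for `codesign -v -R=...`.
    Simplified: Apple's full Developer ID requirement also pins certificate
    extension OIDs on the leaf and intermediate."""
    return (f'identifier "{expected_identifier}" and anchor apple generic and '
            f'certificate leaf[subject.OU] = "{expected_team}"')


def check_path(bundle_path):
    """Run the real tool (macOS only); codesign -dv writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                          capture_output=True, text=True)
    return check_bundle(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, out in [("legit", LEGIT_OUTPUT), ("re-signed", RESIGNED_OUTPUT),
                      ("unsigned", UNSIGNED_OUTPUT)]:
        print(name, check_bundle(out))
    if len(sys.argv) > 1 and sys.platform == "darwin":
        print(sys.argv[1], check_path(sys.argv[1]))
```

Run it with no arguments to see the three constructed cases; on a Mac, pass a bundle path to run `codesign` for real. The point of the ordering in `check_bundle` is that chain validity is checked first and identity last, so the reason string tells you whether you are looking at a broken signature or at a good signature from the wrong party, which is the distinction the thread is about. Apple revoking the malware author's certificate fixes the second case after the fact; pinning fixes it before.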

  19. Re: Cert signed by central private authority = cr by Anubis+IV · · Score: 1

    You're just going above and beyond at this point. People need to be modding you up.

  20. Re: Transmission Problems by Anonymous Coward · · Score: 0

    You realize back when Macs had no right click they had three different keyboard modifiers for shortcuts right? Right click was redundant.

    Windows UI was simpler, with a right click context menu and fewer keyboard shortcuts.

  21. Re:Transmission Problems by poofmeisterp · · Score: 0

    The transmission only goes in one direction... forward.

    Driving in reverse, similar to right clicking on a mouse is too difficult for new drivers to learn.

    Without Jobs, it'll never fly. No, literally, it flies, but only if you're hip'n'cool enough to know that.

    *ducks*

  22. Re: Cert signed by central private authority = cr by KozmoStevnNaut · · Score: 1

    It's really hard to pull people out of a good hate-circlejerk.

    --
    Eat the rich.
  23. Vuze is malware too by goombah99 · · Score: 1

    If you are looking for a new BitTorrent client, then avoid Vuze. It used to be a superb client but recently they switched to the malware model. Last update it infected all my browsers with redirecting ad ware. My search engines were all set to Yahoo and it installed multiple extensions. It was painful to remove it all.

    I'm not making this up since the company fully admits they do this on their own forum web pages. Well they don't use the word malware, but if it quacks like a duck.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Vuze is malware too by ruir · · Score: 1

      Is Vuze there yet? I thought it was years ago that it turned into a useless program...

    2. Re:Vuze is malware too by andymadigan · · Score: 1

      Vuze is terrible, and to be honest it was always kind of a pig.

      qBittorrent's been working great for me. The UI isn't pretty, but it's a lot like uTorrent back when it was good. Open source, runs on everything, no malware.

      --
      The right to protest the State is more sacred than the State.
    3. Re:Vuze is malware too by basecastula+ · · Score: 1

      qBittorrent...Can it run as a daemon, with a remote interface that allows scripts to be run? That is the reason I run transmission. Works on my NAS perfectly with my scripts for reseeding.

    4. Re: Vuze is malware too by andymadigan · · Score: 1

      Yes, in Ubuntu I'm using the qbittorrent-nox package and running it as a daemon with a web UI. It can also monitor folders for torrent files, move them when it loads them, and have default directories for in progress and completed downloads. Or you can load torrents via the Web UI, or from the command line.

      --
      The right to protest the State is more sacred than the State.
    5. Re: Vuze is malware too by basecastula+ · · Score: 1

      Thanks for the info. I will check it out and see if I can port my tool to it.

  24. Re: Transmission Problems by Anonymous Coward · · Score: 0

    "Back when" they didn't? I'm pretty sure they still don't. My Macbook's trackpad certainly only has (well, is) one button, and as far as I can tell the OS treats right clicking on any external mice as identical to ctrl+click.

  25. Re: Cert signed by central private authority = cr by Anonymous Coward · · Score: 0

    I didn't read the article either, but I did read the summary. It was entirely clear to me that the program was signed by a legitimate (to Apple) but "incorrect" key (as in, not the key issued to the Transmission people).

    Good thing you guys wasted a bunch of time debating it. You definitely made the comments relevant.

  26. Does not "bypass gatekeeper" by Anonymous Coward · · Score: 0

    This might be more correctly phrased as "satisfies gatekeeper."

    The summary's claim is like saying that because a TLS Certificate Authority was compromised and issued illegitimate certificates for e.g. google.com, X509 has been broken.