Slashdot Mirror


Transmission Malware On Mac, Strike 2 (macrumors.com)

New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner to the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.

3 of 61 comments

  1. Re: Cert signed by central private authority = cro by Rosyna · Score: 3, Informative

    The build machine wasn't compromised. The Transmission web server was compromised and the Transmission binary was replaced on the server.

    This has absolutely nothing to do with Xcode.

  2. Re: Cert signed by central private authority = cr by Rosyna · Score: 4, Informative

    I read the article.

  3. Re: Cert signed by central private authority = cr by Rosyna · Score: 5, Informative

    The Transmission app uses the Sparkle Software Update mechanism. Sparkle uses certificate pinning to prevent exactly this type of attack. The auto-updater will not permit an application to be updated if the update is signed by a different entity.

    So this malware only affected people that manually downloaded the app from the Transmission website.
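The following is an added example (it is not from the article, from the commenter above, or from the Transmission or Sparkle projects) that models the distinction the summary and comment 3 turn on: Gatekeeper's default policy accepts any app whose signature chains from a Developer ID leaf to Apple Root CA, regardless of which developer signed it, while an updater that pins the signer also requires the Team ID to match the one the installed app was built with. The inputs are constructed strings in the shape of `codesign -dvvv` output (real `codesign` prints these details to stderr); the publisher names and Team IDs are made up, and the two check functions approximate the policies described on the page rather than reproducing Apple's or Sparkle's actual code.

```python
"""Added example: a valid-but-different Developer ID signature passes a
Gatekeeper-style check yet fails a signer-pinning check.

All three inputs are CONSTRUCTED text mimicking `codesign -dvvv` output;
the developer names and Team IDs are invented for illustration.
"""
import re

# Constructed sample: the bundle as the app's real publisher would sign it.
LEGIT_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Publisher LLC (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed sample: same bundle identifier and a chain Apple really issued,
# but a different (also legitimately issued) Developer ID.
OTHER_SIGNER_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Unrelated Company Inc (ZYXWV98765)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZYXWV98765
"""

# Constructed sample: an ad-hoc signature, so no Authority chain at all.
UNSIGNED_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
"""

# codesign emits "Key=Value" lines; "Authority" repeats once per cert,
# leaf first, root last.
_KV = re.compile(r"^([A-Za-z. ]+?)=(.*)$")


def parse_codesign(text):
    """Return (authority list, leaf-to-root) and a dict of the other fields."""
    authorities = []
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Authority":
            authorities.append(value)
        else:
            fields[key] = value
    return authorities, fields


def gatekeeper_style_check(text):
    """Approximates the default 'Mac App Store and identified developers'
    policy: a Developer ID leaf chaining through Apple's Developer ID CA to
    Apple Root CA is accepted. It deliberately does not care WHICH developer."""
    authorities, _ = parse_codesign(text)
    if not authorities:
        return False
    leaf, root = authorities[0], authorities[-1]
    return (leaf.startswith("Developer ID Application:")
            and "Developer ID Certification Authority" in authorities
            and root == "Apple Root CA")


def pinned_signer_check(text, expected_team_id):
    """Approximates a signer-pinning updater: the chain must be valid AND the
    Team ID must equal the one the installed app shipped with, so an equally
    valid certificate belonging to someone else is rejected."""
    if not gatekeeper_style_check(text):
        return False
    _, fields = parse_codesign(text)
    return fields.get("TeamIdentifier") == expected_team_id


def evaluate(text, expected_team_id):
    """Run both policies over one codesign dump and report the verdicts."""
    return {
        "gatekeeper": gatekeeper_style_check(text),
        "pinned_update": pinned_signer_check(text, expected_team_id),
    }


if __name__ == "__main__":
    for name, sample in [("legit signer", LEGIT_CODESIGN_OUTPUT),
                         ("other signer", OTHER_SIGNER_CODESIGN_OUTPUT),
                         ("ad-hoc", UNSIGNED_CODESIGN_OUTPUT)]:
        print(f"{name:13s} {evaluate(sample, 'ABCDE12345')}")
```

The middle case is the one the page is about: a recompiled bundle signed with someone else's Apple-issued certificate is accepted by the Gatekeeper-style check (`True`) and rejected by the pinned check (`False`), which is why a manual download from the website could run while a pinning updater would refuse the same bundle. On a real system the text to feed `parse_codesign` comes from `codesign -dvvv /Applications/Transmission.app 2>&1`, and the pinned Team ID should be recorded from a copy you trust, not read from the bundle under test.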