Slashdot Mirror

← Back to Stories (view on slashdot.org)

Transmission Malware On Mac, Strike 2 (macrumors.com)

Posted by msmash on from the security-woes dept.

New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.

1 of 61 comments (clear)

  1. Re:Cert signed by central private authority = croc by Anubis+IV · · Score: 3, Insightful

    ...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.

    Unlikely. A far more likely scenario is that the build machine itself was compromised.

    We first started hearing widespread reports of fake versions of XCode making the rounds in China last year (apparently because download speeds in China from Apple's servers are atrocious, so people host local mirrors of XCode to help each other out), which were configured to inject malware at compilation into any software being built. At that point, the developer would then sign their app like normal and distribute it through their official channels, which is exactly what we saw happen here.

    I mean, at the end of the day, do you really think it's more likely that someone managed to crack the entire signing mechanism and decided that their first target should be a relative small-fry whose website they'd have to take the time to personally hack in order to distribute the software via official channels, or is it instead possibly just a bit more likely that a known vector that's been in the wild was used to compromise this particular dev's system somewhere upstream?