Slashdot Mirror
Transmission Malware On Mac, Strike 2 (macrumors.com)
New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.
Why would a platform which is hated by many multibillion dollar corporations for being used to violates their legal rights be a target for malware. :) but then again it does make you kind of wonder. Does anyone else know who or why people target this kind of system with malware. I suppose it is also a good target because the machines may already be using large amounts of bandwidth so there is less chance of detection. Seriously though, anybody out there know why malware makers pick specific targets, what makes some easier ect.
( ok.... I think I will go put on my tinfoil hat now
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Does it have a master backdoor login to give easy access to very unpleasant people? (movie reference for people that remember which one)
...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.
Unlikely. A far more likely scenario is that the build machine itself was compromised.
We first started hearing widespread reports of fake versions of XCode making the rounds in China last year (apparently because download speeds in China from Apple's servers are atrocious, so people host local mirrors of XCode to help each other out), which were configured to inject malware at compilation into any software being built. At that point, the developer would then sign their app like normal and distribute it through their official channels, which is exactly what we saw happen here.
I mean, at the end of the day, do you really think it's more likely that someone managed to crack the entire signing mechanism and decided that their first target should be a relative small-fry whose website they'd have to take the time to personally hack in order to distribute the software via official channels, or is it instead possibly just a bit more likely that a known vector that's been in the wild was used to compromise this particular dev's system somewhere upstream?
This.
Solving Unix problems since 1989...
could be confusing. Transmission of some malware? two strikes? how many balls? Whose on first?
I suppose the Apple car will be kind of like the original iPod - just a steering wheel with one button in the center and no other controls.
Carrying a Mac 512K uphill sounds challenging. But not as challenging as swapping floppies all day long because you didn't have a harddrive.
“Common sense is not so common.” — Voltaire
The build machine wasn't compromised. The Transmission web server was compromised and the Transmission binary was replaced on the server.
This has absolutely nothing to do with Xcode.
The Dev ID used to sign it was not Transmission's Dev ID.
I didn't read the article, so I don't know if it's mentioned there or not, but where did you get that info?
I read the article.
My Mac SE was the most powerful computer on campus that the average student had access to.
Only way I could do fusion modeling in advanced physics.
This was in 1988.
There are two types of people in the world: Those who crave closure
This is one of those moments where I wish I could post a retraction to my comment. It may provide some useful info regarding an actual issue that's been happening, but it's inapplicable in this particular situation, as you pointed out, so I certainly appreciate the correction.
For anyone else reading this far, it's worth summarizing what the actual problem was. It was neither what the AC suggested nor what I suggested. Rather, what actually happened was that a different dev's certificate was used to sign the malicious app, which was then uploaded to the Transmission servers. Basically, the malware dev had their own valid certificate, signed their malicious binary with it, and then uploaded it to the Transmission dev's servers. At this point, the obvious next step would be for Apple to revoke the malware dev's certificate and add the binary's signature to their XProtect malware definitions list. Also, if it doesn't already do so, it would be beneficial for Transmission to disallow automatic updating from binaries that are signed by a certificate other than their own, but that's on them to do, not Apple, since they're distributing it outside of the Mac App Store.
Anyway, thanks again, Rosyna, both for the correction and the response.
Mac SE is 3 or 4 models after the 512K/fatmac, so it's no surprise that it is more advance. (SE/30 would be my favorite of that era)
Most students couldn't justify the expense of a Mac SE. An Amiga 500 was around $1000, versus almost $4k for a Mac SE, and was similar in terms of raw performance. But most people got the Amiga over the Mac to play games, there wasn't as much academic software for the Amiga (that I recall).
I was a PC guy, so for me a 386DX with FPU would have been preferable to a Mac SE. (but then we're talking like $8k-$10k. portable 386 was like $12k back then, significantly more than a new car)
“Common sense is not so common.” — Voltaire
The Transmission app uses the Sparkle Software Update mechanism. Sparkle uses certificate pinning to prevent exactly this type of attack. The auto-updater will not permit an application to be updated if the update is signed by a different entity.
So this malware only affected people that manually downloaded the app from the Transmission website.
You're just going above and beyond at this point. People need to be modding you up.
It's really hard to pull people out of a good hate-circlejerk.
Eat the rich.
Plus only the Mac (mine actually was an SE/30, I had forgotten!) ran Excel decently back then. Which is what I was doing my fusion modeling on.
There are two types of people in the world: Those who crave closure
I didn't need Excel/Multiplan, in the 80's there were a lot of alternatives: Lotus 1-2-3, Super Calc, pfs:First Choice, MaxiPlan and a bunch of others. Probably only a few would have been powerful enough for your needs, Lotus 1-2-3, Excel, Quattro Pro and maybe pfs:Professional Plan. (I'm not including that one for the Osborne that got sued into oblivion for looking too much like Lotus 1-2-3. Lotus was suing everyone back then).
“Common sense is not so common.” — Voltaire
If you are looking for a new BitTorrent client, then avoid Vuze. It used to be a superb client but recently they switched to the malware model. Last update it infected all my broswers with redirecting ad ware. My search engines were all set to Yahoo and it installed multiple extensions. It was painful to remove it all.
I'm not making this up since the company fully admits they do this on their own forum web pages. Well they don't use the word malware, but if it quacks like a duck.
Some drink at the fountain of knowledge. Others just gargle.
To do multi thousand (calculated) point graphing?
There are two types of people in the world: Those who crave closure
Lotus 1-2-3 was pretty capable, even back then it could access 16MB on an 286 or 386, allowing for very large data sets to be worked on without thrashing to disk. I think around '86 or so it has enough features to be considered a pretty serious piece of software.
“Common sense is not so common.” — Voltaire