Slashdot Mirror


Transmission Malware On Mac, Strike 2 (macrumors.com)

New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.

8 of 61 comments

  1. Gee.. I wonder why. by fish_in_the_c · · Score: 3

    Why would a platform which is hated by many multibillion dollar corporations for being used to violate their legal rights be a target for malware.
    ( ok.... I think I will go put on my tinfoil hat now :) but then again it does make you kind of wonder. Does anyone else know who or why people target this kind of system with malware. I suppose it is also a good target because the machines may already be using large amounts of bandwidth so there is less chance of detection. Seriously though, anybody out there know why malware makers pick specific targets, what makes some easier etc.

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    1. Re:Gee.. I wonder why. by Anonymous Coward · · Score: 3, Interesting

      I think it's more of a case of a "hacker" going down through the list of "Most popular Mac OS applications", and finding that number X (in this case, Transmission) had a good popularity to ease of hacking ratio. That is, it was easy to hack and popular enough to be a good infection vector.

      If number X-1 was easier to hack, it would've been that one instead.

      I don't believe that anyone would target transmission specifically because it is a bittorrent client, since there are a whole bunch of other clients (I use Deluge on Linux) and those haven't been hacked yet, popular or not. And if their intention was to disrupt bittorrent, then why would they target Mac OS? Targeting Windows would be far more damaging (more users).

      So, tl;dr, I don't think there's any conspiracy going on. The developers of Transmission are just crap at security.

    2. Re:Gee.. I wonder why. by poofmeisterp · · Score: 2

      Ya because corporations are just in business hoping to get bought by Microsoft.

      Made a little correction for ya.

  2. Re:Cert signed by central private authority = croc by Anubis+IV · · Score: 3, Insightful

    ...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.

    Unlikely. A far more likely scenario is that the build machine itself was compromised.

    We first started hearing widespread reports of fake versions of Xcode making the rounds in China last year (apparently because download speeds in China from Apple's servers are atrocious, so people host local mirrors of Xcode to help each other out), which were configured to inject malware at compilation into any software being built. At that point, the developer would then sign their app like normal and distribute it through their official channels, which is exactly what we saw happen here.

    I mean, at the end of the day, do you really think it's more likely that someone managed to crack the entire signing mechanism and decided that their first target should be a relatively small-fry whose website they'd have to take the time to personally hack in order to distribute the software via official channels, or is it instead possibly just a bit more likely that a known vector that's been in the wild was used to compromise this particular dev's system somewhere upstream?

  3. Re: Cert signed by central private authority = cro by Rosyna · · Score: 3, Informative

    The build machine wasn't compromised. The Transmission web server was compromised and the Transmission binary was replaced on the server.

    This has absolutely nothing to do with Xcode.

  4. Re: 'infected Transmission app was signed on..' by Rosyna · · Score: 2

    The Dev ID used to sign it was not Transmission's Dev ID.

  5. Re: Cert signed by central private authority = cr by Rosyna · · Score: 4, Informative

    I read the article.

  6. Re: Cert signed by central private authority = cr by Rosyna · · Score: 5, Informative

    The Transmission app uses the Sparkle Software Update mechanism. Sparkle uses certificate pinning to prevent exactly this type of attack. The auto-updater will not permit an application to be updated if the update is signed by a different entity.

    So this malware only affected people that manually downloaded the app from the Transmission website.
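The summary and Rosyna's comments 4 and 6 make the same point from two sides: Gatekeeper only checks that some Apple-issued Developer ID signed the app, while Sparkle pins the signing identity, so a manual download is the gap. This added example (not from the Slashdot thread or the Transmission project) shows the equivalent manual check: pin the Team Identifier that `codesign -dv --verbose=4` reports against a known-good value. `EXPECTED_TEAM`, the `org.example.app` identifier and the sample codesign output are constructed placeholders, and `check_app` only works on macOS where `codesign` exists.

```shell
#!/bin/sh
# Added example: pin a macOS app's signing Team Identifier instead of
# trusting any Developer ID that Gatekeeper accepts.

# Placeholder; record the real value from a known-good copy of the app.
EXPECTED_TEAM="TEAMID0000"

# Extract the TeamIdentifier field from `codesign -dv --verbose=4` output.
# $1: the codesign output text (codesign prints it on stderr).
team_id_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Returns 0 when the signing team matches $2, 1 when it differs or is absent.
# $1: codesign output text, $2: expected Team Identifier.
verify_team() {
    actual=$(team_id_from_codesign "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Live check of an app bundle (macOS only). Returns 2 if codesign itself
# fails (unsigned or tampered bundle), 1 on a team mismatch, 0 on success.
check_app() {
    app="$1"
    out=$(codesign -dv --verbose=4 "$app" 2>&1) || return 2
    if verify_team "$out" "$EXPECTED_TEAM"; then
        echo "OK: $app is signed by team $EXPECTED_TEAM"
    else
        echo "ALERT: $app is signed by team '$(team_id_from_codesign "$out")', expected $EXPECTED_TEAM"
        return 1
    fi
}

# Constructed sample of codesign output for an app signed by a different
# Developer ID than the one we pinned, the situation described in the thread.
SAMPLE_OUTPUT="Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
TeamIdentifier=OTHER12345
Sealed Resources version=2 rules=13 files=52"

if verify_team "$SAMPLE_OUTPUT" "$EXPECTED_TEAM"; then
    echo "sample: team matches"
else
    echo "sample: ALERT, signed by $(team_id_from_codesign "$SAMPLE_OUTPUT"), expected $EXPECTED_TEAM"
fi
```

On a real machine the Team Identifier to pin comes from a copy obtained through a trusted path, such as the app's own Sparkle update, not from the download being checked.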