
Transmission BitTorrent app contained malware - mroling
https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834
======
pilif
The fact that the binary was infected, I can somewhat understand. However, the
way communication happened/is happening on this issue is very disconcerting
and basically makes it impossible to know whether it's safe to currently
download 2.92 from their site.

Questions like

\- how did the compromised binary get there? Was the source code hijacked or
was the binary altered after it had been built?

\- Were the SHA256 hashes on the site also compromised (btw: Having hashes on
the site is good enough for making sure you're not installing a corrupted
binary. It doesn't do anything against intentional alterations of the binary
though. These hashes need to be stored on an external site)?

\- How did the compromise happen?

\- what steps were taken to ensure that the same compromise doesn't happen to
new binaries posted?

\- Did the attacker leave any foothold on the compromised system(s)?

\- How were such footholds removed?

All questions that need to be answered before it's safe to upgrade
transmission either from the website or with the AutoUpdate feature. A red
warning telling me that one binary was infected and that I have to download
another binary isn't good enough.

I know the transmission people are volunteer developers and no PR people and I
can totally accept that, but there's some things that just need to be made
clear before we can safely update to later versions (and thankfully, 2.8 keeps
running just fine)

~~~
gwbas1c
It will probably take time to get all of the answers, but in this case,
automatic updates are safe.

Although I'm not a Transmission developer, I develop software that uses the
same automatic update mechanism. It appears that the hacker did not update the
MD5 present in the automatic update mechanism. (Sparkle) Thus, when the
automatic update mechanism downloaded the hacked version of Transmission, it
reported it as a corrupted download.

You can see the comment here:
[https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834#p...](https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834#p73036)

~~~
pilif
> It appears that the hacker did not update the MD5 present in the automatic
> update mechanism. (Sparkle) Thus, when the automatic update mechanism
> downloaded the hacked version of Transmission, it reported it as a corrupted
> download

yeah. But not knowing how the attacker got access, we have no idea whether
they have changed the current 2.92 binary again, this time remembering to
update the hash in the appcast or whether this time around the binary is
actually pristine.

The fact that the site was never down between this happening and the red
warning text appearing makes me suspect that only a hasty cleanup was
performed and that the actual security flaw might still exist.

~~~
zZorgz
An attacker would need the private key to update the signature in the app
cast. It's possible the devs store their private key on the server, although
that would be silly.

Although that doesn't discount the recent MITM vulnerability Sparkle had and
if transmission is still using an old version of the framework.

------
moyix
VirusTotal has some more info, including the files it writes:

[https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc...](https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1/analysis/)

(Look under the "Behavioural information" tab)

Written Files and Created Processes are interesting:

[Transmission] /Users/user1/Library/kernel_service (successful)

[unknown] /Users/user1/Library/.kernel_pid (successful)

[unknown] /Users/user1/Library/Saved Application
State/org.m0k.transmission.savedState/window_1.data (successful)

[Transmission] /Users/user1/Library/Saved Application
State/org.m0k.transmission.savedState/data.data (successful)

[Transmission] /Users/user1/Library/Saved Application
State/org.m0k.transmission.savedState/windows.plist (successful)

[kernel_service] /Users/user1/Library/.kernel_time (successful)

Created processes

/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
(successful)

/Users/user1/Library/kernel_service (successful)

kernel_service (successful)

_Edited to add:_ If anyone has a copy of the DMG, sha1
5f8ae46ae82e346000f366c3eabdafbec76e99e9, please link me a copy via email
(brendandg@nyu.edu) or twitter DM (@moyix).

~~~
noondip
Here's an analysis of the malware -
[http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-...](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)

~~~
Sammi
Copy/pasting the helpful parts of that article:

How to Protect Yourself

Users who have directly downloaded the Transmission installer from the official
website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016,
may have been infected by KeRanger. If the Transmission installer was downloaded
earlier or downloaded from any third party websites, we also suggest users
perform the following security checks. Users of older versions of Transmission
do not appear to be affected as of now.

We suggest users take the following steps to identify and remove KeRanger
before it holds their files for ransom:

1\. Using either Terminal or Finder, check whether
/Applications/Transmission.app/Contents/Resources/General.rtf or
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists.
If either of these exists, the Transmission application is infected and we
suggest deleting this version of Transmission.

2\. Using “Activity Monitor” preinstalled in OS X, check whether any process
named “kernel_service” is running. If so, double check the process, choose
“Open Files and Ports” and check whether there is a file name like
“/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is
KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

3\. After these steps, we also recommend users check whether the files
“.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist
in the ~/Library directory. If so, you should delete them.
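
The three checks above, written out as an added Python example that is not from the Palo Alto article or the Transmission project: it looks for the General.rtf marker in the app bundle, the dropped names in ~/Library, and a running kernel_service process. The process check assumes `ps -axo pid=,comm=` output; the listing used in the comments is constructed.

```python
#!/usr/bin/env python3
"""Check a Mac for the KeRanger indicators listed in the three steps above."""
import os
import subprocess
from pathlib import Path

# Indicators taken from the steps above (paths and names as given there).
APP_MARKERS = (
    "/Applications/Transmission.app/Contents/Resources/General.rtf",
    "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf",
)
LIBRARY_ARTIFACTS = (".kernel_pid", ".kernel_time", ".kernel_complete", "kernel_service")
PROCESS_NAME = "kernel_service"


def find_app_markers(exists=os.path.exists):
    """Step 1: General.rtf inside the app bundle marks the trojanised build.
    `exists` is injectable so the check can be exercised without a real bundle."""
    return [p for p in APP_MARKERS if exists(p)]


def find_library_artifacts(entries):
    """Step 3: names KeRanger drops into ~/Library; `entries` is a directory listing."""
    names = set(entries)
    return [n for n in LIBRARY_ARTIFACTS if n in names]


def find_kernel_service_processes(ps_output):
    """Step 2: parse `ps -axo pid=,comm=` output (e.g. a constructed line such as
    '  341 /Users/user1/Library/kernel_service') and return (pid, command) pairs
    whose executable name is kernel_service. basename() handles both the full
    path macOS prints and the bare name Linux procps prints."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        if os.path.basename(parts[1]) == PROCESS_NAME:
            hits.append((int(parts[0]), parts[1]))
    return hits


def list_library(home):
    lib = Path(home) / "Library"
    return os.listdir(lib) if lib.is_dir() else []


def current_ps_output():
    try:
        proc = subprocess.run(["ps", "-axo", "pid=,comm="],
                              capture_output=True, text=True, check=False)
        return proc.stdout
    except FileNotFoundError:      # no ps binary at all; treat as "nothing seen"
        return ""


def scan(home=None, ps_output=None, exists=os.path.exists):
    """Run all three checks and return a report dict; keyword arguments let a
    caller substitute a fake home directory or process listing."""
    home = Path(home) if home else Path.home()
    report = {
        "app_markers": find_app_markers(exists),
        "library_artifacts": find_library_artifacts(list_library(home)),
        "processes": find_kernel_service_processes(
            current_ps_output() if ps_output is None else ps_output),
    }
    report["infected"] = any(report[k] for k in
                             ("app_markers", "library_artifacts", "processes"))
    return report


if __name__ == "__main__":
    result = scan()
    for key in ("app_markers", "library_artifacts", "processes"):
        print(f"{key}: {result[key] or 'none'}")
    print("KeRanger indicators present" if result["infected"] else "no indicators found")
```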

~~~
why-el
You have a typo: "Applicaions". Usually not a problem but in this case it will
say "No file/folder found" when it's just a typo.

~~~
Sammi
Thanks. Fixed it. I only copy/pasted originally though :)

------
oxguy3
Do the developers have an explanation anywhere as to how this happened? The
homepage ( [https://transmissionbt.com/](https://transmissionbt.com/) ) has a
big red warning to upgrade to 2.91, but I can't find any info about how
someone went about putting malware in the download.

~~~
carlosrg
Yep, this deserves a more detailed explanation (or maybe they still don't know
what happened). I updated from the previous version to 2.90 through the app
built-in update, and I don't seem to have any "kernel_service" process
running. Can someone that has that process in their system tell us where they
downloaded the program?

~~~
s_kilk
> I updated from the previous version to 2.90 through the app built-in
> update...

Same, and I also don't see any `kernel_service` process running.

Fingers crossed for the in-app update not being affected by the hack.

~~~
DavideNL
I'd definitely run a virus scan to be sure... If you don't have one just
install a Trial version and remove it again after a week.

~~~
s_kilk
Noted: I've gone with BitDefender from the Mac App Store. Will report back
results.

EDIT: welp, BitDefender found nothing, all clear.

~~~
s_kilk
(reply to noondip): if anyone's got a better suggestion I'd love to hear it :)

~~~
arm
Back when Apple still made Mac OS X Server as a separate operating system,
they included ClamAV¹ to scan for malware in mail. They don’t include it
anymore, but ClamXav² (been around since 2004³) is a nice GUI for ClamAV that
I’ve been using for a while now.

――――――

¹ —
[https://en.wikipedia.org/wiki/Clam_AntiVirus#Mac_OS_X](https://en.wikipedia.org/wiki/Clam_AntiVirus#Mac_OS_X)

² — [http://clamxav.com/index.html](http://clamxav.com/index.html)

³ — [http://clamxav.com/birthday.html](http://clamxav.com/birthday.html)

~~~
uxp
I run a private mail server and swear by ClamAV to help reduce noise and
pollution that accumulates and spreads through my server, but I don't think
I've ever had any luck with it being a good front line defense against up-and-
coming malware, whether it targets Windows or Mac. I don't think I would
recommend it as a primary malware scanner for a Mac, or Windows.

------
dave2000
All that stuff - bittorrent, soulseek, calibre etc - lives in a vm, with
access to the host only via samba shares. I'll decide what you see and where
you can write. Yes, it's great you download stuff. No, you can't write to the
stuff I'm sharing. Yes, having a web-server serving up books to the outside
world is great. No, you can't serve up anything from my filesystem to anyone
who feels like it.

When you can't (be bothered to) vet the source code, stick it in a vm. On a
sensible machine with an ssd it's only 10 seconds away. Why risk it.
Especially if the software you want/need to run only works under windows.

~~~
TazeTSchnitzel
Beware that VMs are not necessarily secure. They can be escaped!

~~~
nikanj
This argument is similar to "a condom can always break". Technically you are
correct, but I'd still use one.

~~~
feld
This argument is only similar if the condom is known to have huge design flaws

VMs have tons of well documented issues. If you want a smaller attack surface,
try OS virtualization technologies (zones/jails)

~~~
lawnchair_larry
This makes no sense. VMs are by far the most secure form of isolation. No one
is going to get infected with malware that escapes VMs - it is far too
valuable.

~~~
feld
How can you honestly think VMs are the most secure form of isolation?

------
sandstrom
CNBC isn't a website I'd expect to read anything tech-related on, but there
are actually a few details in this article:

[http://www.cnbc.com/2016/03/06/reuters-america-apple-users-t...](http://www.cnbc.com/2016/03/06/reuters-america-apple-users-targeted-in-first-known-mac-ransomware-campaign.html)

\- It's Ransomware.

\- Seems to be a 3 day grace-period (chance to remove it, possibly).

\- The Transmission developer certificate [Gatekeeper] has been revoked.

------
zymhan
Along with the recent Linux Mint hijack, this really illustrates the need for
people to verify programs they download. Though I think most people can't be
bothered to verify the checksum on a file every time they download it.

On the other hand, the Windows and OS X App Stores are awful. Linux package
managers are looking like one of the only straightforward ways to distribute
applications securely.

~~~
resoluteteeth
> Along with the recent Linux Mint hijack, this really illustrates the need
> for people to verify programs they download. Though I think most people
> can't be bothered to verify the checksum on a file every time they download
> it.

Barring a situation where a CDN hosting the download is compromised but the
main site is not hosted on the CDN, it's extremely unlikely that someone would
have the ability to inject malware into the download and not have the ability
to make the checksum match. Posting checksums is actually pretty useless, and
was something that used to be used to deal with the possibility of malicious
_mirrors_, but doesn't provide any security against mitm attacks (unless the
main site is secure but the downloads aren't which is idiotic by 2016
standards anyway), the site getting hacked, etc.

Digital signatures are a little bit better if the key is kept safe, since
hacking the site and replacing the binary won't allow a random person to
produce a valid signature, although ability to modify the source code would
still allow someone to introduce backdoors into the next version, but there's
still a huge problem where you need some way to determine what key was
supposed to be used to sign the binary in the first place, so just posting a
signature on a website is also basically useless.

Digital signatures can work if there's some sort of centralized distribution
method, or for safely updating software that's already installed.

~~~
sd8f9iu
I thought only apps signed by "identified developers" are run by default on
Macs with Gatekeeper now. Shouldn't code-signing have prevented this? Unless
they inserted the malware before the signing process.

~~~
zyxley
The malware version was signed with the Transmission developer key.

~~~
arm
No, it wasn’t:

“_The two KeRanger infected Transmission installers were signed with a
legitimate certificate issued by Apple. The developer ID in this certificate
is “POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)”, which was
different from the developer ID used to sign previous versions of the
Transmission installer. In the code signing information, we found that these
installers were generated and signed on the morning of March 4._”

From: [http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-...](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)

~~~
lottin
> which was different from the developer ID used to sign previous versions of
> the Transmission installer

and that didn't ring any alarm bells?

~~~
arm
For the end user? No, it wouldn’t. As _thesimon_ and _jakobegger_,
respectively, said:

“_And according to the analysis, this is exactly what they did. They used a
different cert to sign their malware. I have to admit that Windows' UAC is
better in that regard, as it shows the signee's name. But of course this is
only useful if you know the "right" name._”

“_Yeah, I think this is a major issue on OS X. For the average user it is
impossible to tell who signed an app, if it is sandboxed, and what permissions
it has. Hell, using the codesign command to extract entitlements from all
binaries in a package is hard even for advanced users... (There is a third
party tool named RB App Checker which does make these tasks a bit easier,
though)_”

…in this comment thread:
[https://news.ycombinator.com/item?id=11234966](https://news.ycombinator.com/item?id=11234966)

------
justsaysmthng
I've become increasingly paranoid lately, given that things like these happen
and major bugs are uncovered in software that I use almost every day.

It's good that the Transmission developer reacted quickly and made waves so
that people can at least be aware that they might have been exposed..

But I wonder how many more applications from the hundreds that I have
installed on my machines contain weird stuff - either intentional (for money)
or unintentionally (result of a hack).

Open source software is especially vulnerable to this kind of stuff.

If a hacker gets access to a server holding the binaries for an open source
app (which most people download), the hacker can just compile the program from
sources and add his own code in there and place the installer online.

Given that many big governments are now involved in the information wars, this
scenario is quite likely.

~~~
SwellJoe
_"Open source software is especially vulnerable to this kind of stuff."_

I'm not sure I follow on this front. Proprietary software could be compromised
(whether intentionally by the vendor or unintentionally by some outsider
working on the software) effectively forever with no one noticing. At least
with OSS, the number of eyes on the source makes it less likely that an
exploit will exist for long (though the definition of "long" could vary wildly
dependent on popularity and the skill level of the software's normal users).

_"Given that many big governments are now involved in the information wars,
this scenario is quite likely."_

Again, this one seems to point more to proprietary software than OSS. A
government only needs to compromise a single company to make an exploit happen
in commercial software. OSS exploits can be caught by the Linux distribution
vendors that package the software, the users, the developers themselves (who
are often working at different companies and in different nations), etc.

So, it may seem easier to compromise an OSS project, by attacking the
distribution server and uploading a compromised binary built from source with
patches...but, there are many good ways to guard against that (though any
single mitigation, like signing with developer keys, can be compromised, the
more eyes the less likely it is to succeed for long). But, if a government
compromises a company, or someone within that company, all bets are off, and
the problem literally may never be found.

~~~
justsaysmthng
I was thinking more about the users on Macs and Windows who use open source
software..

The risk is not in the sources, but in the server which hosts the installers.
A hacker could just build the software from sources (adding his backdoor) and
replace the original installers with his own.

~~~
snom380
..and the same is true for closed source software. Replacing installers and
patching binaries isn't difficult.

------
ikeboy
Hm.
[https://trac.transmissionbt.com/wiki/Changes#version-2.91](https://trac.transmissionbt.com/wiki/Changes#version-2.91)
lists the following under Mac changes for 2.90

> Allow downloading files from http servers (not https) on OS X 10.11+

Mac version affected in OP was 10.10, though.

Maybe it had something to do with

> Change Sparkle Update URL to use HTTPS instead of HTTP (addresses Sparkle
> vulnerability)?

Edit: it appears the infection was downloaded from a website, in which case
this doesn't help. But one did say the in-app update failed on incorrect
signature first.

~~~
wlesieutre
> Allow downloading files from http servers (not https) on OS X 10.11+

This reads like they disabled Apple's "App Transport Security", which only
allows HTTPS connections unless a program explicitly makes an exception.
Introduced in iOS 9 and OS 10.11 (El Capitan). I bet the failing HTTP
connections caused a bug in Transmission, and it was an easier fix to disable
ATS than to transition whatever connection to HTTPS.

[https://developer.apple.com/library/prerelease/ios/documenta...](https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33)

~~~
the_mitsuhiko
> and it was an easier fix to disable ATS than to transition whatever
> connection to HTTPS.

Pretty sure this is for arbitrary downloads. Unless you want to prevent
transmission to download from http based sources out of principle it makes no
sense to do anything other than opting out of this behavior.

~~~
wlesieutre
Right, being a web connected app based on a distributed community of other
clients, it's very possible that the encryption isn't possible to implement on
their end. IIRC it's only blocking HTTP connections, so the torrent transfers
themselves aren't affected (unless it's masking that as HTTP traffic to avoid
easy inspection?), but there may be other things that require HTTP.
Connections to trackers maybe?

On the other hand, El Capitan came out last September. If this just changed in
2.9.0, the restricted HTTP connections can't have been _that_ big of a
problem.

------
nodesocket
If the file
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist
contains:

    <dict>
        <key>Description</key>
        <string>OSX.KeRanger.A</string>
        <key>LaunchServices</key>
        <dict>
            <key>LSItemContentType</key>
            <string>com.apple.application-bundle</string>
        </dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>MatchFile</key>
                <dict>
                    <key>NSURLTypeIdentifierKey</key>
                    <string>public.unix-executable</string>
                </dict>
                <key>MatchType</key>
                <string>Match</string>
                <key>Pattern</key>
                <string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
            </dict>
        </array>
    </dict>

Does that mean I am infected?

~~~
unfamiliar
What does the <string> match pattern mean exactly, how is it used to identify
the executable?

~~~
tomschlick
The match type is saying that to match a file it must be a fingerprint (hash)
match using the Key provided below it.
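
To make the Pattern string concrete, here is an added Python example (not Apple's XProtect code) that treats each pair of hex digits as one literal byte and `*` as a wildcard for any run of bytes; those matching rules are an assumption about XProtect, and the sample inputs below are constructed. It also shows that two inputs with different bytes in the wildcard positions both hit the signature while their SHA-256 digests differ.

```python
import hashlib
import re

# The Pattern string from the XProtect.plist entry quoted above (copied from the page).
KERANGER_PATTERN = (
    "488DBDD0EFFFFFBE00000000BA0004000031C04989D8"
    "*31F64C89E7"
    "*83F8FF7457C785C4EBFFFF00000000"
)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an XProtect-style hex pattern into a compiled bytes regex.

    Assumed semantics (not confirmed by the page): each pair of hex digits is
    one literal byte and '*' stands for any run of bytes, including none.
    """
    literal_runs = []
    for chunk in pattern.split("*"):
        if not chunk:                      # leading, trailing or doubled '*'
            continue
        if len(chunk) % 2:
            raise ValueError(f"odd-length hex run in pattern: {chunk!r}")
        literal_runs.append(re.escape(bytes.fromhex(chunk)))
    if not literal_runs:
        raise ValueError("pattern contains no literal bytes")
    # DOTALL so the wildcard also spans 0x0a bytes inside a binary.
    return re.compile(b".*?".join(literal_runs), re.DOTALL)


def matches(data: bytes, pattern: str = KERANGER_PATTERN) -> bool:
    """True if the byte sequence described by `pattern` occurs anywhere in data."""
    return pattern_to_regex(pattern).search(data) is not None


def scan_file(path: str, pattern: str = KERANGER_PATTERN) -> bool:
    """Apply the pattern to a file on disk (e.g. a Mach-O executable)."""
    with open(path, "rb") as fh:
        return matches(fh.read(), pattern)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample(gap1: bytes, gap2: bytes) -> bytes:
    """Constructed test input: the three literal runs of KERANGER_PATTERN with
    caller-chosen bytes in the two wildcard positions, wrapped in NOP filler."""
    runs = [bytes.fromhex(c) for c in KERANGER_PATTERN.split("*")]
    return b"\x90" * 16 + runs[0] + gap1 + runs[1] + gap2 + runs[2] + b"\xc3"


if __name__ == "__main__":
    a = build_sample(b"\x48\x89\xc7", b"\xe8\x00\x00\x00\x00")
    b = build_sample(b"", b"\x90\x90")
    print("a matches:", matches(a), "b matches:", matches(b))
    # Same signature hit, different digests: the pattern is structural, not a hash.
    print("digests differ:", sha256_hex(a) != sha256_hex(b))
```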

------
azernik
Looking more at this issue, it seems like the problem _may_ have been (hard to
tell, not a lot of information) a compromise of a third-party mirror to which
[https://www.transmissionbt.com/](https://www.transmissionbt.com/) redirected
users; the checksum on the HTTPS site was unaltered, and was used to identify
the altered download.

Perhaps a defense against this kind of attack would be an altered version of
HSTS - one that protected the content of download links, and not just of sub-
resources included on the page.

------
teamhappy
2.90 was released a couple of days ago[1], so if you haven't used Transmission
in a couple of weeks this doesn't affect you.

[1]:
[https://en.wikipedia.org/wiki/Transmission_%28BitTorrent_cli...](https://en.wikipedia.org/wiki/Transmission_%28BitTorrent_client%29)

------
marvel_boy
It seems that it is a ransomware campaign: [http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W...](http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX)
Next Monday, tomorrow, could pave terror on the office.

------
chimeracoder
It might be worth updating the title to specify the vulnerable version (2.90)
and the platform (OS X - from what I can tell, this is not a vulnerability on
Linux or Windows).

------
darfs
Isn't it quite popular on Debian and derivatives too? It's pre-installed with
GNOME there as far as I know. Fair enough, it's extremely interesting. Never
saw such an infection in the "free World", outside the laboratory. I hope they
can find the source.

~~~
mhurron
It's quite popular everywhere. Interesting that 2.90 just showed up in Fedora
updates.

~~~
cesarb
At least Linux distributions usually compile from source. I wonder if the
source was also modified, or only the binaries.

EDIT: I downloaded the Transmission 0.90 and 0.91 source code and took a look.
The diff between them is quite small, with nothing suspicious being removed,
and the 0.90 .tar.xz MD5 matches what Fedora used (according to
[http://pkgs.fedoraproject.org/cgit/rpms/transmission.git/com...](http://pkgs.fedoraproject.org/cgit/rpms/transmission.git/commit/?h=f23&id=640c669434ea7f7b92449a50aba118f4b7335354)).
So, unless there was also a malicious source code change the developer didn't
catch, Fedora's package should be clean.

~~~
mhurron
> I wonder if the source was also modified, or only the binaries.

Personally, pending further information, I've removed Transmission from my
machine.

------
svetly0
Transmission put up a new version - 2.92 that supposedly checks for and
removes the malware.

~~~
jariz
Threw away Transmission as soon as I read this (even though I was running a
old version), my trust is pretty much gone now, never installing it again.
Shame because it really was a nice app.

~~~
jsn117
flying the day after 9/11 was the safest time, I really doubt this sort of
thing will happen again to the same software

~~~
theinternetman
This would be true if they knew how it was compromised, they've been silent on
that issue so far.

The current version could be being compromised this minute for all we know.

~~~
mordocai
Not an official comment, but from other parts of the hacker news thread it
sounds like one of the mirrors the main site redirects to was hacked, not the
main site itself. The SHA sums on the main site were apparently unaltered. So
it sounds like the only fault on the developers is trusting that mirror.

------
diebir
This is a good illustration of why you should not install apps as
administrator. Specifically, you should not install Mac OS packages, which
allow for arbitrary pre- and post- install scripts to be executed as root.

Same is true for Windows and Linux.

There are privilege escalation bugs in any OS, but it is usually not a given.
Throw the application into ~/Applications as a Mac bundle, worst that will
happen is your account will be compromised. Much easier to detect and clean.
Most trojans won't even succeed.

We are going to have these problems until the developer community realizes
that executing a randomly downloaded package installer as a privileged user is
giving away the keys to the kingdom.

Application stores are one solution, but really not an open one. I'd rather
see the apps distributed in a form similar to Apple app bundles, where a non-
privileged user can just install the app into their home.

~~~
0x0
I think it's a poor illustration. You could install and run this app as a
regular user (and never escalate to administrator) and the app's bundled
malware would still absolutely destroy anything of value on your computer.

It's the stuff inside $HOME (and $HOME/Documents) that's valuable. Not system
binaries in {/bin,/sbin,/Applications} that can be re-downloaded in a second.

The problem is that any non-sandboxed app runs with the same uid and full
read/write permissions to all of $HOME as well as all the other running
processes, even if it only needs read/write access to $HOME/Documents/Appname/
and none of the other pids.

~~~
diebir
First, obviously you can make an account for running the untrusted software,
like Bittorrent clients (which are known to carry malware frequently).

Second, most malware requires and counts on having admin privileges on target
machine. The task of auditing, cleaning and finding out that malware is
present is significantly easier if malware is limited to a non-privileged
account. With malware running as a non-privileged user you still have to clean
up and recover, but you can easily switch an account, compare, audit and
trace. The anti-malware tools also still have a chance when OS is not
compromised, otherwise it's all lost the moment you ran a malicious post-
install script.

The more common problem, however, is a regular app install. The goal of the
application packager is to make their application work first, and preserve
your environment second. So, in many cases even non-malware does bad things to
your OS. The scripts are usually written by devs that are fairly clueless,
which leads to some pretty awful stuff in them. Almost 100% of the time the
install/uninstall action is not idempotent, although it should be.

What really needs to happen is a shift in a mentality that accepts the idea
that apps need to be installed as an administrator (unless the apps are a part
of the main OS distro).

~~~
ricardobeat
His comment went right past you. What you care about the most on your computer
is your personal data, and all of it sits under $HOME. Any script running as
$USER can steal sensitive data, wipe out personal and work files, maybe even
cloud storage services. None of that requires admin rights.

The only solution is sandboxing everything.

~~~
diebir
For things that are likely to carry malware, use a separate account. Probably
a good idea for a BitTorrent client in any case.

In practice, however, it is much easier to deal with malware if there are no
admin rights. It matters even for a clueless user, since the OS mechanisms of
detection can't be altered, and much more so for a power user.

This specific malware installs a kernel module, as far as I can tell. I am
guessing it would be harder to encrypt data and not be noticed and removed
quickly.

Of course, there are even more obvious reasons, like sharing a computer
with... kids that tend to bring malware at every turn.

We really need to educate the devs and change the culture. There's no reason
for something like a word processor and file sharing app to require full
access to the system. That's why we have access controls in the first place.

------
s_kilk
While we're here, can anyone recommend a good antivirus for OSX?

I've just been looking at BitDefender, which looks promising, but would rather
get this right than faff around with potentially crappy AV tools.

~~~
noondip
> can anyone recommend a good antivirus for OSX?

Common Sense 2016, see [https://github.com/drduh/OS-X-Security-and-Privacy-Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)

~~~
x0
Common Sense 2016 would not have prevented a malicious Transmission update
though

~~~
noondip
Agreed - it would not defend against this presumed watering-hole attack.
However, neither would have AV:
[https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc...](https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1/analysis/)

Nevertheless, I still believe Common Sense to be a better alternative to
bloated, vulnerable anti-virus programs.

------
julie1
The strength of a chain is the strength of its weakest link, and the more
"apps" are provided as _the system_ the longer and more vulnerable is the
chain.

When it comes to checksums we have the chicken-and-egg problem plus the
collision attack on MD5.

MD5 has been the standard for too long (and has been deprecated for 10 years
as a crypto checksum). And for the next generation of software to install that
doesn't do a modern checksum, how can they trust the download of the package
required to check whatever the new format is? Plus the new format is less
likely to be checked without errors. An off-by-one character could easily be
discarded in checking given the number of packages that are now required to be
installed and the human limitation in focus.

Humans are the limiting factor, and security models the user as a kind of
grotesque caricature of a robot that can check thousands of pieces of
information perfectly and remember 20-character passwords for tens of
appliances.

There is a tyranny of computer engineers regarding what is safe for people
having a life not concerned about geeky technology that is a tad annoying.

People have the right to be human, and to fail is human. The burden put on
humans to make the system safe, in order to avoid human interactions that are
costly for the bosses, is way too high.

And since computer security always blames failure on human behaviour, I am
beginning to positively dislike it.

~~~
Razengan
> There is a tyranny of computer engineers regarding what is safe for people
> having a life not concerned about geeky technology that is a tad annoying.

You know you can make that complaint about _any_ tool or technology, right?

"Gosh why do I have to follow all these rules and observe traffic lights to
drive a car?" (something that actually intimidates me, in fact, because I've
never driven a car.)

"Why do I have to worry about cutting or burning myself or someone else while
trying to cook a meal?"

"Why are all these procedures and protocols, like schools and banks and taxes,
required to function at all in contemporary society?"

Until computers advance to the point of being artificially intelligent
familiars that can figure out exactly what we want from a simple vocal command
and do something even better, we're gonna have to put in a little effort from
our end to make them work the way we want them to.

~~~
julie1
You know all engineers do not always blame users?

There are fields of engineering where an accident even due to human causes is
systematically seen as an engineering problem.

And that may be the reason why traveling by plane and train are safer than by
car.

But US engineers did a great job at convincing legal departments that poorly
engineered goods were not the causes of accidents.

~~~
Razengan
> You know all engineers do not always blame users?

> There are fields of engineering where an accident even due to human causes is
> systematically seen as an engineering problem.

In those other fields, such as automobiles, an accident by a person may cause
death of another.

On a computer your carelessness may not cause someone else to outright die
(which tends to cause a lax attitude on the part of users), but it can still
cause someone else harm, like inadvertently leaking someone's financial
information or causing malware on your device to participate in a DDOS attack
on someone. Time and again it's been proven that users are often the weakest
link in this field no matter how tight the security is. It's only
understandable for the engineers to be annoyed.

------
mmgutz
Does installing 2.9.1 remove it completely or just from the Transmission app?
I'm concerned the malware is still there.

~~~
wlesieutre
Additionally, what does the malware do? "OSX.KeRanger.A" appears to be a name
that Apple assigned it in their malware definitions, but Google doesn't know
anything except the pages about Transmission.

I'm curious what sort of malware we're looking at. Botnet? General remote
access/control? Harvesting keychains?

~~~
sandstrom
According to this article it's ransomware.

[http://www.cnbc.com/2016/03/06/reuters-america-apple-users-t...](http://www.cnbc.com/2016/03/06/reuters-america-apple-users-targeted-in-first-known-mac-ransomware-campaign.html)

~~~
wlesieutre
Thanks! Guess my search was too specific. The important bit:

> The malware is programmed to encrypt files on an infected personal computer
> three days after the original infection, according to Olson.

Anyone who may have been hit, update your backups _NOW_ so you can restore the
files.

~~~
joosters
Careful not to backup the malware infection though...

~~~
wlesieutre
Of course, and if you only have the one backup drive, be wary of connecting it
to an infected computer with read/write access. Link posted in another comment
suggests that this malware has encryption of Time Machine backups in
development (should be safe this time around?).

Safer option would be to create a write-only network share on another computer
and copy files to that.

------
rMBP
I'm on 2.90 and can't find any weird processes running. I'll hold off on 2.91
until they've explained what happened.

~~~
make3
That feels like a pretty weak standard for knowing if your machine is
infected. I will look for a virus scanner myself, and seriously think about
reinstalling if it finds anything.

~~~
rMBP
Yeah I know, it is the lowest effort. But I'm not running it on my main
system. Worst case I'll have to reinstall (unless it messes with the hardware,
firmware changes for example).

------
adidalal
If you installed/updated via Homebrew-Cask [1], you should not be affected.
2.90 was not always compromised, and looking at Caskroom history, the checksum
was only updated for the 2.84 -> 2.90 bump once [2].

It is updated and at 2.92 now, also [3].

(I'm one of the maintainers of Homebrew Cask)

[1] [https://github.com/caskroom/homebrew-cask](https://github.com/caskroom/homebrew-cask)

[2] [https://github.com/caskroom/homebrew-cask/issues/19504#issue...](https://github.com/caskroom/homebrew-cask/issues/19504#issuecomment-192992223)

[3] [https://github.com/caskroom/homebrew-cask/pull/19508](https://github.com/caskroom/homebrew-cask/pull/19508)

~~~
soraminazuki
Homebrew Cask is awesome, but I still think security is an issue here, because
you still have to trust that the upstream binaries are safe, each built and
hosted by totally different people. Verifying checksums is certainly better
than not checking them, but you still haven't escaped from the
trust-whatever-binary-you-downloaded-from-the-internet style of doing things.
I really wish package managers like Homebrew Cask offered some level of trust
by building applications from source and signing them, like Debian.

~~~
adidalal
You are absolutely correct. Homebrew-Cask favors convenience and availability
of as many applications as possible, though we make reasonable efforts to
avoid malicious actors by verifying checksums, download links, and (soon) GPG
verification where possible.

You may be interested in [https://www.macports.org](https://www.macports.org)
for a build-from-source solution for OSS projects.

------
Philipp__
Can someone explain to me what XProtect.plist contains? Are those malware that
are recognized by Apple and are blocked and dealt with?

I saw some post on a forum where a dude said that his XProtect now contains an
OSX.KeRanger.A entry at the top, and said that it means he got infected. It
didn't make much sense to me, but I checked mine this morning and found the
same entry. Does it mean I am infected too?

But I didn't download anything from their website, like 3 months back; I just
did the update to 2.90 on Thursday or Friday, can't remember, and yesterday, as
soon as I saw the news, I updated everything and checked for malicious files
and processes, which weren't present on my machine.

~~~
russjr08
If I recall correctly, they are file signatures that OS X uses to identify and
remove malware. Not sure when and how the files on your drive are checked
(potentially right before they are opened?), but the XProtect.plist file is
automatically updated by Apple, and that's what you're seeing.

The entry doesn't exactly mean you're infected, but just that your copy of the
file was updated.

I have the entry for instance, but I was never infected. You can check your
copy of XProtect with this command (I have 2076):

    defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

Edit: Looks like you do get a message before launching an app, if it's
identified by XProtect/File Quarantine.

~~~
Philipp__
Yeah, I have 2076 too. Now, after the update of XProtect, you get the message,
but what if you ran the app, for example on Friday (4th), and got infected
then?

Checked on IRC; it seems that Sparkle prevented infection for those who
updated their app, like I did. Screw all this; as I read in one of the
comments here, I will run Transmission through a Docker container on an RPi
running FreeBSD.

~~~
russjr08
If you ran the app before the XProtect definitions were updated, then it
would've run with no problem and you would've been infected.

~~~
Philipp__
Now it bugs me because I can't find info on when the file was edited... Stats
and defaults read display 20th January. The weird thing is that I ran the app
during the problematic time interval but haven't found any single process or
file that was mentioned in the Palo Alto Security page, no kernel_service
process or any other misbehaving. Anyway, I did a Time Capsule backup 10 days
ago, and haven't plugged the drive into my computer since, so if anything
happens I will roll it back. We shall see, but it is kinda uncomfortable to
keep using a "maybe infected" machine. Who knows what else may be left,
supposedly nothing... Thanks anyway for the help! Cheers

------
codezero
It looks like they've since changed the upgrade to 2.92 (it was previously
2.91 this morning), wonder why that happened?

~~~
switch007
The update dialog says:

"Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as
they may have downloaded a malware-infected file. This new version will make
sure that the “OSX.KeRanger.A” ransomware (more information available here) is
correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though
2.91 was never infected, it did not automatically remove the malware-infected
file."

~~~
codezero
Thanks, I dug out the diff and found that too :)

[https://trac.transmissionbt.com/changeset?old_path=%2F&old=1...](https://trac.transmissionbt.com/changeset?old_path=%2F&old=14711&new_path=%2F&new=14713&sfp_email=&sfph_mail=)

------
Matt3o12_
Can anyone tell me if this also applies to brew cask's builds? I needed to
download CentOS the other day and wanted to go with a torrent. I got pretty
pissed after I realized that BitTorrent installed some adware called Spigot. I
tried to remove it as well as possible (I mainly killed the process, removed
`Library/Application Support/Spigot` and ran a `sudo find / | grep -i
Spigot`).

Ironically I decided to use the good, ol', trusted open source alternative
transmission because I just read on HN that Transmission gets updated again...

~~~
orik
My build from cask didn't start the process but force removed it anyways and
am waiting for cask room to point towards 2.91.

~~~
Amorymeltzer
homebrew-cask updated with version 2.92 and https

------
jws
Just an anecdatum: I got infected by this yesterday when I installed
Transmission to download a Debian install CD. When I read about this at
MacRumors I checked and had the kernel_service process running and the two
hidden files hiding in Library.

I've unplugged and archived the TimeMachine backup disk and done the
prescribed cleanup actions to remove the malware. I guess time will tell if it
had any other tricks up its sleeve.

~~~
leonroy
Do a search for any files in /Users and connected volumes which are suffixed
with _.encrypted_. Apparently that's the interim filename suffix used by the
malware.

~~~
jws
Thanks, I appear to be clear of _.encrypted_ files.

The good of this mess is that I realized I only had one Time Machine backup
going on that machine. I had turned off the remote backup a month ago while
shoving backups around on the remote server to make more room and hadn't
restored it. One backup is too few.

The weakness exposed is that if the remote were mounted, this malware would
have nailed it too. I'll have to look at having the remote make filesystem
snapshots on its end so malware can't corrupt my older backups.

------
zZorgz
This is really bad but there are two good security defenses that came out of
that forum thread (which is better than not having them at all).

1. Apple revoked the certificate already. Thus people that have Gatekeeper on
are safer.

2. Sparkle (for the auto updater) denied the malware-infected update. Thus
downloading from the main website is not necessarily safer, even with the
recent MITM Sparkle vulnerability.

------
orionblastar
I used to use Transmission on Linux but switched to qBitTorrent instead when I
switched to Windows 10. It has an OS X version if you don't trust Transmission
anymore.

[http://www.qbittorrent.org/](http://www.qbittorrent.org/)

[http://www.qbittorrent.org/download.php](http://www.qbittorrent.org/download.php)

------
dzhiurgis
Popular Mac rumour/news site 9to5mac (that is rapidly decreasing in quality)
actually posted about this malicious update few days ago.

Somehow I found it out of place, especially as they have never posted about
TransmissionBT before. They sure did get lots of people to update after
putting it on the front page.

~~~
lukasb
Good for them.

------
nitrogen
The headline should probably say "at least Mac". I hope we soon learn the
source of the compromise, but nothing so far indicates that Linux
distributions' packages would be affected by a Mac malware.

~~~
logicrook
The headline should definitely say "at least Mac". It's so annoying to hear
about "computer viruses"... (protip: it's a Windows, OS X, well, maybe even
Linux virus).

------
Heis
Can someone please confirm that the in-app update is not affected by the hack?

~~~
Orizimal
I performed the in-app update to 2.90 last night. Just found out about this.
Doesn't appear that I am infected, amazingly enough.

------
thrillgore
I checked my version of Transmission and I'm still on 2.84. I guess I dodged a
big bullet, but tonight I'll go through the diagnostics to see if any versions
prior to 2.90 were infected. I may do it sooner if I get a quiet moment at
work.

I'm also running the usual litany of tools to check for activity (Wireshark on
my WAN Tap, Anti-virus, etc)

My Synology NAS uses transmissiond for its BT Client, so I will be contacting
them to see if they are affected by this issue.

------
nodesocket
Something that is not entirely clear. Does updating to 2.9.2 attempt to clean
KeRanger up automatically? Or is some manual cleanup still needed after
updating?

~~~
russjr08
The newest update removes it automatically.

------
tomlong
Posted by one of the researchers that discovered the malware...

"#Transmission just pushed 2.92 update that includes code to detect and to
remove the #KeRanger ransomware. Update it before Monday 11:00am."

[https://twitter.com/claud_xiao/status/706579264036950016](https://twitter.com/claud_xiao/status/706579264036950016)

~~~
voltagex_
I'm not sure how I feel about that. How long will that code live in
Transmission? It's not really Transmission's job to remove malware.

------
maknz
Checked my install of 2.9.0 from auto-update, it's clean (none of the suspect
files are in Contents/Resources). According to a post on the Transmission
forums, when a person was (probably) delivered an infected binary, there was a
checksum failure as you'd expect. So it seems as though you won't be infected
if you used the auto-updater.

------
flerchin
On a related note, Windows Defender detects malware when downloading the
windows putty installer. Trojan: Win32/Varpes.J!plock
[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
Not sure how to report.

~~~
conceit
Try uploading the file to VirusTotal, Avira etc. Windows Defender should have
a button in the alert to report to Microsoft.

~~~
Intermernet
Looks clean. Maybe false positive from Windows Defender...

[https://www.virustotal.com/en/url/73d82ff580cd445b907c6334c7...](https://www.virustotal.com/en/url/73d82ff580cd445b907c6334c7d7bd0b14107a6fc2a821cada334944edc7e25f/analysis/)

------
Philipp__
Oh dear god. Used 2.90 this past week; when I saw the news I updated
immediately, checked for all the files, found nothing. I hope my MacBook will
stay fine tomorrow. I got it backed up on Time Machine anyway. Where do we go
from here, since I lost the trust; what are the alternatives? And from now on,
I'll go with Brew Cask for everything possible.

F __* GUI /s

~~~
kazazes
Would brew cask have helped you here? It doesn't build from source, it just
downloads a precompiled binary.

~~~
adidalal
In this case, yes, as it verifies the download against a (best-effort) known-
good checksum. It's not a perfect system, but did work out in this case.

GPG verification where available and refusing to install Casks without a
checksum is also in the pipeline.

(I'm one of the maintainers of Homebrew Cask)
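The pinned-checksum check described above, as an added example in Python (not Homebrew Cask's own code): the hash recorded in the package definition at bump time is compared against every later download, and, for contrast, a hash published next to the binary on the same site, which a compromised site can simply republish. The DMG contents are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins for the 2.84 -> 2.90 bump: the artifact the maintainers
# hashed when recording the checksum, and a later download that was swapped.
KNOWN_GOOD_DMG = b"Transmission-2.90.dmg: clean build (constructed sample)\n"
TAMPERED_DMG = KNOWN_GOOD_DMG + b"<additional payload - constructed sample>\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


# Recorded in the package definition (e.g. in version control) when the
# version was bumped, independently of the download site. This is the value
# the installer compares against on every subsequent install.
PINNED_SHA256 = sha256_hex(KNOWN_GOOD_DMG)


def verify_download(data: bytes, pinned_sha256: str) -> bool:
    """Accept the download only if its SHA-256 equals the pinned value.
    compare_digest avoids timing differences between near-matching hashes."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256)


def install(data: bytes, pinned_sha256: str) -> str:
    """Refuse to install anything whose hash does not match the pinned one."""
    if not verify_download(data, pinned_sha256):
        raise ValueError("checksum mismatch: refusing to install download")
    return "installed"


def hash_published_next_to_download(data: bytes) -> str:
    """Model a SHA-256 hosted beside the binary on the same site. If the site
    is compromised, the published hash is simply recomputed over the swapped
    file, so a check against it only catches corruption, never tampering."""
    return sha256_hex(data)


if __name__ == "__main__":
    print(install(KNOWN_GOOD_DMG, PINNED_SHA256))          # installed
    try:
        install(TAMPERED_DMG, PINNED_SHA256)
    except ValueError as exc:
        print(exc)                                           # refused
    # Same-site hash matches the tampered file, so this check passes.
    print(verify_download(TAMPERED_DMG,
                          hash_published_next_to_download(TAMPERED_DMG)))
```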

------
jasonjei
If they indeed used a legit code signing certificate, what is the fix? It
seems very difficult to just blindly trust signed binaries anymore. Short of
setting up a registry of vetted code signing certificates, it seems that
signed code is just as easily manipulated as unsigned code. And even then, the
keys to the certificate could be mishandled.

------
finchisko
Wondering if brew cask can be solution for this.

~~~
Amorymeltzer
Indeed, see my comment here: [https://github.com/caskroom/homebrew-cask/pull/19508](https://github.com/caskroom/homebrew-cask/pull/19508)
Installation via brew cask was never at risk thanks to checksum verification,
and at any rate is now updated.

~~~
finchisko
That's really nice. I was in doubt, because it downloads Transmission DMG from
their site, but checksums solves it. We should use it more. :-)

------
cabbeer
I uninstalled the app, but is there a way I can check if i've been affected?

~~~
joeblau
This article[1] says Transmission is going to offer a way to check, but I'm
not sure it's on the site yet. Apparently tomorrow is the ransomware
activation date for people who installed the infected version on Friday.

[1] - [http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W...](http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX)

------
ywecur
Sorry, but how did this happen? Was the website breached?

------
z3t4
Yet another reason why you should have a (offline) backup of all your
important files.

------
pjf
Any reason why it's correlated with dht.transmissionbt.com losing its AAAA
record? It's the only IPv6 DHT bootstrap node on the Internet.

------
MichaelGG
It's not. Condoms aren't used against a hostile opponent. If your partner is
intent on exposing you, a condom won't provide any protection.

~~~
nikanj
I can't think of a more hostile opponent than an HIV virus. And we're still
not sure if Transmission was spreading the virii intentionally, making the
condom analogy even more fitting.

~~~
TazeTSchnitzel
HIV is not a threat crafted by an active adversary, it's a product of
evolution.

~~~
jdc
I think the point is that viruses can exploit properties of their hosts
regardless of how they came to do so.

~~~
tedks
But humans and viruses aren't competing in the same game. A better metaphor
for the adversary in that situation is the person you're having sex with
poking a hole in your condom.

~~~
uxp
These metaphors are hard to follow. Does anyone have a car analogy to phrase
this better? Seems like that's all we're missing in this thread.

~~~
mort96
It's like not putting a condom on your car. Sure, HIV might stick a hole in
it, but I'd still use one.

------
Dorian-Gray
Am I the only one who saw the app and thought "Why the heck is TPB releasing
an app?" Makes them more of a target, a less stable platform, more easily
interfered with, etc.

