Mac OS X Ransomware Infects Transmission Bittorrent Client

By Lucian Armasu
published

Researchers from the Palo Alto Networks security company uncovered the "first fully functional” ransomware for Mac OS X within the popular open source Transmission Bittorrent client. The company named this ransomware “KeRanger.”

According to Palo Alto Networks, the attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. The company believes that it is likely that the project’s website was compromised, and then the clean versions of the software were replaced by infected ones.

The KeRanger application was signed with a valid Mac app development certificate so that it was able to bypass Apple’s Gatekeeper protection. Gatekeeper is supposed to restrict the sources from which software can be installed, to prevent users from downloading malware-infected applications. However, Gatekeeper allows apps to be installed if they are signed by a valid certificate.

After the users install the infected app, KeRanger waits for three days before contacting its command-and-control servers over Tor. After that, it begins encrypting files and documents on the users’ computers. The users are then asked to pay one Bitcoin (currently about $411 USD in value) to retrieve their files.

Palo Alto Networks said the malware developers appear to be working on an upgrade that would allow it to encrypt the Time Machine backup files, as well.

The company reported the malware to Apple on March 4, and since then, Apple has already revoked the certificate that was used to sign the infected Transmission installer. Apple also updated its XProtect antivirus to identify this malware’s signature. The Transmission project eliminated the infected files from its website, as well.

If you’ve downloaded the infected Transmission files, Apple will now warn you with these messages: “Transmission.app will damage your computer. You should move it to the Trash,” or “Transmission can’t be opened. You should eject the disk image.”

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Follow us on FacebookGoogle+, RSS, Twitter and YouTube.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
12 Comments Comment from the forums
  • jeremy2020
    Why would this article post an untruth. Everyone knows Mac is completely immune to any security threat. ;)
    Reply
  • Cousin IT
    Jeremy, you beat me too it. I clicked on this article only to post that exact comment :)
    Reply
  • beayn
    Why would this article post an untruth. Everyone knows Mac is completely immune to any security threat. ;)

    They also don't have any problems at all.... despite having a 15% market share and being 30% of my workshop repair jobs...
    Reply
  • alidan
    Why would this article post an untruth. Everyone knows Mac is completely immune to any security threat. ;)

    They also don't have any problems at all.... despite having a 15% market share and being 30% of my workshop repair jobs...

    im willing to bet money that's more on the people who buy macs over macs breaking more then pcs.
    Reply
  • Haravikk
    Jeremy, you beat me too it. I clicked on this article only to post that exact comment :)
    Then you're both idiots; Macs are no less susceptible to comprised software or websites or even viruses, except that it's usually very hard to do anything that requires root access (even harder under El Capitan). Anyone that repeats the notion that Macs are somehow invulnerable is also an idiot, but parroting the phrase every time a Mac related malware article comes up is just as idiotic.


    This ransomware can only encrypt the entire disk if the user enters an admin password (which Transmission doesn't need), so it's probably only encrypting files in their home folder, which can easily be recovered from a Time Machine backup.

    I'd be interested to find out how they intend to encrypt Time Machine backups as well, as tampering with those is hard to do even as root as you have to use a specific bypass tool to do anything to them, and even then 90% of what you do do will have unexpected (usually destructive) results, though I suppose for ransomware purposes that's enough. Point being though that this would also require an administrator password at the very least, which means that the OS X security model is working just fine.

    Gatekeeper is also not failing here; if you sign your software with a valid developer certificate then it'll let it pass, which is entirely by design so again, working correctly. However, Apple can revoke malicious certificates (and will presumably do-so in this case). You also have to pay for a developer license to get one, so unless they're using a stolen certificate Apple will also have details to track or send to law enforcement.

    There may be an argument here that OS X should track certificates used to sign apps and flag any that have changed to a different developer unexpectedly.
    Reply
  • Skunkwerx_6_Actual
    Mac OS X? Never heard of her.......
    Reply
  • apone
    @ Haravikk

    You do realize that Jeremy2020 and CousinIT were being sarcastic, right? They're basically pointing out the truth that countless idiots are clueless that the chance of infection ultimately comes down to the user's computing habits. But Mactards can't be bothered to understand that. According to them, infections happen because it's Windows but if it's OS X, then it's simply user error (ahem, "social engineering").

    Reply
  • ammaross
    Jeremy, you beat me too it. I clicked on this article only to post that exact comment :)
    Then you're both idiots; Macs are no less susceptible to comprised software or websites or even viruses, except that it's usually very hard to do anything that requires root access (even harder under El Capitan).
    Sarcasm. Heard of it?

    This ransomware can only encrypt the entire disk if the user enters an admin password (which Transmission doesn't need), so it's probably only encrypting files in their home folder, which can easily be recovered from a Time Machine backup.
    Privilege Escalation attacks. Heard of them? Thought not. Even easier to do from software already on the machine (as opposed to remote via open ports).

    I'd be interested to find out how they intend to encrypt Time Machine backups as well, as tampering with those is hard to do even as root as you have to use a specific bypass tool to do anything to them, and even then 90% of what you do do will have unexpected (usually destructive) results, though I suppose for ransomware purposes that's enough.
    I could dd to the sectors of the disk those time machine files are stored on and wipe them out quite easily....

    Point being though that this would also require an administrator password at the very least, which means that the OS X security model is working just fine.
    Until a rootkit or such nasty worms its way in via a privilege escalation vuln.

    Gatekeeper is also not failing here; if you sign your software with a valid developer certificate then it'll let it pass, which is entirely by design so again, working correctly. You also have to pay for a developer license to get one...
    So, a moderately useless security measure (no worse/better than Windows' code signing) and you have to buy a dev cert...

    ...so unless they're using a stolen certificate Apple will also have details to track or send to law enforcement.
    Of course they're using a stolen cert.

    There may be an argument here that OS X should track certificates used to sign apps and flag any that have changed to a different developer unexpectedly.
    Because the virus writers are going to sign it with a new company name perhaps? How's Apple going to know that a cert is signing code from a different project vs a new build of an existing one? Not much thought in your comment there.

    --- end retort --

    The biggest weakness is obviously the user. Even if there's no magic sauce and all it does is corrupt Time Machine and encrypt pictures and documents local to the user, it still does damage and is still malware. Remember Mac vs PC ads? Apple has had a history of indoctrinating its users that because you're using Mac and not Windows, you won't get malware or viruses. This is only the beginning.
    Reply
  • TEAMSWITCHER
    Before this article was even published Apple took action to protect users. This was a socially engineered Trojan Horse, the likes of which are a common everyday occurrence on Windows. Only a tiny few users were affected, and if they kept their data in iCloud drive ($1/month for 50 GB), they will be able to do a clean install over the web and be back up and running in less than one hour.

    I understand how much fun it is to poke Apple, but if you're using a Mac correctly...as most users are. Even when things go bad...it's not that bad. Can't say the same thing for Windows...just reinstalling Windows and applying updates could take hours....typing in long CD KEYS...reinstalling apps...Ugh.
    Reply
  • apone
    @ Teamswitcher

    Oh please, OS X has no shortage of critical security & bug fixes, OS updates, and it's funny how Apple is nonchalant about how indicating how critical it is to stay on top of installing them. At least Microsoft points out the urgency of getting it done.

    And the same thing can be said about Windows. If you use it correctly, then you shouldn't have any infection issues. You can also utilize a 3rd party back up software (e.g. EaseUS, Paragon) or a cloud-based solution (e.g. Microsoft One Drive) to take care backing up and restoring your computer. Funny how many of the same features Mac users praise end up being the same existing features Windows already has (or can be easily obtained).
    Reply