Transmission Malware On Mac, Strike 2 (macrumors.com) 61
New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.
Gee.. I wonder why. (Score:3)
Why would a platform which is hated by many multibillion dollar corporations for being used to violates their legal rights be a target for malware. :) but then again it does make you kind of wonder. Does anyone else know who or why people target this kind of system with malware. I suppose it is also a good target because the machines may already be using large amounts of bandwidth so there is less chance of detection. Seriously though, anybody out there know why malware makers pick specific targets, what makes some easier ect.
( ok.... I think I will go put on my tinfoil hat now
Re: (Score:3, Interesting)
I think it's more of a case of a "hacker" going down through the list of "Most popular Mac OS applications", and finding that number X (in this case, Transmission) had a good popularity to ease of hacking ratio. That is, it was easy to hack and popular enough to be a good infection vector.
If number X-1 was easier to hack, it would've been that one instead.
I don't believe that anyone would target transmission specifically because it is a bittorrent client, since there are a whole bunch of other clients (I us
Re: (Score:2)
ok, why was this moded as troll? Was it not obvious from the tinfoil hat comment that the first part was meant as humor? Although I was wondering how the target was picked and have heard from time to time of copywriter holders interfering with or hacking networks they didn't like. The Madonna hack of Napster comes to mind off the top of my head.
Re: (Score:2)
oh sorry. Most of the people I run with assume if anyone says "let me put on my tinfoil hat" they are making a joke about something. Usually a conspiracy theory because in the movies the stock 'wacko conspiracy theorist often wears a tinfoil hat to protect his mind from being read by THEM'
Re: (Score:2)
Ironically, Apple could buy just about any corporation that hates it.
I guess that's one definition of success.
Re: (Score:3)
Ya because corporations are just in business hoping to get bought by Microsoft.
Made a little correction for ya.
Vuze is malware too (Score:2)
If you are looking for a new BitTorrent client, then avoid Vuze. It used to be a superb client but recently they switched to the malware model. Last update it infected all my broswers with redirecting ad ware. My search engines were all set to Yahoo and it installed multiple extensions. It was painful to remove it all.
I'm not making this up since the company fully admits they do this on their own forum web pages. Well they don't use the word malware, but if it quacks like a duck.
Re: (Score:2)
Re: (Score:2)
qBittorrent's been working great for me. The UI isn't pretty, but it's a lot like uTorrent back when it was good. Open source, runs on everything, no malware.
Re: (Score:2)
Re: Vuze is malware too (Score:2)
Re: (Score:2)
Re: (Score:2)
No, wasn't serious, that was why I put the comment about the 'tinfoil hat' in there.
Re:Cert signed by central private authority = croc (Score:4, Insightful)
...since all it confirms is that the malicious author has managed to bypass the extremely primitive identity verification methods.
Unlikely. A far more likely scenario is that the build machine itself was compromised.
We first started hearing widespread reports of fake versions of XCode making the rounds in China last year (apparently because download speeds in China from Apple's servers are atrocious, so people host local mirrors of XCode to help each other out), which were configured to inject malware at compilation into any software being built. At that point, the developer would then sign their app like normal and distribute it through their official channels, which is exactly what we saw happen here.
I mean, at the end of the day, do you really think it's more likely that someone managed to crack the entire signing mechanism and decided that their first target should be a relative small-fry whose website they'd have to take the time to personally hack in order to distribute the software via official channels, or is it instead possibly just a bit more likely that a known vector that's been in the wild was used to compromise this particular dev's system somewhere upstream?
Re: Cert signed by central private authority = cro (Score:4, Informative)
The build machine wasn't compromised. The Transmission web server was compromised and the Transmission binary was replaced on the server.
This has absolutely nothing to do with Xcode.
Re: (Score:2)
I didn't read the article, so I don't know if it's mentioned there or not, but where did you get that info?
Re: Cert signed by central private authority = cr (Score:5, Informative)
I read the article.
Re: (Score:2)
This is one of those moments where I wish I could post a retraction to my comment. It may provide some useful info regarding an actual issue that's been happening, but it's inapplicable in this particular situation, as you pointed out, so I certainly appreciate the correction.
For anyone else reading this far, it's worth summarizing what the actual problem was. It was neither what the AC suggested nor what I suggested. Rather, what actually happened was that a different dev's certificate was used to sign the
Re: Cert signed by central private authority = cr (Score:5, Informative)
The Transmission app uses the Sparkle Software Update mechanism. Sparkle uses certificate pinning to prevent exactly this type of attack. The auto-updater will not permit an application to be updated if the update is signed by a different entity.
So this malware only affected people that manually downloaded the app from the Transmission website.
Re: (Score:2)
You're just going above and beyond at this point. People need to be modding you up.
Re: (Score:2)
It's really hard to pull people out of a good hate-circlejerk.
wait Gatekeeper ... (Score:2)
Re: (Score:2)
Sneakers?
Re: (Score:1)
Re: (Score:2)
Re: 'infected Transmission app was signed on..' (Score:3)
The Dev ID used to sign it was not Transmission's Dev ID.
headline... (Score:1)
Re: (Score:2)
I don't know. - Third base!
Re: (Score:2)
Carrying a Mac 512K uphill sounds challenging. But not as challenging as swapping floppies all day long because you didn't have a harddrive.
Re: (Score:2)
My Mac SE was the most powerful computer on campus that the average student had access to.
Only way I could do fusion modeling in advanced physics.
This was in 1988.
Re: (Score:2)
Mac SE is 3 or 4 models after the 512K/fatmac, so it's no surprise that it is more advance. (SE/30 would be my favorite of that era)
Most students couldn't justify the expense of a Mac SE. An Amiga 500 was around $1000, versus almost $4k for a Mac SE, and was similar in terms of raw performance. But most people got the Amiga over the Mac to play games, there wasn't as much academic software for the Amiga (that I recall).
I was a PC guy, so for me a 386DX with FPU would have been preferable to a Mac SE. (but t
Re: (Score:2)
Plus only the Mac (mine actually was an SE/30, I had forgotten!) ran Excel decently back then. Which is what I was doing my fusion modeling on.
Re: (Score:2)
I didn't need Excel/Multiplan, in the 80's there were a lot of alternatives: Lotus 1-2-3, Super Calc, pfs:First Choice, MaxiPlan and a bunch of others. Probably only a few would have been powerful enough for your needs, Lotus 1-2-3, Excel, Quattro Pro and maybe pfs:Professional Plan. (I'm not including that one for the Osborne that got sued into oblivion for looking too much like Lotus 1-2-3. Lotus was suing everyone back then).
Re: (Score:2)
To do multi thousand (calculated) point graphing?
Re: (Score:2)
Lotus 1-2-3 was pretty capable, even back then it could access 16MB on an 286 or 386, allowing for very large data sets to be worked on without thrashing to disk. I think around '86 or so it has enough features to be considered a pretty serious piece of software.
Re: (Score:2)
Re: (Score:1)
The transmission only goes in one direction... forward.
Driving in reverse, similar to right clicking on a mouse is too difficult for new drivers to learn.
Re: (Score:1)
The transmission only goes in one direction... forward.
Driving in reverse, similar to right clicking on a mouse is too difficult for new drivers to learn.
Without Jobs, it'll never fly. No, literally, it flies, but only if you're hip'n'cool enough to know that.
*ducks*