Transmission 2.90 may be infected.

falcon413 · 19時間前

Just got the message right now too. There was no strange process running in my computer. I'm wondering whether the infected version was distributed via update or direct download.

edit So I was looking through the Transmission forums and there is one post related to the malware with only four replies. However, those reporting strange behavior had downloaded 2.90 directly from the site and not updated through the app.

squeezycheeseypeas · 19時間前

Thanks for the heads up, much appreciated

maniacdepressive · 19時間前

I updated through the app directly and have no kernel_service process. I'm guessing their website was hacked and the direct download link was compromised.

savoytruffle · 14時間前

Claud Xiao at Palo Alto Networks, which discovered the malware, just tweeted there's an automatic 2.92 update now that tries to help remove KeRanger.

https://twitter.com/claud_xiao/status/706579264036950016

i_spot_ads · 18時間前

For those of you who are infected, please, isolate the executable and send it me for inspection, (can't promise anything but I want to look into it)

upload it here: http://cloud.vatsaev.com/data/public/kernel_service

antoniocesarm · 19時間前

J-Christ, I got the popup to update to 2.90 yesterday I think, and I am quite lazy so I chose not to update then. Luckily I'm still on 2.84.

If you guys want to check whether you're on 2.90 or not without opening the app, just go to the Applications folder, select Transmission and press the space bar. Opening an infected app may not be a very smart idea.

MORE INFO REGARDING BACKUPS, FROM /u/wosmo! Click to read.

^sorry ^for ^hijacking ^my ^own ^comment

Please read this for your own safety.

According to this user (thank you /u/wosmo!) the malware embedded in Transmission 2.90, OSX.KeRanger.A, is ransomware - one of the first ramsomwares, if not the first, to affect a Mac!

More specifically, it will encrypt ALL of your data and "kidnap" it 3 days after infection (Monday to most users), demanding that you pay a ransom to have it back - potentially/certainly bitcoin, which is quite hard to track. Backup everything you have ASAP, run MBAM on your Mac and get rid of that ASAP or you'll either lose everything on your computer or suffer financial damage.

To be honest, that makes me believe the Transmission team may have received compensation and/or some kind of incentive to do that. They inject it there, some people don't see it coming, are successfully targeted and a part of the profits goes to the team. AFAIK as I know that piece of malware shows no worm behavior, which makes me think someone injected it there on purpose. I'm deleting Transmission from my MacBook, even tho I am on 2.84, and I recommend you do the same. That software is simply not trustable anymore.

more info here, in French

Two versions of the software developed on March 4 download are infected, reports Palo Alto Threat Intelligence. Three days after the installation of Transmission, the malware will connect to a command and control server (C2) via the Tor network. It will then encrypt certain files on the Mac, and then ask the victim to pay 1 bitcoin - € 375 - to send the decryption key.

The files that it tries to encrypt are many - more than 300 different types, some of which are here:

Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar, tar, gzip.
Source Code: cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem

How to check the integrity of your Mac

To check if you have downloaded a compromised version of the software, go to the Utilities folder in your Applications and launch the Activity Monitor. In the search, enter:

kernel_service

If you find this process, click the "i" button in the window of the Activity Monitor, go to File, "Open Ports" (?) and search for:

Users//Library/kernel_service

If you find this, force-quit it and update Transmission. That is KeRanger, which you've eliminated by force-quitting and crushing the compromised version of Transmission.

More info in English here.

-iNfluence · 18時間前

What if the 2.90 d/l was clean, and this new 2.91 is the real infected build haha

FullFrontalNoodly · 18時間前

Can someone post an analysis of what exactly what happened here?

Random · 16時間前

This article:

http://ca.reuters.com/article/technologyNews/idCAKCN0W80VX

Says it is a 3-day-delay ransomware

bort_sampson · 15時間前

Holy shit, that's very troubling!

Transmission was always my go-to BT client because of the lack of ads (unlike, say, uTorrent).

Is there another way to scrub your mac to make sure this kind of shit isn't lingering?

Thundarrx · 17時間前

I downloaded 2.90 from the site. Let's see.

# sudo ps -ef | grep -i kernel   
(nothing like this is listed)

# sudo open /Applications/Utilities/Activity\ Monitor.app
(Nothing)

# sudo lsof | grep kernel_
(nada)

# openssl sha1 Transmission-2.90.dmg 
 SHA1(Transmission-2.90.dmg)= f54e7590e8d69ea86edc24564048d17de1fa7f96

So, it looks like there was a problem with one specific host. If you have the 2.90 with the real SHA1 you might want to keep it in case their server was infected and 2.91 is also toast.

gellis12 · 12時間前

Transmission 2.92 has been released, which completely purges KeRanger from your system.

osaka__sun · 18時間前

Only kernal_service? Kernal_task is OK, correct?

Thanks for posting this.

GhostalMedia · 18時間前

How the fuck does this even happen? This makes me never want to use this app again.

murrayhenson · 17時間前

Just checked with TaskExplorer and, post-upgrade to 2.91, it seems fine - no viruses detected. I didn't have kernel_service running beforehand.

If I recall correctly, I updated to 2.90 via Transmission's own automatic update service (and same for the 2.91).

MortalKHANbat · 14時間前

Transmission just pushed 2.92 update that includes code to detect and to remove the KeRanger ransomware

4nis · 16時間前

Here's guide about the infection http://pastebin.com/zMBbdyDH

machei · 10時間前

First off, thank goodness for Reddit. I'd have never known otherwise. Second, I found the kernel_service running on my Mac mini server, and I've gone through everything outlined to remove it. After a reboot, there's no sign it's running the kernel_service, and a search of the hard disk reveals no General.rtf file.

Does this mean that there's now nothing I need to worry about? i.e. this software lays dormant and does nothing at all until it proceeds to encrypt, and so having removed it all, I'm safe, or is there something it's done in the meantime that I need to now be concerned is going to come back and bite me in the ass about at some unknown time in the future?

TheMacMan · 17時間前

Mentioned this when 2.90 was released as people were using the vulnerable version of the updates engine in 2.84 to update but no one seemed concerned at the time.

RobertAPetersen · 13時間前

How to Protect Yourself

Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

We suggest users take the following steps to identify and remove KeRanger holds their files for ransom:

Using either Terminal or Finder, check whether /Applicaions/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.

Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.

Ensure you update to Transmission 2.92.

Malwarebytes for Mac is updated to scan for this ransomware as well:

https://www.malwarebytes.org/antimalware/mac/

In general even us Mac users should be running anti-virus/anti-malware as well.

I recommend either Avira:

http://www.avira.com/en/free-antivirus-mac

or Sophos:

http://www.sophos.com/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

Extra recommended step for me personally, install BlockBlock:

Malware installs itself persistently, to ensure it's automatically re-executed at reboot. BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.

https://objective-see.com/products/blockblock.html

This issue with Transmission only appears to have been for those who manually downloaded Transmission recently, if you've been using auto update within the application you should be OK, but even then run scans anyway to err on the side of caution.

Write-up with further information:

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

rcrell · 19時間前

Shit, I just updated last night... Will have to check that

ready_1_take_1 · 14時間前

Ars Technica just posted an article about this.

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.

Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

Mastacon · 17時間前

I downloaded Transmission yesterday... saw the update today. Mine was infected.. followed the directions and deleted the file. Downloaded the update.

edit: I downloaded from their website.

Maxxist · 17時間前

I downloaded my copy through the website shortly after reinstalling osx my mac last week. I've used transmission a couple times since, but i don't see the offending process in activity monitor. I just downloaded 2.91 from their site and replaced it. the 2.90 dmg is still in my downloads folder. 200KB size difference between the two version. 2.90 is 5.3MB and 2.91 is 5.1MB

schacks · 15時間前

More info on the KeRanger malware. Origin, internal workings and howto remove:

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

ares623 · 19時間前

What are alternatives for Transmission?

notnick · 18時間前

I seem to be fine, I used the auto updater originally for 2.90, but updated to 2.91 just in case.

snotbot3000 · 14時間前

I backed up my laptop today with 2.90 on it, any recommendations on what to do?

transthrow203 · 13時間前

I assume those running 2.03 (it's the latest recognised client 'my' site allows) aren't in anyway effected by this?

TheRootsCrew · 13時間前

Alternative Tracker app suggestions?

pdmcmahon · 13時間前

Haven't used Transmission in a while, got this when I launched it just now.

CrazyEdward · 11時間前

It's amazing how much more informative this thread is than the article I just read over at Ars.

Thanks!

-HERO · 11時間前

Sorry if this is a stupid question, but can it affect files in the Dropbox folder?

kinkypussy · 19時間前

oh shii, i have that process running. What kind of malware is it?

hampa9 · 12時間前

This is why sandboxing is a really good idea for most apps.

binford2k · 17時間前

Friday, though, my update in Transmission failed due to a wrong signature. I then proceeded to a download through the web page.

And that was your mistake. Lol.

_asm · 17時間前

This is just speculation, but I think it might have been an attack on their HTTPS server, probably using this little devil: https://drownattack.com/

Which means just the folks that downloaded the app via their website may have been infected. The in-app update service doesn't seem to have been compromised.

TODO_getLife · 19時間前

Probably shouldn't have direct downloaded Transmission at work then. Going to have to do some cleanup on monday!

Zero_Waist · 15時間前

Looks like it's ransomware

Apple users targeted in first known Mac ransomware campaign - Reuters https://apple.news/AOkHXx3zOSOmoKH4HsxnyTA

TheMacMan · 10時間前

Would be funny if 2.91. and 2.92 were just the same hacker using the publicity this story got to encourage more to install compromised versions.

wuhkay · 7時間前

Not even kidding, as much as I would like to think that this is random occurrence, I wouldn't be shocked if some money from the music or film industry was behind this. Infect the popular bit torrent client.

bvhj · 17時間前

I'm running 2.90 (updating to 2.91 now), but updated to 2.90 yesterday through the app. I don't see kernel_service in my activity monitor, but also don't see kernel_task which a few people have mentioned as being something which should be there, am I alright or is there anywhere else I should check to make sure.

supercowrider · 17時間前

Can I be infected if I just opened the app from the .dmg to check it?

gorskiegangsta · 16時間前

I updated from within the app. No kernel_service running or in system files. Will definitely recheck over the course of next weeks regardless.

Maxxist · 16時間前

Anyone have the md5 sum for the official non infected 2.90? Their site is having some problems right now.

dat_pure_kid · 16時間前

Those who updated through the web server, they can control the web page.

odisseius · 16時間前

Sooo if I'm still on 2.81 should I update ? delete ? do nothing ? I used to use µtorrent but after the they use you for mining bitcoins shenanigans switched to transmission, should I switch to something else ?

edit: word

quinncom · 16時間前

If someone has an affected Transmission .dmg or .app, could they upload it to https://www.virustotal.com/ and post the link to the results?

I've just uploaded my Transmission.app v2.90 (I don't think it's affected) and the results look like this.

flybypost · 16時間前

users who updated within the app weren't affected

I didn't get that warning, just a window to update to 2.90 a few days ago when I started the app. The only difference I saw with 2.90 was that it crashed whenever it completed a download.

miloworld · 16時間前

Breaking on 9to5mac:

http://9to5mac.com/2016/03/06/first-os-x-ransomware-detected-in-the-wild-will-maliciously-encrypt-hard-drives-on-infected-macs

Ransomware bundled with download.

iscandr · 16時間前

Infected sample: https://www.virustotal.com/en/file/99792afc994b3a0652b23621ed12f42b2d78bef0b5891c7ec9b56e77b4cb46f9/analysis/1457291458/

McNuttyNutz · 14時間前

just checked mine and I'm clean from what i can tell i have Kernel_task but no services running i updated to the 2.9 through the app and again to 2.92

thepotatochronicles · 14時間前

I updated through the website (I checked that it was 2.90) but I don't see any kernel_service running. I scanned with sophos and uninstalled the app using cleanmymac. Should I still be worried?

edit: if it helps, I downloaded it off the website on the very hour it was announced

sfachime · 14時間前

It appears to be ransomware, Ars has a writeup here.

saint_whatever · 13時間前

"can’t confirm how this infection occurred."

notrodash · 12時間前

Damn, I downloaded the app from the website yesterday. It didn't want to launch so I gave up and downloaded a different client.

Event Name	9am ET
Tech Support Tuesday	Tuesday
What Should I Buy Wednesday	Wednesday
Tech Support Thursday	Thursday
Self-Promotion Saturday	Saturday

apple

Filter FBI News

Restore FBI News

Welcome!

New Product Release Dates

New to Mac?

Not sure what to buy?

Rules

Events

IRC Chatroom

Apple Subreddits

Mac Subreddits

iOS Subreddits

Beta Subreddits

Tech Subreddits

Content Philosophy

調停者