OSX.KeRanger.A malware in 2.90?

Ask for help and report issues with the Mac OS X version of Transmission
hmrq
Posts: 2
Joined: Sat Mar 05, 2016 11:03 pm

OSX.KeRanger.A malware in 2.90?

Post by hmrq »

Hi! I downloaded Transmission from the official link below, copied it to Applications and after running it I get a "contains malware" message from OS X. Image attached (sorry, it is in Russian), it reads:
File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>
OS: OSX 10.10.5, Recipe: download, copy to /Applications, run.
I also tried to repeat the entire recipe — no luck. Google doesn't know about that strange "OSX.KeRanger.A".

Official link:
https://download.transmissionbt.com/fil ... n-2.90.dmg

Message did not appear for latest build, it started normally:

https://build.transmissionbt.com/job/trunk-mac/
https://build.transmissionbt.com/job/tr ... -14708.dmg
Attachments: Screenshot.png
mmnw
Posts: 3
Joined: Sun Mar 06, 2016 7:42 am

Re: OSX.KeRanger.A malware in 2.90?

Post by mmnw »

I had the exact same message with my download on Friday. I'm already a Transmission user, so I usually do the update within Transmission. Friday, though, my update in Transmission failed due to a wrong signature. I then proceeded to a download through the web page. That download produced the same message the OP had.

I checked the signature against the one posted on the web-page, and of course it was wrong:

$ openssl sha1 Transmission-2.90.dmg
SHA1(Transmission-2.90.dmg)= 5f8ae46ae82e346000f366c3eabdafbec76e99e9

I'm not sure if I downloaded the file through the https site or with an http URL at the time. Safari does think it was https, though, and I can't remember any warnings. As the source for the offending file Safari stored

https://download.transmissionbt.com/files/Transmission-2.90.dmg, https://www.transmissionbt.com/download/
in the file metadata. Not sure how accurate that is, though.

I re-downloaded this morning; this time the file was OK and the SHA1 was correct. Although, Safari lists cachefly as the source of the correct file, not transmissionbt.com:

https://transmission.cachefly.net/Transmission-2.90.dmg, https://www.transmissionbt.com/download/

For reference: my computer is not on a public network, it was hooked up with a lan cable to my router.
Last edited by mmnw on Sun Mar 06, 2016 8:03 am, edited 1 time in total.
mmnw
Posts: 3
Joined: Sun Mar 06, 2016 7:42 am

Re: OSX.KeRanger.A malware in 2.90?

Post by mmnw »

I just checked my XProtect.plist, and the OSX.KeRanger.A malware is definitely in there; it's the first entry in my list:

	<dict>
		<key>Description</key>
		<string>OSX.KeRanger.A</string>
		<key>LaunchServices</key>
		<dict>
			<key>LSItemContentType</key>
			<string>com.apple.application-bundle</string>
		</dict>
		<key>Matches</key>
		<array>
			<dict>
				<key>MatchFile</key>
				<dict>
					<key>NSURLTypeIdentifierKey</key>
					<string>public.unix-executable</string>
				</dict>
				<key>MatchType</key>
				<string>Match</string>
				<key>Pattern</key>
				<string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
			</dict>
		</array>
	</dict>

My XProtect.plist was last changed on January 25th and it has 57 entries; I guess that was the date of the last OS X update. I can't say whether KeRanger was the recent addition, though, as I don't back up my System folder.
livings124
Transmission Developer
Posts: 3142
Joined: Fri Jan 13, 2006 8:08 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by livings124 »

Everyone should update to 2.92. There are more directions on transmissionbt.com if you are infected.
Last edited by livings124 on Sun Mar 06, 2016 11:44 pm, edited 1 time in total.
hmrq
Posts: 2
Joined: Sat Mar 05, 2016 11:03 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by hmrq »

That is not the official link.

This is:
https://www.transmissionbt.com/
This forum adds "http://" automatically to all http://www.example.com after you click Preview.
0e295e78
Posts: 7
Joined: Thu Jan 21, 2016 9:09 am

Re: OSX.KeRanger.A malware in 2.90?

Post by 0e295e78 »

mmnw wrote:My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.
My XProtect.plist was changed and created on 2016.03.05, and there is no OSX.KeRanger.A in it at all, so I'm guessing I'm infected now?

mdls ...XProtect.plist
kMDItemFSContentChangeDate = 2016-03-05 17:27:50 +0000
kMDItemFSCreationDate      = 2016-03-05 17:27:50 +0000
kMDItemFSSize              = 63419
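A small parser for the structure mmnw quoted and the question 0e295e78 asks (does my XProtect.plist list OSX.KeRanger.A?). This is an added example, not code from the thread or from the Transmission project; the plist bytes are a constructed sample in the shape of the quoted entry, and the matcher assumes that `*` in an XProtect Pattern stands for an arbitrary run of bytes.

```python
import plistlib
import re

# Constructed sample in the shape of the XProtect.plist fragment quoted in the
# thread: a top-level array of entries, one per signature. The real file on a
# 2016 machine held dozens of such entries.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
  <key>Description</key><string>OSX.KeRanger.A</string>
  <key>LaunchServices</key>
  <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
  <key>Matches</key>
  <array><dict>
    <key>MatchFile</key>
    <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
    <key>MatchType</key><string>Match</string>
    <key>Pattern</key>
    <string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
  </dict></array>
</dict>
</array></plist>
"""

def signature_names(plist_bytes):
    """Description strings of every entry, in file order."""
    return [entry["Description"] for entry in plistlib.loads(plist_bytes)]

def has_signature(plist_bytes, name):
    """True when this XProtect data knows the named family at all."""
    return name in signature_names(plist_bytes)

def pattern_to_regex(pattern):
    """Hex byte string with '*' wildcards -> bytes regex (assumption: '*'
    stands for any run of bytes, so each literal chunk must appear in order)."""
    chunks = [re.escape(bytes.fromhex(c)) for c in pattern.split("*") if c]
    return re.compile(b".*?".join(chunks), re.DOTALL)

def matching_signatures(plist_bytes, data):
    """Names of entries whose Pattern occurs in the given executable bytes."""
    hits = []
    for entry in plistlib.loads(plist_bytes):
        for m in entry.get("Matches", []):
            if pattern_to_regex(m["Pattern"]).search(data):
                hits.append(entry["Description"])
                break
    return hits
```

A missing entry only means the machine's XProtect data has not picked up the signature; whether a given bundle is affected is a separate check of the bundle itself. To run this against a real file, pass the bytes of the local XProtect.plist instead of the constructed sample.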
mixologic
Posts: 2
Joined: Sun Mar 06, 2016 8:02 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mixologic »

Additional information regarding the security report: http://researchcenter.paloaltonetworks. ... installer/
techietrash
Posts: 1
Joined: Sun Mar 06, 2016 8:07 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by techietrash »

jshier
Posts: 1
Joined: Sun Mar 06, 2016 10:11 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by jshier »

So, how did this happen?
0e295e78
Posts: 7
Joined: Thu Jan 21, 2016 9:09 am

Re: OSX.KeRanger.A malware in 2.90?

Post by 0e295e78 »

Is 2.92 definitely safe? I'm afraid to install it. How can I find out the exact SHA1 of 2.92?
MagicBoy
Posts: 7
Joined: Thu Feb 17, 2011 10:43 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by MagicBoy »

jshier wrote:So, how did this happen?
A fine question, and one that I would like answering.
mixologic
Posts: 2
Joined: Sun Mar 06, 2016 8:02 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mixologic »

0e295e78 wrote:How can i find out exact SHA1 of 2.92?
If you mouse over the .dmg link on https://www.transmissionbt.com/download/, it shows the sha1.

Not that it matters, as md5/sha1/sha256 of downloaded files only matter if the files are stored separately from the website telling you the sha1 of the file, i.e. if both the website and the download filesystem were hacked, the hackers can just change the sha1 to match their file. What's needed to verify file download integrity is digital signing. Something like https://jedisct1.github.io/minisign/ for example.
Hawkeye
Posts: 2
Joined: Mon Mar 07, 2016 12:39 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Hawkeye »

I have read this with some alarm and yes it would be interesting to see how this occurred.

A few questions:
1) Does it occur with the in-program update? I never received any of the Gatekeeper errors.
2) I read the PaloAlto document, but which Applications folder should I be looking at, user/Applications or the top-level Applications? There is only a Transmission.app there... how do I drill down (for the Unixly illiterate)?
3) The information (Command-I) box still states that it is version 2.90, but when opening the app, the info states 2.92 (a small thing, but it adds uncertainty; the fix is more important).

Just as an aside, it might be good PR if someone wrote a small check program for people who are a bit Unixly illiterate to see whether they are infected.

Cheers Hawkeye
boltronics
Posts: 1
Joined: Mon Mar 07, 2016 1:49 am

Re: OSX.KeRanger.A malware in 2.90?

Post by boltronics »

From the article, it sounds like the affected transmission installers were signed using a different key. If true, I would imagine this was the result of a server compromise.

In any case, I continue to strongly advise people to never install anything they downloaded from the web if they haven't validated a GPG signature. This is especially true of non-HTTPS downloads, but certainly true either way. As a Debian GNU/Linux user, I'm accustomed to all my downloads being signed, and this just seems common sense... but today I learned Transmission doesn't seem to sign their downloads. It's a shame, as doing so would easily have prevented this disaster for anyone who cared to check.
Cheddar4
Posts: 1
Joined: Mon Mar 07, 2016 3:52 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Cheddar4 »

Hawkeye wrote: 2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).
Right-click on the Transmission.app, select "Show package contents", then go to Contents/Resources and see if "General.rtf" exists. And, incidentally, if I choose "Get info" on Transmission.app, mine reports as being 2.92 with a size of 10,568,680 bytes.
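The check program Hawkeye asked for, built on the indicator Cheddar4 describes (General.rtf under Contents/Resources) together with the SHA-1 comparison discussed earlier in the thread. This is an added example, not a tool from the Transmission project; it assumes the thread's indicator is the one to look for and takes the SHA-1 shown on the download page as input.

```python
import hashlib
from pathlib import Path

# Indicator named in the thread: the trojanised Transmission 2.90 bundle
# carried Contents/Resources/General.rtf, which a clean build does not.
INDICATOR = Path("Contents", "Resources", "General.rtf")

def candidate_bundles(home=None):
    """Transmission.app in both folders Hawkeye asked about:
    the top-level /Applications and the per-user ~/Applications."""
    home = Path(home) if home else Path.home()
    roots = [Path("/Applications"), home / "Applications"]
    return [r / "Transmission.app" for r in roots if (r / "Transmission.app").is_dir()]

def bundle_has_indicator(app_path):
    """True when the bundle contains the General.rtf the thread points at."""
    return (Path(app_path) / INDICATOR).is_file()

def sha1_of(path, chunk=1 << 20):
    """Streaming SHA-1 of a file, the same value `openssl sha1` prints."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def dmg_matches(path, published_sha1):
    """Compare against the hash shown on the download page. As mixologic notes,
    this only catches a swapped file, not a site that republishes the hash."""
    return sha1_of(path) == published_sha1.strip().lower()

def report(app_paths, dmg=None, published_sha1=None):
    """One line per bundle (and optionally the .dmg), suitable for printing."""
    lines = []
    for app in app_paths:
        verdict = "SUSPECT: General.rtf present" if bundle_has_indicator(app) else "no indicator found"
        lines.append(f"{app}: {verdict}")
    if dmg and published_sha1:
        ok = dmg_matches(dmg, published_sha1)
        lines.append(f"{dmg}: sha1 {'matches' if ok else 'DOES NOT MATCH'} the published value")
    return lines

if __name__ == "__main__":
    for line in report(candidate_bundles()) or ["no Transmission.app found"]:
        print(line)
```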