OSX.KeRanger.A malware in 2.90?

[hmrq]

Hi! I downloaded transmission from official link below, copied to Applications and after running it I get "contains malware" message from OSX. Image attached (sorry it is in russian), it reads:

File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>

OS: OSX 10.10.5, Recipe: download, copy to /Applications, run.
I also tried to repeat entire recipe — no luck. Google doesn't know about that strange "OSX.KeRanger.A".

Official link:
https://download.transmissionbt.com/fil ... n-2.90.dmg

Message did not appear for latest build, it started normally:

https://build.transmissionbt.com/job/trunk-mac/
https://build.transmissionbt.com/job/tr ... -14708.dmg

[mmnw]

I had the exact same message with my Download on friday. I'm already a Transmission user, so I usually do the update within Transmission. Friday, though, my update in Transmission failed due to a wrong signature. I then proceeded to a download through the web page. That download produced the same message the OP had.

I checked the signature against the one posted on the web-page, and of course it was wrong:

Code: Select all

$ openssl sha1 Transmission-2.90.dmg 
SHA1(Transmission-2.90.dmg)= 5f8ae46ae82e346000f366c3eabdafbec76e99e9

I'm not sure, if I downloaded the file through the https site or with an http url at the time. Safari does think it was https, though, and I can't remember any warnings. As a source for the offending file Safari stored

Code: Select all

https://download.transmissionbt.com/files/Transmission-2.90.dmg, https://www.transmissionbt.com/download/

in the file metadata. Not sure how accurate that is, though.

I re-downloaded again this morning, this time the file was ok and the sha1 was correct. Although, Safari lists cachefly as the source of the correct file, not transmissionbt.com:

Code: Select all

https://transmission.cachefly.net/Transmission-2.90.dmg, https://www.transmissionbt.com/download/

For reference: my computer is not on a public network, it was hooked up with a lan cable to my router.

[mmnw]

I just checked my XProtect.plist, and the OSX.KERanger.A malware is definitely in there, it's the first entry in my list:

Code: Select all

	<dict>
		<key>Description</key>
		<string>OSX.KeRanger.A</string>
		<key>LaunchServices</key>
		<dict>
			<key>LSItemContentType</key>
			<string>com.apple.application-bundle</string>
		</dict>
		<key>Matches</key>
		<array>
			<dict>
				<key>MatchFile</key>
				<dict>
					<key>NSURLTypeIdentifierKey</key>
					<string>public.unix-executable</string>
				</dict>
				<key>MatchType</key>
				<string>Match</string>
				<key>Pattern</key>
				<string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
			</dict>
		</array>
	</dict>

My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.

[livings124]

Everyone should update to 2.92. There are more directions on transmissionbt.com if you are infected.

[hmrq]

That is not the official link.

This is:
https://www.transmissionbt.com/

This forum adds "http://" automatically to all http://www.example.com after you click Preview.

[0e295e78]

My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.

My xprotect.plist was changed and created at 2016.03.05, and there is no any OSX.KeRanger.A, so guessing now is i'm infected?

Code: Select all

mdls ...XProtect.plist
kMDItemFSContentChangeDate = 2016-03-05 17:27:50 +0000
kMDItemFSCreationDate      = 2016-03-05 17:27:50 +0000
kMDItemFSSize              = 63419

[mixologic]

Additional information regarding the security report: http://researchcenter.paloaltonetworks. ... installer/

[techietrash]

2.92 was released. https://www.transmissionbt.com/download/

[jshier]

So, how did this happen?

[0e295e78]

Is 2.92 sure safe? I'm afraid to install it. How can i find out exact SHA1 of 2.92?

[MagicBoy]

So, how did this happen?

A fine question, and one that I would like answering.

[mixologic]

How can i find out exact SHA1 of 2.92?

If you mouse over the .dmg link on https://www.transmissionbt.com/download/, it shows the sha1.

Not that it matters, as md5/sha1/sha256 of downloaded files only matter if the files are stored separate from the website telling you the sha1 of the file. i.e. if both the website and the download filesystem were hacked, the hackers can just change the sha1 to match their file. What's needed to verify file download integrity is digital signing. Something like https://jedisct1.github.io/minisign/ for example.

[Hawkeye]

I have read this with some alarm and yes it would be interesting to see how this occurred.

A few questions:
1) Does it occur with the in program update as I never received any of the gatekeeper errors
2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).
3) The information (command i) box still states that it is version 2.90 but when opening the App info states 2.92 (small thing but adds uncertainty but the fix is more important).

Just as an aside might be good PR if someone writes a small check program for people who are a bit Unixly illiterate and sees if they are infected.

Cheers Hawkeye

[boltronics]

From the article, it sounds like the affected transmission installers were signed using a different key. If true, I would imagine this was the result of a server compromise.

In any case, I continue to strongly advise people to never install anything they downloaded from the web if they haven't validated a GPG signature. This is especially true of non-HTTPS downloads, but certainly true either way. As a Debian GNU/Linux user, I'm accustomed to all my downloads being signed, and this just seems common sense... but today I learned Transmission doesn't seem to sign their downloads. It's a shame, as doing so would easily have prevented this disaster for anyone who cared to check.

[Cheddar4]

2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).

Right-click on the Transmission.app, select "Show package contents", then go to Contents/Resources and see if "General.rtf" exists. And, incidentally, if I choose "Get info" on Transmission.app, mine reports as being 2.92 with a size of 10,568,680 bytes.