OSX.KeRanger.A malware in 2.90?

[hmrq]

Hi! I downloaded transmission from official link below, copied to Applications and after running it I get "contains malware" message from OSX. Image attached (sorry it is in russian), it reads:

File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>

OS: OSX 10.10.5, Recipe: download, copy to /Applications, run.
I also tried to repeat entire recipe — no luck. Google doesn't know about that strange "OSX.KeRanger.A".

Official link:
https://download.transmissionbt.com/fil ... n-2.90.dmg

Message did not appear for latest build, it started normally:

https://build.transmissionbt.com/job/trunk-mac/
https://build.transmissionbt.com/job/tr ... -14708.dmg

[x190]

File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>

That is not the official link.

This is:
https://www.transmissionbt.com/

I also can find no mention of OSX.KeRanger.A elsewhere. You say OS X produced the message, yet the message asks you to "Report to Apple to protect other users."!?

And, when you did use the official https site, you had no issues! Is your network secure? I would suggest you check your DNS settings.

Back in 2009, Apple made File Quarantine also check downloaded application files against a list stored in the System/Library/Core Services/CoreTypes.bundle/Contents/Resources/XProtect.plist file on your Mac. You can even open this file and see the list of malicious applications Mac OS X is checking for when you open downloaded application files.

When you open a downloaded application, File Quarantine checks if it matches any of the malware definitions in the XProtect file. If it does, you’ll see a nastier warning message that says running the file will damage your computer and informing you which malware definition it matches.

http://www.howtogeek.com/217043/xprotec ... are-works/

You can open the above file in TextEdit and search for 'OSX.KeRanger.A'. Let us know if you find it. Also, when you open this file in a Property List Editor, how many malware items are listed? I'm curious to know if my list is up-to-date with 59 items --- no 'OSX.KeRanger.A' though.

[mmnw]

I had the exact same message with my Download on friday. I'm already a Transmission user, so I usually do the update within Transmission. Friday, though, my update in Transmission failed due to a wrong signature. I then proceeded to a download through the web page. That download produced the same message the OP had.

I checked the signature against the one posted on the web-page, and of course it was wrong:

Code: Select all

$ openssl sha1 Transmission-2.90.dmg 
SHA1(Transmission-2.90.dmg)= 5f8ae46ae82e346000f366c3eabdafbec76e99e9

I'm not sure, if I downloaded the file through the https site or with an http url at the time. Safari does think it was https, though, and I can't remember any warnings. As a source for the offending file Safari stored

Code: Select all

https://download.transmissionbt.com/files/Transmission-2.90.dmg, https://www.transmissionbt.com/download/

in the file metadata. Not sure how accurate that is, though.

I re-downloaded again this morning, this time the file was ok and the sha1 was correct. Although, Safari lists cachefly as the source of the correct file, not transmissionbt.com:

Code: Select all

https://transmission.cachefly.net/Transmission-2.90.dmg, https://www.transmissionbt.com/download/

For reference: my computer is not on a public network, it was hooked up with a lan cable to my router.

[mmnw]

I just checked my XProtect.plist, and the OSX.KERanger.A malware is definitely in there, it's the first entry in my list:

Code: Select all

	<dict>
		<key>Description</key>
		<string>OSX.KeRanger.A</string>
		<key>LaunchServices</key>
		<dict>
			<key>LSItemContentType</key>
			<string>com.apple.application-bundle</string>
		</dict>
		<key>Matches</key>
		<array>
			<dict>
				<key>MatchFile</key>
				<dict>
					<key>NSURLTypeIdentifierKey</key>
					<string>public.unix-executable</string>
				</dict>
				<key>MatchType</key>
				<string>Match</string>
				<key>Pattern</key>
				<string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
			</dict>
		</array>
	</dict>

My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.

[livings124]

Everyone should update to 2.92. There are more directions on transmissionbt.com if you are infected.

[hmrq]

That is not the official link.

This is:
https://www.transmissionbt.com/

This forum adds "http://" automatically to all http://www.example.com after you click Preview.

[0e295e78]

My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.

My xprotect.plist was changed and created at 2016.03.05, and there is no any OSX.KeRanger.A, so guessing now is i'm infected?

Code: Select all

mdls ...XProtect.plist
kMDItemFSContentChangeDate = 2016-03-05 17:27:50 +0000
kMDItemFSCreationDate      = 2016-03-05 17:27:50 +0000
kMDItemFSSize              = 63419

[mixologic]

Additional information regarding the security report: http://researchcenter.paloaltonetworks. ... installer/

[x190]

READ CAREFULLY:

Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

http://researchcenter.paloaltonetworks. ... installer/

Devs are working on a v2.92 release which will attempt to remove OSX.KeRanger.A for you, however, you should still follow the instructions from the above link, if it applies to you.

See the "How to Protect Yourself" section of the article.

Thanks for the link, mixologic!

[techietrash]

2.92 was released. https://www.transmissionbt.com/download/

[jshier]

So, how did this happen?

[0e295e78]

Is 2.92 sure safe? I'm afraid to install it. How can i find out exact SHA1 of 2.92?

[MagicBoy]

So, how did this happen?

A fine question, and one that I would like answering.

[mixologic]

How can i find out exact SHA1 of 2.92?

If you mouse over the .dmg link on https://www.transmissionbt.com/download/, it shows the sha1.

Not that it matters, as md5/sha1/sha256 of downloaded files only matter if the files are stored separate from the website telling you the sha1 of the file. i.e. if both the website and the download filesystem were hacked, the hackers can just change the sha1 to match their file. What's needed to verify file download integrity is digital signing. Something like https://jedisct1.github.io/minisign/ for example.

[Hawkeye]

I have read this with some alarm and yes it would be interesting to see how this occurred.

A few questions:
1) Does it occur with the in program update as I never received any of the gatekeeper errors
2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).
3) The information (command i) box still states that it is version 2.90 but when opening the App info states 2.92 (small thing but adds uncertainty but the fix is more important).

Just as an aside might be good PR if someone writes a small check program for people who are a bit Unixly illiterate and sees if they are infected.

Cheers Hawkeye