OSX.KeRanger.A malware in 2.90?

Ask for help and report issues with the Mac OS X version of Transmission
hmrq
Posts: 2
Joined: Sat Mar 05, 2016 11:03 pm

OSX.KeRanger.A malware in 2.90?

Post by hmrq »

Hi! I downloaded transmission from official link below, copied to Applications and after running it I get "contains malware" message from OSX. Image attached (sorry it is in russian), it reads:
File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>
OS: OSX 10.10.5, Recipe: download, copy to /Applications, run.
I also tried to repeat entire recipe — no luck. Google doesn't know about that strange "OSX.KeRanger.A".

Official link:
https://download.transmissionbt.com/fil ... n-2.90.dmg

Message did not appear for latest build, it started normally:

https://build.transmissionbt.com/job/trunk-mac/
https://build.transmissionbt.com/job/tr ... -14708.dmg
Attachments
Screenshot.png
Screenshot.png (54.83 KiB) Viewed 152443 times
x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Re: OSX.KeRanger.A malware in 2.90?

Post by x190 »

File "Transmission.app" will hurt your computer. Put it in Trash.
It contains "OSX.KeRanger.A" malware.
Safari downloaded this file today 2:05 from http://www.transmissionbt.com.
[v] Report to Apple to protect other users.
<Cancel> / <Move to Trash>
That is not the official link.

This is:
https://www.transmissionbt.com/

I also can find no mention of OSX.KeRanger.A elsewhere. You say OS X produced the message, yet the message asks you to "Report to Apple to protect other users."!?

And, when you did use the official https site, you had no issues! Is your network secure? I would suggest you check your DNS settings.
Back in 2009, Apple made File Quarantine also check downloaded application files against a list stored in the System/Library/Core Services/CoreTypes.bundle/Contents/Resources/XProtect.plist file on your Mac. You can even open this file and see the list of malicious applications Mac OS X is checking for when you open downloaded application files.

When you open a downloaded application, File Quarantine checks if it matches any of the malware definitions in the XProtect file. If it does, you’ll see a nastier warning message that says running the file will damage your computer and informing you which malware definition it matches.
http://www.howtogeek.com/217043/xprotec ... are-works/

You can open the above file in TextEdit and search for 'OSX.KeRanger.A'. Let us know if you find it. Also, when you open this file in a Property List Editor, how many malware items are listed? I'm curious to know if my list is up-to-date with 59 items --- no 'OSX.KeRanger.A' though.
mmnw
Posts: 3
Joined: Sun Mar 06, 2016 7:42 am

Re: OSX.KeRanger.A malware in 2.90?

Post by mmnw »

I had the exact same message with my Download on friday. I'm already a Transmission user, so I usually do the update within Transmission. Friday, though, my update in Transmission failed due to a wrong signature. I then proceeded to a download through the web page. That download produced the same message the OP had.

I checked the signature against the one posted on the web-page, and of course it was wrong:

Code: Select all

$ openssl sha1 Transmission-2.90.dmg 
SHA1(Transmission-2.90.dmg)= 5f8ae46ae82e346000f366c3eabdafbec76e99e9
I'm not sure, if I downloaded the file through the https site or with an http url at the time. Safari does think it was https, though, and I can't remember any warnings. As a source for the offending file Safari stored

Code: Select all

https://download.transmissionbt.com/files/Transmission-2.90.dmg, https://www.transmissionbt.com/download/
in the file metadata. Not sure how accurate that is, though.

I re-downloaded again this morning, this time the file was ok and the sha1 was correct. Although, Safari lists cachefly as the source of the correct file, not transmissionbt.com:

Code: Select all

https://transmission.cachefly.net/Transmission-2.90.dmg, https://www.transmissionbt.com/download/
For reference: my computer is not on a public network, it was hooked up with a lan cable to my router.
Last edited by mmnw on Sun Mar 06, 2016 8:03 am, edited 1 time in total.
mmnw
Posts: 3
Joined: Sun Mar 06, 2016 7:42 am

Re: OSX.KeRanger.A malware in 2.90?

Post by mmnw »

I just checked my XProtect.plist, and the OSX.KERanger.A malware is definitely in there, it's the first entry in my list:

Code: Select all

	<dict>
		<key>Description</key>
		<string>OSX.KeRanger.A</string>
		<key>LaunchServices</key>
		<dict>
			<key>LSItemContentType</key>
			<string>com.apple.application-bundle</string>
		</dict>
		<key>Matches</key>
		<array>
			<dict>
				<key>MatchFile</key>
				<dict>
					<key>NSURLTypeIdentifierKey</key>
					<string>public.unix-executable</string>
				</dict>
				<key>MatchType</key>
				<string>Match</string>
				<key>Pattern</key>
				<string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
			</dict>
		</array>
	</dict>
My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.
livings124
Transmission Developer
Posts: 3142
Joined: Fri Jan 13, 2006 8:08 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by livings124 »

Everyone should update to 2.92. There are more directions on transmissionbt.com if you are infected.
Last edited by livings124 on Sun Mar 06, 2016 11:44 pm, edited 1 time in total.
hmrq
Posts: 2
Joined: Sat Mar 05, 2016 11:03 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by hmrq »

That is not the official link.

This is:
https://www.transmissionbt.com/
This forum adds "http://" automatically to all http://www.example.com after you click Preview.
0e295e78
Posts: 7
Joined: Thu Jan 21, 2016 9:09 am

Re: OSX.KeRanger.A malware in 2.90?

Post by 0e295e78 »

mmnw wrote:My xprotect.plist was last changed on January 25th and it has 57 entries, I guess that was the date of the last OS X update. Can't say if KeRanger was the recent addition, though, as I don't backup my System folder.
My xprotect.plist was changed and created at 2016.03.05, and there is no any OSX.KeRanger.A, so guessing now is i'm infected?

Code: Select all

mdls ...XProtect.plist
kMDItemFSContentChangeDate = 2016-03-05 17:27:50 +0000
kMDItemFSCreationDate      = 2016-03-05 17:27:50 +0000
kMDItemFSSize              = 63419
mixologic
Posts: 2
Joined: Sun Mar 06, 2016 8:02 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mixologic »

Additional information regarding the security report: http://researchcenter.paloaltonetworks. ... installer/
x190
Posts: 5094
Joined: Sun Nov 30, 2008 4:59 am

Re: OSX.KeRanger.A malware in 2.90?

Post by x190 »

READ CAREFULLY:
Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
http://researchcenter.paloaltonetworks. ... installer/

Devs are working on a v2.92 release which will attempt to remove OSX.KeRanger.A for you, however, you should still follow the instructions from the above link, if it applies to you.

See the "How to Protect Yourself" section of the article.

Thanks for the link, mixologic!
techietrash
Posts: 1
Joined: Sun Mar 06, 2016 8:07 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by techietrash »

jshier
Posts: 1
Joined: Sun Mar 06, 2016 10:11 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by jshier »

So, how did this happen?
0e295e78
Posts: 7
Joined: Thu Jan 21, 2016 9:09 am

Re: OSX.KeRanger.A malware in 2.90?

Post by 0e295e78 »

Is 2.92 sure safe? I'm afraid to install it. How can i find out exact SHA1 of 2.92?
MagicBoy
Posts: 7
Joined: Thu Feb 17, 2011 10:43 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by MagicBoy »

jshier wrote:So, how did this happen?
A fine question, and one that I would like answering.
mixologic
Posts: 2
Joined: Sun Mar 06, 2016 8:02 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mixologic »

0e295e78 wrote:How can i find out exact SHA1 of 2.92?
If you mouse over the .dmg link on https://www.transmissionbt.com/download/, it shows the sha1.

Not that it matters, as md5/sha1/sha256 of downloaded files only matter if the files are stored separate from the website telling you the sha1 of the file. i.e. if both the website and the download filesystem were hacked, the hackers can just change the sha1 to match their file. What's needed to verify file download integrity is digital signing. Something like https://jedisct1.github.io/minisign/ for example.
Hawkeye
Posts: 2
Joined: Mon Mar 07, 2016 12:39 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Hawkeye »

I have read this with some alarm and yes it would be interesting to see how this occurred.

A few questions:
1) Does it occur with the in program update as I never received any of the gatekeeper errors
2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).
3) The information (command i) box still states that it is version 2.90 but when opening the App info states 2.92 (small thing but adds uncertainty but the fix is more important).

Just as an aside might be good PR if someone writes a small check program for people who are a bit Unixly illiterate and sees if they are infected.

Cheers Hawkeye
Post Reply