OSX.KeRanger.A malware in 2.90?

Ask for help and report issues with the Mac OS X version of Transmission
Jeremy_
Posts: 2
Joined: Mon Mar 07, 2016 5:45 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Jeremy_ »

Can anyone in the know clarify whether copies of Transmission which were "auto-updated" (from within the app itself) are affected by this? I have another computer I am reluctant to turn on to check until I understand what's up. It may have auto-updated to 2.90 during the March 4 – March 7 time window.

Thanks for info. Sorry this happened to such a great program.
mmnw
Posts: 3
Joined: Sun Mar 06, 2016 7:42 am

Re: OSX.KeRanger.A malware in 2.90?

Post by mmnw »

Jeremy_ wrote:Can anyone in the know clarify whether copies of Transmission which were "auto-updated" (from within the app itself) are affected by this? I have another computer I am reluctant to turn on to check until I understand what's up. It may have auto-updated to 2.90 during the March 4 – March 7 time window.

Thanks for info. Sorry this happened to such a great program.
I'm not really in the know, but I tried auto update on March 4th and it failed for me with a signature mismatch. I'm not sure if this was due to the infection or some other unrelated mishap, but I know the updater is supposed to check signatures and hashes. So it might be fine.
Still, if you are infected I'd also like to reiterate to update as soon as possible, since the malware has some 3 day activation window implemented before it gets nasty. The sooner you update the better.
molestrangler
Posts: 28
Joined: Sun Nov 02, 2008 3:23 am

Re: OSX.KeRanger.A malware in 2.90?

Post by molestrangler »

I have a habit of downloading the source and compiling myself, cuz of some changes I make to the source code so TransmissionBT works nicer for me.

I did all the checks and found no trace of OSX.KeRanger.A in my system.
essiw
Posts: 567
Joined: Sat Aug 23, 2008 10:40 am
Location: the Netherlands

Re: OSX.KeRanger.A malware in 2.90?

Post by essiw »

Jeremy_ wrote:Can anyone in the know clarify whether copies of Transmission which were "auto-updated" (from within the app itself) are affected by this? I have another computer I am reluctant to turn on to check until I understand what's up. It may have auto-updated to 2.90 during the March 4 – March 7 time window.

Thanks for info. Sorry this happened to such a great program.
To my knowledge only people who directly downloaded it from the website got infected, however you should check just in case.
ElCap
Posts: 1
Joined: Mon Mar 07, 2016 9:08 am

Re: OSX.KeRanger.A malware in 2.90?

Post by ElCap »

Here's a thought for the conspiracists out there:
I notice this has gone mainstream in the press about 5 hours ago.
Couldn’t help thinking this could be a very good way to create strong ill-feeling toward BT sharing by, dare I say it, the DMCA?
Still seems to be many, many v2.90 clients running out there.
If these users don’t get their systems clear soon I can see some severe pain coming in the next few days. Tick tick tick...
cashFromChaos
Posts: 8
Joined: Sat Jan 18, 2014 8:57 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by cashFromChaos »

Last edited by cashFromChaos on Mon Mar 07, 2016 2:04 pm, edited 1 time in total.
cashFromChaos
Posts: 8
Joined: Sat Jan 18, 2014 8:57 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by cashFromChaos »

Does Palo Alto Networks mean the DMG files with "installers" or are there specific Transmission installers on OS X I don't know about?
cfpp2p
Posts: 290
Joined: Sat Aug 08, 2009 3:14 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by cfpp2p »

ElCap wrote:...this could be a very good way to create strong ill-feeling toward BT...
The last line of this tries to do just that
https://blog.malwarebytes.org/mac/2016/ ... e-spotted/
Koishki
Posts: 1
Joined: Mon Mar 07, 2016 5:39 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by Koishki »

Can such removal instructions help? http://macsecurity.net/view/113/
haroldipswich
Posts: 1
Joined: Mon Mar 07, 2016 6:03 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by haroldipswich »

Please also see this question on stack exchange, asked not long before the exploit happened: http://security.stackexchange.com/q/115872
agilecoyote
Posts: 3
Joined: Thu Jan 09, 2014 7:00 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by agilecoyote »

This may be pure coincidence, but my external HDDs, on two networked Macs, vanished on Sunday. Can't be found through Disk Utility or Terminal and changing from FireWire to USB makes no difference. I had Transmission 2.90 but I don't know if it was infected (I immediately installed 2.92). Regardless, could KeRanger be the cause? I've had no ransom demands and the internal drives seem fine.
Hawkeye
Posts: 2
Joined: Mon Mar 07, 2016 12:39 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Hawkeye »

Cheddar4 wrote:
Hawkeye wrote: 2) I read the PaloAlto document but what Application folder should I be looking at user/applications or the top level applications as there is only a transmission.app there....how do I drill down (for the unixly illiterate).
Right-click on the Transmission.app, select "Show package contents", then go to Contents/Resources and see if "General.rtf" exists. And, incidentally, if I choose "Get info" on Transmission.app, mine reports as being 2.92 with a size of 10,568,680 bytes.
Thanks for that. Don't have the General.rtf file so seems all is good. Also I updated via the Application itself so that may have been a good version (not sure if the in app update version was good and the site one was bad or if they are even different.....an explanation I presume will come forth.)

After restarting, the info panel now shows 2.92, so the update just needed a refresh as such.

Cheers Hawkeye
Jeremy_
Posts: 2
Joined: Mon Mar 07, 2016 5:45 am

Re: OSX.KeRanger.A malware in 2.90?

Post by Jeremy_ »

x190 wrote: You have to run Transmission for it to work, assuming you got a bad copy. Update to, and run 2.92 and you should be fine. [...] It is important to update NOW!
https://www.transmissionbt.com/download/
x190 wrote: Remove v2.90, restart your computer, and update to v2.92.
https://www.transmissionbt.com/download/
In two separate posts, x190 urgently advises users to download unsigned software from a website that may be compromised (according to the Palo Alto Networks analysis of this attack). This seems to me completely irresponsible. None of the developers have explained how this attack occurred and what all was compromised, nor have they provided any assurances that the web site statement urging download of 2.92 on the website is from them rather than the attackers, nor have they provided any assurances that the code base is verified to be unaffected. If transmissionbt.com was attacked, the responsible thing to do is tell users how to remove the software, rather than to run more software off that site.

How about some signed statements from developers declaring that 2.92 is legit, with checksums for the DMG files? How about the developers have a third party (such as Palo Alto) update their analysis to endorse the new version, and link to that statement, rather than a local, potentially compromised statement? As of now, users have nothing but bulletin board rumors and the admonitions of a compromised web site to work with.

I recommend anyone who might have been infected, at minimum:
1) immediately disconnect from the Internet (to halt malware communication with control servers)
2) delete "Transmission.app" from their Applications folder
3) kill any processes named "kernel_service" (in Activity Monitor) and delete ~/Library/kernel_service if it exists
4) reboot
5) do not reinstall Transmission until the smoke has cleared and third parties have analyzed things and certified the latest version
Last edited by Jeremy_ on Tue Mar 08, 2016 4:16 pm, edited 1 time in total.
mike.dld
Transmission Developer
Posts: 306
Joined: Wed Dec 25, 2013 10:56 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mike.dld »

Jeremy_ wrote:How about some signed statements from developers declaring that 2.92 is legit, with checksums for the DMG files?
https://www.transmissionbt.com/ (for the statement)
https://www.transmissionbt.com/download/ (for the checksums)
Jeremy_ wrote:How about the developers have a third party (such as Palo Alto) update their analysis to endorse the new version, and link to that statement, rather than a local, potentially compromised statement?
https://twitter.com/claud_xiao/status/7 ... 4036950016 (for a word from Claud Xiao, Principal Security Researcher, Palo Alto Networks).
mike.dld
Transmission Developer
Posts: 306
Joined: Wed Dec 25, 2013 10:56 pm

Re: OSX.KeRanger.A malware in 2.90?

Post by mike.dld »

Jeremy_ wrote:In two separate posts, x190 urgently advises users to download unsigned software from a website that may be compromised (according to the Palo Alto Networks analysis of this attack). This seems to me completely irresponsible.
Each OS X build is properly signed by "Developer ID Application: Digital Ignition LLC" certificate. If people had a habit of checking the signature then they would've noticed that compromised binaries were signed by a different certificate. Since there is no way we could blame this on users, and we really shouldn't even think of this, I'd like to blame 1) us for letting users download those binaries in the first place and 2) Apple for not devising a system that warns user of running signed applications from developers who were not previously explicitly approved by the user himself (there're only so many programs a user runs, so that won't be a pain the way I see it).
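The checks discussed across this thread (Cheddar4's "look for General.rtf in Contents/Resources", Jeremy_'s "kernel_service" process and ~/Library/kernel_service file, and mike.dld's point about checking the Developer ID signature) collected into one script. This is an added example written for this thread, not a tool from the Transmission project or from Palo Alto Networks. The bundle path, the library directory argument and the signer name "Digital Ignition LLC" are taken from the posts above; the helper names are my own. The signature check uses Apple's codesign and is skipped (reported, not passed) on systems that lack it.

```sh
#!/bin/sh
# Added example: checks a Transmission.app bundle for the KeRanger indicators
# named in this forum thread. Helper names are hypothetical; indicators come
# from the posts above.

# Returns 0 if the bundle carries the General.rtf resource the thread flags.
has_general_rtf() {
    [ -f "$1/Contents/Resources/General.rtf" ]
}

# Returns 0 if the dropped file kernel_service exists in the given library
# directory (defaults to ~/Library, as in Jeremy_'s removal steps).
has_kernel_service_file() {
    [ -e "${1:-$HOME/Library}/kernel_service" ]
}

# Returns 0 if a process named kernel_service is currently running.
kernel_service_running() {
    ps -axo comm= 2>/dev/null | grep -qE '(^|/)kernel_service$'
}

# Prints the number of indicators found for a bundle and a library directory.
# 0 means none of the three indicators from the thread were present.
indicator_count() {
    bundle=$1
    libdir=$2
    n=0
    has_general_rtf "$bundle" && n=$((n + 1))
    has_kernel_service_file "$libdir" && n=$((n + 1))
    kernel_service_running && n=$((n + 1))
    echo "$n"
}

# On macOS, prints the first Authority= line of the bundle's code signature so
# it can be compared against the expected Developer ID. Returns 2 when codesign
# is unavailable, so a missing tool is never mistaken for a good signature.
signing_authority() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign unavailable"; return 2; }
    codesign -d --verbose=4 "$1" 2>&1 | grep '^Authority=' | head -n 1
}

# Returns 0 only if the signature authority names the expected developer.
signed_by_expected_developer() {
    signing_authority "$1" | grep -q 'Developer ID Application: Digital Ignition LLC'
}

# Usage: sh check_keranger.sh /Applications/Transmission.app [~/Library]
if [ $# -gt 0 ]; then
    app=$1
    lib=${2:-$HOME/Library}
    echo "indicators found: $(indicator_count "$app" "$lib")"
    echo "signature: $(signing_authority "$app")"
    if signed_by_expected_developer "$app"; then
        echo "signature matches the expected Developer ID"
    else
        echo "signature does NOT match the expected Developer ID (or could not be checked)"
    fi
fi
```

A non-zero indicator count or a signature authority other than the expected Developer ID is a reason to follow the removal steps in this thread rather than to keep running the bundle; a "codesign unavailable" result means the signature simply was not checked.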