Monday, March 7, 2016

KeRanger Transmission Ransomware

Jim Finkle (via Arnold Kim, Hacker News, Slashdot):

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

[…]

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

Claud Xiao and Jin Chen:

Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.

[…]

Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website.

[…]

The two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed in this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.

Jeff Johnson:

Surprise, surprise. What I’ve said all along. Gatekeeper is only security theater, because attackers can easily acquire a Developer ID cert.

It’s not full protection, but it’s not useless because in theory Apple can add it to XProtect before it spreads too far.

Kuba Suder:

I guess technically Gatekeeper can’t detect changed developer when you replace the .app, but I think Sparkle does that

Paul McGrane:

Transmission and VLC really ought to be on the Mac App store except Apple has some puritanical fear of them

Ben Sandofsky:

The Transmission malware wouldn’t exist if it were distributed via the Mac App Store.

But the Mac App Store prohibits BitTorrent clients.

TorrentFreak:

Over the past years dozens of apps have been rejected from the App Store because they mention the word BitTorrent.

Apple defended this policy and told developers that their apps were not allowed “because this category of applications is often used for the purpose of infringing third-party rights.”

This is an interesting hypothetical. Would breaking into Transmission’s iTunes Connect account be harder than breaking into its Web site? At least the odds seem better that the developers would notice that this had happened. Would sandboxing help, or would the malicious app be able to trick the user into granting it access to non-BitTorrent data? Could such an app get through App Review?

Dino A. Dai Zovi:

Why couldn’t the ransomware encrypt files in TimeMachine backups? Mac OS X uses TMSafetyNet kext to make the files immutable after creation.
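Xiao and Chen note above that the infected installers carried a Developer ID (Z7276PX673) different from the one on earlier Transmission releases, and Suder points out that Gatekeeper on its own does not flag a changed developer. The script below is an added example, not code from the post or from the Transmission project: it pins the Team ID that `codesign -dvv` reports for a bundle to the one you expect, so a re-signed copy is rejected even though its certificate is valid. The expected Team ID and the sample codesign output are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the signing Team ID of a downloaded .app to the one you
# expect, so a bundle re-signed with a different (but still valid) Developer ID
# certificate is rejected before it is opened. Not part of the original post.

# Pull the TeamIdentifier value out of `codesign -dvv` output read from stdin.
# codesign writes these details to stderr, so callers redirect 2>&1.
team_id_from_codesign() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Compare the observed Team ID with the expected one.
# Exit status: 0 = match, 1 = signed by a different team, 2 = no Team ID
# (unsigned or ad-hoc signed, which codesign reports as "not set").
check_team_id() {
  expected="$1"
  observed="$2"
  if [ -z "$observed" ] || [ "$observed" = "not set" ]; then
    echo "REJECT: no TeamIdentifier (unsigned or ad-hoc signature)"
    return 2
  fi
  if [ "$observed" != "$expected" ]; then
    echo "REJECT: signed by team $observed, expected $expected"
    return 1
  fi
  echo "OK: signed by expected team $expected"
  return 0
}

# macOS only: run the check against a real bundle on disk.
verify_app_team() {
  observed=$(codesign -dvv "$1" 2>&1 | team_id_from_codesign)
  check_team_id "$2" "$observed"
}

# Constructed sample of the relevant codesign lines for a re-signed bundle;
# Z7276PX673 is the Team ID reported for the KeRanger installers.
SAMPLE_CODESIGN_OUTPUT='Identifier=com.example.downloaded-app
Authority=Developer ID Application: (constructed)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673'

# EXPECTED_TEAM_ID is a placeholder for the legitimate vendor's Team ID.
demo() {
  observed=$(printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | team_id_from_codesign)
  check_team_id "EXPECTED_TEAM_ID" "$observed"
}
```

Running `demo` against the constructed sample prints a REJECT line and exits 1; on a Mac, `verify_app_team /path/to/App.app EXPECTED_TEAM_ID` performs the same check on a real bundle.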

5 Comments

"The Transmission malware wouldn’t exist if it were distributed via the Mac App Store."

Fixing the problem quickly and informing end users would not be possible if the application was distributed via the Mac App Store.

----

@Michael "because in theory Apple can add it to XProtect before it spreads too far."

And then push it via a silent update that breaks the Ethernet ports. Oh wait…

Interesting corollary for this piece – apparently there are BitTorrent trackers running at Cupertino:

http://www.mackungfu.org/is-apple-running-bittorrent-trackers-at-cupertino

(This was posted on my blog.)

According to Macworld, Apple has shut it down before it could become active:

"Apple revoked the certificate after being notified on Friday, Palo Alto wrote. The company has also updated its XProtect antivirus engine."

https://twitter.com/felix_schwarz/status/706747436878995456

**Conspiracy theory alert**

I think Apple had to sell part of OS X's soul to get as much content as they've got on the iTunes TV, Movie, and Music Stores. I'm going to go waaaay out on a limb and say that's the reason a Mac no longer has separate audio in and out ports, why VGA adapters artificially limit their non-HDCP'd output resolution (AIA if the HTML comes through without formatting), and why you can't have BitTorrent on the App Store.

These decisions don't always have to make sense. They just have to be/have been bargaining chips with content producers.

/conspiracy

[…] Last year, something similar happened with Transmission, also from Eric Petit. However, the hacked Transmission was signed for Gatekeeper, whereas the hacked HandBrake was unsigned, like the normal HandBrake. […]
