© 2025 科技回声. All rights reserved.

Transmission BitTorrent app contained malware

895 points by mroling about 9 years ago

44 comments

pilif about 9 years ago
The fact that the binary was infected, I can somewhat understand. However, the way communication happened/is happening on this issue is very disconcerting and basically makes it impossible to know whether it's safe to currently download 2.92 from their site.

Questions like

- how did the compromised binary get there? Was the source code hijacked or was the binary altered after it had been built?

- Were the SHA256 hashes on the site also compromised (btw: Having hashes on the site is good enough for making sure you're not installing a corrupted binary. It doesn't do anything against intentional alterations of the binary though. These hashes need to be stored on an external site)?

- How did the compromise happen?

- what steps were taken to ensure that the same compromise doesn't happen to new binaries posted?

- Did the attacker leave any foothold on the compromised system(s)?

- How were such footholds removed?

All questions that need to be answered before it's safe to upgrade transmission either from the website or with the AutoUpdate feature. A red warning telling me that one binary was infected and that I have to download another binary isn't good enough.

I know the transmission people are volunteer developers and no PR people and I can totally accept that, but there's some things that just need to be made clear before we can safely update to later versions (and thankfully, 2.8 keeps running just fine)
moyix about 9 years ago
VirusTotal has some more info, including the files it writes:

https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1/analysis/

(Look under the "Behavioural information" tab)

Written Files and Created Processes are interesting:

[Transmission] /Users/user1/Library/kernel_service (successful)
[unknown] /Users/user1/Library/.kernel_pid (successful)
[unknown] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/window_1.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/data.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/windows.plist (successful)
[kernel_service] /Users/user1/Library/.kernel_time (successful)

Created processes

/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission (successful)
/Users/user1/Library/kernel_service (successful)
kernel_service (successful)

Edited to add: If anyone has a copy of the DMG, sha1 5f8ae46ae82e346000f366c3eabdafbec76e99e9, please link me a copy via email (brendandg@nyu.edu) or twitter DM (@moyix).
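The written files and the process name in the VirusTotal report above are exactly the host artifacts a defender would check for. The script below is an added example, not code from the thread or from the malware's analysts: it looks in a home directory for the three paths named in the report (Library/kernel_service, Library/.kernel_pid, Library/.kernel_time) and for a running process whose command name is kernel_service. The process check assumes a POSIX `ps` that accepts `-axo comm=`; if `ps` is unavailable it reports nothing for processes and the file findings still stand.

```python
"""Check a home directory and the process list for the KeRanger artifacts
listed in the VirusTotal behavioural report quoted in the thread.

Added example; the three paths and the process name come from that report.
"""
from __future__ import annotations

import subprocess
from pathlib import Path

# File artifacts from the "Written Files" list, relative to the user's home.
ARTIFACT_PATHS = (
    "Library/kernel_service",
    "Library/.kernel_pid",
    "Library/.kernel_time",
)

# Process name from the "Created processes" list.
PROCESS_NAME = "kernel_service"


def find_artifact_files(home: Path) -> list[str]:
    """Return the artifact paths (relative to `home`) that exist on disk."""
    return [rel for rel in ARTIFACT_PATHS if (home / rel).exists()]


def find_suspect_processes(name: str = PROCESS_NAME) -> list[str]:
    """Return `ps` command names whose basename equals `name`.

    Assumes a POSIX `ps` supporting `-axo comm=`; returns [] when `ps` is
    missing or fails, so a file-based finding is never masked by it.
    """
    try:
        out = subprocess.run(
            ["ps", "-axo", "comm="], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    names = (line.strip() for line in out.splitlines())
    return [n for n in names if n and Path(n).name == name]


def assess(home: Path) -> dict:
    """Combine both checks; `suspect` is True if either found something."""
    files = find_artifact_files(home)
    procs = find_suspect_processes()
    return {"files": files, "processes": procs, "suspect": bool(files or procs)}


if __name__ == "__main__":
    result = assess(Path.home())
    for rel in result["files"]:
        print(f"artifact file present: ~/{rel}")
    for proc in result["processes"]:
        print(f"suspect process running: {proc}")
    print("SUSPECT: KeRanger artifacts found" if result["suspect"]
          else "no KeRanger artifacts found")
```

Run it as the user whose account installed Transmission; the artifacts are written under that user's own Library, not system-wide, so checking another account tells you nothing.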
oxguy3 about 9 years ago
Do the developers have an explanation anywhere as to how this happened? The homepage ( https://transmissionbt.com/ ) has a big red warning to upgrade to 2.91, but I can't find any info about how someone went about putting malware in the download.
dave2000 about 9 years ago
All that stuff - bittorrent, soulseek, calibre etc - lives in a vm, with access to the host only via samba shares. I'll decide what you see and where you can write. Yes, it's great you download stuff. No, you can't write to the stuff I'm sharing. Yes, having a web-server serving up books to the outside world is great. No, you can't serve up anything from my filesystem to anyone who feels like it.

When you can't (be bothered to) vet the source code, stick it in a vm. On a sensible machine with an ssd it's only 10 seconds away. Why risk it. Especially if the software you want/need to run only works under windows.
sandstrom about 9 years ago
CNBC isn't a website I'd expect to read anything tech-related on, but there are actually a few details in this article:

http://www.cnbc.com/2016/03/06/reuters-america-apple-users-targeted-in-first-known-mac-ransomware-campaign.html

- It's Ransomware.

- Seems to be a 3 day grace-period (chance to remove it, possibly).

- The Transmission developer certificate [Gatekeeper] has been revoked.
zymhan about 9 years ago
Along with the recent Linux Mint hijack, this really illustrates the need for people to verify programs they download. Though I think most people can't be bothered to verify the checksum on a file every time they download it.

On the other hand, the Windows and OS X App Stores are awful. Linux package managers are looking like one of the only straightforward ways to distribute applications securely.
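Both pilif's point (a hash on the same site as the download only catches corruption, not tampering, unless the hash comes from somewhere else) and zymhan's (people don't verify checksums) come down to one mechanical step: recompute SHA-256 over the file and compare it with a digest obtained out of band. The script below is an added example, not code from the thread; it assumes the expected digest is pasted from an independent channel (a package manager recipe, a signed announcement, a mirror-independent page) and accepts either bare hex or a `sha256sum`-style line.

```python
"""Verify a downloaded file against a SHA-256 digest published out of band.

Added example. The digest passed in is assumed to come from a source other
than the download page itself; a hash served next to a tampered file is no
evidence of anything.
"""
import hashlib
import hmac
import sys
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, hashed in chunks so a large DMG needs no RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_digest(text: str) -> str:
    """Accept '<hex>  filename' lines or bare hex in any case; reject junk."""
    stripped = text.strip()
    token = stripped.split()[0].lower() if stripped else ""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return token


def verify_download(path: Path, expected: str) -> bool:
    """True only if the file's digest equals the expected one.

    compare_digest is not needed for secrecy here (nothing is secret), but
    it avoids accidentally comparing str to bytes or ignoring case issues.
    """
    return hmac.compare_digest(sha256_file(path), normalise_digest(expected))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify.py <downloaded-file> <expected-sha256>")
    ok = verify_download(Path(sys.argv[1]), sys.argv[2])
    print("OK: digest matches" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A mismatch here is a stop signal, not a prompt to re-download from the same place: if the page and the file were altered together, the published hash would match the bad file, which is why the expected value has to come from elsewhere.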
justsaysmthng about 9 years ago
I've become increasingly paranoid lately, given that things like these happen and major bugs are uncovered in software that I use almost every day.

It's good that the Transmission developer reacted quickly and made waves so that people can at least be aware that they might have been exposed..

But I wonder how many more applications from the hundreds that I have installed on my machines contain weird stuff - either intentional (for money) or unintentionally (result of a hack).

Open source software is especially vulnerable to this kind of stuff.

If a hacker gets access to a server holding the binaries for an open source app (which most people download), the hacker can just compile the program from sources and add his own code in there and place the installer online.

Given that many big governments are now involved in the information wars, this scenario is quite likely.
ikeboy about 9 years ago
Hm. https://trac.transmissionbt.com/wiki/Changes#version-2.91 lists the following under Mac changes for 2.90

> Allow downloading files from http servers (not https) on OS X 10.11+

Mac version affected in OP was 10.10, though.

Maybe it had something to do with

> Change Sparkle Update URL to use HTTPS instead of HTTP (addresses Sparkle vulnerability) ?

Edit: it appears the infection was downloaded from a website, in which case this doesn't help. But one did say the in-app update failed on incorrect signature first.
nodesocket about 9 years ago
If the file /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist contains:

    <dict>
        <key>Description</key>
        <string>OSX.KeRanger.A</string>
        <key>LaunchServices</key>
        <dict>
            <key>LSItemContentType</key>
            <string>com.apple.application-bundle</string>
        </dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>MatchFile</key>
                <dict>
                    <key>NSURLTypeIdentifierKey</key>
                    <string>public.unix-executable</string>
                </dict>
                <key>MatchType</key>
                <string>Match</string>
                <key>Pattern</key>
                <string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
            </dict>
        </array>
    </dict>

Does that mean I am infected?
azernik about 9 years ago
Looking more at this issue, it seems like the problem may have been (hard to tell, not a lot of information) a compromise of a third-party mirror to which https://www.transmissionbt.com/ redirected users; the checksum on the HTTPS site was unaltered, and was used to identify the altered download.

Perhaps a defense against this kind of attack would be an altered version of HSTS - one that protected the content of download links, and not just of sub-resources included on the page.
teamhappy about 9 years ago
2.90 was released a couple of days ago[1], so if you haven't used Transmission in a couple of weeks this doesn't affect you.

[1]: https://en.wikipedia.org/wiki/Transmission_%28BitTorrent_client%29
marvel_boy about 9 years ago
It seems that it is a ransomware campaign: http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX Next Monday, tomorrow, could pave terror on the office.
chimeracoder about 9 years ago
It might be worth updating the title to specify the vulnerable version (2.90) and the platform (OS X - from what I can tell, this is not a vulnerability on Linux or Windows).
darfs about 9 years ago
Isn't it quite popular on Debian and derivatives too? It's pre-installed with GNOME there as far as I know. Fair enough, it's extremely interesting. Never saw such an infection in the "free World", outside the laboratory. I hope they can find the source.
svetly0 about 9 years ago
Transmission put up a new version - 2.92 that supposedly checks for and removes the malware.
diebir about 9 years ago
This is a good illustration of why you should not install apps as administrator. Specifically, you should not install Mac OS packages, which allow for arbitrary pre- and post- install scripts to be executed as root.

Same is true for Windows and Linux.

There are privilege escalation bugs in any OS, but it is usually not a given. Throw the application into ~/Applications as a Mac bundle, worst that will happen is your account will be compromised. Much easier to detect and clean. Most trojans won't even succeed.

We are going to have these problems until the developer community realizes that executing a randomly downloaded package installer as a privileged user is giving away the keys to the kingdom.

Application stores is one solution, but really is not an open one. I'd rather see the apps distributed in a form similar to Apple app bundles, where a non-privileged user can just install the app into their home.
s_kilk about 9 years ago
While we're here, can anyone recommend a good antivirus for OSX?

I've just been looking at BitDefender, which looks promising, but would rather get this right than faff around with potentially crappy AV tools.
julie1 about 9 years ago
The strength of a chain is the strength of its weakest link, and the more "apps" are provided as the system the longer and more vulnerable is the chain.

When it comes to checksums we have the chicken-and-egg problem plus the collision attack on md5.

MD5 has been the standard for too long (and has been deprecated for 10 years as a crypto checksum). And for the next generation of software to install that doesn't do modern checksums, how can they trust the download of the package required to check for whatever the new format is? Plus the new format is less likely to be checked without errors. An off-by-one character could easily be discarded in checking, given the number of packages that are now required to be installed and the human limitation in focus.

Humans are the limiting factor, and security is modeling the user as a kind of grotesque caricature of a robot that can check thousands of pieces of information perfectly and remember 20-character passwords for tens of appliances.

There is a tyranny of computer engineers regarding what is safe for people having a life not concerned about geeky technology that is a tad annoying.

People have the right to be human, and to fail is human. The burden put on humans to make the system safe in order to avoid human interactions that are costly for the bosses is way too high.

And since computer security always blames failure on human behaviour I begin to positively dislike it.
mmgutz about 9 years ago
Does installing 2.9.1 remove it completely or just from the Transmission app? I'm concerned the malware is still there.
rMBP about 9 years ago
I'm on 2.90 and can't find any weird processes running. I'll hold off on 2.91 until they've explained what happened.
adidalal about 9 years ago
If you installed/updated via Homebrew-Cask [1], you should not be affected. 2.90 was not always compromised, and looking at Caskroom history, the checksum was only updated for the 2.84 -> 2.90 bump once [2].

It is updated and at 2.92 now, also [3].

(I'm one of the maintainers of Homebrew Cask)

[1] https://github.com/caskroom/homebrew-cask

[2] https://github.com/caskroom/homebrew-cask/issues/19504#issuecomment-192992223

[3] https://github.com/caskroom/homebrew-cask/pull/19508
Philipp__ about 9 years ago
Can someone explain to me what Xprotect.plist contains? Are those malware that are recognized by Apple and are blocked and dealt with?

I saw some post on a forum where a dude said how his Xprotect now contains at the top an OSX.KeRanger.A entry, and said how it means he got infected. It didn't make much sense to me, but I checked mine this morning and found the same entry? Does it mean I am infected too?

But I didn't download anything from their website like 3 months back, I just did the update to 2.90 on Thursday or Friday, can't remember, and yesterday as soon as I saw the news I updated everything and checked for malicious files and processes, which weren't present on my machine.
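nodesocket's XProtect.plist excerpt and Philipp__'s question above are about the same thing: XProtect.plist is Apple's list of malware signatures, so an OSX.KeRanger.A entry appearing in it means Apple shipped a definition, not that the definition matched anything on the machine. The script below, an added example and not Apple's code or code from the thread, makes that distinction concrete: it parses a plist in the layout quoted above, lists the definition names, and separately scans a file against each definition's Pattern. Treating `*` in the hex Pattern as "any run of bytes" is an assumption about XProtect's matcher; the sample plist is constructed from the excerpt in the thread.

```python
"""Parse XProtect-style definitions and scan a file against them.

Added example. Assumes the XProtect.plist layout quoted in the thread (an
array of dicts with Description and Matches -> MatchType/Pattern) and reads
'*' in a hex Pattern as a wildcard for any number of bytes (an assumption).
"""
from __future__ import annotations

import plistlib
import re
import sys
from pathlib import Path

# Constructed plist carrying the single entry quoted in the thread.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.KeRanger.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>public.unix-executable</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key>
        <string>488DBDD0EFFFFFBE00000000BA0004000031C04989D8*31F64C89E7*83F8FF7457C785C4EBFFFF00000000</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

REAL_XPROTECT = Path("/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn 'AABB*CCDD' into a byte regex: literal runs joined by lazy gaps."""
    parts = [re.escape(bytes.fromhex(p)) for p in pattern.split("*") if p]
    return re.compile(b".*?".join(parts), re.DOTALL)


def load_definitions(plist_bytes: bytes) -> dict[str, list[re.Pattern]]:
    """Map each definition's Description to its compiled byte patterns.

    Only MatchType 'Match' entries with a hex Pattern are compiled; other
    match kinds in a real file are skipped rather than guessed at.
    """
    defs: dict[str, list[re.Pattern]] = {}
    for entry in plistlib.loads(plist_bytes):
        name = entry.get("Description", "unnamed")
        patterns = [hex_pattern_to_regex(m["Pattern"])
                    for m in entry.get("Matches", [])
                    if m.get("MatchType") == "Match" and "Pattern" in m]
        defs[name] = patterns
    return defs


def scan_bytes(data: bytes, defs: dict[str, list[re.Pattern]]) -> list[str]:
    """Names of definitions with at least one pattern found in `data`."""
    return [name for name, pats in defs.items()
            if any(p.search(data) for p in pats)]


def scan_file(path: Path, defs: dict[str, list[re.Pattern]]) -> list[str]:
    return scan_bytes(path.read_bytes(), defs)


if __name__ == "__main__":
    source = REAL_XPROTECT.read_bytes() if REAL_XPROTECT.exists() else SAMPLE_XPROTECT_PLIST
    defs = load_definitions(source)
    # Listing the names shows what Apple can detect; it is not a verdict.
    print(f"{len(defs)} definition(s) present, e.g.: {', '.join(list(defs)[:5])}")
    for arg in sys.argv[1:]:
        hits = scan_file(Path(arg), defs)
        print(f"{arg}: {'matches ' + ', '.join(hits) if hits else 'no matches'}")
```

Pointing it at a file only answers "does this binary carry the signature"; the presence of artifacts such as the kernel_service files listed earlier in the thread is the more direct sign of an actual infection.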
codezero about 9 years ago
It looks like they've since changed the upgrade to 2.92 (it was previously 2.91 this morning), wonder why that happened?
Matt3o12_ about 9 years ago
Can anyone tell me if this also applies to brew's cask's builds? I needed to download CentOS the other day and wanted to go with a torrent. I got pretty pissed after I realized that BitTorrent installed some adware called Spigot. I tried to remove it as good as possible (I mainly killed the process, removed `Library/Application Support/Spigot` and ran a `sudo find / | grep -i Spigot`).

Ironically I decided to use the good, ol', trusted open source alternative transmission because I just read on HN that Transmission gets updated again...
jws about 9 years ago
Just an anecdatum: I got infected by this yesterday when I installed Transmission to download a Debian install CD. When I read about this at MacRumors I checked and had the kernel_service process running and the two hidden files hiding in Library.

I've unplugged and archived the TimeMachine backup disk and done the prescribed cleanup actions to remove the malware. I guess time will tell if it had any other tricks up its sleeve.
zZorgz about 9 years ago
This is really bad but there are two good security defenses that came out of that forum thread (which is better than not having them at all).

1. Apple revoked the certificate already. Thus people that have gatekeeper on are safer.

2. Sparkle (for auto updater) denied the malware infected update. Thus downloading from the main website is not necessarily safer, even with the recent mitm sparkle vulnerability.
orionblastar about 9 years ago
I used to use Transmission in Linux but switched to qBitTorrent instead when I switched to Windows 10. It has an OSX version if you don't trust Transmission anymore.

http://www.qbittorrent.org/

http://www.qbittorrent.org/download.php
dzhiurgis about 9 years ago
Popular Mac rumour/news site 9to5mac (that is rapidly decreasing in quality) actually posted about this malicious update few days ago.

Somehow I found it out of place, especially as they have never posted about TransmissionBT before. They sure did get lots of people to update after putting it on the front page.
nitrogen about 9 years ago
The headline should probably say "at least Mac". I hope we soon learn the source of the compromise, but nothing so far indicates that Linux distributions' packages would be affected by a Mac malware.
Heis about 9 years ago
Can someone please confirm that the in-app update is not affected by the hack?
thrillgore about 9 years ago
I checked my version of Transmission and I'm still on 2.84. I guess I dodged a big bullet, but tonight I'll go through the diagnostics to see if any versions prior to 2.90 were infected. I may do it sooner if I get a quiet moment at work.

I'm also running the usual litany of tools to check for activity (Wireshark on my WAN Tap, Anti-virus, etc)

My Synology NAS uses transmissiond for its BT Client, so I will be contacting them to see if they are affected by this issue.
nodesocket about 9 years ago
Something that is not entirely clear. Does updating to 2.9.2 attempt to clean KeRanger up automatically? Or is some manual cleanup still needed after updating?
tomlong about 9 years ago
Posted by one of the researchers that discovered the malware...

"#Transmission just pushed 2.92 update that includes code to > detect and to remove the #KeRanger ransomware. Update it before Monday 11:00am."

https://twitter.com/claud_xiao/status/706579264036950016
maknz about 9 years ago
Checked my install of 2.9.0 from auto-update, it's clean (none of the suspect files are in Contents/Resources). According to a post on the Transmission forums, when a person was (probably) delivered an infected binary, there was a checksum failure as you'd expect. So it seems as though you won't be infected if you used the auto-updater.
flerchin about 9 years ago
On a related note, Windows Defender detects malware when downloading the windows putty installer. Trojan: Win32/Varpes.J!plock http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Not sure how to report.
Philipp__ about 9 years ago
Oh dear god. Used 2.90 past week, when I saw the news I updated immediately, checked for all the files, found nothing. I hope my MacBook will stay fine tomorrow. I got it backed up on Time Machine anyway. Where do we go from here, since I lost the trust, what are the alternatives? And from now on, I'll go with Brew Cask for everything possible.

F*** GUI /s
jasonjei about 9 years ago
If they indeed used a legit code signing certificate, what is the fix? It seems very difficult to just blindly trust signed binaries anymore. Short of setting up a registry of vetted code signing certificates, it seems that signed code is just as easily manipulated as unsigned code. And even then, the keys to the certificate could be mishandled.
finchisko about 9 years ago
Wondering if brew cask can be solution for this.
cabbeer about 9 years ago
I uninstalled the app, but is there a way I can check if I've been affected?
ywecur about 9 years ago
Sorry, but how did this happen? Was the website breached?
z3t4 about 9 years ago
Yet another reason why you should have an (offline) backup of all your important files.
pjf about 9 years ago
any reason why it's correlated with dht.transmissionbt.com losing its AAAA record? it's the only IPv6 DHT bootstrap node on the Internet
MichaelGG about 9 years ago
It's not. Condoms aren't used against a hostile opponent. If your partner is intent on exposing you, a condom won't provide any protection.
Dorian-Gray about 9 years ago
Am I the only one who saw the app and thought "Why the heck is TPB releasing an app?" Makes them more of a target, less stable platform, more easily interfered with, etc.