BitTorrent app was linked to Mac ransomware
BitTorrent app was linked to the first known instance of Mac ransomware, security researchers at ESET have pinpointed another form of malware taking advantage of Transmission to infect Mac users. Keydnap, as it's called, takes advantage of a modified version of Transmission (planted on the developer's site without its knowledge) to attack your computer. It's similar to the ransomware's approach in more ways than just its choice of host app -- it even uses a signing key to trick Apple's Gatekeeper safeguard into letting it through.
The malware's effect may be limited. Transmission only had the affected version available for about a day before they pulled it, and ESET has already told Apple about Keydnap about the relevant key. It's just a matter of blocking that key to prevent the malware from running. Nonetheless, this is a reminder that even stringent system-level protections won't always catch rogue code.
Literally minutes after being notified by ESET, the Transmission team removed the malicious file from their web server and launched an investigation to identify how this happened. At the time of writing, it was impossible to tell exactly when the malicious file was made available for download. According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following file or directory:
Source: ESET
The malware's effect may be limited. Transmission only had the affected version available for about a day before they pulled it, and ESET has already told Apple about Keydnap about the relevant key. It's just a matter of blocking that key to prevent the malware from running. Nonetheless, this is a reminder that even stringent system-level protections won't always catch rogue code.
Literally minutes after being notified by ESET, the Transmission team removed the malicious file from their web server and launched an investigation to identify how this happened. At the time of writing, it was impossible to tell exactly when the malicious file was made available for download. According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following file or directory:
- /Applications/Transmission.app/Contents/Resources/License.rtf
- /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
- /Library/Application Support/com.apple.iCloud.sync.daemon/
- $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
Source: ESET
No comments
Post a Comment