Here’s news for those interested in internet security, news about malware and Mac-based malware. This is also news for those who believe that fighting Mac virus is not just being armed with an antivirus for Mac. It’s basically the knowledge gained about malware and their functionality that counts…
Transmission, the very popular BitTorrent client, has been found distributing a Mac-based malware. This comes just a few months after it was used by malware authors to transmit the ransomware KeRanger.
It was early in March that the Transmission BitTorrent client installer for OS X was found infected with ransomware, which was named KeRanger. Now, almost six months later, security experts at cyber-security firm Eset have discovered another malware in Transmission. This malware, which was discovered earlier and named OSX/Keydnap, was supposed to spread “through attachments in spam messages, downloads from untrusted websites”. But now, Eset experts have found it in Transmission too.
In the ‘We Live Security blog’, which features, news, views etc from Eset experts, a post dated August 30 explains this in detail. The post begins as – “Last month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X’s keychain and maintain a permanent backdoor. At that time of the analysis, it was unclear how victims were exposed to OSX/Keydnap. To quote the original article: “It could be through attachments in spam messages, downloads from untrusted websites or something else.”…During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.”
The post also says that the Transmission team removed the malicious file from their web server literally minutes after they were informed by Eset, and an investigation to detect how this happened has been launched.
The We Live Security Blog post further says-
“At the time of writing, it was impossible to tell exactly when the malicious file was made available for download. According to the signature, the application bundle was signed on August 28th, 2016, but it seems to have been distributed only the next day. Thus, we advise anyone who downloaded Transmission v2.92 between August 28th and August 29th, 2016, inclusively, to verify if their system is compromised by testing the presence of any of the following file or directory:
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- /Library/Application Support/com.apple.iCloud.sync.daemon/
If any of them exists, it means the malicious Transmission application was executed and that Keydnap is most likely running. Also note that the malicious disk image was named Transmission2.92.dmg while the legitimate one is Transmission-2.92.dmg (notice the hyphen).”
As already mentioned, the malware steals credentials as well as functions as a permanent backdoor program that can download and execute files from a remote URL.
The distribution technique and code in the case of OSX/Keydnap is the same as that of KeRanger.
So, as said in the beginning, it’s not just an antivirus for Mac or any other security tool that’s needed to combat malware. It’s detailed knowledge about different malware and the way they function that helps you understand things better…
Add new comment