The fact that the binary was infected, I can somewhat understand. However, the way communication happened/is happening on this issue is very disconcerting and basically makes it impossible to know whether it's safe to currently download 2.92 from their site.
Questions like
- How did the compromised binary get there? Was the source code hijacked or was the binary altered after it had been built?
- Were the SHA256 hashes on the site also compromised (btw: Having hashes on the site is good enough for making sure you're not installing a corrupted binary. It doesn't do anything against intentional alterations of the binary though. These hashes need to be stored on an external site)?
- How did the compromise happen?
- What steps were taken to ensure that the same compromise doesn't happen to new binaries posted?
- Did the attacker leave any foothold on the compromised system(s)?
- How were such footholds removed?
All questions that need to be answered before it's safe to upgrade transmission either from the website or with the AutoUpdate feature. A red warning telling me that one binary was infected and that I have to download another binary isn't good enough.
I know the transmission people are volunteer developers and not PR people and I can totally accept that, but there are some things that just need to be made clear before we can safely update to later versions (and thankfully, 2.8 keeps running just fine).
It will probably take time to get all of the answers, but in this case, automatic updates are safe.
Do the developers have an explanation anywhere as to how this happened? The homepage ( https://transmissionbt.com/ ) has a big red warning to upgrade to 2.91, but I can't find any info about how someone went about putting malware in the download.
Yep, this deserves a more detailed explanation (or maybe they still don't know what happened). I updated from the previous version to 2.90 through the app built-in update, and I don't seem to have any "kernel_service" process running. Can someone that has that process in their system tell us where they downloaded the program?
If you release commercial or popular open-source software, it's probably a super-bad idea to keep your signing key on a notebook computer you use outside of the office.
All that stuff - bittorrent, soulseek, calibre etc - lives in a vm, with access to the host only via samba shares. I'll decide what you see and where you can write. Yes, it's great you download stuff. No, you can't write to the stuff I'm sharing. Yes, having a web-server serving up books to the outside world is great. No, you can't serve up anything from my filesystem to anyone who feels like it.
When you can't (be bothered to) vet the source code, stick it in a vm. On a sensible machine with an ssd it's only 10 seconds away. Why risk it. Especially if the software you want/need to run only works under windows.
You can also lease a VPS (anonymously even) and use Deluge with a webGUI. Said webGUI can be a Tor onion service, for better isolation.
But still, this is about malware in Transmission itself, not anything downloaded using it. So the fact that it's a BitTorrent client is rather beside the point, I think.
Along with the recent Linux Mint hijack, this really illustrates the need for people to verify programs they download. Though I think most people can't be bothered to verify the checksum on a file every time they download it.
On the other hand, the Windows and OS X App Stores are awful. Linux package managers are looking like one of the only straightforward ways to distribute applications securely.
I've become increasingly paranoid lately, given that things like these happen and major bugs are uncovered in software that I use almost every day.
It's good that the Transmission developer reacted quickly and made waves so that people can at least be aware that they might have been exposed.
But I wonder how many more applications from the hundreds that I have installed on my machines contain weird stuff - either intentional (for money) or unintentionally (result of a hack).
Open source software is especially vulnerable to this kind of stuff.
If a hacker gets access to a server holding the binaries for an open source app (which most people download), the hacker can just compile the program from sources and add his own code in there and place the installer online.
Given that many big governments are now involved in the information wars, this scenario is quite likely.
> Allow downloading files from http servers (not https) on OS X 10.11+
Mac version affected in OP was 10.10, though.
Maybe it had something to do with
> Change Sparkle Update URL to use HTTPS instead of HTTP (addresses Sparkle vulnerability)
?
Edit: it appears the infection was downloaded from a website, in which case this doesn't help. But one did say the in-app update failed on incorrect signature first.
> Allow downloading files from http servers (not https) on OS X 10.11+
This reads like they disabled Apple's "App Transport Security", which only allows HTTPS connections unless a program explicitly makes an exception. Introduced in iOS 9 and OS 10.11 (El Capitan). I bet the failing HTTP connections caused a bug in Transmission, and it was an easier fix to disable ATS than to transition whatever connection to HTTPS.
Looking more at this issue, it seems like the problem may have been (hard to tell, not a lot of information) a compromise of a third-party mirror to which https://www.transmissionbt.com/ redirected users; the checksum on the HTTPS site was unaltered, and was used to identify the altered download.
Perhaps a defense against this kind of attack would be an altered version of HSTS - one that protected the content of download links, and not just of sub-resources included on the page.
It might be worth updating the title to specify the vulnerable version (2.90) and the platform (OS X - from what I can tell, this is not a vulnerability on Linux or Windows).
Isn't it quite popular on Debian and derivatives too? It's pre-installed with GNOME there as far as I know.
Fair enough, it's extremely interesting. Never saw such an infection in the "free World", outside the laboratory.
I hope they can find the source.
Threw away Transmission as soon as I read this (even though I was running an old version), my trust is pretty much gone now, never installing it again.
Shame because it really was a nice app.
This is a good illustration of why you should not install apps as administrator. Specifically, you should not install Mac OS packages, which allow for arbitrary pre- and post-install scripts to be executed as root.
Same is true for Windows and Linux.
There are privilege escalation bugs in any OS, but it is usually not a given. Throw the application into ~/Applications as a Mac bundle, worst that will happen is your account will be compromised. Much easier to detect and clean. Most trojans won't even succeed.
We are going to have these problems until the developer community realizes that executing a randomly downloaded package installer as a privileged user is giving away the keys to the kingdom.
Application stores are one solution, but really not an open one. I'd rather see the apps distributed in a form similar to Apple app bundles, where a non-privileged user can just install the app into their home.
I went to a Mac developer's group a few years ago in Toronto. One of the devs was working on Mac antivirus software but basically had the attitude that it was unnecessary, and spent most of the meetup trashing Windows. Just really bizarre and inept behaviour. Not sure I trust his anti-virus software. Too bad I can't remember which one he was working on.
The strength of a chain is the strength of its weakest link, and the more "apps" are provided as the system the longer and more vulnerable is the chain.
When it comes to checksums we have the chicken-and-egg problem plus the collision attack on MD5.
MD5 has been the standard for too long (and has been deprecated for 10 years as a crypto checksum). And for the next generation of software to install that doesn't do modern checksums, how can they trust the download of the package required to check whatever the new format is?
Plus the new format is less likely to be checked without errors. An off-by-one character could easily be discarded in checking, given the number of packages that now need to be installed and the human limitation in focus.
Humans are the limiting factor, and security is modeling the user as a kind of grotesque caricature of a robot that can check thousands of pieces of information perfectly and remember 20-character passwords for tens of appliances.
There is a tyranny of computer engineers regarding what is safe for people having a life not concerned about geeky technology that is a tad annoying.
People have the right to be human, and to fail is human. The burden put on humans to make the system safe, in order to avoid human interactions that are costly for the bosses, is way too high.
And since computer security always blames failure on human behaviour, I am beginning to positively dislike it.
Additionally, what does the malware do? "OSX.KeRanger.A" appears to be a name that Apple assigned it in their malware definitions, but Google doesn't know anything except the pages about Transmission.
I'm curious what sort of malware we're looking at. Botnet? General remote access/control? Harvesting keychains?
That feels like a pretty weak standard for knowing if your machine is infected. I will look for a virus scanner myself, and seriously think about reinstalling if it finds anything.
gwbas1c | 10 years ago
Although I'm not a Transmission developer, I develop software that uses the same automatic update mechanism. It appears that the hacker did not update the MD5 present in the automatic update mechanism. (Sparkle) Thus, when the automatic update mechanism downloaded the hacked version of Transmission, it reported it as a corrupted download.
You can see the comment here: https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834#p...
moyix | 10 years ago
https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc...
(Look under the "Behavioural information" tab)
Written Files and Created Processes are interesting:
[Transmission] /Users/user1/Library/kernel_service (successful)
[unknown] /Users/user1/Library/.kernel_pid (successful)
[unknown] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/window_1.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/data.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/windows.plist (successful)
[kernel_service] /Users/user1/Library/.kernel_time (successful)
Created processes
/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission (successful)
/Users/user1/Library/kernel_service (successful)
kernel_service (successful)
Edited to add: If anyone has a copy of the DMG, sha1 5f8ae46ae82e346000f366c3eabdafbec76e99e9, please link me a copy via email ([email protected]) or twitter DM (@moyix).
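As an added example (not code from the thread or from the Transmission project), the following POSIX shell script checks a home directory and a process list for the artifacts named in the VirusTotal behaviour report quoted above. The three relative paths and the kernel_service process name come from that report; the function names and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the on-disk and process artifacts that the VirusTotal
# behaviour report above attributes to the trojaned Transmission build.
# The three relative paths and the process name are taken from that report;
# the function names and output format are assumptions of this example.

# Files the report shows being written under the user's home directory.
KERANGER_FILES="Library/kernel_service
Library/.kernel_pid
Library/.kernel_time"

# keranger_check_files HOME_DIR
# Prints each artifact present under HOME_DIR.
# Returns 0 when none is present, 1 when at least one is.
keranger_check_files() {
    home_dir="$1"
    files_found=0
    for rel in $KERANGER_FILES; do
        if [ -e "$home_dir/$rel" ]; then
            printf 'found: %s\n' "$home_dir/$rel"
            files_found=1
        fi
    done
    return $files_found
}

# keranger_check_procs < process-names
# Reads one process name or path per line (e.g. the output of `ps -axo comm=`)
# and prints every entry whose basename is kernel_service, the process the
# report lists as created by the trojaned app.
# Returns 0 when none matches, 1 when at least one does.
keranger_check_procs() {
    procs_found=0
    while IFS= read -r comm; do
        case "$(basename "$comm")" in
            kernel_service)
                printf 'running: %s\n' "$comm"
                procs_found=1
                ;;
        esac
    done
    return $procs_found
}

# Scan the current user's home directory and the live process list.
status=0
keranger_check_files "${HOME:-/nonexistent}" || status=1
ps -axo comm= 2>/dev/null | keranger_check_procs || status=1
if [ "$status" -eq 0 ]; then
    echo "no KeRanger artifacts from the report were found"
else
    echo "artifacts matching the report were found; investigate this machine"
fi
```

Absence of these artifacts is not proof of a clean system; the list is only what this one sandbox run captured.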
astrodust | 10 years ago
Have a trusted machine kept in a secure location to sign it for you if that's practical.
I bet someone's key leaked out here.
542458 | 10 years ago
Neat. Never heard of this one before - what makes it special?
sandstrom | 10 years ago
http://www.cnbc.com/2016/03/06/reuters-america-apple-users-t...
- It's Ransomware.
- Seems to be a 3 day grace-period (chance to remove it, possibly).
- The Transmission developer certificate [Gatekeeper] has been revoked.
wlesieutre | 10 years ago
https://developer.apple.com/library/prerelease/ios/documenta...
teamhappy | 10 years ago
[1]: https://en.wikipedia.org/wiki/Transmission_%28BitTorrent_cli...
s_kilk | 10 years ago
I've just been looking at BitDefender, which looks promising, but would rather get this right than faff around with potentially crappy AV tools.
noondip | 10 years ago
Common Sense 2016, see https://github.com/drduh/OS-X-Security-and-Privacy-Guide