
Opensource community hit again


16 replies to this topic

#1 Guest_hollowface_*

Guest_hollowface_*

  • Guests
  • OFFLINE
  •  

Posted 08 March 2016 - 01:50 AM

First Linux Mint, and now Transmission. Transmission (an open-source BitTorrent client), specifically the Mac release of version 2.90, was found to contain ransomware named "KeRanger". The official site currently has a warning message up, the infected download has been removed, and a new safe download, version 2.92, is being provided. However, there seems to be no information on how the download was compromised in the first place (perhaps they don't know yet?). Seeing as Transmission is also available for Linux, I thought I'd mention it here, though presumably Linux is unaffected since they are only warning OSX users. Personally, I wouldn't download anything directly from their site until they've had a bit more time to sort things out.

 

Related:

- http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

- https://www.transmissionbt.com/

- http://www.theregister.co.uk/2016/03/07/first_working_mac_ransomware_infects_transmission_users/

- http://www.infoworld.com/article/3041292/linux/transmission-torrenting-app-compromised-in-os-x-linux-users-unaffected.html

- http://www.bleepingcomputer.com/forums/t/607355/keranger-os-x-ransomware-support-and-help-topic/

- http://www.bleepingcomputer.com/news/security/information-about-the-keranger-os-x-ransomware-and-how-to-remove-it-/




 


#2 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 880 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 08 March 2016 - 06:27 AM

Using torrents is risky ... period.

 

Doesn't matter what OS you use, the mechanisms used to torrent download leave you open to possible exploit, and torrent sites have long been the favourite hunting ground for malware distributors.

 

Mac and Linux have up to now been seen as a marginal "market", so have not been targeted, but it would seem that that may now be subject to change.

 

Pretty much all responsible Malware help sites warn people about their use. We don't do it without reason.


Edited by Gary R, 08 March 2016 - 06:27 AM.


#3 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE
  •  

Posted 08 March 2016 - 07:22 AM

Gary R,

It is/was an infected direct download(link)!

Every software (installer) can be infected if the site/download is hacked, nothing to do with torrents...

 

Oh well...  :censored:

 

Greets!



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:12 PM

Posted 08 March 2016 - 07:43 AM

Gary R,
It is/was an infected direct download(link)!
Every software (installer) can be infected if the site/download is hacked, nothing to do with torrents...
 
Oh well...  :censored:
 
Greets!


Transmission is a torrent client, so yes, it still has to do with torrents.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 880 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 08 March 2016 - 12:00 PM

 

Every software (installer) can be infected if the site/download is hacked ...

 

Yes they can, but torrents are much more frequently targeted for distributing malware than other delivery/installation systems.

 

 

 



#6 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:12 PM

Posted 08 March 2016 - 12:54 PM

 

 

 

Yes they can, but torrents are much more frequently targeted for distributing malware than other delivery/installation systems.

 

Yes, torrents are generally more frequently targeted because it is easy to load up a Trojan on XYZ pirated software. But this wasn't pirated software, this was a legit download from the maker's website. The fact that it is a BitTorrent downloader is kind of beside the point. There are plenty of legal and perfectly fine things to download via torrents (Linux ISO discs are one).

This could have been done, and has been, on other programs. Being a popular downloader program on Mac OSX (and Linux) is just icing on the cake, more people to reach.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#7 Naught McNoone

Naught McNoone

  • Members
  • 308 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Great White North
  • Local time:10:12 PM

Posted 08 March 2016 - 01:29 PM

I see this as an attack on Apple computers and devices.  Not as an attack on Transmission, or torrents in general.  The end target is the OSX user, not the torrent program itself.

 

The entertainment industry would have you believe that torrent software is evil.  They would have you believe that only copyright pirates use torrents, and that they should be banned.

 

It is a software tool, like any other, and can be abused, infected, or hacked, like any other.

 

I use Transmission as part of the Xubuntu package, in a legitimate way, to obtain the latest software .iso images from the various distro download pages.  It is faster than the traditional ftp/http download.  Torrents are used by many corporate networks, to transfer large files through their systems.

 

The people behind the hack found a weak spot and exploited it.  I suspect that other home pages for popular 3rd party software will become targets as well, as the traditional distribution through bogus email attachments starts to wear thin.

 

Tuppence,

 

Naught



#8 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:12 PM

Posted 08 March 2016 - 01:45 PM

I see this as an attack on Apple computers and devices.  Not as an attack on Transmission, or torrents in general.  The end target is the OSX user, not the torrent program itself.

 

The entertainment industry would have you believe that torrent software is evil.  They would have you believe that only copyright pirates use torrents, and that they should be banned.

 

Couldn't agree more.




#9 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 09 March 2016 - 01:23 AM

 

The fact that it is a BitTorrent downloader is kind of beside the point.

 

No, the point of torrent files is they can only be scanned for infection when they're complete, and they're only complete once they've been reconstructed on the requesting computer, by which time it's too late.

 

It's one of several reasons that they're the favourite delivery vehicle for malware writers, and probably the reason that the legit torrent download was replaced rather than a legit non-torrent download of the same program.

 

No one is saying that there aren't legit reasons for using torrents, or that they should be "banned", just that there are risks using them, and people should be aware of them.


Edited by Gary R, 09 March 2016 - 01:26 AM.


#10 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,570 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:12 PM

Posted 09 March 2016 - 04:27 AM

Some malware removal sites ask you to remove P2P software. Legitimate torrent downloads would account for less than 1% of files downloaded, I think.

 

Torrents are risky at best; you would never see me downloading the latest Game of Thrones as soon as it's out. LOL



#11 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE
  •  

Posted 09 March 2016 - 05:17 AM

 

The fact that it is a BitTorrent downloader is kind of beside the point.

 
No, the point of torrent files is they can only be scanned for infection when they're complete, and they're only complete once they've been reconstructed on the requesting computer, by which time it's too late.

 

I fail to see any difference between torrents vs direct download in your statement...  :wink:
 
It's the source that matters (legitimate and official site) and what you download. Downloading "pirated content/software" is equally dangerous via torrent or direct download... The download protocol is irrelevant!
 
If you think "torrents" are per definition unsafe, you should give browsers and mail-clients the same (overboard) warning because they are the main source of infection...

Greets!



#12 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:10:12 PM

Posted 09 March 2016 - 08:05 AM

 

No, the point of torrent files is they can only be scanned for infection when they're complete, and they're only complete once they've been reconstructed on the requesting computer, by which time it's too late.

The downloader is not a torrent... the hackers didn't attack a torrent site and upload viruses to everything they could get their hands on, they attacked the piece of software you use to download a torrent. What you are saying is completely true for downloading torrents, yes you can't scan them until completion, but again you don't download Transmission via a torrent. So I don't see your point on this, we aren't discussing the torrents themselves (although yes I mentioned them), we are discussing the Transmission software - not a torrent.

 

Torrents are risky at best; you would never see me downloading the latest Game of Thrones as soon as it's out. LOL

That is why I use my DVR! Season six starts April 24th! Not sure when you Australian folks get it though, does it come out then as well?




#13 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:12 AM

Posted 09 March 2016 - 08:36 AM

 

So I don't see your point on this, we aren't discussing the torrents themselves (although yes I mentioned them), we are discussing the Transmission software - not a torrent.

 

Sorry, I obviously misunderstood your earlier post. My understanding was that the program itself as well as being a downloader for torrents, was downloaded using torrent methods.

 

Apologies for any misunderstanding caused.



#14 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  •  

Posted 09 March 2016 - 08:39 AM

 ...we are discussing the Transmission software - not a torrent.

You just hit the nail on the head.  This whole thread got sidetracked.



#15 DeimosChaos

DeimosChaos

  • BC Advisor
  • 1,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United States, Delaware
  • Local time:05:12 PM

Posted 09 March 2016 - 09:56 AM

 

 

So I don't see your point on this, we aren't discussing the torrents themselves (although yes I mentioned them), we are discussing the Transmission software - not a torrent.

 

Sorry, I obviously misunderstood your earlier post. My understanding was that the program itself as well as being a downloader for torrents, was downloaded using torrent methods.

 

Apologies for any misunderstanding caused.

 

Ah, no worries! I believe that the attackers got into Transmission's website and uploaded a rogue installer of the software. So they hit it at the source.






