For the second time in under a year, security researchers have spotted a particularly nasty bit of malware in popular Mac BitTorrent client, ‘Transmission.’ The discovery came just five months after its last brush with malware — the first viable ransomware ever found on the Mac.
Security researchers at ESET discovered the newest bug, called OSX/Keydnap. Apparently, the malware was being spread through a recompiled version of Transmission that was temporarily distributed through its own website. OSX/Keydnap executes in a similar fashion to Transmission’s last malware infection, KeRanger, in that it adds a malicious block of code to the core function of the app. The difference, however, is in what comes next.
A new era of tech events has begun
We’re back in New York this November for the 4th edition of our growth-focused technology event.
Rather than attempting to seek a ransom from the user, OSX/Keydnap is out to steal your passwords from the OS X keychain.
Unfortunately, Apple didn’t spot the infection, as it was signed by the legitimate Transmission security certificate and thus able to pass through Gatekeeper on OS X without issue. The researchers have since notified Transmission’s security team about the infection, and within minutes they removed the offending file from the server.
Of course, the damage was already done, and is still being done. ESET believes, however, this damage may be limited to those who downloaded the application on August 29. To be sure you’re not running the infected client, check your system for the presence of any of the following files or directories:
- /Applications/Transmission.app/Contents/Resources/License.rtf
- /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
- /Library/Application Support/com.apple.iCloud.sync.daemon/
- $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist
OSX/Keydnap spreads via signed Transmission application on ESET
:
