2016-03-08

Jim Finkle (via Arnold Kim, Hacker News, Slashdot):

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

[…]

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

Claud Xiao and Jin Chen:

Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.

[…]

Apple has since revoked the abused certificate and updated the XProtect antivirus signature, and the Transmission Project has removed the malicious installers from its website.

[…]

The two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed in this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.

Jeff Johnson:

Surprise, surprise. What I’ve said all along. Gatekeeper is only security theater, because attackers can easily acquire a Developer ID cert.

It’s not full protection, but it’s not useless because in theory Apple can add it to XProtect before it spreads too far.

Kuba Suder:

I guess technically Gatekeeper can’t detect a changed developer when you replace the .app, but I think Sparkle does that.
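The Palo Alto finding above (a Team ID different from the one on earlier Transmission builds) and Kuba Suder's point about a changed developer suggest a defender-side check Gatekeeper itself does not perform: pin the signing Team ID of an app you already trust and flag any replacement signed by someone else. This is an added example, not code from the post, from Transmission or from Sparkle; it parses the `TeamIdentifier=` line that `codesign -dv --verbose=4` prints, and the sample output and the Team IDs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare a bundle's signing Team ID with the one you expect.
# A re-signed replacement carries a different Developer ID, which Gatekeeper
# still accepts as "signed"; pinning the Team ID catches the swap.

# Print the TeamIdentifier from codesign's verbose output read on stdin
# (empty if the bundle is unsigned or ad-hoc signed).
team_id_of() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Read codesign output on stdin and print one word:
#   match     - TeamIdentifier equals $1
#   mismatch  - signed, but by a different Team ID (investigate before running)
#   unsigned  - no TeamIdentifier line at all
verdict_for() {
    expected="$1"
    actual=$(team_id_of)
    if [ -z "$actual" ]; then
        echo unsigned
    elif [ "$actual" = "$expected" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Live use on macOS (not run here); codesign writes its report to stderr:
#   codesign -dv --verbose=4 /Applications/Transmission.app 2>&1 | verdict_for "PINNEDTEAM"

# Constructed sample resembling codesign's report; "AAAAAAAAAA" is a placeholder
# Team ID and org.example.app a placeholder bundle identifier.
SAMPLE_SIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Example Dev (AAAAAAAAAA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AAAAAAAAAA'

# Constructed sample for an ad-hoc signed bundle (no Team ID).
SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Signature=adhoc'

printf '%s\n' "$SAMPLE_SIGNED" | verdict_for "AAAAAAAAAA"   # match
printf '%s\n' "$SAMPLE_SIGNED" | verdict_for "BBBBBBBBBB"   # mismatch
printf '%s\n' "$SAMPLE_ADHOC"  | verdict_for "AAAAAAAAAA"   # unsigned
```

The pinned Team ID should come from a build you verified out of band (for example the Team ID shown on a known-good copy), not from the bundle you are about to trust.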

Paul McGrane:

Transmission and VLC really ought to be on the Mac App store except Apple has some puritanical fear of them

Ben Sandofsky:

The Transmission malware wouldn’t exist if it were distributed via the Mac App Store.

But the Mac App Store prohibits BitTorrent clients.

TorrentFreak:

Over the past years dozens of apps have been rejected from the App Store because they mention the word BitTorrent.

Apple defended this policy and told developers that their apps were not allowed “because this category of applications is often used for the purpose of infringing third-party rights.”

This is an interesting hypothetical. Would breaking into Transmission’s iTunes Connect account be harder than breaking into its Web site? At least the odds seem better that the developers would notice that this had happened. Would sandboxing help, or would the malicious app be able to trick the user into granting it access to non-BitTorrent data? Could such an app get through App Review?

Dino A. Dai Zovi:

Why couldn’t the ransomware encrypt files in Time Machine backups? Mac OS X uses the TMSafetyNet kext to make the files immutable after creation.
