Transmission BitTorrent client might contain malware

6 March 2016, 08:59

Oops! Many sources (including us here at Mac Kung Fu) were cock-a-hoop a few days ago when the much-anticipated 2.90 release of the Transmission BitTorrent client was released. Unfortunately, it’s been discovered that the OSX.KeRanger.A malware might’ve got into the update.

The folks behind Transmission are advising that users either delete the app immediately or upgrade to 2.91, which can be done by downloading the latest update direct from their website.

The front page of the Transmission website contains the following advice:

Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.

Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/Library/kernel_service”. If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

However, these instructions don’t quite make sense because the malware path would probably be /Users/[username]/Library/kernel_service. There’s also a handful of legitimate built-in OS X processes with similar names: KernelEventAgent, and Kernel_Task. You shouldn’t attempt to quit these.

Additionally, a discussion on Transmission’s forum indicates that the malware concerned is likely caught by OS X’s built-in Xprotect system.

Whatever the case, here’s our advice in order of importance:

1. Install the 2.91 release of Transmission. It will overwrite the existing version.
2. Run a virus scanner and undertake a Deep System Scan. Then scan your Users directory, as well as the main Applications folder.
3. Install and run Malwarebytes Anti-Malware.
4. Run Etrecheck to see if any abnormal apps are running on your Mac.
5. (Optional) Install the free BlockBlock app to protect against future infections.

If any malware is found, undertake the standard procedure of changing all your passwords.

Update: Reuters is reporting that OSX.KeRanger.A malware is the first known instance of ransomware found on a Mac. Palo Alto Networks provides a technical rundown of the malware. However, you should backup your files as a priority to removable storage – and actually remove that storage! – before attempting the steps above.

Leave a comment...

Also worth making backups if you’re at all unsure. It’s being reported that this is ransomware style malware, and designed to encrypt your files 3 days after infection.

So if you’re at all unsure, make sure you have safe copies of anything you might miss.

— Shaun · Mar 6, 11:39 AM · #