For the second time in five months, the Transmission BitTorrent client for Mac has been infected with malware. The malware, dubbed OSX/Keydnap, is pretty nasty. It's designed to steal the contents of the OS X system keychain and maintain a permanent backdoor. And for a few hours, that malware found its way into the popular Mac BitTorrent client, Transmission.
From the researchers at ESET who discovered the malware:
During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be "something else". It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.
The good news is that "within minutes" of being notified that a rogue version of Transmission was discovered, the Transmission team removed the file from its web server. The bad news is that it's unclear how long the rogue version of Transmission was available or how many people could have downloaded the file.
The malware-infected version of Transmission has a digital signature of August 28, so ESET is advising anyone who downloaded Transmission 2.92 between Aug. 28-29 that their systems might be compromised.
If you think you might be affected, check for the existence of any of these files or directories:
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
- $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
- /Library/Application Support/com.apple.iCloud.sync.daemon/
If you see this stuff, ESET says it means that the malicious version of Transmission was executed and that "Keydnap is most likely running".
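A small script to run that check is below. It is an added example for this article, not ESET's tooling or the GitHub gist mentioned later, and it only tests for the three paths listed above. The user-level paths are resolved against HOME and the system-level one against an optional root prefix (both arguments are assumptions of this example) so the function can also be exercised against a scratch directory tree.

```shell
#!/bin/sh
# Added example: looks for the OSX/Keydnap indicator paths named by ESET.
# keydnap_check [HOME_DIR] [ROOT_PREFIX]
#   HOME_DIR    defaults to $HOME (user-level indicators)
#   ROOT_PREFIX defaults to "" so the system-level path is /Library/... ;
#               pass a scratch directory to test the function offline
# Prints each indicator that exists; returns 0 if none found, 1 if any found.
keydnap_check() {
    home="${1:-$HOME}"
    root="${2:-}"
    found=0
    for p in \
        "$home/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" \
        "$home/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" \
        "$root/Library/Application Support/com.apple.iCloud.sync.daemon"
    do
        if [ -e "$p" ]; then
            printf 'FOUND: %s\n' "$p"
            found=1
        fi
    done
    return "$found"
}

# When run directly, check the current account and the real system path.
if keydnap_check; then
    echo "No OSX/Keydnap indicators found."
else
    echo "OSX/Keydnap indicators present; the malicious Transmission build was likely executed."
fi
```

A clean result only means these particular paths are absent; it is not proof that a compromised Transmission 2.92 was never run, so anyone who downloaded the client in the affected window should still follow ESET's removal guidance.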
If you've got OSX/Keydnap running on your system, you can remove it by running a virus scan with a trusted antivirus app such as Norton AntiVirus or ESET CyberSecurity. There is also a gist on GitHub that you can run from OS X's Terminal to delete the malware.
This would be a bad situation for any application. It's just a bad look for your app to spread malware. But in this case, it's even worse because this is the second time Transmission has been hijacked in less than six months. You may recall that in March, a rogue version of Transmission was bundled with ransomware.
Even worse, ESET says the way the bad guys injected the malware into the app was the same as last time.
In both cases, a malicious block of code is added to the main function of the Transmission application. The code responsible for dropping and running the malicious payload is astonishingly the same.
Just like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission application bundle. It's different from the legitimate Transmission certificate, but is still signed by Apple and bypasses Gatekeeper protection.
In other words, not only was the malware attached to a file served from an official project website, it was code-signed by Apple so it could bypass OS X's Gatekeeper protection.
It's not clear what is happening with Transmission, but at this point, I don't feel super comfortable recommending users use the software -- at least, on the Mac. It's not acceptable for a major application -- open source or not -- to get hijacked this way twice in under six months.
If the Transmission team is committed to its users, it will do a full security audit of all of its web servers and source control systems. The fact that the vector for attack was the same as last time seems to paint the picture of a project that either doesn't know what it's doing at a technical level, or simply doesn't care. We reached out to Transmission for comment but did not receive a response by the time of writing.