Over the last 15 years or so, Apple's Mac platform has traditionally been a much safer computing environment than Windows. Of course, this wasn't necessarily due to OS X having incredibly stronger security protections, but was rather a reflection of the fact that hackers were prone to targeting Windows given its stature as the most commonly used OS on the planet.
But the times they are a chagin'. As the Mac has become more popular in recent years, hackers are increasingly setting their sights on OS X users who may now be operating with false sense of security as it pertains to malware.
Illustrating this changing dynamic, OS X over the weekend was hit with its first piece of malware. This past Saturday, Transmissionbt.com issued a warning indicating that version 2.9 of Transmission - a popular and easy to use BitTorrent client - was infected with ransomware. As such, victims of the attack were greeted with messages stating that their hard drive had been encrypted and that the only way to decrypt it was to pay a fee of about $400.
The warning from Transimssionbt reads:
Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.
Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”
According to reports, the type of ransomware used in this case is designed to remain dormant for three days before springing into action. In other words, Transmission users should upgrade to a more recent version of the software immediately.
Notably, Transmissionbt has added that version 2.92 of Transmission is not only 100% malware free, but will also remove any ransomeware that may have been inadvertently installed over the past few days.
As to how the malware managed to sneak into the offending files, Palo Alto Networks reports:
Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site... Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.
The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system.
As we've highlighted before, malware isn't a new phenomenon as it pertains to Apple or OS X. Nonetheless, the recent saga involving Transmission may suggest that Mac users will increasingly be targeted in future malware attacks.