Rootkit code on MacBook

Photo via Christiaan Colen/Flickr (CC-BY-SA)

Don't transmit this.
BitTorrent clients are occasionally used to download some sketchy stuff, but usually by the choice of the user. For the second time this year, popular Mac BitTorrent client Transmission has been infected with malware.

Researchers at security firm ESET discovered a particularly nasty bit of Mac-targeting malware was being spread through a corrupted version of the otherwise legitimate open source BitTorrent client, hosted directly on the Transmission website. 

The malware, called OSX/Keydnap, is designed to steal passwords stored in an infected user's OS X keychain and attempts to create a permanent backdoor so it can maintain access.

ESET had been tracking the malicious program for a while and brought its existence to light in July. At the time, a researcher from ESET said it was unclear how victims of the virus became infected. They theorized it could be through attachments in emails or downloads from untrusted websites.

As it turns out, in the case of Transmission it spread through a trusted source. The rogue version of the program was signed with a legitimate Mac app development certificate, which allowed it to bypass the protection of Apple’s Gatekeeper, the security feature that protects users from installing an application from untrustworthy sources.

The Transmission team removed the malicious file from their server as soon as ESET informed them of its presence, but that means a portion of users who have downloaded the app may have been infected. It's unclear when exactly the file became available to download from the site.

ESET suggested that anyone who downloaded Transmission v2.92 between August 28 and August 29, 2016 test their system to see if it has been compromised. According to ESET, if any of the files or directories listed below are present on your machine, then OSX/Keydnap is likely running:

  • /Applications/
  • /Volumes/Transmission/
  • $HOME/Library/Application Support/
  • $HOME/Library/Application Support/
  • $HOME/Library/LaunchAgents/
  • /Library/Application Support/
  • $HOME/Library/LaunchAgents/

The files can be removed by using a trusted antivirus program, including ESET CyberSecurity. There is also a script available on GitHub that can be run through the OS X terminal to delete the malware.
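As an added example (not ESET's GitHub script or any Transmission code), a small POSIX shell helper for the two checks the article describes: testing whether listed indicator paths exist, and listing what each LaunchAgents plist in the persistence directories named above launches. The indicator list is assumed to be supplied in a file, one path per line, as published by ESET; function and file names are my own.

```shell
#!/bin/sh
# Added example: defender-side triage helpers for an OSX/Keydnap check.
# Nothing here deletes anything; it only reports what it finds.

# check_iocs <ioc-list-file>
# Reads indicator paths (one per line, "$HOME" expanded), prints each one
# that exists on this machine, and returns 1 if any were found.
check_iocs() {
    found=0
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        case $p in '$HOME'*) p="$HOME${p#\$HOME}";; esac
        if [ -e "$p" ]; then
            printf 'FOUND: %s\n' "$p"
            found=1
        fi
    done < "$1"
    return $found
}

# list_launch_agents <dir>
# For every .plist in a LaunchAgents directory, print the file, its Label and
# the program it launches (first ProgramArguments entry, or Program), so that
# unexpected persistence entries stand out for review.
list_launch_agents() {
    for f in "$1"/*.plist; do
        [ -e "$f" ] || continue
        flat=$(tr -d '\n' < "$f")   # plist on one line for simple sed matching
        label=$(printf '%s' "$flat" | sed -E -n \
            's#.*<key>Label</key>[[:space:]]*<string>([^<]*)</string>.*#\1#p')
        prog=$(printf '%s' "$flat" | sed -E -n \
            's#.*<key>ProgramArguments</key>[[:space:]]*<array>[[:space:]]*<string>([^<]*)</string>.*#\1#p')
        [ -n "$prog" ] || prog=$(printf '%s' "$flat" | sed -E -n \
            's#.*<key>Program</key>[[:space:]]*<string>([^<]*)</string>.*#\1#p')
        printf '%s %s %s\n' "$f" "${label:-?}" "${prog:-?}"
    done
}

# Usage (assumed file name):
#   check_iocs eset_keydnap_iocs.txt
#   list_launch_agents "$HOME/Library/LaunchAgents"; list_launch_agents /Library/LaunchAgents
```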

For Transmission users, the latest infection of the BitTorrent client is likely to give them pause. It's the second time in just five months that the application has been infected. In March, researchers at Palo Alto Networks discovered the client had been corrupted by the first ever Mac ransomware to be found in the wild.
