The recent news that the popular torrenting app Transmission had been compromised to include ransomware shocked many OS X users. This is one of the first times that OS X has been directly targeted for such a malware attack.
And it has some OS X users, myself included, wondering if it might be a better idea to stick with the Mac App Store instead of downloading software from third party Web sites.
I'll share my thoughts about that below, but first here's some information from Palo Alto Networks on the OS X ransomware in Transmission:
On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.
Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (https://download.transmissionbt.com/files/Transmission-2.90.dmg). Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.
The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.
A clean install of OS X El Capitan to purge software from third party sites
When I first heard about the Transmission ransomware in OS X, I did a bit of a double take. I've had Transmission on all of my Macs for ages, though I didn't use it very often. But it was one of the better torrenting apps, so I liked having it handy in case I needed it.
I was fortunate in that I had updated to Transmission 2.90 via the in-app updater, not the Transmission site. But just to be on the safe side, I grabbed my home folder and put it on an external drive to back up all of my data. I then did a clean install of OS X El Capitan to make extra sure that I would not have any problems.
I had already deleted Transmission, despite the fact that I had apparently not been infected. But I prefer to be safe rather than sorry, so a clean install of OS X El Capitan was an easy way to do that. And it also eliminated all other software that had been installed from sources other than the Mac App Store (more on that below).
Why I'm sticking with the Mac App Store for all of my software
I know that a lot of people are down on the Mac App Store, and some developers have even removed their software for one reason or another. But I still think it can be quite useful and I've tried to get most of my software there for the last few years.
However, until the Transmission ransomware, I didn't think twice about installing software from outside of the Mac App Store. But those days are over. After I did my clean install of OS X El Capitan, I changed my security settings to allow app installs only from the Mac App Store.
This is very easy to do, here's how:
1. Open System Preferences.
2. Click on Security & Privacy.
3. Click on the General Tab.
4. Click the lock at the bottom of the window and then type in your password.
5. Click on Mac App Store under the "Allow apps downloaded from:" section.
This way I can easily make sure that all of the software installed on my iMac comes solely from the Mac App Store. While no security mechanism is perfect, it will help eliminate any potential repeat of the Transmission ransomware situation. Two caveats are worth knowing. Gatekeeper evaluates an app only the first time it is opened, and only if the download carries the quarantine attribute, so the setting does nothing for software that is already installed (hence the clean install above). And it can be overridden by right-clicking an app and choosing Open, so the setting is only as strong as the habit of never doing that for something downloaded from a web site.
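As an added example (not code from the original article, from Apple, or from the Transmission project), here is a small shell script that does from the Terminal what the steps above set up in the GUI: it checks whether a downloaded app carries the quarantine flag, verifies its code signature, and asks Gatekeeper for its verdict under the policy currently selected in Security & Privacy. The app path, the helper names and the sample spctl output in the comments are assumptions; the same "Mac App Store" policy is the one Mitnick applied on his mother's iMac in the Macworld quote further down.

```shell
#!/bin/sh
# Added example: check a downloaded app before its first launch on OS X.
# Assumes an OS X system with xattr, codesign and spctl available, and an
# app bundle path as $1 (e.g. /Applications/SomeApp.app; the path is an
# assumed example, not an indicator from the KeRanger incident).

# Classify the text that `spctl --assess --type execute -vv` prints.
# Reads spctl's combined output on stdin and prints one of:
#   rejected, app-store, developer-id, accepted-other, unknown
classify_spctl_output() {
    out=$(cat)
    case "$out" in
        *rejected*)               echo rejected ;;       # unsigned, or certificate revoked (Apple revoked KeRanger's)
        *"source=Mac App Store"*) echo app-store ;;      # allowed under the "Mac App Store" setting
        *"source=Developer ID"*)  echo developer-id ;;   # allowed only under "Mac App Store and identified developers"
        *accepted*)               echo accepted-other ;; # accepted by some other rule, e.g. a manual override
        *)                        echo unknown ;;
    esac
}

# Run the three checks on the app at $1; returns 0 only if Gatekeeper
# would allow it under the Mac App Store-only policy.
check_app() {
    app="$1"

    # 1. Quarantine flag: Gatekeeper only assesses files that carry it
    #    (browser downloads do; an app copied in some other way may not).
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present (Gatekeeper will evaluate on first open)"
    else
        echo "quarantine: absent (Gatekeeper will not evaluate this app)"
    fi

    # 2. Signature integrity and signer. A valid signature proves who signed,
    #    not that the code is benign: KeRanger carried a valid signature until
    #    Apple revoked the certificate, after which this check fails.
    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "signature: valid"
    else
        echo "signature: INVALID or missing"
    fi
    codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true

    # 3. Gatekeeper's verdict under the policy currently in force
    #    (`spctl --status` shows whether assessments are enabled at all).
    verdict=$(spctl --assess --type execute -vv "$app" 2>&1 | classify_spctl_output)
    echo "gatekeeper: $verdict"
    [ "$verdict" = app-store ]
}

# Usage: sh check_app.sh /Applications/SomeApp.app
[ $# -eq 0 ] || check_app "$1"
```

Run it against a freshly downloaded app before opening it; a "developer-id" verdict means the app would have passed under the default setting and is exactly the case the stricter setting blocks. Where a project publishes checksums for its disk image, also compare `shasum -a 256` of the download against them, bearing in mind that a checksum served from the same compromised web site proves little.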
And yes, I know that torrenting apps apparently are not allowed in the Mac App Store but I'm fine with that. As I said, I didn't use Transmission all that much anyway so not having such an app on my Mac is no great loss to me.
The important thing here is to take the security of a third party's web site out of the equation. I don't want to wonder whether some software vendor's site is easily hackable, and whether the download I get from it will carry ransomware or other malware.
OS X wasn't the only target of this kind of attack in recent days. The popular Linux distribution Linux Mint also had its web site and discussion forum compromised, and some people downloaded Linux Mint ISO images that the attackers had tampered with.
This kind of attack seems to be becoming more and more popular with attackers, and I think we're going to see a lot more of it in the future. Some web sites have very poor security practices, which makes them an easy target, and that puts every user who downloads something from such a site at risk in a very direct way.
Transition to the Mac App Store for your software
So I think it makes sense for Mac users to look at the software they actually need and use each day. And then see if you can get that software or acceptable substitutes from the Mac App Store instead of third party web sites. If you can then it's a good idea to change your app install permissions to only allow Mac App Store software.
Perhaps some of you reading this might think I'm paranoid, and maybe I am. But the situation with Transmission is a huge warning shot across the bow of all Mac users. OS X and the Macs that run it are now a target. This is the price that we all must pay for the increase in popularity of the Mac in recent years.
One app that I frequently use is VLC, and it's not in the Mac App Store. But I was delighted to find Elmedia Video Player, and so far it's been a terrific substitute. I also need to find an image resizer, and I'll be deciding on one later this morning since my other app isn't in the Mac App Store either. But I did see a number of potentially acceptable apps, so I'll try one of them in just a bit.
Anyway, the gist of this is that you should take another look at the Mac App Store and see if you can transition over to it as your sole software source on the Mac. I know that not everybody will be able to do that, but if you can you might go a long way toward eliminating potential security headaches like the one that happened with Transmission.
Update: According to an article in Macworld, hacker Kevin Mitnick has changed his mother's "Allow apps downloaded from" setting to Mac App Store only:
Mitnick told me how he secured his own mother’s computer by taking advantage of Apple’s code signing model for security. He said his mother used to call him every week to fix her Windows PC because the machine was constantly getting infected. His mother would “fall hook, line and sinker... for social engineering attacks” and he had to re-install Windows every week.
So he bought her an iMac, installed an anti-virus utility, and then locked down the device.
In the “Security and Privacy” settings in OS X, there’s a “General” tab. At the bottom, there’s a setting labeled “Allow apps downloaded from.” The default setting is: “Mac App Store and identified developers.” For his mother’s Mac, Mitnick changed that setting to “Mac App Store,” which means she can download only apps approved by Apple.
Mitnick points out that the default setting isn’t very secure because “it’s a hundred bucks to become a developer.”
Mitnick certainly knows what he's talking about when it comes to computer security. So taking a cue from him isn't a bad idea at all if you want to avoid malware and other malicious downloads from making their way onto your Mac.
This article is published as part of the IDG Contributor Network.