Edited to add: If anyone has a copy of the DMG, sha1 5f8ae46ae82e346000f366c3eabdafbec76e99e9, please link me a copy via email ([email protected]) or twitter DM (@moyix).
Maybe take a look around https://build.transmissionbt.com/ - but then again maybe the svn repo wasn't compromised? I tried a "svn diff svn://svn.transmissionbt.com/Transmission/tags/2.90 svn://svn.transmissionbt.com/Transmission/tags/2.91" and didn't see anything suspicious on a fast scroll-through
Side topic: probably not a good idea to expose Jenkins externally, especially if you don't keep Jenkins up-to-date all the time (for transmission bt it is up-to-date right now). This Jenkins probably contain the key to the svn server, so if someone finds a hole...
I do not think it was the build server, though. According to this analysis[1], the developer used a different key to sign the build (all Mac apps need to be signed or the default behavior is to reject that App. You can permanently disable this behavior in settings, or just for on app by holding control while opening the App, which a lot users who use transmission probably do because not all legitimate Apps are signed). Anyways, since the app was signed by a third party's certificate (which was approved by Apple), chances are only the website was compromised. If the build server had been compromised, the attack would have had access to the developer's certificate and they would most likely have used that.
Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
We suggest users take the following steps to identify and remove KeRanger holds their files for ransom:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.
"It will then sleep for three days. Note that, in a different sample of KeRanger we discovered, the malware also sleeps for three days, but also makes requests to the C2 server every five minutes."
Isn't it possible to fire a takedown notice to that server? I mean KeRanger committed a felony and Amazon (assuming you mean Amazon's EC2 server) might react quickly if they realize what has happened. It might save a lot of computers from getting destroyed. As long as the server is somewhere in the Western world, it should not be a problem.
The server isn't on EC2, it's hosted on Tor. The malware uses an HTTP-to-TOR gateway service (onion.nu and onion.link) to pull down the encryption key and README file from one of three different hidden services. In theory you could try to get the gateways to block the connections, but I'm not sure they're likely to be cooperative.
https://www.virustotal.com/en/file/d1ac55a4e610380f0ab239fcc...
(Look under the "Behavioural information" tab)
Written Files and Created Processes are interesting:
[Transmission] /Users/user1/Library/kernel_service (successful)
[unknown] /Users/user1/Library/.kernel_pid (successful)
[unknown] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/window_1.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/data.data (successful)
[Transmission] /Users/user1/Library/Saved Application State/org.m0k.transmission.savedState/windows.plist (successful)
[kernel_service] /Users/user1/Library/.kernel_time (successful)
Created processes
/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission (successful)
/Users/user1/Library/kernel_service (successful)
kernel_service (successful)
Edited to add: If anyone has a copy of the DMG, sha1 5f8ae46ae82e346000f366c3eabdafbec76e99e9, please link me a copy via email ([email protected]) or twitter DM (@moyix).