V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
leemail
V2EX  ›  macOS

Ransomware found in transmission 2.90

  •  
  •   leemail · 2016-03-07 05:05:37 +08:00 via iPad · 2973 次点击
    这是一个创建于 3174 天前的主题,其中的信息可能已经有所发展或是发生改变。
    13 条回复    2016-03-07 10:57:47 +08:00
    zwl2828
        1
    zwl2828  
       2016-03-07 06:39:13 +08:00
    Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.

    Using “ Activity Monitor ” preinstalled in OS X, check whether any process named “ kernel_service ” is running. If so, double check the process, choose the “ Open Files and Ports ” and check whether there is a file name like “/Users//Library/kernel_service ”. If so, the process is KeRanger ’ s main process. We suggest terminating it with “ Quit -> Force Quit ”

    Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."

    If you don't use the Transmission software, there is nothing you need to do at this time.

    via http://www.macrumors.com/2016/03/06/mac-ransomware-transmission/
    steveshi
        2
    steveshi  
       2016-03-07 06:56:09 +08:00
    是个有点狠的恶意软件啊,加密用户数据然后勒索。
    ReSur
        3
    ReSur  
       2016-03-07 07:31:08 +08:00
    正好下了 2.90 版 Transmission 并运行了,万幸的是暂时没有发现 kernel_service 进程和其他异常
    Bardon
        4
    Bardon  
       2016-03-07 08:21:43 +08:00
    完了,我下载,并运行过了,虽然暂时没发现 kernel_service 进程,也没发现 kernel_service 文件
    但是心理虚虚的,天之道它生成的进程名是否固定的,以及是否定时被唤醒的
    liyiecho
        5
    liyiecho  
       2016-03-07 08:23:30 +08:00
    出现问题的是从这个网址 https://download.transmissionbt.com/files/Transmission-2.90.dmg 下载的,我从这 https://transmission.cachefly.net/Transmission-2.90.dmg 下载的就没发现 kernel_service 进程和文件,官网出通告了,让更新到 2.92 了。。
    JackBlack2006
        6
    JackBlack2006  
       2016-03-07 08:25:04 +08:00
    我还特意进 transmission.app 里看过了,并没有这个文件?
    JackBlack2006
        7
    JackBlack2006  
       2016-03-07 08:30:55 +08:00
    我觉得部分人不需要担心?我 2 月 28 日下载安装的 2.90 ……
    ReSur
        8
    ReSur  
       2016-03-07 08:32:59 +08:00
    @liyiecho 我也是 cachefly.net ,当时开了全局代理才得以下载
    JackBlack2006
        9
    JackBlack2006  
       2016-03-07 08:36:53 +08:00   ❤️ 3
    Seven pages and no one has mentioned the very specific conditions required for you to self-infect?

    1) You'd have to had download the dmg from the from the website between 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016
    2) Have opened the General.rtf file on the dmg
    3) Have actively blocked gatekeeper from updating

    These are all very specific conditions. If you have used Transmission before and auto-updated you are safe. If you don't open read me files you are safe.

    Which makes me wonder why people are panicking over this. And also, if the hackers could compromise the official website with a dmg, why not poison the executable itself instead of relying on the user clicking a fake text file?
    Bardon
        10
    Bardon  
       2016-03-07 08:42:59 +08:00
    打开 caskroom ruby 脚本,看了下,是从 https://download.transmissionbt.com 下载的...
    我好像就是周五下午通过 caskroom 更新
    但是目前没发现 http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/ 这个网址说的特征文件存在
    去 launchagent 目录转了一圈,也没发现自启动项..
    心理还是虚啊,工作电脑,再考虑要不要 timemachine 会滚了
    Bardon
        11
    Bardon  
       2016-03-07 08:44:30 +08:00
    @JackBlack2006 谢谢,安心了
    187j3x1
        12
    187j3x1  
       2016-03-07 08:53:02 +08:00
    1 号就升级并运行了 没中毒痕迹
    blanboom
        13
    blanboom  
       2016-03-07 10:57:47 +08:00
    看样子 KeRanger 的后续版本还有可能破坏 Time Machine
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3056 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 28ms · UTC 14:15 · PVG 22:15 · LAX 06:15 · JFK 09:15
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.