Apple Macs hit by ransomware for first time

[david555]

Apple users beware check this on bbc , as Apple Macs hit by ransomware 'for first time'........just published !!

 

http://www.bbc.com/news/technology-35744416

[Woofiee]

Ahh, the BBC - always scaremongering Apple whenever possible. 

Thanks david555 for the heads-up. It's unclear, but it is increasingly looking as through it wasn't the Transmission App or the updating process that was compromised, but their web site. Someone put a compromised version out which some people downloaded from the site, that was signed by a different developer's Certification, one apparently long-abandoned. It got snuck in somewhere in the days after release. Transmission is a volunteer app and it's not run through the app store, so one bad commit can cause problems, but Apple moved fast and cancelled the signing certificate for the developer, and so the bad app release should be dead now. 

There are a few good things to check for things before anyone starts freaking out: 

1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and they suggest deleting this version of Transmission. If so, then...
    
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service”.
   
   
   
   If so, the process is KeRanger’s main process. They suggest terminating it with “Quit -> Force Quit”.
    
3. After these steps, They also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in your ~/Library directory. If so, you should delete them.

If the first one or two yield nothing, you're clean. The first should be enough but it's also good to look for footprints as well as fingerprints. Be sure to update to the latest Transmission at http://transmissionbt.com - the current version is 2.92. 

A good guide to any app that isn't in Apple's sandbox is to make an Applications folder in your own Home directory and move it into there. If you move it into the standard system Applications directory, it gets run as the System user, with all the high privileges that go with that. Without the sandbox clearance, this can br problematic, so put these apps into a lower-level folder owned by one user with standard, not admin, privileges. 

You do run as a standard user, don't you? Smart people do, for this particular reason right here, buckko... Without heightened privileges, Transmission couldn't embed and launch a subprocess, hosing your system and making you cry little girl tears. It'd have to pop up a panel asking for your admin login and password, and "...whoa! Wait a minute!!" You'd have caught it before it caught you. 

So - that we're all together now:

• Check the list above.
• Keep all non-AppStore apps in a seperate Applications folder in the user's home directory
• Do not run as an Admin. Run as a Standard user, never as an Admin. Create a seperate account for an Admin, then make sure you're Standard. Do not run as an Admin. 

One more thing. 

Do not run as an Admin. People who do make problems like this.