A new malware briefly flared in the Macworld this weekend but there’s only an extremely slim chance your Mac has been affected. Don’t panic at the inevitable hype: here’s how to protect yourself.
Start here: Do you use Transmission?
If you don’t, you’ll be fine.
Synopsis
The Transmission 2.9 BitTorrent client release was undermined by malware writers who inserted ‘KeRanger’ code that encrypts all your Mac’s files and then demands around $400 to unlock your data. It takes three days until the malware strikes, so if you are impacted, there's probably still time.
Apple’s reaction
Apple reacted swiftly. Within hours of the release an important Apple-provided security certificate was withdrawn by Cupertino and a new version of Transmission was made available that did not include the criminal code. Apple will doubtless be strenuously investigating how this code gained certification.
Meanwhile if you try to open a version of the application that is known to be infected you will be given a warning message saying either, “Transmission.app will damage your computer. You should move it to the Trash,” or, “Transmission can’t be opened. You should eject the disk image.”
What you can do
Infected files were downloaded after 7pm on Friday, and before 2am Sunday morning. If you think you may have been impacted by the bug, don’t panic, here is what you can do to protect yourself, courtesy of Palo Alto Networks:
Step One
Using either Terminal or Spotlight, check to see if either of these files exist:
/Applications/Transmission.app/Contents/Resources/ General.rtf /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist.
Step two
If those files do exist you are using an infected version of Transmission and should delete the application once you have followed the next steps.
Step three
Launch Activity Monitor and search to see if a process called ‘kernel_service’ is running.
Step four
If kernel_service is running double click it in order to see more information about the process and then select the ‘Open Files and Ports’ pane to the right.
Step five
In Open Files and Ports check for a file name that should look like: ‘/Users/<username>/Library/kernel_service’. If this exists then you’ve found KeRanger’s main process.
Step six
Terminate the process using Quit>Force Quit
Step seven
You should now use Spotlight to find out if any of the following files exist in the ~/Library directory:
.kernel_pid,
.kernel_time,
.kernel_complete
kernel_service
If you find them, delete them.
Step seven
You should also delete this version of the app. Do so following these instructions (complex) or using an application like AppCleaner, which will also find and delete all associated files.
Opinion
It seems inevitable the usual critics will wave this swiftly addressed security vulnerability around as some kind of proof that the Mac is becoming less secure. It could be taken that way, but it can also serve as proof that the nature of software security threats is constantly changing – those things which kept us safe last year don’t necessarily keep us safe now. This is why Apple invests a great deal of time and effort in security – and this is also why any computer user on any platform (and certainly any enterprise using IT) should get behind Apple in its battle with the FBI over encryption. As Apple’s VP software engineering, Craig Federighi, explains this weekend in the Washington Post:
“The encryption technology built into today’s iPhone represents the best data security available to consumers. And cryptographic protections on the device don’t just help prevent unauthorized access to your personal data — they’re also a critical line of defense against criminals who seek to implant malware or spyware and to use the device of an unsuspecting person to gain access to a business, public utility or government agency.”
Removing this essential line of defense will place every computer user under threat and utterly undermine digital business. Far from making us safer, it will make us more insecure – and the level of threat posed by this ransomware event will look trivial in comparison.
Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic's Kool Aid Corner community and join the conversation as we pursue the spirit of the New Model Apple?
Got a story?Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.