Ransomware found in Transmission 2.90

2016-03-07 05:05:37 +08:00
 leemail

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

2822 views
Node: macOS
13 replies
zwl2828
2016-03-07 06:39:13 +08:00
Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.

Using "Activity Monitor", preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double-check the process, choose "Open Files and Ports" and check whether there is a file name like "/Users//Library/kernel_service". If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".

Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."

If you don't use the Transmission software, there is nothing you need to do at this time.

via http://www.macrumors.com/2016/03/06/mac-ransomware-transmission/
steveshi
2016-03-07 06:56:09 +08:00
That's a fairly nasty piece of malware: it encrypts the user's data and then demands a ransom.
ReSur
2016-03-07 07:31:08 +08:00
I happened to download Transmission 2.90 and ran it. Fortunately, so far I have not found a kernel_service process or any other anomaly.
Bardon
2016-03-07 08:21:43 +08:00
Damn, I downloaded it and ran it. I haven't found a kernel_service process so far, and no kernel_service file either,
but I still feel uneasy. Who knows whether the process name it generates is fixed, or whether it gets woken up on a timer.
liyiecho
2016-03-07 08:23:30 +08:00
The affected copy is the one downloaded from https://download.transmissionbt.com/files/Transmission-2.90.dmg. The one I downloaded from https://transmission.cachefly.net/Transmission-2.90.dmg shows no kernel_service process or file. The official site has posted a notice telling everyone to update to 2.92...
JackBlack2006
2016-03-07 08:25:04 +08:00
I even went and looked inside transmission.app specifically, and that file isn't there?
JackBlack2006
2016-03-07 08:30:55 +08:00
I think some people don't need to worry? I downloaded and installed 2.90 on February 28...
ReSur
2016-03-07 08:32:59 +08:00
@liyiecho I got it from cachefly.net too; at the time I had to turn on a global proxy to be able to download it.
JackBlack2006
2016-03-07 08:36:53 +08:00
Seven pages and no one has mentioned the very specific conditions required for you to self-infect?

1) You'd have to have downloaded the dmg from the website between 11:00am PST, March 4, 2016 and 7:00pm PST, March 5, 2016
2) Have opened the General.rtf file on the dmg
3) Have actively blocked Gatekeeper from updating

These are all very specific conditions. If you have used Transmission before and auto-updated, you are safe. If you don't open read-me files, you are safe.

Which makes me wonder why people are panicking over this. And also, if the hackers could compromise the official website with a dmg, why not poison the executable itself instead of relying on the user clicking a fake text file?
Bardon
2016-03-07 08:42:59 +08:00
I opened the caskroom Ruby script and had a look: it downloads from https://download.transmissionbt.com...
I think I updated through caskroom on Friday afternoon.
But so far I haven't found the indicator files described at http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
I also went through the LaunchAgents directory and found no autostart items...
Still feel uneasy, though; it's my work machine. Considering whether to roll back with Time Machine.
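The manual check from zwl2828's post (a process named kernel_service, a file at ~/Library/kernel_service) and the LaunchAgents look-through Bardon describes, scripted so it can be run on several Macs. This is an added example written for this page, not code from the original posts, from Palo Alto Networks or from the Transmission project. It assumes the thread's truncated "/Users//Library/kernel_service" path means the current user's home directory ($HOME/Library/kernel_service); the LaunchAgents grep and the sample process listing in the comments are illustrative assumptions, not published indicators.

```shell
#!/bin/sh
# Added example for this thread: script the manual KeRanger check from the
# posts above.  Indicators taken from the thread: a running process named
# "kernel_service" and a file at ~/Library/kernel_service.  Everything else
# (the LaunchAgents grep, the constructed sample process list below) is an
# assumption made for illustration, not a published indicator.
#
# Constructed sample process listing (what `ps -A -o comm=` might print):
#   /usr/libexec/launchd
#   /Applications/Transmission.app/Contents/MacOS/Transmission
#   /Users/alice/Library/kernel_service      <- would be flagged

# Does a process listing (one command per line, as printed by `ps -A -o comm=`)
# contain a process whose name is exactly kernel_service?  Compares the last
# path component, so both "kernel_service" and "/Users/x/Library/kernel_service"
# match.  Returns 0 if found, 1 otherwise.
keranger_process_in_ps() {
    printf '%s\n' "$1" | awk '
        { sub(/^[ \t]+/, ""); n = split($0, a, "/"); if (a[n] == "kernel_service") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Is the dropped binary present?  $1 is the home directory to inspect
# (assumption: the thread's "/Users//Library/kernel_service" is the user's
# home, i.e. $HOME/Library/kernel_service).
keranger_file_present() {
    [ -e "$1/Library/kernel_service" ]
}

# Print any per-user LaunchAgent plist that references kernel_service, as a
# persistence check (assumption; the thread only reports looking there).
# -a treats binary plists as text.  Exit 0 if something matched.
keranger_launch_agents() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 1
    grep -la 'kernel_service' "$dir"/*.plist 2>/dev/null
}

# Run all three checks.  $1 = home directory (default: current user),
# $2 = process listing (default: taken live from ps).  Prints a line per
# hit and returns the number of hits, so a non-zero status means "found".
keranger_check() {
    home="${1:-$HOME}"
    pslist="${2:-$(ps -A -o comm=)}"
    hits=0
    if keranger_process_in_ps "$pslist"; then
        echo "HIT: a kernel_service process is running; Force Quit it in Activity Monitor (or: pkill -x kernel_service)"
        hits=$((hits + 1))
    fi
    if keranger_file_present "$home"; then
        echo "HIT: $home/Library/kernel_service exists"
        hits=$((hits + 1))
    fi
    if agents=$(keranger_launch_agents "$home"); then
        echo "HIT: LaunchAgents referencing kernel_service:"
        echo "$agents"
        hits=$((hits + 1))
    fi
    if [ "$hits" -eq 0 ]; then
        echo "No KeRanger indicators found in $home"
    fi
    return "$hits"
}

# Entry point: `sh keranger_check.sh run [home_dir]`.  Guarded so the file can
# also be sourced to reuse the functions from another script.
if [ "${1:-}" = run ]; then
    keranger_check "${2:-$HOME}"
fi
```

Run it as `sh keranger_check.sh run` for the current user or `sh keranger_check.sh run /Users/bob` for another home directory; the exit status is the number of indicators found. The process match is on the last path component because `ps -o comm` on OS X may print the full executable path, while Activity Monitor shows only the bare name quoted in the thread. A clean result here only means the indicators the thread names are absent; it says nothing about a renamed dropper, which is exactly the worry Bardon raises above.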
Bardon
2016-03-07 08:44:30 +08:00
@JackBlack2006 Thanks, that's reassuring.
187j3x1
2016-03-07 08:53:02 +08:00
I upgraded and ran it on the 1st; no signs of infection.
blanboom
2016-03-07 10:57:47 +08:00
It looks like later versions of KeRanger may also be able to damage Time Machine backups.

https://www.v2ex.com/t/261574
