Infect me once, shame on you. Infect me twice...
Transmission, the popular Mac BitTorrent client that everyone only ever uses to download totally legit open source files, has once again been hijacked to serve malware. Perplexingly, it sounds like it was hijacked in the same way as last time.
ESET research reports:
Last month ESET researchers wrote an article about a new OS X malware called OSX/Keydnap, built to steal the content of OS X's keychain and maintain a permanent backdoor. At that time of the analysis, it was unclear how victims were exposed to OSX/Keydnap. To quote the original article: "It could be through attachments in spam messages, downloads from untrusted websites or something else."
During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be "something else". It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.
I've never liked BitTorrent because it always felt like I was shoving a naked connection out onto the Internet. (I'm ridiculous that way.) This kind of thing only adds layers of tin to my foil hat. That's especially true because the way in which Transmission is being hijacked negates the defenses Apple builds into macOS (née OS X), including Gatekeeper.
Christina Warren, writing for Gizmodo (yup!):
It's not clear what is happening with Transmission, but at this point, I don't feel super comfortable recommending users use the software, at least, on the Mac. It's not acceptable for a major application—open source or not—to get hijacked this way twice in under six months.
If you think you might have downloaded Transmission while it was infected, Christina also tells you how you can check to make sure, and what you can do to disinfect if you have to.