A Word on the OS X Malware Attack

David Rees — March 11, 2016

In our connected world, no one is safe from malware. All types of software are constantly under attack, making security a major issue for software developers everywhere, every day.

This week, the first ransomware on Mac was discovered in a release by the Transmission team. It’s understandable that this has made news, particularly given that this is the first direct malware attack to impact OS X users.

On behalf of our friends at Transmission, we would urge understanding and ask users to look at their body of work when judging them and not a single incident which they quickly and decisively handled.

By many accounts, this vulnerability for OS X has existed for some time. Every company, every website, is prone to vulnerabilities. There is no software vendor out there that has not done its fair share of firefighting. It is a credit to all the teams that can flag and address an issue quickly before it reaches consumers and becomes widespread.

It was unfortunate that Transmission was the vector of this first attack, but kudos to the team for reacting quickly to release a fixed version that removes the malicious code. The issue was discovered on March 4th and addressed the next day. Having gone through a few of these fire drills myself, I understand what kind of effort it takes to react that quickly to an issue.  If you are reading this and you use Transmission, please download their latest version to remove the malware.

What is also important to note, and many news outlets have reported this correctly, is that the attack was not on the BitTorrent protocol nor on Transmission’s client. The attack does not affect other BitTorrent clients, nor does it affect the files you download via BitTorrent. This attack was directed at OS X itself via a packaged file within the installer tool used to download Transmission. Palo Alto Networks describes it here:

“Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (hxxps://download.transmissionbt.com/files/Transmission-2.90[.]dmg). Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.”

As developers of software used by millions of people, we have to be ever vigilant.  All of us take security seriously and try very hard to thwart attacks of any variety.  So once again, hats off to the Transmission team for dealing with this threat quickly.

David Rees


Dave Rees is the VP of Engineering at BitTorrent.