thomas_r. wrote:
KeRanger is not a virus, and it cannot spread on its own.
That will be something to look forward to in an upgraded version. The Transmission hack is just one variant of KeRanger. It is under active development and there will be a new version.
Actually, in my testing with this malware, which I also verified with Claud Xiao (who discovered the malware), although it does copy the executable file to that location, it is then deleted after the process is running. Don't ask me why. There is also no method of persistence, meaning that the only way to get the malware running again after a restart is to open the infected Transmission app. Again, don't ask me why. Seems like a rather odd design to me.
It sounds pretty clever to me. The best way to hide a malicious executable is to delete it. It only needs to reside on disk to be launched. After that, it can be deleted. On a UNIX OS, any file can be unlinked while open. That is how temporary files work. The file handle will remain active and valid, even though the actual file pointer has been removed from the filesystem.
People may complain about Apple's Gatekeeper, Developer ID, and even its so-called "review" system for Mac App Store apps. While I agree that those systems are all pretty easy to bypass, they must be bypassed first. They are future-facing technologies. Any future malware must first figure out a way around them. The malware author in this case did that, but now that must be re-done. Any research that people have done on this particular version of KeRanger will also have to be re-done after the next exploit. Welcome to your future, Mac users.
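The point made above about unlinking an open file is easy to verify. The following is an added example, not code from the thread or from KeRanger: it creates a temporary file, unlinks it while the descriptor is still open, and then shows that fstat() still succeeds with st_nlink at 0, that the path is gone, and that the data can still be read through the descriptor. The temp-file path and the payload are constructed for the demo; the /proc/self/fd check only applies on Linux (macOS has no /proc, so you would use lsof there) and the helper reports -1 when it is unavailable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Observations from the unlink-while-open experiment. */
struct unlink_result {
    int fd_still_valid;        /* fstat() on the descriptor succeeded after unlink() */
    nlink_t links_after;       /* st_nlink seen through the open fd; 0 = no directory entry left */
    int path_gone;             /* stat() on the original path now fails with ENOENT */
    int proc_marked_deleted;   /* Linux: 1 if /proc/self/fd/N ends in "(deleted)"; -1 if /proc unavailable */
    char readback[64];         /* data read back through the fd after the file was unlinked */
};

/* Write payload to a fresh temp file, unlink it, then prove the descriptor still works.
 * Returns 0 on success, -1 on any syscall failure. */
int unlink_while_open(const char *payload, struct unlink_result *out)
{
    char path[] = "/tmp/unlink_demo_XXXXXX";   /* constructed template; mkstemp fills the Xs */
    memset(out, 0, sizeof *out);

    int fd = mkstemp(path);
    if (fd < 0) return -1;

    size_t len = strlen(payload);
    if (write(fd, payload, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }

    /* Remove the directory entry. The inode survives because this fd still references it. */
    if (unlink(path) != 0) { close(fd); return -1; }

    struct stat st;
    if (fstat(fd, &st) == 0) {
        out->fd_still_valid = 1;
        out->links_after = st.st_nlink;   /* expect 0: no name points at the inode any more */
    }

    struct stat pst;
    out->path_gone = (stat(path, &pst) != 0 && errno == ENOENT);

    /* Detection angle on Linux: the fd's symlink in /proc carries a "(deleted)" suffix. */
    char procpath[64], link[1024];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    ssize_t ln = readlink(procpath, link, sizeof link - 1);
    if (ln < 0) {
        out->proc_marked_deleted = -1;
    } else {
        link[ln] = '\0';
        out->proc_marked_deleted = strstr(link, "(deleted)") != NULL;
    }

    /* The content is still reachable through the open descriptor. */
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    ssize_t n = read(fd, out->readback, sizeof out->readback - 1);
    if (n < 0) { close(fd); return -1; }
    out->readback[n] = '\0';

    close(fd);   /* last reference dropped: now the kernel actually frees the inode and data */
    return 0;
}

int main(void)
{
    struct unlink_result r;
    if (unlink_while_open("still readable after unlink", &r) != 0) {
        perror("unlink_while_open");
        return 1;
    }
    printf("fd valid after unlink: %d\n", r.fd_still_valid);
    printf("st_nlink after unlink: %lu\n", (unsigned long)r.links_after);
    printf("path gone: %d\n", r.path_gone);
    printf("/proc shows (deleted): %d\n", r.proc_marked_deleted);
    printf("read back: \"%s\"\n", r.readback);
    return 0;
}
```

The same property is what lets a running binary delete its own executable: the process keeps its mapped image, the directory entry vanishes, and a file scanner that walks paths sees nothing. The practitioner's counter is to enumerate open descriptors and mappings of live processes (lsof on macOS, /proc on Linux) rather than only the filesystem, because the inode and its contents persist exactly as long as some process holds a reference.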