
How to check if your Mac has been Keydnapped

If you downloaded Transmission v2.92 between August 28th and August 29th, 2016, there is a chance your system is infected. You can identify the infection by checking whether any of the following exists:

  • /Applications/Transmission.app/Contents/Resources/License.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
  • $HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
  • $HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
  • /Library/Application Support/com.apple.iCloud.sync.daemon/
  • $HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Also note that the malicious disk image was named Transmission2.92.dmg while the legitimate one is Transmission-2.92.dmg (notice the hyphen).

How to remove Keydnap

To remove Keydnap v1.5, start by quitting Transmission. Then, in Activity Monitor, kill processes with any of the following names:

– icloudproc
– License.rtf
– icloudsyncd
– /usr/libexec/icloudsyncd -launchd netlogon.bundle

Remove the following files and directories:

– /Library/Application Support/com.apple.iCloud.sync.daemon/
– /Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
– /Users/$USER/Library/Application Support/com.apple.iCloud.sync.daemon/
– /Users/$USER/Library/Application Support/com.geticloud/
– /Users/$USER/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
– /Users/$USER/Library/LaunchAgents/com.geticloud.icloud.photo.plist

Remove Transmission from your system and download it again from a trusted source. The Transmission website and binaries are now hosted on GitHub. You can verify the hash and the signature of the legitimate package with:

– “shasum -a 256”, comparing the result with the hash published on the site, and
– “codesign -dvvv”, checking that the package is signed by “Digital Ignition LLC” with team identifier 5DPYRBHEAR.


Originally posted on WeLiveSecurity