The ransomware in the Transmission v2.90 DMG found by Palo Alto Networks' Unit 42 (KeRanger) certainly proves one thing: Gatekeeper and SIP, in their current incarnation, are not good enough. Yes, SIP protects a lot of files, but not all of them. And sure, with Gatekeeper set to allow only the Mac App Store it would not have been installed, but the infected DMG was signed with a valid Developer ID certificate, so the default setting ("Mac App Store and identified developers") let it through, and many people – I presume – have changed their Gatekeeper preference so that they can install software from anywhere, not just the Mac App Store.
Some people even disable (parts of) SIP, and this particular case shows that disabling file-system protection is not a smart thing to do. Not that SIP would have protected you against this specific malware, which ran from the user's home directory and never needed to touch a protected location, but still.
Apple should also make it possible to add your own restrictions, and perhaps back-port some of the SIP changes it made for OS X 10.12 into the next release of El Capitan, so that this is a non-issue for future attacks.
Please note that the in-app update of Transmission is not affected, which suggests that (some of) the project's server(s) were hacked or otherwise compromised. The developer certificate used to sign the version of Transmission that included the malware was that of a Turkish company (since revoked by Apple), not the usual certificate of the Transmission developers. I don’t know if the company itself was somehow involved, or someone from that company, but their certificate was used by some shady people.
And if only Gatekeeper had checked the origin of the certificate, as it should IMHO, and shown you a warning that the signing identity had changed from the previous version, then at least some folks (not all) would have noticed this malware long before it spread widely. The DMG with the ransomware was available for quite some time, but since you had to download it yourself, the number of affected users may be limited.
In short: it is time for Apple to act… or perhaps people like Craig Federighi should be careful with comments like “That’s why my team works so hard to stay ahead.” I mean, torrent apps like Transmission won’t get accepted by Apple for the App Store, so users have to download them from elsewhere, which exposes them to attacks that could have been avoided. Don’t you agree?
Note: Transmission v2.92 will automatically remove the malware’s “kernel_service” process and file.
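As an added example (not code from the original post or from the Transmission project), the following POSIX shell script does by hand the two checks discussed above: it pins the Developer ID Team ID of a downloaded .app and warns when the signer differs from the pinned one (the “has the certificate changed?” check the post wishes Gatekeeper performed), and it looks for the kernel_service process and file mentioned in the note (the ~/Library location is the one Unit 42 reported). The Team IDs, vendor names and the two sample codesign reports are constructed placeholders, not values captured from real binaries; on macOS, run it with the path to the mounted app as its argument.

```sh
#!/bin/sh
# Added example: pin the signing identity of a downloaded .app and look for the
# KeRanger "kernel_service" indicator. Not part of the original post or of
# Transmission. Team IDs and vendor names below are constructed placeholders.

# Team ID you expect the vendor to sign with. Placeholder (assumption): record
# the real value once, from a release you trust, using `codesign -dvv` on it.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# codesign writes its -dvv report to stderr; callers pass that text in on stdin.
# Prints the TeamIdentifier value. codesign prints "not set" for an ad-hoc
# signature; an unsigned binary produces no TeamIdentifier line at all.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Prints the leaf certificate subject (first Authority= line), e.g.
# "Developer ID Application: Some Vendor (ABCDE12345)".
extract_leaf_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Compare a codesign report against the pinned Team ID. Returns 0 only when the
# report carries exactly the expected TeamIdentifier; an unsigned app, an ad-hoc
# signature, or a *valid* Developer ID belonging to someone else all return 1.
# This is the "has the signer changed?" check Gatekeeper does not do.
signer_matches() {
    report="$1"
    expected="$2"
    actual=$(printf '%s\n' "$report" | extract_team_id)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full check on a real bundle (macOS only).
# Usage: check_app /Volumes/Transmission/Transmission.app
check_app() {
    app="$1"
    # spctl is Gatekeeper's assessment: it only says whether *some* valid
    # Developer ID signed the app, which is why the pin below is still needed.
    spctl --assess --type execute --verbose "$app" 2>&1
    report=$(codesign -dvv "$app" 2>&1 || true)
    leaf=$(printf '%s\n' "$report" | extract_leaf_authority)
    if signer_matches "$report" "$EXPECTED_TEAM_ID"; then
        echo "OK: signed by pinned team $EXPECTED_TEAM_ID ($leaf)"
    else
        echo "WARNING: signer changed or missing; leaf=${leaf:-none}, expected team $EXPECTED_TEAM_ID" >&2
        return 1
    fi
}

# Indicator check for the ransomware discussed above: KeRanger ran as a process
# named kernel_service and kept a file of that name in ~/Library (Unit 42).
# Optional argument overrides the home directory (used by tests).
keranger_indicator_present() {
    home="${1:-$HOME}"
    if ps -A -o comm= 2>/dev/null | sed 's#.*/##' | grep -qx kernel_service; then
        return 0
    fi
    [ -e "$home/Library/kernel_service" ]
}

# Constructed sample reports mimicking `codesign -dvv` output (not captured from
# real binaries). Only the fields this script reads are included.
SAMPLE_TRUSTED='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

SAMPLE_RESIGNED='Executable=/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Authority=Developer ID Application: Unrelated Company (ZYXWV98765)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZYXWV98765'

# Only touch codesign/spctl when an app path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

The second sample report is what a re-signed download looks like to codesign: every Authority line is legitimate and spctl accepts it, yet the Team ID differs from the one pinned from an earlier release, which is exactly the signal the post says Gatekeeper should have surfaced.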