Trojan Found In Official Handbrake Downloads For Mac
- Trojan Found In Official Handbrake Downloads For Mac
- Trojan Found In Official Handbrake Downloads For Mac Windows 10
- Trojan Found In Official Handbrake Downloads For Macbook Pro
Handbrake’s Server Compromised, Download Installs Complex Trojan Posted on May 7th, 2017 by Handbrake, a popular open source video encoder, this weekend saying that their mirror download server was compromised. Anyone who downloaded Handbrake between May 2 and May 6 potentially grabbed a version that was infected with malware. Anti-virus identifies and eradicates this malware as OSX/Proton.B. What is the infection vector? Only those that downloaded Handbrake from their mirror server (download.handbrake.fr) received the malicious application. It was not distributed on any other websites.
How does Proton install? The Handbrake application arrives in a.dmg file as expected, and upon opening the file, nothing suspicious can be seen. The user will drag Handbrake to their Applications folder and launch it. At this point, the application does something unusual, which will immediately stick out to long time Handbrake users: It asks for administrator privileges. Under the guise of needing to install additional codecs, a malicious payload is installed instead. Once the password is entered, Handbrake will launch and it appears to be business as usual. In the background, however, a backdoor was installed, named 'activityagent.'
The backdoor was observed contacting 85.17.25.66, which is the IP address that hosts the handbrake website. The compromised server could have been used as a Command and Control (C&C) server as well. The backdoor application activityagents is placed in Users.your user. Library RenderFiles, and it is kept alive through restarts with a simple LaunchAgent. Keychain data, Safari stored form data, and Safari cookies are collected, compressed and stored on the system for later upload.
The activityagent does not appear to upload or download any data during our testing. Google Chrome, Firefox, Opera and likely other browsers are raided for sensitive information. Should Mac users be concerned about Proton? The malicious payload runs on any Mac with OS X 10.7 or newer.
May 8, 2017 - Hackers last week replaced the latest Mac version of the HandBrake. If the trojan is found to be present, the procedure for removing it is. The malicious installer's checksum hashes don't match those of the official version,. The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked. May 8, 2017 - If you downloaded the popular video converter Handbrake last week, your Mac may be infected with a nasty trojan. Developer's productivity tools for mac free. The developer said over the.
At the time of writing, the malware does not appear capable of uploading the sensitive user data to its server, but we should assume that it did successfully do so in the May 2-6 timeframe. Handbrake offers the following advice in its forum post: Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores.
Good advice seeing as all the stored names, passwords, form data, and more, could now be in the hands of the bad guys. Handbrake notified Apple whom late afternoon added the signature to its XProtect database as OSX.Proton.B. Unfortunately, even with the latest XProtect update in place, Proton still installed and ran just fine, though some other researchers have reported that XProtect did in fact stop the DMG from being opened. However, without a server to offload its collected data to, it is currently not a major threat.
Trojan Found In Official Handbrake Downloads For Mac
What is worrying, however, is the way the attackers went about this. As with Transmission, not but, the download server was compromised and the application available for download was replaced with a malicious one. Going after servers, which are typically not updated or patched as often as they should be, will result in less users downloading your malware, but the fact that it comes from a trusted source will make those users not suspicious at all. If a user is not suspicious, they won't go looking for malware, and malware that goes undetected longer is typically more successful. If this becomes a trend, and even the servers of the trusted source can no longer be trusted, we may very well be in trouble.
One way to verify if the file you downloaded is the real deal, is by comparing checksums. In Handbrake's case, they maintain for available downloads, so anyone can verify the download is compromised. In reality, very few people actually do this, and a lot of websites that distribute software don't even offer these checksums for you to verify. Apple used to offer these checksums on their, but has since stopped doing so as well. For websites that do offer these checksums, verification is easy. Open the Terminal application (Applications Utilities) and type the following (include a space at the end): openssl sha1 Now, simply drag and drop the downloaded file onto the Terminal window and hit enter.
In the case of the malicious Handbrake download, this is the result: intego$ openssl sha1 /Users/intego/Desktop/HandBrake-1.0.7.dmg SHA1(/Users/intego/Desktop/HandBrake-1.0.7.dmg)= 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 According to the Handbrake website the SHA1 checksum for this download should be '75c6204d7bd7d9c6e5b1fedb56697ae2f3857789,' they clearly do not match up. If any user got infected with Proton through Handbrake, they did not run this simple security check. How to tell if your Mac is infected (and removal instructions) Open Activity Monitor and search for a process named 'Activityagent.'
If this process is running, your Mac is infected. Click the process, and then close it with the X button in the menu bar. To clear the infection off your Mac, browse to the following folders and trash the following files:.
Applications - Delete the Handbrake application. Users.you.
Library VideoFrameworks - Delete this folder and everything in it. Users.you. Library RenderFiles - Delete the activityagent application.
Trojan Found In Official Handbrake Downloads For Mac Windows 10
Users.you. Library LaunchAgents - Delete ' fr.handbrake.activityagent.plist' and ' fr.handbrake.activityagent.plist-e'. Users.you.
Library Caches fr.handbrake.activityagent - Delete the folder With those files deleted, empty the trash and restart your Mac. Double-check the same locations again after the restart to ensure the infection is indeed cleared.
If a warning shows that some items cannot be deleted, because they are in use, you'll be able to empty the trash after the restart. For Intego's Mac anti-virus customers, protection comes in the form of updated malware definitions, which will detect and remove all of the Proton files. Proton components are detected by as OSX/Proton.B.
Trojan Found In Official Handbrake Downloads For Macbook Pro
How to protect yourself from Proton When the official server of the trusted source has been compromised, and the malware is coded to act much like the real application, there is very little to warn you something is amiss. Verifying your downloads will be the only way you can be sure the download was not compromised. Using the built-in updater, if an application provides one, is typically the best way to receive updates for an application. There is much still to be discovered about Proton.B as it is far more complex than it appears.
This malware is still under investigation and as new details emerge we will update this story. About Jay Vrijenhoek Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog. Follow him on Twitter at. This entry was posted in and tagged,.
Bookmark the. I ran a check earlier today and Virus Barrier flagged a file in VMWare Fusion as infected with OSX/Proton.B. It was Applications VMWare Fusion.app Contents Library isoimages tools-key.pub I did not download handbrake to my knowledge nor see its.dmg. I didn’t see any of the files mentioned here. After letting Virus Barrier repair the file, which then read 0 bytes, I trashed the VMWare Fusion app. I do have 2 folders named HandBrake and HandBrake71 but they have creation dates from 2011 and 2012.
Maybe they were from VLC Lan or Mamp? Hi Jay – I’m a novice computer user and have been doing lots of research on how to take our DVD collection and move all to digital.
Many articles suggest hand brake, your arcticle on the process was incredible helpful. So I went to look at starting and found this Trojan warning on the website. As someone that blindly assumed what I was told that macs can not get viruses. How does one go about knowing their download is safe?
This find made me want to go back to my App Store ways and not venture out of my safe little box.