HandBrake for Mac developers warn of potential trojan installation following server breach...

Posted in macOS
Mac users of HandBrake who downloaded the open source video transcoder since May 2 could have put their data at risk, after developers warned one of the mirror servers used to distribute the software had been hacked.

A post on the HandBrake forum reports that files served from the download.handbrake.fr mirror between May 2 and May 6 were compromised, with the tool replaced by a malicious file containing a trojan capable of providing root access. Anyone who installed HandBrake for Mac in this period is asked to verify their system is not infected with the trojan, with the developers suggesting users have a "50/50 chance" of being a victim if they downloaded the tool in that window.

The file in question, HandBrake-1.0.7.dmg, was replaced by a malicious file that does not match the SHA1 and SHA256 hashes of the original file, with users advised to verify the checksum of the file before running it. Another way to check for an infection is to search for a process called "Activity_agent" in the Activity Monitor.

The same HandBrake forum post gives commands to run in Terminal to remove the trojan if an infection has occurred, and advises removing any existing HandBrake installation before starting from scratch. Affected users are also advised to change their passwords in the OS X Keychain, as well as any stored in browsers.

HandBrake's developers have been informed that Apple is updating the definitions for XProtect as of May 6 to help combat the infection, with the new definitions rolling out to Mac desktops automatically.

Only one mirror hosted the infected file, which has been shut down for investigation, while the primary download mirror and the project website remain unaffected. Users who update via the built-in updater in version 1.0 or later are protected by DSA Signature verification, though those who used the updater in version 0.10.5 or earlier are still at risk of infection.

The malware is identified as OSX/Proton.A, a variant of the Proton trojan that surfaced in March being sold on Russian cybercrime forums, priced at $50,000. An infection of this trojan leaves the system open to a number of different potential actions by hackers, including keystroke logging, file uploads and downloads, taking screenshots and photos from webcams, and SSH and VNC connectivity.

Macs are generally considered to be more resilient to attacks than Windows systems, but the frequency of malware reports aimed at Mac users is slowly increasing, partly due to the popularity of the platform in security-minded fields. Members of the U.S. defense industry and human rights advocates were targets for an attack by the "MacDownloader" malware in February, disguised as a Flash Player Update.

Also in February was the discovery of an auto-running macro in a Word document, a revival of an old technique used to infect Windows systems, this time used against Macs. Later that same month, a Russian hacking group accused of interfering with the 2016 U.S. presidential elections was found to have updated the "Xagent" malware package, adding Macs to its roster of potential targets.

In April, the "Dok" malware was said to be the first "major scale" malware aimed at Mac owners via a "coordinated email phishing campaign," with the malware notably using a signed Apple developer certificate to bypass Apple's Gatekeeper protection. Earlier this month, it was discovered the "Snake" malware used to attack Windows users has been ported to Mac.

Comments

  • Reply 1 of 19
    frac Posts: 480 member
    Two words...Little Snitch
  • Reply 2 of 19
    suddenly newton Posts: 13,724 member
    The Mac is popular enough to attract the attention of hackers? What?? Steve Ballmer liked to call the Mac's market share a "rounding error," except when there was the threat of anti-trust action against Microsoft, then their party line was "but Windows is not a monopoly because Mac and Linux."
  • Reply 3 of 19
    macxpress Posts: 4,712 member
    The Mac is popular enough to attract the attention of hackers? What?? Steve Ballmer liked to call the Mac's market share a "rounding error," except when there was the threat of anti-trust action against Microsoft, then their party line was "but Windows is not a monopoly because Mac and Linux."
    This is why Steve Ballmer isn't in charge of Microsoft anymore. He always underestimated his competition, acting like Microsoft is so far on top they can never be dethroned. He has done more harm to Microsoft than anyone there. Very poor leadership skills, not an innovator at all, and just acts like some cocky HS football coach who hardly ever loses a game and thinks it's always gonna be that way, even with little to no effort.
  • Reply 4 of 19
    macplusplus Posts: 1,527 member
    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
  • Reply 5 of 19
    MacPro Posts: 17,868 member
    frac said:
    Two words...Little Snitch
    Exactamundo!
  • Reply 6 of 19
    MacPro Posts: 17,868 member

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    But it would prevent any malware communicating anything / anywhere.  Firewall in reverse as it were.  Little Snitch is invaluable.
  • Reply 7 of 19
    macplusplus Posts: 1,527 member
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    But it would prevent any malware communicating anything / anywhere.  Firewall in reverse as it were.  Little Snitch is invaluable.
    Until the next macOS update that may disable it...

    Besides, Mac malware is mostly installed by users' voluntary actions. Do you think that an average user who can't discern malware from a legit installer will be able to police network traffic via Little Snitch?

    There is only one way for average users to protect themselves from malware: enable Gatekeeper to install only applications from the Mac AppStore. This Handbrake case is a very didactic example of that.
  • Reply 8 of 19
    MacPro Posts: 17,868 member
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    But it would prevent any malware communicating anything / anywhere.  Firewall in reverse as it were.  Little Snitch is invaluable.
    Until the next macOS update that may disable it...

    Besides, Mac malware is mostly installed by users' voluntary actions. Do you think that an average user who can't discern malware from a legit installer will be able to police network traffic via Little Snitch?

    There is only one way for average users to protect themselves from malware: enable Gatekeeper to install only applications from the Mac AppStore. This Handbrake case is a very didactic example of that.
    Have you used Little Snitch? Updates to macOS wouldn't have the slightest effect on its ability to prevent outgoing, calling-home type malware. It's simple to use, too. I agree Gatekeeper is excellent too if not overridden; the snag is many of these nasty things talk users through how to disable Gatekeeper or at least give permissions, and people often follow the instructions. You can never protect against users ;).
  • Reply 9 of 19
    .
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    There is only one way for average users to protect themselves from malware: enable Gatekeeper to install only applications from the Mac AppStore. This Handbrake case is a very didactic example of that.
    No there isn't. Even this does not protect. Handbrake developers have done a great job for years. They are not for macOS exclusively. It is real freeware with no ads, so their budget is really zero and we can only thank them for their effort and clean software. I moved all my libraries to Apple TV thanks to them. Did Apple stop charging developers to be on their store? And let me remind you that developers do not need to use Apple software or development subscriptions to create software for Mac. Perhaps that is why they are not on the Apple App Store and prefer this way. After all, you can also run Handbrake on Linux and Windows - Apple does not own it in its ecosystem.
  • Reply 10 of 19
    macplusplus Posts: 1,527 member
    .
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    There is only one way for average users to protect themselves from malware: enable Gatekeeper to install only applications from the Mac AppStore. This Handbrake case is a very didactic example of that.
    No there isn't. Even this does not protect. Handbrake developers have done a great job for years. They are not for macOS exclusively. It is real freeware with no ads, so their budget is really zero and we can only thank them for their effort and clean software. I moved all my libraries to Apple TV thanks to them. Did Apple stop charging developers to be on their store? And let me remind you that developers do not need to use Apple software or development subscriptions to create software for Mac. Perhaps that is why they are not on the Apple App Store and prefer this way. After all, you can also run Handbrake on Linux and Windows - Apple does not own it in its ecosystem.

    That is the approach that creates a favorable environment for the spread of Mac malware. Handbrake developers have done a great job for years, but this incident shows that they are unable to protect even themselves from hacking, yet protect their users? I have used Handbrake since very early versions and this is the first time such an incident has happened. But it happened eventually. There is other great software by indie developers in the App Store based on ffmpeg; they perform very well with the App Store. Handbrake is not the only nail in the town...

    Edit: It is quality software with good granular control on the encoding process and if it goes to the AppStore I would pay without hesitation and recommend to everyone.
    edited May 2017
  • Reply 11 of 19
    wonkothesane Posts: 1,288 member
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    But it would prevent any malware communicating anything / anywhere.  Firewall in reverse as it were.  Little Snitch is invaluable.
    Wouldn't it be possible for a malware with root rights to modify the rule set of LS such that all connections would be allowed?
  • Reply 12 of 19
    sergioz Posts: 219 member

    I read this article and then I read the comments to understand how the average user protects themselves. Little Snitch is a great utility but it is as intelligent as you are. Sometimes you think you are allowing a legitimate connection but it could be a rogue server masquerading as a legitimate one. So the question is, how do you protect yourself? I recommend Cisco Umbrella Security https://umbrella.cisco.com; it's a cloud security service that will protect you from phishing, malware, and ransomware at the DNS level and it will even speed up your internet.

    edited May 2017
  • Reply 13 of 19
    rezwits Posts: 599 member
    Man it's getting real!
  • Reply 14 of 19
    shapetables Posts: 201 member
    At the end of the day, Handbrake is little more than a pretty terrible graphical user interface wrapped around the free ffmpeg utility. About the only thing in there that's original are the codec presets for transcoding media to playback on certain devices.
  • Reply 15 of 19
    avon b7 Posts: 3,180 member
    .
    MacPro said:

    frac said:
    Two words...Little Snitch
    That doesn't prevent infection.
    There is only one way for average users to protect themselves from malware: enable Gatekeeper to install only applications from the Mac AppStore. This Handbrake case is a very didactic example of that.
    No there isn't. Even this does not protect. Handbrake developers have done a great job for years. They are not for macOS exclusively. It is real freeware with no ads, so their budget is really zero and we can only thank them for their effort and clean software. I moved all my libraries to Apple TV thanks to them. Did Apple stop charging developers to be on their store? And let me remind you that developers do not need to use Apple software or development subscriptions to create software for Mac. Perhaps that is why they are not on the Apple App Store and prefer this way. After all, you can also run Handbrake on Linux and Windows - Apple does not own it in its ecosystem.

    That is the approach that creates a favorable environment for the spread of Mac malware. Handbrake developers have done a great job for years, but this incident shows that they are unable to protect even themselves from hacking, yet protect their users? I have used Handbrake since very early versions and this is the first time such an incident has happened. But it happened eventually. There is other great software by indie developers in the App Store based on ffmpeg; they perform very well with the App Store. Handbrake is not the only nail in the town...

    Edit: It is quality software with good granular control on the encoding process and if it goes to the AppStore I would pay without hesitation and recommend to everyone.
    The article does mention a checksum so that is a pretty good way of protecting its users.
  • Reply 16 of 19
    evilution Posts: 1,342 member
    At the end of the day, Handbrake is little more than a pretty terrible graphical user interface wrapped around the free ffmpeg utility. About the only thing in there that's original are the codec presets for transcoding media to playback on certain devices.
    and it's free and it works.
  • Reply 17 of 19
    evilution Posts: 1,342 member
    Just bought and installed Little Snitch just in case.
  • Reply 18 of 19
    evilution said:
    Just bought and installed Little Snitch just in case.
    A better solution is not to download the program from a mirror site. Little Snitch won't stop you from downloading and installing malicious software. If you are a regular user of Handbrake, and already using version 1.0 or later, then you never would have been vulnerable to this trojan horse. It only affected those that downloaded it for the first time from the infected mirror site.
  • Reply 19 of 19
    vulpine Posts: 61 member
    A better solution is not to download the program from a mirror site. Little Snitch won't stop you from downloading and installing malicious software. If you are a regular user of Handbrake, and already using version 1.0 or later, then you never would have been vulnerable to this trojan horse. It only affected those that downloaded it for the first time from the infected mirror site.
    Last Saturday morning I ran Handbrake 1.0.5 and it prompted me about a 1.0.7 update; I allowed it to self-update, and it downloaded the new version and then reported an error when trying to extract it. I tried again; same problem. So that's when I decided to download a fresh copy from the official site, and that's how I got hacked.

    Little Snitch wouldn't have helped me here, either - after I let it "install additional codecs" it would have told me there was communication with www.handbrake.biz, and I probably wouldn't have seen anything suspicious about that. Unless I had looked at the packets and noticed it was sending my admin password - but who's going to inspect every network packet your computer sends?