Handbrake hit hard with malware on OSX

[tlink]

SOURCE

Handbrake their official download for mac was infected with malware, verify your checksums. If you've downloaded handbrake between 2 may and 6 may you have a 50% chance of it having a trojan of the OSX.PROTON verity embedded. Updates trough integrated application update scripts are not affected since they don't install if the download doesn't pass the checksum, unless you ran a version from before v0.10.5.

file:   Handbrake.dmg
SHA1:   0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Quote

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period.

To quickly see if you're infected, check if you have a process called "Activity_agent". According to the handbrake team themselves its 100% indicative of if you're infected or not.

 

What the malware actually tries to do is steal all your passwords, so you will have to change all passwords stored in your OSX keychain, and any other password storage if you want to be thorough.

 

How do you remove this malware? It appears to be pretty easy, see the quote below.

Quote

Removal

Open up the "Terminal" application and run the following commands:

• launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
• rm -rf ~/Library/RenderFiles/activity_agent.app
• if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then Remove any "HandBrake.app" installs you may have.

They also state that they will rebuild their download server completely from scratch so downloads will be slower and older versions of handbrake won't be available for download. This will cost time so there will be longer than expected downtime because of this, sounds like possibly something nasty is going on there server-side.

 

Personally i think browser should get integrated checksum checkers already, with them being able to provide a url for where to fetch the checksum to the browser manufacturer so they can find it hassle free. Wouldn't make it 100% secure but its better than people not doing it because humans are lazy fucks.
TL;DR quote:

Quote

Summary

• HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
• The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
• The Primary Download Mirror and website were unaffected.
• Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.
• Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases

 

[zMeul]

MACs don't get viruses

/s

[Droidbot]

Just now, zMeul said:

MACs don't get viruses

/s

but it's not a virus!1111!1! 1

it's a trojan

 

seriously had me scared, I installed sometime in April. fuck. 

[Space Reptile]

b-b-b-b-b-but mac´s dont get viruses

REEEE

 

(damn you zMeul)

[SCHISCHKA]

macs dont get viruses, macs get professionals who depend on Apple's whitelist to guard them against things that are outside of their profession. We know this because Apple's hardware lineup is shit for computer scientists! It seems handbrake is not on the apple whitelist and this is the risk you take. At least handbrake is opensource so you dont have to download the binaries.

This reminds me of the debian repo hack scare a few years back, as an over-reaction I almost switched to Gentoo.

[Daan101]

You nearly gave me a heartattack, i installed it yesterday, on windows... 

[vorticalbox]

43 minutes ago, zMeul said:

MACs don't get viruses

/s

 

41 minutes ago, Droidbot said:

but it's not a virus!1111!1! 1

it's a trojan

 

seriously had me scared, I installed sometime in April. fuck. 

By definition a virus, in computing, is a type of malware that can replicate and spread on its own. I worm is a good example. 

 

 

[Master Disaster]

48 minutes ago, vorticalbox said:

 

By definition a virus, in computing, is a type of malware that can replicate and spread on its own. I worm is a good example. 

 

 

Where as a Trojan is malware that hides itself in the background and does unscrupulous things behind your back.

 

2 hours ago, tlink said:

SOURCE

Handbrake their official download for mac was infected with malware, verify your checksums. If you've downloaded handbrake between 2 may and 6 may you have a 50% chance of it having a trojan of the OSX.PROTON verity embedded. Updates trough integrated application update scripts are not affected since they don't install if the download doesn't pass the checksum, unless you ran a version from before v0.10.5.

file:   Handbrake.dmg
SHA1:   0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

To quickly see if you're infected, check if you have a process called "Activity_agent". According to the handbrake team themselves its 100% indicative of if you're infected or not.

 

What the malware actually tries to do is steal all your passwords, so you will have to change all passwords stored in your OSX keychain, and any other password storage if you want to be thorough.

 

How do you remove this malware? It appears to be pretty easy, see the quote below.

They also state that they will rebuild their download server completely from scratch so downloads will be slower and older versions of handbrake won't be available for download. This will cost time so there will be longer than expected downtime because of this, sounds like possibly something nasty is going on there server-side.

 

Personally i think browser should get integrated checksum checkers already, with them being able to provide a url for where to fetch the checksum to the browser manufacturer so they can find it hassle free. Wouldn't make it 100% secure but its better than people not doing it because humans are lazy fucks.

 

Wouldn't help, if you've already breached the server to inject your malware then you could just as easily inject the fake SHAs/MD5s too. The browser would think it was normal and continue with the download.

[vorticalbox]

14 minutes ago, Master Disaster said:

Wouldn't help, if you've already breached the server to inject your malware then you could just as easily inject the fake SHAs/MD5s too. The browser would think it was normal and continue with the download.

There isnt really any defence agaisnt this sort of attack. Handbrake, being open source, means you can build from source whish would stop this sort of attack as you can see changes on github but who has time to build from source? 

 

I guess you could build a web application that gets the source from github and builds the binaries on the fly before serving them to user and this would allow for hashes to be made on the fly too. 

[Doobeedoo]

And I thought prices of them was due to how they can't get infected. 

 

 

/s

[tlink]

41 minutes ago, Master Disaster said:

Wouldn't help, if you've already breached the server to inject your malware then you could just as easily inject the fake SHAs/MD5s too. The browser would think it was normal and continue with the download.

yea i know that, but i meant as in a completely different server located on a completely different site. google would probably provide it as a service for free anyways so people can just push the update to there, just like the whole lets encrypt initiative. its by no means completely secure but its better than having the user do it manually which 99% won't.

[tlink]

1 hour ago, Daan101 said:

You nearly gave me a heartattack, i installed it yesterday, on windows... 

it still is kinda icky imo, they don't really know how it happened from the appearance of it so they're rebuilding their downloading infrastructure completely in the hope that that solves the problem i think (pure speculation)

[Master Disaster]

40 minutes ago, vorticalbox said:

There isnt really any defence agaisnt this sort of attack. Handbrake, being open source, means you can build from source whish would stop this sort of attack as you can see changes on github but who has time to build from source? 

 

I guess you could build a web application that gets the source from github and builds the binaries on the fly before serving them to user and this would allow for hashes to be made on the fly too. 

Then someone could attack the build server and have it inject malware as it was building instead.

 

As you said, there's no real way of stopping this from happening but @tlink idea of having an external server hosting hashes so a browser could check them at download is actually pretty secure. If the external host relied on a separate method of updating hashes (for when app updates are released) it would at least provide a 2 factor defense and while it wouldn't stop the attack from taking place it could help to stop users downloading hacked apps and alert devs much quicker when potential hacks occur.

[NumLock21]

Can we stop with these fake news, it's really hurting Apple.

[Treemasterx]

"Macs don't get viruses" meme really need to stop, its going to hurt Apple eventually rather than help.

[vorticalbox]

8 hours ago, Master Disaster said:

Then someone could attack the build server and have it inject malware as it was building instead.

 

As you said, there's no real way of stopping this from happening but @tlink idea of having an external server hosting hashes so a browser could check them at download is actually pretty secure. If the external host relied on a separate method of updating hashes (for when app updates are released) it would at least provide a 2 factor defense and while it wouldn't stop the attack from taking place it could help to stop users downloading hacked apps and alert devs much quicker when potential hacks occur.

could use github to hold the hashes then pull that data to the website. I don't think I have once check the hash of any file I've downloaded  

[mrchow19910319]

Last time transmission, this time handbreak. 

 

[mynameisjuan]

4 hours ago, NumLock21 said:

Can we stop with these fake news, it's really hurting Apple.

How is this fake news and how is this hurting them? 

2 hours ago, Treemasterx said:

"Macs don't get viruses" meme really need to stop, its going to hurt Apple eventually rather than help.

Going to hurt them? If they stop claiming it people will stop spewing it. OSX is secure due to it being based on UNIX. Other than that the devs a shit when it comes to fixing security holes.

[suicidalfranco]

inb4 Apple goes MS-retard and makes the App Store the only place where you can get apps

[NumLock21]

6 minutes ago, mynameisjuan said:

How is this fake news and how is this hurting them?

It's ruining their reputation.

*Poor Tim Cook is over there crying in the corner*

[Not_Sean]

19 minutes ago, suicidalfranco said:

inb4 Apple goes MS-retard and makes the App Store the only place where you can get apps

Lol, welcome Redsnow Mac Jailbreak  Can't have one without the other  

[SCHISCHKA]

10 hours ago, vorticalbox said:

There isnt really any defence agaisnt this sort of attack. Handbrake, being open source, means you can build from source whish would stop this sort of attack as you can see changes on github but who has time to build from source? 

 

I guess you could build a web application that gets the source from github and builds the binaries on the fly before serving them to user and this would allow for hashes to be made on the fly too. 

just teach software compiling to children in primary school

[SCHISCHKA]

55 minutes ago, mynameisjuan said:

Going to hurt them? If they stop claiming it people will stop spewing it. OSX is secure due to it being based on UNIX. Other than that the devs a shit when it comes to fixing security holes.

oh that is not a reason for being secure. unix certification doesn't mean security, it just means it complies with a really popular API

[SansVarnic]

"MAC's don't get Viruses" 

 

[Open the spoiler to be spoiled]

Spoiler

Leap

DNSChanger

RSPlug

Jahla

MacSweeper

Krowi

OpinionSpy

MacDefender

 MacProtector

MacSecurity

Flashback

Thunderstrike 2

Badusb

 

... just to name a few.

 

[BuckGup]

The whole Mac's don't get viruses is annoying me and I don't even care