Handbrake warns Mac users after mirror download server hack

HandBrake official blog reports:

Anyone who has downloaded HandBrake for Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / SHA256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance of being affected if you downloaded HandBrake during this period.

Detection

If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected.

For reference, if you’ve installed a HandBrake.dmg with the following checksums, you are also infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON.

Removal

Open up the “Terminal” application and run the following commands:
• launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
• rm -rf ~/Library/RenderFiles/activity_agent.app
• if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Then remove any “HandBrake.app” installs you may have.

Further Actions Required

Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores.

Apple

We have been informed that the process to update the definitions for OSX’s XProtect feature started this morning, so this should start rolling out to machines automatically soon if not already.

Summary
• HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our GitHub Wiki, which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
• The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
• The Primary Download Mirror and website were unaffected.
• Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA signature and will not install if they don’t pass.
• Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification, so if you updated through one of these older releases you should check your system.

When relevant information becomes available we will update this post.

Notices
The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load. During this time, old versions of HandBrake will not be available.

Direct link to article here.

[Thanks to MacDailyNews Readers “Fred Mertz” and “Frank Piccolo” for the heads up.]

18 Comments

    1. Proton is a RAT or Remote Access Trojan horse. It is installed into the Root of macOS (OS X) and allows access to the entire Mac from a remote location.

The term ‘virus’ refers to only one kind of malware. Technically, there are no ‘viruses’ for Mac. Most Mac malware are Trojan horses, inadvertently installed by the Mac user. In the case described here, the Proton RAT Trojan is embedded into a fake HandBrake installer that replaced the real installer on one specific mirror server in France that had been cracked by bad guys, aka Black Hats.

      1. You must be kidding.

        A Trojan horse IS a VIRUS.

        Anti-virus software is precisely what is used to remove them!!!

There have been viruses on Mac and virtually every version of iOS for decades!

        Sorry to bust your bubble, mister know nothing about technology!

        🙂 🙂 🙂

        1. No, a trojan horse is a type of malware.

          ‘Malware’ is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.

          The key difference between a virus and a trojan horse is that a virus is self-replicating and can modify other programs, spreading the virus across a system and along media used in the system, and thus other systems.

          A trojan is exactly what Derek Currie said it was.

          “There has been viruses on Mac and virtually every version of iOS for decades!”

          Go ahead and try to name or point to a list of them.

          1. So mister smarty pants, tell me what is the name of the software that is used to detect and remove Trojan horses?

            Hint: anti-virus software

            1. What Mac software do you use to purchase and rent movies from Apple? Hint: iTunes. And the software I use is MalwareBytes, which specifically says it’s anti-malware software which covers viruses, trojans, and others.

Norton, Kaspersky, AVG, all make a point of distinguishing the different classes of malware, of which viruses and trojans are two different subsets.

              Look, you started this by trying to correct (and insult) someone who specifically said, “The term ‘virus’ refers to only one kind of malware. Technically, there are no ‘viruses’ for Mac. Most Mac malware are Trojan horses”

              That is absolutely correct. Don’t believe us though, check out:
              https://en.wikipedia.org/wiki/Malware

              Still waiting for that list of Mac and iOS viruses.

2. If you have never seen a virus on a Mac or iOS device, perhaps you should install anti-virus software immediately!!!

            You do realize that without anti-virus software, you will never be able to detect any viruses (or malware)!

            Saying that there are no viruses on Apple computers (or any other Apple device) while not having any anti-virus software to detect such viruses is ridiculous and plain stupid.

            In fact, it’s just as stupid as saying that there are no criminals in our city, that’s why we don’t need the police!!!

            That’s why every serious IT expert thinks so-called Apple technology experts are a little chump, and that’s to say the least.

            1. Where did I, or anyone else say there wasn’t any Mac malware? We’re sitting here commenting on an article about a known malware incident for the Mac.

              I don’t know if English isn’t your native language, and if that’s what your problem is, but you’re simply not grasping the difference between a subset and superset. See:
              https://en.wikipedia.org/wiki/Subset

              All viruses are malware. All trojans are malware. Not all trojans are viruses (in fact, no trojans are viruses). You’re just woefully misinformed about this or don’t understand basic logic.

              Again.. waiting for that list of Mac and iOS viruses…

        2. Semantics. Words are symbols. Big deal, etc.

          But no. Malware is the overall category. Viruses are a subcategory. Viruses are self-replicating as well as maliciously destructive. Worms are self-replicating but not deliberately malicious. Trojan horses are not self-replicating, but instead specifically require the user to install them, typically through the use of social engineering. Then there are spyware, adware, crapware and PUPS (potentially unwanted programs)

          There are still plenty of people and companies that stick to the antiquated term ‘virus’ to cover the entire field of malware. But all they’re doing is confusing people, such as yourself.

          I have an extensive science background, so I get to play at being a stickler.

          This page provides a definition for ‘malware’ and offers links with definitions to the most common types of malware:

          https://techterms.com/definition/malware

          My common refrain:
          We never know everything about anything.

        3. BTW: I collect and keep track of all malicious malware for Macs. Since the beginning of macOS (Mac OS X) there have been a total of 136 different ‘species’ or kinds of malware for Mac. Within each kind there are often a number of varieties.

          Currently, we are keeping an eye out for new varieties of four different malware that have been attacking Macs. They are:

          – Komplex (a Trojan)
          – Findzip (Trojan ransomware)
          – Proton (a RAT or remote access Trojan)
          – Dok (another Trojan)

          It is still common to find Trojans buried in fake Adobe Flash installers and warez (cracked software) around the net. Phishing attacks are currently extreme and again result in the installation of Trojans.

          If you want more information on Mac security, please ask. If you click my avatar, it will take you to my profile where you’ll find a link to my Mac-Security blog, which I’ve been writing for over 10 years.

        4. Oh and iOS ‘viruses’ (malware). I have a list of 9 kinds at this time. None of them are active on up-to-date iOS devices. There were also a couple proof-of-concept malware used to cattle prod Apple into better vetting apps submitted to the App Store. Of the actual malware, all are Trojans. All but, I believe, three of them required a user to have jailbroken their iOS device. The biggest weakness in iOS app security is Apple’s policy regarding Enterprise developer security certificates, which have in the past been stolen and applied to malware apps.

  1. NDW,

It sounds like you’re OK. Note: this warning was for a specific download period, so if you downloaded HandBrake before this then you’re OK. And for what it’s worth I still ran the scripts even though I downloaded the current version weeks ago.

    In addition I run Avast (for viruses) in the background and have a copy of MalwareBytes (for malware) which I run from time to time as well. Better to be safe than sorry.
