Possible Trojan after updating Mac-Version to 1.0.7

HandBrake for Mac support
justhereforaq
Posts: 2
Joined: Tue May 09, 2017 1:12 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by justhereforaq »

Can someone from the HandBrake team provide any details on how many people potentially downloaded the infected DMG?

Wanting to know if I'm one in hundreds or thousands.
Deleted User 11865

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by Deleted User 11865 »

Potentially 18,000 infected downloads, IIRC.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

According to analysis done by Objective-See, the keychain etc. was uploaded to the infected HandBrake download server. So HandBrake team, have you done any forensics on this server? Does it still contain the files? How many were uploaded? etc. What is the current status of your investigation?
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Also, for the others that opened the infected file and did not have any sign of it on their computer: do you have Little Snitch?
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

I meant Intego:

https://www.intego.com/mac-security-blo ... ex-trojan/

Once the password is entered, Handbrake will launch and it appears to be business as usual. In the background, however, a backdoor was installed, named "activity_agent." The backdoor was observed contacting 85.17.25.66, which is the IP address that hosts the handbrake website. The compromised server could have been used as a Command and Control (C&C) server as well.
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

That IP is not one of ours. Going to query the host about it though.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Yes, it needs to be shut down immediately.
red07
Posts: 2
Joined: Tue May 09, 2017 10:59 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by red07 »

wesley123 wrote: Tue May 09, 2017 6:33 am Also, for the others that opened the infected file and did not have any sign of it on their computer: do you have Little Snitch?
I can confirm that I have Little Snitch installed and had no "activity_agent" task and none of the mentioned files installed. But can someone confirm that no task and no files on the Mac means that I have always been trojan-free?
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

I wonder what is being done to contact the users that have downloaded this malware, apart from just a press release? It looks like there is very little discussion for 18,000 possible infections.

Is there an update notice for those that installed it, etc.? Or did the hacker prevent update notices from being shown? (If he was smart, of course he would.)
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

red07 wrote: Tue May 09, 2017 11:08 am
wesley123 wrote: Tue May 09, 2017 6:33 am Also, for the others that opened the infected file and did not have any sign of it on their computer: do you have Little Snitch?
I can confirm that I have Little Snitch installed and had no "activity_agent" task and none of the mentioned files installed. But can someone confirm that no task and no files on the Mac means that I have always been trojan-free?
Check Little Snitch to see whether you approved HandBrake to allow all external connections or not, or whether you approved it to access the IP listed above. Also check for activity_agent in Little Snitch.

It's possible that after the hacker got the files, he will delete the malware to avoid detection. Of course, then he cannot use the other features of the trojan, which is full takeover of the system.
red07
Posts: 2
Joined: Tue May 09, 2017 10:59 am

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by red07 »

wesley123 wrote: Tue May 09, 2017 3:56 pm
red07 wrote: Tue May 09, 2017 11:08 am
wesley123 wrote: Tue May 09, 2017 6:33 am Also, for the others that opened the infected file and did not have any sign of it on their computer: do you have Little Snitch?
I can confirm that I have Little Snitch installed and had no "activity_agent" task and none of the mentioned files installed. But can someone confirm that no task and no files on the Mac means that I have always been trojan-free?
Check Little Snitch to see whether you approved HandBrake to allow all external connections or not, or whether you approved it to access the IP listed above. Also check for activity_agent in Little Snitch.
Didn't allow any connection for HandBrake; can't see any process called "activity_agent".
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

According to analysis done by Objective-See, the keychain etc. was uploaded to the infected HandBrake download server. So HandBrake team, have you done any forensics on this server? Does it still contain the files? How many were uploaded? etc. What is the current status of your investigation?
I think you mean Intego, but regardless, it's not our server so it's not possible for us to do any analysis on it. We neither own the server nor the IP address in question. You'll notice it has a redirect to handbrake.fr, which is probably what fooled Intego. The machine is on an entirely different web host from us. We have, however, contacted LeaseWeb since the IP is in their range and await their feedback.

If any more pertinent information becomes available, we'll post it in the announcement thread.
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

red07 -> It's impossible to say with 100% certainty, but it appears you've lucked out if you don't see any signs of it in /tmp/ or the directories listed.

There are a few reports now that it doesn't work correctly when Little Snitch is installed. If there was no admin prompt, it's another good sign.

Regardless, it wouldn't hurt to change passwords etc. on the off chance anything leaked out.
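As an added example (not code from this thread or from the HandBrake project), a read-only shell check that looks for the signs discussed above: a running activity_agent process, files with that name under /tmp, and live connections to 85.17.25.66. Scanning the user's LaunchAgents folder is my assumption of a place worth looking, not a path the thread gives.

```shell
#!/bin/sh
# Added example, not code from the HandBrake team or from this thread: a
# read-only check for the signs the thread discusses, so a user can answer
# "was I infected?" more systematically than eyeballing Activity Monitor.
# Indicators taken from the thread: a process named "activity_agent", files
# with that name under /tmp, and sockets to 85.17.25.66 (the address quoted
# from the Intego write-up). Looking in ~/Library/LaunchAgents is my
# assumption (a usual persistence location), not a path the thread names.
# Needs only POSIX sh plus ps/pgrep, find and netstat, which macOS ships.

IOC_PROCESS="activity_agent"
IOC_IP="85.17.25.66"

# 0 if a process with exactly this name is running, 1 otherwise.
proc_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x -- "$1" >/dev/null 2>&1
    else
        ps -eo comm= 2>/dev/null | sed 's#.*/##' | grep -qx -- "$1"
    fi
}

# Print every path under the given directories whose name contains the
# indicator (case-insensitive); missing directories are skipped silently.
find_ioc_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 3 -iname "*${IOC_PROCESS}*" 2>/dev/null || true
    done
}

# 0 if any current socket involves the indicator address, 1 otherwise.
conn_to_ioc() {
    netstat -an 2>/dev/null | grep -q -- "$IOC_IP"
}

# Count how many indicator classes fire (0..3) for the directories given as
# arguments (default: /tmp and the user's LaunchAgents folder). 0 matches
# what s55 calls a good sign; anything else is a reason to follow the removal
# thread and rotate passwords, but is not proof of infection on its own.
count_indicators() {
    [ $# -eq 0 ] && set -- /tmp "$HOME/Library/LaunchAgents"
    n=0
    proc_running "$IOC_PROCESS" && n=$((n + 1))
    [ -n "$(find_ioc_files "$@")" ] && n=$((n + 1))
    conn_to_ioc && n=$((n + 1))
    echo "$n"
}

if [ "$(count_indicators)" -eq 0 ]; then
    echo "none of the thread's indicators are present right now"
else
    echo "indicator(s) present; see the removal thread and change passwords"
    find_ioc_files /tmp "$HOME/Library/LaunchAgents"
fi
```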
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

Some further comments regarding security.

Perfect security is a pipe dream. Someone with the skills and determination is going to stand a good chance against any website they pick.
What we can do is mitigate the risks and make it as hard as possible by following good security practices, but we can't eliminate those risks.

All it takes is a security hole in one piece of software we run, for example the nginx web server or this forum (phpBB), and the whole system collapses.

I'll note some examples of security upgrades we did last year:

  • Retiring old services that posed a fairly high risk (Trac, Reviewboard) in favour of GitHub, for exactly the reason listed right above.
  • Our servers are kept up to date with available software updates.
  • Everything is secured with strong random passwords and, where applicable, public-key crypto.
  • Switching to Let's Encrypt since our old SSL authority wasn't as trustworthy as it once was.
  • Reworked the TLS configuration to allow us to achieve an A+ SSL Labs report (https://www.ssllabs.com/ssltest/analyze ... .42&latest)
  • Full server vulnerability scans have been conducted and issues found fixed.
  • DSA signatures on the update checker were added starting from 1.0.0 (and saved quite a few people from this trojan).
What we are working on now:
  • Better reporting and monitoring infrastructure, as it took far too long for the issue to be detected. We've already got a temporary solution in place that's monitoring the site and all our downloads, but are working towards a better solution.
  • Better isolation of our services to reduce the risk of a service compromise allowing access to other services. Anything else we can offload we will, but there are significant security considerations to take care of when offloading to 3rd-party services.

Will we be done after that? No. Of course not. Security is an ongoing challenge. There are new vulnerabilities coming out daily. Last year we had to make numerous software upgrades and configuration changes to protect against various types of attacks. We are moving to new infrastructure and implementing the best practices available now, but those will not be best practices forever, so we have to continually adapt.

This wasn't a lack of us caring about security. If you watch our server logs, you'll see at any point in the day there are literally dozens of break-in attempts: brute-force password attacks, vulnerability scans, actual known-vulnerability attacks (these fail because we patch our software) and so on.
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

Why do I not hear you say "buy an Apple developer certificate and sign our releases, as we should have been doing for years, sorry about this" as well as "move to GitHub to host our releases as there is no reason whatsoever to host it on our own servers, which will undoubtedly get hacked again"?
wesley123
Posts: 19
Joined: Sun May 07, 2017 4:10 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by wesley123 »

s55 wrote: Tue May 09, 2017 6:33 pm red07 -> It's impossible to say with 100% certainty, but it appears you've lucked out if you don't see any signs of it in /tmp/ or the directories listed.

There are a few reports now that it doesn't work correctly when Little Snitch is installed. If there was no admin prompt, it's another good sign.

Regardless, it wouldn't hurt to change passwords etc. on the off chance anything leaked out.
I do see /tmp/handbrake.app in the tmp directory, but none of the other things. But maybe that's because it is opened from a DMG? Is it copied to /tmp then?
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

Why do I not hear you say "buy an Apple developer certificate and sign our releases, as we should have been doing for years, sorry about this" as well as "move to GitHub to host our releases as there is no reason whatsoever to host it on our own servers, which will undoubtedly get hacked again"?
The volume of downloads we do is too large for GitHub to host. We'd end up with our account suspended pretty quickly. There are very few web hosts that will do our traffic levels for free, and certainly none that I would trust. VideoLAN has reached out and we'll have a discussion with them, but it doesn't really solve the mirror compromise problem. (Neither does moving to GitHub; it could still happen there.) For example: https://github.com/blog/2190-github-sec ... ord-attack (this isn't the only example of GitHub being compromised, or accounts on there being compromised).

We are working to try to get a Developer ID, but it's not as simple as going out and buying one. An organisation must be verified, and you can't be verified if you're not a legal entity, which we are not. We are looking at a few options at the moment (including possibly using VideoLAN infrastructure for hosting/signing), but that's not something that will happen immediately as it requires a lot of work and an agreement to be in place first.

There seems to be a misconception that a Developer ID would have solved this problem. It wouldn't have. It's solving a different security problem. Even if we were signed, we wouldn't have had our cert compromised, so Apple revoking it wouldn't have made a difference. Apple doesn't verify that the binary is safe. (Only Mac App Store binaries have verification done on them.) Currently Apple doesn't allow GPL apps in the App Store, so that is not an option for us.

None of the above is an exhaustive list. I didn't mention it, but the app is signed with a GPG key, for example. (Info on GitHub. Rollout to the main site in due course.)
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

I just ran the app from within a DMG. No copy in /tmp.
inkling102
Posts: 1
Joined: Thu May 11, 2017 4:08 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by inkling102 »

Hi,

My laptop was infected recently when I downloaded HandBrake. When I found out, I turned off the Wi-Fi on my computer. Then I checked and saw that activity_agent was present in Activity Monitor, which is how I know the computer was infected. I then restarted the laptop (still with the Wi-Fi off) and now I'm not seeing activity_agent.

I deleted Handbrake. Then I followed the instructions for removal at: viewtopic.php?f=33&t=36364

Does that mean the trojan is gone? How can I know?

Thanks very much for your help!
timsutton
Posts: 6
Joined: Sun Nov 10, 2013 8:30 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by timsutton »

I'd be interested to know if the HandBrake developers would consider signing the Mac app using a Developer ID given this recent security issue. Granted it's not a magic bullet, but it at least adds some additional protections - Gatekeeper would warn if it's not signed with a valid dev cert, and Apple has an additional kill switch in addition to XProtect with the ability to revoke the cert serial if it's been compromised.
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

@timsutton -> See the download page for details on the GPG-signed binaries. It's not quite as friendly as Developer ID, but it's a way of authenticating that it comes from us and not a malicious 3rd party. The Mac tooling for GPG is actually reasonably usable.

We are trying to get a Developer ID cert, but it's problematic when you're not a legal entity. Setting up a legal entity has all sorts of legal, contractual (in terms of our real-life employment; HandBrake is a hobby project done in free time) and cost factors that all need to be resolved, across several people, in several countries. We are looking at one option now; failing that, VideoLAN has reached out and we'll see if we can reach an agreement with them. (It won't be a simple "here you go". There's a chain of trust, build servers and other infrastructure to set up, so it'll take time if we go down this road.)

Finally, the problem with Developer ID is that a malicious party still has a window of opportunity which, if unnoticed, can be several days before their telemetry picks it up. So as I indicated earlier, we are putting new measures in to alert us when something is wrong much, much quicker than we had before the attack.

@inkling102 -> You should now be clean, but it's worth monitoring if you're not going to do an OS reinstall. Even running an AV scan (many seem to have definition updates now).
timsutton
Posts: 6
Joined: Sun Nov 10, 2013 8:30 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by timsutton »

@s55 -> These reasons all make sense to me and I appreciate your prompt response! I imagine that in some cases small teams or OSS projects punt and use a single-user membership, but I imagine that this may violate the agreement. I don't know what (if any) recommendations Apple has made before to other open source projects which aren't represented by a legal entity.
timsutton
Posts: 6
Joined: Sun Nov 10, 2013 8:30 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by timsutton »

For completion's sake, I now also see the other discussion happening on the GitHub issue: https://github.com/HandBrake/HandBrake/issues/619
fibruve
Posts: 3
Joined: Thu May 11, 2017 8:31 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by fibruve »

s55 wrote: Tue May 09, 2017 7:29 pm Apple doesn't verify that the binary is safe. (Only Mac App Store binaries have verification done on them.)
I thought that Gatekeeper verifies that a binary has not been altered since signing.
Is that not the case?
s55
HandBrake Team
Posts: 10350
Joined: Sun Dec 24, 2006 1:05 pm

Re: Possible Trojan after updating Mac-Version to 1.0.7

Post by s55 »

@fibruve -> Let me clarify: I was referring to approval of the code, not how Gatekeeper works. When you submit to the Mac App Store, your application is checked by automated means and potentially by humans to make sure it meets Apple's guidelines and isn't malicious. However, with Developer ID, a malicious party can sign a trojan and distribute it directly to you. Apple isn't involved in checking it. All they can do with Developer ID is revoke the cert and update XProtect. This can take several days, which means the malicious party has a window of opportunity. The moment you're infected, it's game over. It's too late.

I wasn't referring to the checks the operating system does to verify it's not been tampered with.