Possible Trojan after updating Mac-Version to 1.0.7
Possible Trojan after updating Mac-Version to 1.0.7
Are there any mac-users here that got a dialog box like this recently?
"Network Configuration needs to update DHCP setting. Type your password to allow this"
If so, you have got a trojan that steals your passwords.
Further information here:
https://apple.stackexchange.com/questio ... 821#282821
Re: Possible Trojan after updating Mac-Version to 1.0.7
Last edited by Anonymous on Mon May 15, 2017 8:37 am, edited 2 times in total.
Reason: Added Post Mortem
Re: Possible Trojan after updating Mac-Version to 1.0.7
Does anyone have any more information about the trojan?
I have data in ~/Library/VideoFrameworks but it seems to be primarily browser data from Firefox, Chrome, Opera and Safari.
I can't see any keychain related data, or screenshots.
I will consider my keychain data compromised regardless - but does this mean that data wasn't taken? I haven't entered my password into the DHCP prompt that comes up - does anyone know if this means the data that is in the folder hasn't been uploaded anywhere?
Does anyone know the implications of a compromised keychain file, and how insecure/secure it is?
Thanks
Re: Possible Trojan after updating Mac-Version to 1.0.7
As reported, it seems if you see a process called activity_agent, then you're infected. (I suspect it'll just send the keychain rather than copy it to the directory, but don't hold me to that. We don't have the capabilities to analyse this ourselves.)
The safest option for people who are affected is to assume the worst and reset / change passwords for everything affected.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I downloaded it during the affected time period onto a test computer, which happened to be logged into my Apple ID. I dragged the app from the DMG into the Applications folder. However, I never ran the app, and the computer was wiped before I heard about this on reddit. Since the computer was wiped, I have no idea if I downloaded the trojan version or not; however, if it was never run, should I be OK?
Re: Possible Trojan after updating Mac-Version to 1.0.7
If you never ran it you are OK.
Re: Possible Trojan after updating Mac-Version to 1.0.7
Hi there -
So I downloaded the infected copy, my checksum matches. But I have none of the listed folders present and activity_agent is not running. Should I be concerned? Or rather, how concerned should I be? I've deleted all files related to HandBrake.
Thanks!
Mike
Re: Possible Trojan after updating Mac-Version to 1.0.7
I ran this app from the DMG for which the SHA1 matches the trojan hash. But I ran it from the DMG and did not drag it to the disk. Am I infected or not? The files listed in the announcement do not exist!
Re: Possible Trojan after updating Mac-Version to 1.0.7
@folp If you opened the DMG but didn't run the app you should be OK, but if you opened HandBrake.app you'll be infected.
@wesley123 -> I don't think it matters if it's within the DMG. Once you've opened HandBrake.app and you've given it an admin password, your machine is compromised.
If you're in any doubt, open "Process Monitor" and look for "activity_agent" and follow the instructions here for removal.
viewtopic.php?f=33&p=170931#p170931
Re: Possible Trojan after updating Mac-Version to 1.0.7
Why don't I see any of the trojan files then? Does it delete itself after it is successful? I do use Little Snitch and I don't think I got an alert about it.
Re: Possible Trojan after updating Mac-Version to 1.0.7
Someone should run this in a VM immediately to see what it does after it got the password field filled, and if it even runs if it detects Little Snitch, if it deletes itself, etc.
Re: Possible Trojan after updating Mac-Version to 1.0.7
https://objective-see.com/blog/blog_0x1D.html Someone already has done some analysis.
Re: Possible Trojan after updating Mac-Version to 1.0.7
Says nothing about what it does after it's gotten what it needs. You guys should be doing the analysis anyway instead of letting others do the hard work.
Re: Possible Trojan after updating Mac-Version to 1.0.7
We are not malware or security experts. Security experts are looking at this and dissecting it. Messing with these things without the proper tools and experience (regardless of whether you're using a VM or not) is inherently dangerous, and failing to handle it properly puts others at risk.
From the link above wrote:
After deploying the RAT onto a victim's Mac, an attacker could allegedly gain complete remote access, including viewing the user's screen in real time, recording keystrokes, uploading the victim's files, downloading additional malware, accessing the webcam, issuing shell commands, and other nefarious things. More information can be found in this PDF report published by Sixgill (their accompanying blog post was offline at the time of this article's publication).
So, in short, it's no different to them having physical access to the machine. They've got full control.
Re: Possible Trojan after updating Mac-Version to 1.0.7
It isn't hard to put it in a VM and check what happens after they've got the keychain: do they delete the running process or not? That's what I need to know. I see I have /tmp/Handbrake.app but none of the other files are found on my system...
Re: Possible Trojan after updating Mac-Version to 1.0.7
The last reports we've had are that activity_agent is persistent on the system and doesn't delete itself, but I should point out that there is a person on the other end of this Trojan, so it's conceivable they could re-program or hide it remotely on demand.
There is also the possibility that the fact you ran it from the DMG in some way stopped it from executing its payload.
VMs are neither safe nor reliable for telling what a trojan does. Many detect the presence of a VM and don't behave the same, to avoid detection. Even isolating the thing from the internet to avoid infecting others may have an impact. There is also the risk that the Trojan can break out of the VM container that it's in. As I said, we are not malware experts, so messing with this thing really isn't smart.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I also hear a lot of trojans don't do anything when they see Little Snitch is installed, so that may be another factor to consider.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I've reached out to some contacts to see if I can get a better answer for you.
If you didn't get an Admin password prompt, then you may well be right that it detected Little Snitch.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I have a file that should be compromised, as its SHA matched your compromised key. But neither of the two mentioned files nor the process was there. Are you sure that all files matching the compromised SHA key were infected?
Re: Possible Trojan after updating Mac-Version to 1.0.7
Is it possible to be infected after auto-update? Or auto-update was not affected?
Re: Possible Trojan after updating Mac-Version to 1.0.7
Only if you had version 0.10.x and lower. Please note version 0.10.x and lower auto-update does not work on macOS Sierra. HandBrake 1.0 and later checks the downloaded file signature before replacing the existing app.
See the forum announcement for more info.
Re: Possible Trojan after updating Mac-Version to 1.0.7
…if you don't care to scroll up
Re: Possible Trojan after updating Mac-Version to 1.0.7
I was unfortunate to fall victim to this. I have removed as directed, but am wondering a few things.
My computer was not restarted and I was the only user logged in from install until I learned of the virus. I did enter my admin password when prompted for "additional codecs".
I know I need to change my login for this computer, and passwords stored in my keychain.
Do any of the other users who were not logged into this computer need to change all their passwords as well?
Anything else I should know?
Re: Possible Trojan after updating Mac-Version to 1.0.7
folp wrote: ↑Sun May 07, 2017 4:08 pm
Hi there -
So I downloaded the infected copy, my checksum matches. But I have none of the listed folders present and activity_agent is not running. Should I be concerned? Or rather, how concerned should I be? I've deleted all files related to HandBrake.
Thanks!
Mike
Same here. I was on OS X 10.8.5 and, despite getting the infected DMG and giving it my password, I've seen none of the other symptoms. I was about ready to wipe the computer anyway, so I've since reformatted the HD, reinstalled the OS and changed the passwords that were in my keychain. But I'd still like to know if they actually got anything from me.