Possible Trojan after updating Mac-Version to 1.0.7
Re: Possible Trojan after updating Mac-Version to 1.0.7
Can someone from the handbrake team provide any details on how many people potentially downloaded the infected dmg?
Wanting to know if I'm 1 in 100s or 1000s
Re: Possible Trojan after updating Mac-Version to 1.0.7
Potentially 18,000 infected downloads, IIRC.
Re: Possible Trojan after updating Mac-Version to 1.0.7
According to analysis done by Objective-See, the keychain etc. was uploaded to the infected HandBrake download server. So HandBrake team, have you done any forensics on this server? Does it still contain the files? How many were uploaded? etc. etc. What is the current status of your investigation?
Re: Possible Trojan after updating Mac-Version to 1.0.7
Also, for the others that opened the infected file and did not have any sign of it on their computer: do you have Little Snitch?
Re: Possible Trojan after updating Mac-Version to 1.0.7
I meant intego:
https://www.intego.com/mac-security-blo ... ex-trojan/
Once the password is entered, Handbrake will launch and it appears to be business as usual. In the background, however, a backdoor was installed, named "activity_agent." The backdoor was observed contacting 85.17.25.66, which is the IP address that hosts the handbrake website. The compromised server could have been used as a Command and Control (C&C) server as well.
Re: Possible Trojan after updating Mac-Version to 1.0.7
That IP is not one of ours. Going to query the host about it though
Re: Possible Trojan after updating Mac-Version to 1.0.7
yes it needs to be shut down immediately.
Re: Possible Trojan after updating Mac-Version to 1.0.7
I can confirm that I have installed Little Snitch and had no "activity_agent" task and none of the mentioned files installed. But can someone confirm that no task and no files on the Mac means that I have always been trojan-free?
Re: Possible Trojan after updating Mac-Version to 1.0.7
I wonder, what is being done to contact the users that have downloaded this malware, apart from just a press release? Looks like there is very little discussion for 18,000 possible infections.
Is there an update notice for those that installed it, etc.? Or did the hacker prevent update notices from being shown? (If he was smart, of course he would.)
Re: Possible Trojan after updating Mac-Version to 1.0.7
Check Little Snitch to see if you approved HandBrake to allow all external connections or not, or if you approved it to access the IP listed above. Or check for activity_agent in Little Snitch also.
It's possible that after the hacker got the files, he will delete the malware to avoid detection. Of course, then he cannot use the other features of the trojan, which is full takeover of the system.
Re: Possible Trojan after updating Mac-Version to 1.0.7
wesley123 wrote: ↑Tue May 09, 2017 3:56 pm
Check Little Snitch to see if you approved HandBrake to allow all external connections or not, or if you approved it to access the IP listed above. Or check for activity_agent in Little Snitch also.

Didn't allow any connection for HandBrake, can't see any process called "activity_agent".
Re: Possible Trojan after updating Mac-Version to 1.0.7
I think you mean Intego, but regardless, it's not our server, so it's not possible for us to do any analysis on it. We neither own the server nor the IP address in question. You'll notice it has a redirect to handbrake.fr, which is probably what fooled Intego. The machine is on an entirely different web host from us. We have however contacted LeaseWeb, since the IP is in their range, and await their feedback.
If any more pertinent information becomes available, we'll post it in the announcement thread.
Re: Possible Trojan after updating Mac-Version to 1.0.7
red07 -> It's impossible to say with 100% certainty, but it appears you've lucked out if you don't see any signs of it in /tmp/ or the directories listed.
There are a few reports now that it doesn't work correctly when Little Snitch is installed. If there was no admin prompt, it's another good sign.
Regardless, it wouldn't hurt to change passwords etc. on the off chance anything leaked out.
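The checks s55 describes above (look for the "activity_agent" process, for connections to the IP quoted from the Intego write-up, and for traces in /tmp/) carried out as an added example. This is not code from the thread or from the HandBrake project. It parses `ps -axo pid=,comm=` and `lsof -nP -i` listings; the sample listings inside it are constructed, the /tmp/activity_agent path in the sample is an assumption made for the demo, and a clean result only means these two indicators are absent, which is the "good sign" s55 talks about, not proof the machine was never touched.

```python
"""Triage for the two HandBrake 1.0.7 trojan indicators named in this thread.

Added example, not code from the HandBrake project or anyone in the thread.
Indicators: a process named "activity_agent" and outbound connections to
85.17.25.66 (both from the Intego write-up quoted above). The sample listings
below are constructed to look like `ps -axo pid=,comm=` and `lsof -nP -i`
output on macOS; they are not real captures, and the /tmp/activity_agent path
in the sample is an assumption made for the demo.
"""
import re
from typing import Iterable

IOC_PROCESS_NAMES = {"activity_agent"}
IOC_IPS = {"85.17.25.66"}

# Remote side of an lsof NAME column, e.g. "85.17.25.66:443 (ESTABLISHED)".
_REMOTE_ADDR = re.compile(r"((?:\d{1,3}\.){3}\d{1,3}):(\d+)")


def suspicious_processes(ps_lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (pid, command) for processes whose basename is an IOC name.

    Input lines are in `ps -axo pid=,comm=` form: "<pid> <command path>".
    Matching on the basename catches the agent wherever it was dropped.
    """
    hits = []
    for line in ps_lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # blank line or something that is not a ps row
        pid, command = int(parts[0]), parts[1]
        if command.rsplit("/", 1)[-1] in IOC_PROCESS_NAMES:
            hits.append((pid, command))
    return hits


def suspicious_connections(lsof_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (command, remote ip:port) for sockets connected to an IOC IP.

    Input lines are in `lsof -nP -i` form; the NAME column reads
    "TCP local->remote (STATE)". Only the remote side is checked, so a local
    address can never trigger a hit.
    """
    hits = []
    for line in lsof_lines:
        if "->" not in line:
            continue  # header line, or a listening socket with no peer
        command = line.split()[0]  # lsof truncates this to 9 chars by default
        remote = line.split("->", 1)[1]
        m = _REMOTE_ADDR.match(remote)
        if m and m.group(1) in IOC_IPS:
            hits.append((command, m.group(0)))
    return hits


def triage(ps_text: str, lsof_text: str) -> dict:
    """Run both checks. 'indicators_present' False is the good sign s55
    describes, not proof that the machine was never infected."""
    procs = suspicious_processes(ps_text.splitlines())
    conns = suspicious_connections(lsof_text.splitlines())
    return {
        "processes": procs,
        "connections": conns,
        "indicators_present": bool(procs or conns),
    }


# Constructed sample input: an infected host (pid 455) next to normal activity.
SAMPLE_PS = """\
    1 /sbin/launchd
  412 /Applications/HandBrake.app/Contents/MacOS/HandBrake
  455 /tmp/activity_agent
  470 /usr/libexec/trustd
"""

# Constructed sample input; 10.0.0.5 and 192.0.2.10 are placeholder addresses.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
activity_   455 demo    5u  IPv4 0xabcd      0t0  TCP 10.0.0.5:51234->85.17.25.66:443 (ESTABLISHED)
Safari      300 demo   12u  IPv4 0xabce      0t0  TCP 10.0.0.5:51300->192.0.2.10:443 (ESTABLISHED)
launchd       1 root    8u  IPv4 0xabcf      0t0  TCP *:22 (LISTEN)
"""


if __name__ == "__main__":
    import subprocess  # live mode: run the same checks on this Mac

    ps_out = subprocess.run(["ps", "-axo", "pid=,comm="],
                            capture_output=True, text=True).stdout
    lsof_out = subprocess.run(["lsof", "-nP", "-i"],
                              capture_output=True, text=True).stdout
    print(triage(ps_out, lsof_out))
```

Run it without arguments on the Mac in question to check the live process and socket tables; `lsof -i` only lists sockets belonging to the current user unless run as root, so run it with sudo if you want to see every process. A hit on the process name is the stronger signal: the connection check only fires while the agent is actually talking to that address.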
Re: Possible Trojan after updating Mac-Version to 1.0.7
Some further comments regarding security.
Perfect security is a pipe dream. Someone with the skills and determination is going to stand a good chance against any website they pick.
What we can do is mitigate the risks and make it as hard as possible by following good security practices but we can't eliminate those risks.
All it takes is a security hole in one piece of software we run, for example the nginx web server or this forum (phpBB), and the whole system collapses.
I'll note some examples of security upgrades we did last year:
- Retiring old services that posed a fairly high risk (Trac, Reviewboard) in favour of GitHub, for exactly the reason listed right above.
- Our servers are kept up to date with available software updates.
- Everything is secured with strong random passwords and, where applicable, public-key crypto.
- Switching to LetsEncrypt since our old SSL authority wasn't as trustworthy as it once was.
- Reworked the TLS configuration to allow us to achieve an A+ SSL Labs report (https://www.ssllabs.com/ssltest/analyze ... .42&latest)
- Full server vulnerability scans have been conducted and issues found fixed.
- DSA signatures on the update checker starting from 1.0.0 were added (and saved quite a few people from this trojan).
- Better reporting and monitoring infrastructure as it took far too long for the issue to be detected. We've already got a temporary solution in place that's monitoring the site and all our downloads but are working towards a better solution.
- Better isolation of our services to reduce the risk of a service compromise allowing access to other services. Anything else we can offload we will but there are significant security considerations to take care of when offloading to 3rd party services.
Will we be done after that? No. Of course not. Security is an ongoing challenge. There are new vulnerabilities coming out daily. Last year we had to make numerous software upgrades and configuration changes to protect against various types of attacks. We are moving to new infrastructure and implementing the best practices available now, but those will not be best practices forever so we have to continually adapt.
This wasn't a lack of us caring about security. If you watch our server logs, you'll see at any point in the day, there are literally dozens of break in attempts. Brute Force password attacks, Vulnerability scans, actual known vulnerability attacks (these fail because we patch our software) and so on.
Re: Possible Trojan after updating Mac-Version to 1.0.7
Why do I not hear you say "buy an Apple developer certificate and sign our releases, as we should have been doing for years, sorry about this", as well as "move to GitHub to host our releases, as there is no reason whatsoever to host it on our own servers, which will undoubtedly get hacked again"?
Re: Possible Trojan after updating Mac-Version to 1.0.7
s55 wrote: ↑Tue May 09, 2017 6:33 pm
red07 -> It's impossible to say with 100% certainty, but it appears you've lucked out if you don't see any signs of it in /tmp/ or the directories listed.
There are a few reports now that it doesn't work correctly when Little Snitch is installed. If there was no admin prompt, it's another good sign.
Regardless, it wouldn't hurt to change passwords etc. on the off chance anything leaked out.

I do see /tmp/handbrake.app in the tmp directory, but none of the other things. But maybe that's because it is opened from a DMG? Is it copied to /tmp then?
Re: Possible Trojan after updating Mac-Version to 1.0.7
The volume of downloads we do is too large for GitHub to host. We'd end up with our account suspended pretty quickly. There are very few web hosts that will do our traffic levels for free, and certainly none that I would trust. VideoLan has reached out and we'll have a discussion with them, but it doesn't really solve the mirror compromise problem. (Neither does moving to GitHub. It could still happen there.) For example: https://github.com/blog/2190-github-sec ... ord-attack (this isn't the only example of GitHub being compromised, or accounts on there being compromised).
We are working to try to get a Developer ID, but it's not as simple as going out and buying one. An organisation must be verified, and you can't be verified if you're not a legal entity, which we are not. We are looking at a few options at the moment (including possibly using VideoLan infrastructure for hosting/signing), but that's not something that will happen immediately as it requires a lot of work and an agreement to be in place first.
There seems to be a misconception that a Developer ID would have solved this problem. It wouldn't have. It's solving a different security problem. Even if we were signed, we wouldn't have had our cert compromised, so Apple revoking it wouldn't have made a difference. Apple doesn't verify that the binary is safe (only Mac App Store binaries have verification done on them). Currently Apple doesn't allow GPL apps in the App Store, so that is not an option for us.
None of the above is an exhaustive list. I didn't mention it, but the app is signed with a GPG key, for example. (Info on GitHub. Rollout to the main site in due course.)
Re: Possible Trojan after updating Mac-Version to 1.0.7
I just ran the app from within a DMG. No copy in /tmp
Re: Possible Trojan after updating Mac-Version to 1.0.7
Hi,
My laptop was infected recently when I downloaded Handbrake. When I found out, I turned off the wifi on my computer. Then I checked and saw that activity_agent was present in the Activity Monitor, which is how I know the computer was infected. I then restarted the laptop (still with the wifi off) and now I'm not seeing activity_agent.
I deleted Handbrake. Then I followed the instructions for removal at: viewtopic.php?f=33&t=36364
Does that mean the trojan is gone? How can I know?
Thanks very much for your help!
Re: Possible Trojan after updating Mac-Version to 1.0.7
I'd be interested to know if the HandBrake developers would consider signing the Mac app using a Developer ID given this recent security issue. Granted it's not a magic bullet, but it at least adds some additional protections - Gatekeeper would warn if it's not signed with a valid dev cert, and Apple has an additional kill switch in addition to XProtect with the ability to revoke the cert serial if it's been compromised.
Re: Possible Trojan after updating Mac-Version to 1.0.7
@timsutton -> See the download page for details on the GPG signed binaries. It's not quite as friendly as Developer ID, but it's a way of authenticating it comes from us and not a malicious 3rd party. The Mac tooling for GPG is actually reasonably usable.
We are trying to get a Developer ID cert, but it's problematic when you're not a legal entity. Setting up a legal entity has all sorts of legal, contractual (in terms of our real-life employment; HandBrake is a hobby project done in free time) and cost factors that need to all be resolved, across several people, in several countries. We are looking at one option now; failing that, VideoLan has reached out and we'll see if we can reach an agreement with them (it won't be a simple "here you go": there's a chain of trust, build servers and other infrastructure to set up, so it'll take time if we go down this road).
Finally, the problem with Developer ID, a malicious party still has a window of opportunity which if unnoticed, can be several days before their telemetry picks it up. So as I indicated earlier, we are putting new measures in to alert us when something is wrong much much quicker than we had before the attack.
@inkling102 -> You should now be clean, but it's worth monitoring if you're not going to do an OS reinstall. Even running an AV scan (many seem to have definition updates now).
Re: Possible Trojan after updating Mac-Version to 1.0.7
@s55 -> These reasons all make sense to me and I appreciate your prompt response! I imagine that in some cases, small teams or OSS projects punt and use a single-user membership but I imagine that this may violate the agreement. I don't know what (if any) recommendations Apple has made before to other open source projects which aren't represented by a legal entity.
Re: Possible Trojan after updating Mac-Version to 1.0.7
For completion's sake, I now also see the other discussion happening on the GitHub issue: https://github.com/HandBrake/HandBrake/issues/619
Re: Possible Trojan after updating Mac-Version to 1.0.7
@flbruve -> Let me clarify: I was referring to approval of the code, not how Gatekeeper works. When you submit to the Mac App Store, your application is checked by automated systems and potentially humans to make sure it meets Apple's guidelines and isn't malicious. However, with Developer ID, a malicious party can sign a trojan and distribute it directly to you. Apple isn't involved in checking it. All they can do with Developer ID is revoke the cert and update XProtect. This can take several days, which means the malicious party has a window of opportunity. The moment you're infected, it's game over. It's too late.
I wasn't referring to the checks the operating system does to verify it's not tampered with.