Mirror Download Server Compromised

News and Updates
Locked
User avatar
HandBrake
Moderator
Posts: 96
Joined: Fri Jul 25, 2008 10:40 pm

Mirror Download Server Compromised

Post by HandBrake » Sat May 06, 2017 8:10 am

SECURITY WARNING

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period.

Detection

If you see a process called "activity_agent" in the OSX Activity Monitor application. You are infected.

For reference, if you've installed a HandBrake.dmg with the following checksums, you will also be infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON

Removal

Open up the "Terminal" application and run the following commands:
  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
Then Remove any "HandBrake.app" installs you may have.

Further Actions Required

Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores.

Apple

We have been informed that the process to update the definitions for OSX's XProtect feature started this morning, so this should start rolling out to machines automatically soon if not already.


Summary
  • HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
  • The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
  • The Primary Download Mirror and website were unaffected.
  • Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.
  • Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases

When relevant information becomes available we will update this post.


Notices
  • The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load. During this time, old versions of HandBrake will not be available.

User avatar
HandBrake
Moderator
Posts: 96
Joined: Fri Jul 25, 2008 10:40 pm

Re: Mirror Download Server Compromised

Post by HandBrake » Sun May 07, 2017 12:22 pm

This has been mis-reported in the press a few times now, so for clarity, let us say:

The HandBrake Team is independent of the Tranmission Developers. The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers.

We do not share our virtual machines with the Transmission project.

User avatar
HandBrake
Moderator
Posts: 96
Joined: Fri Jul 25, 2008 10:40 pm

Re: Mirror Download Server Compromised

Post by HandBrake » Wed May 10, 2017 9:11 pm

Further Analysis on PROTON has come to light:

https://objective-see.com/blog/blog_0x1F.html
Patrick from Objective-See.com wrote:Well this makes analysis rather easy ;) We're not going to walk thru all of these, but let's cover a few of the more interesting items in this this list.

The first items from this list that the malware extracts and utilizes are the following paths:
/Library/Extensions/LittleSnitch.kext

/Library/Extensions/Radio Silence.kext

/Library/Extensions/HandsOff.kext
For each of these paths, it checks if they exist on disk, and if so, the malware immediately exits!

These of course are macOS security products (firewalls) which would alert the user to the presence of the malware when it attempts to call out to connect to its command and control server(s). Seems like the malware would simply exit, rather than risking detection.

Ah! Could this be why various users, who had ran the infected Handbrake application were not infected? Why yes! Turns out all had been running Little Snitch. Lucky for them :)

Locked