Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack

The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

rm -rf ~/Library/RenderFiles/activity_agent.app

if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274 / SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)

Tags: security, malware

Top Rated Comments

(View all)

Quu

35 months ago

These developers really need to setup a deamon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.

Rating: 7 Votes

loby

35 months ago

The app is one of the best out there. I use it almost daily.

This is a great app and I too use it quite often.

It amazes me how people quickly complain and comment negatively on an open source "free" software that they don't have to pay anything for. Give them a break. This is not apple with unlimited resources and employees with high paying salaries who are expected to have everything protected and secure and perfect. They don't get paid. They were quick to reveal the issue and not hide anything.

Complainers either don't write code, or if you do, you are doing it for money. They are not. Those who use their software appreciate their hard work and appreciate their honesty to reveal the issue quickly and not hide anything so we can fix the issue on our side. This stuff happens occasionally. If you paid for the software, then "yeah"..complain. They have limited resources, so give them a break as they work hard to resolve the issue. I am sure someone had no sleep trying to quickly fix the problem and then have to go to their day job after, just to fix a free program that they offer to the world to use.

Appreciate the open source community that gives us a great program. Thanks for informing us right away so we can protect our systems and continue to use handbrake.

Rating: 5 Votes

Quu

35 months ago

Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
[doublepost=1494153907][/doublepost]
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.

That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as-long as no one notices it will fly under the radar.

The developers themselves need to maintain hashes are correct.

Rating: 5 Votes

bladerunner2000

35 months ago

Guess it's an indication that using the tool won't make any sense either... fair game.

The app is one of the best out there. I use it almost daily.

Rating: 4 Votes

Gannet

35 months ago

Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

That said, I'm posting because I nearly got caught by this. I download Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterword I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.

Rating: 4 Votes

cashinstinct

35 months ago

Many developpers would have simply not said anything.

I applaud them for telling it like it is, and finding solutions.

Pretty sure many apps are affected by such issues, but either they don't find out / don't say to their users.

Rating: 4 Votes

MH01

35 months ago

Point is, we are getting targeted and people should be vigilant . He usual crowd will put their heads in the sand and blame the end user.

Be it a PC or a Mac , be careful and think.

Rating: 3 Votes

Quu

35 months ago

You can do that as a malware developer, but Apple will have information about you. If my app had problems, Apple could send someone to my home if they felt that was the right thing to do. They have the name of my company, companyhouse in the UK who holds information about all UK companies has my company's address and my name and home address, they have delivered mail there so they know where I am. It's not just $99 to register, Apple checks and keeps information about the developer.

That's nice and all but these criminals do find ways to get businesses registered fraudulently. Remember that the app store is accessible worldwide which makes it easy for criminals to make up details about being somewhere that Apple is not familiar with.

And it does and has happened, malware has been found on Windows and macOS both with official certificates. https://www.infosecurity-magazine.com/news/apple-revokes-cert-for-mac-trojan/

Am I advocating against certs? hell no, they're useful. But it's not a silver bullet. Developers need to check their own binaries and often.

Rating: 3 Votes

Westside guy

35 months ago

That said, I'm posting because I nearly got caught by this.

It's also another reminder that it's better for your day-to-day account to not be an admin account. OS X / MacOS make it trivially easy and painless to run as a non-admin user.

If your username is "joe", just create a new account "joe_admin" with a different password, then log into that account and remove admin permission from your original account. Really the only things that change is a) the admin prompt text changes from "enter your password" to "enter an administrator's name and password"; and b) you'll have to type the admin account name (e.g. "joe_admin") and password instead of just typing in a password. Easy peasy.

Rating: 2 Votes

thomasareed

35 months ago

It's important to note that hashes are an extremely flawed method of verifying the legitimacy of an app. If a hacker has managed to replace the app on the website, it's not a stretch to imagine that they have also replaced the hash on that same website.

Not to mention that an SHA1 or MD5 hash cannot be considered to be a guarantee, since it is now possible to create different files designed to have the same hash. All it takes is processing power, and the power needed can be easily purchased from Amazon, or obtained by a hacker by employing an existing botnet.

Code signing is the only way to guarantee that the app has not been tampered with, and HandBrake is not code signed. So it's really very difficult to determine whether you have an un-tampered copy of the app.

Some have pointed out that Apple developer certificates can be purchased for $99, and used to sign a malicious version of an app. This is true, and it's been done. That's what happened in the case of Transmission's hacks. However, this is an easier issue to spot, if you know how, as the code signature will change. If the app is signed with a cert belonging to someone other than the developer, you know there's a problem.

Of course, the average user won't know how to check that - or even that they should - any more than they'll know to check a hash.

Those asking how they can trust HandBrake again are asking a good question. It's particularly concerning that there is a historical connection between Transmission and HandBrake. I don't know how many people may have access to both projects, but these repeated hacks start to seem like an insider job. Without code signing, there's really no way we can be expected to trust HandBrake in the future.

(Fortunately, I only have HandBrake installed on an older Mac with no PII... but even so, this is something that could have infected my Mac, and I'm a security researcher!)

Rating: 2 Votes

[ Read All Comments ]