On May 6, 2017, the developers of the open source video transcoder HandBrake issued a security warning to Mac users after one of the download servers hosting the software was compromised and the Mac installer it served was replaced with a trojanized copy.
Here is the information provided by the Handbrake team.
Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.
Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.
Handbrake Security Issue – Detection
If you see a process called “Activity_agent” in the OSX Activity Monitor application, you are infected.
For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:
The Trojan in question is a new variant of OSX.PROTON.
Handbrake Security Issue – Removal
Open up the “Terminal” application and run the following commands:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if ~/Library/VideoFrameworks/ contains proton.zip, remove that folder as well: [ -e ~/Library/VideoFrameworks/proton.zip ] && rm -rf ~/Library/VideoFrameworks
Then remove any “HandBrake.app” installs you may have.
Handbrake Security Issue – Further Actions Required
Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores.
We have been informed that the process to update the definitions for OSX’s XProtect feature started this morning, so this should start rolling out to machines automatically soon if not already.
Handbrake Security Issue – Information
- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our GitHub Wiki, which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
- The affected download mirror (download.handbrake.fr) has been shut down for investigation.
- The Primary Download Mirror and website were unaffected.
- Downloads via the application’s built-in updater with 1.0 and later are unaffected. These are verified by a DSA signature and will not install if they don’t pass.
- Downloads via the application’s built-in updater with 0.10.5 and earlier did not have verification, so you should check your system if you used these older releases.
- The Download Mirror Server is going to be completely rebuilt from scratch so downloads may be a bit slower than usual while the primary picks up the load. During this time, old versions of HandBrake will not be available.