Mac's Version Of HandBrake Infected With Trojan!

in #security · 8 years ago

Ahoy Steemians!

On May 6th the HandBrake development team published a security warning about a high chance that Mac users had downloaded an infected version of HandBrake. The popular app used for converting video files was compromised for a 5-day period, between the 2nd and 6th of May 2017.

It has been stated that there is a "50/50" chance that, if you downloaded the app during this period, you have an infected version. Luckily the Trojan was only located on the download.handbrake.fr mirror, but from experience it is still worthwhile checking.

The app was infected with a recent but popular Trojan called Proton, which has been sold on many cybercrime forums since the beginning of this year. Its main capabilities are keylogging, remote access via SSH or VNC, executing shell commands as root, taking and downloading webcam images and desktop screenshots, and many more.

At this time, the way to know if your system is infected is to look for a running process called activity_agent, which can be seen in the OSX Activity Monitor application. The HandBrake development team have provided detailed removal steps, which can be found at the following link: https://forum.handbrake.fr/viewtopic.php?f=33&t=36364

I wish you all good luck and I hope that this security issue has not affected any of our community!

Many Thanks
Kipps


Just to note, the XProtect signature that Apple pushed out in an update to block/detect this malware is pretty useless. It simply does a SHA1 hash match on the malicious binary, so to render it undetected again, all the people behind the malware have to do is recompile it or even flip a single bit in it to change the hash.

Furthermore, the detection method proposed here (checking for a process named "activity_agent") is also easy to get around - just rename the executable, or use fairly normal process-name spoofing trickery to change it.

Our good friends over at Objective-See have written a detailed analysis of the malware here: Link to analysis on Objective-See.com
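To make the commenter's point about hash-only signatures concrete, here is an added example (not from the post, not Apple's XProtect logic and not the Proton sample): it compares an exact SHA-1 match against a content-indicator check on a constructed stand-in byte string, and shows which of the two still fires after one unrelated byte changes. The byte string, the indicator patterns and the `minimum` threshold are all constructed assumptions for illustration.

```python
"""Exact-hash signature versus content-based indicators (added example)."""
import hashlib

# Constructed stand-in for a shipped binary: a fake header, filler bytes and
# a few embedded strings of the kind an analyst might choose as indicators.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + bytes(range(64))      # fake header + filler (offsets 4..67)
    + b"activity_agent\x00"                      # process name mentioned in the post
    + b"/usr/bin/ssh\x00/usr/bin/vnc\x00"        # constructed strings
    + bytes(64)
)

# A hash signature covers exactly one build; here it is computed from the stand-in.
KNOWN_BAD_SHA1 = {hashlib.sha1(SAMPLE_BINARY).hexdigest()}

# Content indicators keep matching as long as these byte patterns survive.
CONTENT_INDICATORS = [b"activity_agent\x00", b"/usr/bin/vnc\x00"]


def sha1_match(blob: bytes) -> bool:
    """Exact-hash detection as described in the comment: all or nothing."""
    return hashlib.sha1(blob).hexdigest() in KNOWN_BAD_SHA1


def indicator_match(blob: bytes, minimum: int = 2) -> bool:
    """Flag the blob if at least `minimum` content indicators are present."""
    hits = sum(1 for pattern in CONTENT_INDICATORS if pattern in blob)
    return hits >= minimum


def flip_one_bit(blob: bytes, offset: int) -> bytes:
    """Copy of blob with the lowest bit of byte `offset` inverted; simulates a
    cosmetic change in a region no indicator depends on."""
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)


def compare_detections(blob: bytes) -> dict:
    """Run both detectors on the original and on a one-bit-changed copy."""
    changed = flip_one_bit(blob, 10)  # offset 10 is filler, outside every indicator
    return {
        "sha1_original": sha1_match(blob),
        "sha1_changed": sha1_match(changed),
        "indicator_original": indicator_match(blob),
        "indicator_changed": indicator_match(changed),
    }


if __name__ == "__main__":
    print(compare_detections(SAMPLE_BINARY))
```

The hash detector drops to `False` on the changed copy while the indicator check still fires, which is why defenders pair hash signatures with behavioural or content-based rules rather than relying on either alone.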