HandBrake is an open-source and free transcoder for digital video files. It makes ripping a film from a DVD to a data storage device such as NAS boxes easier. HandBrake works Linux, macOS, and Windows. A Recent version of Handbrake for Mac and possibly other downloads at the same site infected with malware. If you have downloaded HandBrake on Mac between 2/May/2017 and 06/May/2017, you need to delete the file ASAP. HandBrake infected with a new variant of OSX.PROTON malware.
HandBrake
What happened?
- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/HandBrake/wiki/Checksums
- The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
- The Primary Download Mirror and website were unaffected.
- Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don’t pass.
- Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases
How do I find out if my macOS was compromised?
From the official forum:
If you see a process called “Activity_agent” in the OSX Activity Monitor application. You are infected. For reference, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793The Trojan in question is a new variant of OSX.PROTON
How do I remove it?
Open up the “Terminal” application and run the following commands:
$ launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
$ rm -rf ~/Library/RenderFiles/activity_agent.app
if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder. Then Remove any “HandBrake.app” installs you may have.
Connection between Transmission’s malware hack
It seems that the author/developer of Transmission and Handbrake are the same people. In past Transmission’s download being replaced with infected malware too. Coincidence? I don’t think so.
For more info see:
🐧 2 comments so far... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| Disk space analyzers | df • ncdu • pydf |
| File Management | cat • tree |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | NetHogs • dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
“It seems that the author/developer of Transmission and Handbrake are the same people. In past Transmission’s download being replaced with infected malware too. Coincidence? I don’t think so.”
The developers are 2 different groups of people. The original developer who created the projects doesn’t work on them now and hasn’t for a long time. HandBrake has it’s own Virtual Machines that are independent of whatever Transmission runs.
You need to be in terminal root then search system files to assure all are gone as it loads again at boot up.
Also: I found s second file – activity_agent.plist.e.
This needs to be removed too.