| From | Your Name <YourName@YourISP.com> |
|---|---|
| Newsgroups | comp.sys.mac.system, comp.sys.mac.misc |
| Subject | [News] Handbrake developers warn of malware download mirror |
| Date | 2017-05-08 10:36 +1200 |
| Organization | Aioe.org NNTP Server |
| Message-ID | <oeo7hi$bkc$1@gioia.aioe.org> (permalink) |
Cross-posted to 2 groups.
From MacRumors.com ...

Handbrake Developers Issue Mac Security Warning
After Mirror Download Server Hack
-----------------------------------------------

The developers of open source video transcoder app Handbrake
have issued a security warning to Mac users after a mirror
download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that
the original HandBrake-1.0.7.dmg installer file on mirror
server download.handbrake.fr had been replaced by a malicious
file.

The affected server has been shut down for investigation, but
developers are warning that users who downloaded the software
from the server between 14:30 UTC May 2 and 11:00 UTC May 6
have a 50/50 chance of their system being infected by a
trojan. "If you see a process called 'Activity_agent' in the
OS X Activity Monitor application, you are infected," read the
alert.

To remove the malware from an infected computer, users need to
open up the Terminal application and run the following commands:

    launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
    rm -rf ~/Library/RenderFiles/activity_agent.app

if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Users should then remove any installs of the Handbrake.app they
have on their system. As an extra security recommendation, users
should also change all the passwords that may reside in their
OSX KeyChain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a
Mac-based remote access trojan that gives the attacker root-access
privileges. Apple updated its macOS security software XProtect in
February to defend against the original Proton malware. Apple
initiated the process to update its XProtect definitions on
Saturday and the update should already be rolling out to machines
silently and automatically.

Handbrake users should note that the primary download mirror and
the Handbrake website were unaffected by the hack. Downloads via
the application's built-in updater with 1.0 and later are also
unaffected, since these are verified by a DSA Signature and won't
install if they don't pass. However, users with Handbrake 0.10.5
and earlier who used the application's built-in updater should
check their system, as these versions don't have the verification
feature.

For reference, HandBrake.dmg files with the following checksums are
infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793