Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack

MacRumors

macrumors bot



The developers of open source video transcoder app Handbrake have issued a security warning to Mac users after a mirror download server hosting the software was hacked.

The alert was issued on Saturday after it was discovered that the original HandBrake-1.0.7.dmg installer file on mirror server download.handbrake.fr had been replaced by a malicious file.

The affected server has been shut down for investigation, but developers are warning that users who downloaded the software from the server between 14:30 UTC May 2 and 11:00 UTC May 6 have a 50/50 chance of their system being infected by a trojan. "If you see a process called 'Activity_agent' in the OS X Activity Monitor application, you are infected," read the alert.

To remove the malware from an infected computer, users need to open up the Terminal application and run the following commands:

1. launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
2. rm -rf ~/Library/RenderFiles/activity_agent.app
3. If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Users should then remove any installs of the Handbrake.app they have on their system. As an extra security recommendation, users should also change all the passwords that may reside in their OS X Keychain or in any browser password stores.

The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges. Apple updated its macOS security software XProtect in February to defend against the original Proton malware. Apple initiated the process to update its XProtect definitions on Saturday and the update should already be rolling out to machines silently and automatically.

Handbrake users should note that the primary download mirror and the Handbrake website were unaffected by the hack. Downloads via the application's built-in updater with 1.0 and later are also unaffected, since these are verified by a DSA Signature and won't install if they don't pass. However, users with Handbrake 0.10.5 and earlier who used the application's built-in updater should check their system, as these versions don't have the verification feature.

For reference, HandBrake.dmg files with the following checksums are infected:
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

(Thanks, Alfonso!)

Article Link: Handbrake Developers Issue Mac Security Warning After Mirror Download Server Hack
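As an added example (not from the HandBrake alert or from MacRumors), here are the advisory's triage and cleanup steps as a POSIX shell script. It looks for the indicators the alert names (the Activity_agent process, the LaunchAgent plist, the activity_agent.app bundle and proton.zip) under a base directory you pass in, and then removes them. The paths and process name are the advisory's; the base-directory parameter, the hit counter and the deletion of the plist after unloading it are additions.

```shell
#!/bin/sh
# Added example, not HandBrake's code. Indicators are the ones quoted in the
# alert; the base directory ($1, default $HOME) is a parameter so the checks
# can be exercised against a test tree instead of a real user profile.

# Print one FOUND line per indicator present under $1; exit 0 if any was found.
proton_indicators() {
    base="${1:-$HOME}"
    [ -n "$base" ] || return 1
    hits=0
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        if [ -e "$base/$rel" ]; then
            echo "FOUND $base/$rel"
            hits=$((hits + 1))
        fi
    done
    # The alert's primary sign of infection: a running Activity_agent process.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x Activity_agent >/dev/null 2>&1; then
        echo "FOUND running process Activity_agent"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# The advisory's three removal steps, plus deleting the plist so the agent
# cannot be reloaded at the next login (that last step is an addition).
proton_cleanup() {
    base="${1:-$HOME}"
    [ -n "$base" ] || return 1
    plist="$base/Library/LaunchAgents/fr.handbrake.activity_agent.plist"
    if [ -e "$plist" ]; then
        # launchctl exists only on macOS; elsewhere just delete the file.
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" || true
        fi
        rm -f "$plist"
    fi
    rm -rf "$base/Library/RenderFiles/activity_agent.app"
    # "If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder."
    if [ -e "$base/Library/VideoFrameworks/proton.zip" ]; then
        rm -rf "$base/Library/VideoFrameworks"
    fi
    # Stop a still-running agent if pkill is available.
    if command -v pkill >/dev/null 2>&1; then
        pkill -x Activity_agent 2>/dev/null || true
    fi
    return 0
}
```

Run `proton_indicators` first; it only reads. A clean result on the file paths alone is not conclusive, because the running process is the indicator the alert leads with, so check Activity Monitor or `pgrep` as well. After `proton_cleanup`, the password rotation the advisory asks for still has to be done by hand: the trojan had the chance to read whatever was in the Keychain and browser stores while it ran.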
 

MH01

Point is, we are getting targeted and people should be vigilant. The usual crowd will put their heads in the sand and blame the end user.

Be it a PC or a Mac, be careful and think.
 

sudo1996

Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
These developers really need to set up a daemon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
 

Quu

Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
No need for that exactly. Registered Mac developers can sign their code and distribute it anywhere. Most seem to do that.
That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as long as no one notices it will fly under the radar.

The developers themselves need to make sure the hashes are correct.
 

Markoth

These developers really need to set up a daemon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
SHA1 has been shown to have weaknesses. As others have said, binary signing takes care of this. Some devs just don't want to have to shell out $99 a year for a dev membership just for the certificate, which I can understand.
That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as long as no one notices it will fly under the radar.

The developers themselves need to make sure the hashes are correct.
Apple bans any accounts that do these sort of things fairly quickly, but I suppose you do have a point.
 

gnasher729

That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as long as no one notices it will fly under the radar.
You can do that as a malware developer, but Apple will have information about you. If my app had problems, Apple could send someone to my home if they felt that was the right thing to do. They have the name of my company; Companies House in the UK, which holds information about all UK companies, has my company's address and my name and home address; they have delivered mail there so they know where I am. It's not just $99 to register, Apple checks and keeps information about the developer.
 

Rigby

Isn't Apple's code signing supposed to protect against this? Or are they not signing their builds? Or did their key get stolen?
The Mac binaries are not signed (see here). The Windows binaries are signed though. I guess they want to avoid the cost for yet another certificate (you can't use Microsoft authenticode certs to sign MacOS applications). Let's not forget that this is an open source project made by volunteers. Also note that they encourage people to verify their downloads via the checksums on the download page. This is generally a good practice.
 

KALLT

These developers really need to […] release their wares on the App Store.
It is GPL-licensed software. Apple likely won’t allow that. I am also not sure if Apple would allow such software in the first place.
 

Larry The L

Been not using this app for a long time. Maybe I need to keep not using it a bit longer.
Good idea. Even if the problem has been found, is being addressed, and the problem is being resolved and you need the program, don't use it. And don't use any other app as it also might be infected and you don't know about it.
 

folp02

Are you infected if the "activity agent" is not running? My checksum matches SHA1. I haven't used handbrake in years, so I do and get this!

cheers all,
 

Quu

You can do that as a malware developer, but Apple will have information about you. If my app had problems, Apple could send someone to my home if they felt that was the right thing to do. They have the name of my company, companyhouse in the UK who holds information about all UK companies has my company's address and my name and home address, they have delivered mail there so they know where I am. It's not just $99 to register, Apple checks and keeps information about the developer.
That's nice and all but these criminals do find ways to get businesses registered fraudulently. Remember that the app store is accessible worldwide which makes it easy for criminals to make up details about being somewhere that Apple is not familiar with.

And it does and has happened, malware has been found on Windows and macOS both with official certificates. https://www.infosecurity-magazine.com/news/apple-revokes-cert-for-mac-trojan/

Am I advocating against certs? hell no, they're useful. But it's not a silver bullet. Developers need to check their own binaries and often.
 
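The point made above, that a valid Developer ID signature only proves someone paid for an account, is why a signature check on an unfamiliar binary should also pin the signing team. As an added example (not HandBrake's or Apple's code), the script below parses the `TeamIdentifier=` line that `codesign -d --verbose=2` prints and compares it with the Team ID you expect. The Team ID value is a placeholder and is not HandBrake's; the `codesign` invocations are only run when the tool exists, so the parsing part can be exercised anywhere with constructed output.

```shell
#!/bin/sh
# Added example, not HandBrake's or Apple's code. A Developer ID signature
# from *any* paid account passes Gatekeeper, so "signed" alone is weak;
# pin the Team ID you expect for this app.
EXPECTED_TEAM_ID="ABCDE12345"   # hypothetical placeholder, not HandBrake's

# Read `codesign -d --verbose=2` output on stdin, extract the TeamIdentifier=
# line and compare it with $1. Returns 0 only on an exact match; an unsigned
# or ad-hoc signed bundle prints "TeamIdentifier=not set" and therefore fails.
team_id_matches() {
    want="$1"
    got=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Full check on a real .app (macOS only): signature intact AND team pinned.
verify_app() {   # $1 = path to .app, $2 = expected Team ID (optional)
    app="$1"; want="${2:-$EXPECTED_TEAM_ID}"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 3; }
    # --deep walks nested code, --strict rejects bundles whose sealed
    # resources were modified after signing (a re-packaged .app fails here).
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "SIGNATURE INVALID $app"; return 1
    fi
    # codesign writes its -d listing to stderr, hence the 2>&1.
    if ! codesign -d --verbose=2 "$app" 2>&1 | team_id_matches "$want"; then
        echo "SIGNED BY UNEXPECTED TEAM $app"; return 2
    fi
    echo "OK $app"
}
```

A mismatch here is the case the thread worries about: a bundle that Gatekeeper accepts because it carries some valid certificate, just not the project's. The first time you pin a Team ID you still have to obtain it from a trustworthy source (the project's own site over HTTPS, or a copy you already trust), so this check complements, rather than replaces, comparing the download's hash.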

sudo1996

That isn't secure enough because any developer can register for $99 (and the malware authors do too) then they just re-sign their new binary with the bought certificate and as long as no one notices it will fly under the radar.

The developers themselves need to make sure the hashes are correct.
Yes, that is a problem. App Store would fix that for the most part. Unfortunately, as much as I'd like to use the App Store, it's so glitched that I avoid it at all costs.
The Mac binaries are not signed (see here). The Windows binaries are signed though. I guess they want to avoid the cost for yet another certificate (you can't use Microsoft authenticode certs to sign MacOS applications). Let's not forget that this is an open source project made by volunteers. Also note that they encourage people to verify their downloads via the checksums on the download page. This is generally a good practice.
TBH, I've never manually verified binary checksums, and I know that I should, but I'm lazy. There needs to be a nicer way of doing this because people either don't know or don't care enough to bother opening up a shell or something to compute the hash. Also, using checksums on the download page relies on their site not being hacked.
It is GPL-licensed software. Apple likely won’t allow that. I am also not sure if Apple would allow such software in the first place.
Interesting. Looking around online, it seems that Apple doesn't allow it, and the GPL likely doesn't either.
You can do that as a malware developer, but Apple will have information about you. If my app had problems, Apple could send someone to my home if they felt that was the right thing to do. They have the name of my company, companyhouse in the UK who holds information about all UK companies has my company's address and my name and home address, they have delivered mail there so they know where I am. It's not just $99 to register, Apple checks and keeps information about the developer.
Plenty of devs do sketchy stuff. They used to keep releasing those Nintendo emulators for iOS, not on the App Store but through a website. I'm sure they have ways to remain anonymous. Probably registered to some random company in Russia.
 
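The manual hash check that the thread keeps coming back to takes only a few lines once it is written down. As an added example (not HandBrake's code), the script below does two things with a downloaded HandBrake.dmg: it compares the file's SHA-1 and SHA-256 against the two malicious checksums published in the alert, and it compares the SHA-256 against the expected value you copied from the project's download page, passed in as an argument. The known-bad hashes are the ones quoted in the advisory; everything else (the function names, the verdict strings, the exit codes) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not HandBrake's code. Known-bad digests are the ones the
# HandBrake alert published for the trojanised HandBrake-1.0.7.dmg.
KNOWN_BAD_SHA1="0935a43ca90c6c419a49e4f8f1d75e68cd70b274"
KNOWN_BAD_SHA256="013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793"

# Portable digest helper: coreutils ships sha1sum/sha256sum, macOS ships
# the perl shasum. $1 = 1 or 256, $2 = file. Prints lower-case hex.
digest() {
    if command -v "sha$1sum" >/dev/null 2>&1; then
        "sha$1sum" "$2" | awk '{print $1}'
    else
        shasum -a "$1" "$2" | awk '{print $1}'
    fi
}

# Classify a downloaded file. $1 = file, $2 = expected SHA-256 (optional).
# Prints INFECTED / OK / MISMATCH / UNVERIFIED and returns 2 / 0 / 1 / 3.
check_dmg() {
    file="$1"
    expected=$(printf '%s' "${2:-}" | tr 'A-F' 'a-f')
    sha256=$(digest 256 "$file")
    sha1=$(digest 1 "$file")
    # Either published digest is enough to call it: both identify the same file.
    if [ "$sha256" = "$KNOWN_BAD_SHA256" ] || [ "$sha1" = "$KNOWN_BAD_SHA1" ]; then
        echo "INFECTED $file"
        return 2
    fi
    # Not matching the known-bad list is not the same as being good.
    if [ -z "$expected" ]; then
        echo "UNVERIFIED $file (no expected SHA-256 supplied)"
        return 3
    fi
    if [ "$sha256" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file got $sha256 want $expected"
    return 1
}
```

Usage is `check_dmg ~/Downloads/HandBrake-1.0.7.dmg <sha256 from the download page>`. The caveat raised earlier in the thread stands: a checksum fetched from the same server that served the file proves nothing if that server was the one compromised, so take it from the primary site over HTTPS, and prefer a signed update channel (the built-in updater's DSA-signed feed) where one exists. The UNVERIFIED verdict exists precisely so that "not on the bad list" is never reported as a pass.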

groovyd

what a non-sensical name and even more confused icon for a tool that transcodes video. why can't people name and iconify things anymore that actually indicates what they do in some small part?
 

flyinmac

These developers really need to set up a daemon of sorts which tests the SHA1 hash of these binaries every few hours or release their wares on the App Store.
They can't publish GPL / Open Source titles in the Mac App Store as Apple's terms and conditions violate open source rules.

Apple would need to provide a separate open source section that doesn't require the downloader to agree to any of Apple's terms and conditions.

A good brief explanation can be read here:

http://www.fsf.org/blogs/licensing/more-about-the-app-store-gpl-enforcement
 

Gannet

Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I'm sure they will take the necessary measures to improve this for future.

That said, I'm posting because I nearly got caught by this. I downloaded Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to "install additional codecs". As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterward I was shown another dialog, independent from Handbrake, purporting to be from the system "Network Configuration" which needed my password to "update DHCP settings". As this was also something I was unfamiliar with, I again declined but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.
 


unixkid

It's pretty sad to see history repeat itself again... Much like the inept developers of Transmission BitTorrent. These devs likely reject the best practice of cryptographically signing their releases because they either don't care or don't even know how to use PGP. It's pretty clear how useful Gatekeeper is when used outside the Mac App Store, based on the number of times Transmission BitTorrent got hacked... Source
 

UL2RA

You'd think they would've learned from Transmission's mishap. I guess not.
 

IJ Reilly

So yeah, if you see any suspicious password dialogs, do NOT enter your password.
If you rely on the suspicion system of security it is only a matter of time before you get hosed. These hackers are good at looking not suspicious, and the meaning of these dialog boxes is far from clear, making it close to impossible for most users to tell one that's legitimate from one that is not.
 