It happened not too long ago with Transmission, the BitTorrent client: the downloadable .DMG file was replaced with another version that contained both the app and malware. This time it happened to HandBrake, for anyone who was redirected to the download.handbrake.fr mirror between May 2nd and May 6th. That server has been shut down; here are the steps to make sure you are not infected.
If you did not download HandBrake between May 2nd and May 6th, you are safe. The trojan that comes with the infected package is called OSX.PROTON.
Detection of Infection
- Run Activity Monitor and look for an “Activity_agent” process. If you see it, you are infected.
- If you installed HandBrake and still have the .DMG file, and it matches one of the following hashes, you are also infected; the “Activity_agent” process might just not be running yet.
SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793
Removal of Trojan
Open up the “Terminal” application and run the following commands:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
If you find a folder containing proton.zip, remove that folder.
Then remove any “HandBrake.app” installs you may have and any .DMG files. Make sure you empty the Trash so you don’t accidentally reinstall it.
Now, the Bad Things
Removing the malware is not very hard and getting back to a clean status is quite easy. But what does this malware do?
We do not have much information, but it is strongly suggested that you change the passwords of all items in your Keychain. Yes, a big pain…
Update: it seems this malware targets source files, passwords and SSH keys in order to download software source code. At the very least, Panic was a victim of the same attacker.