HandBrake is a popular video transcoder available for both PC and Mac, but if you have a Mac and downloaded the app recently you may be in a spot of trouble.
Over the weekend the HandBrake developers issued a warning to Mac users stating that a mirror server used to distribute the app had been hacked. The mirror originally served the HandBrake-1.0.7.dmg file, but it had been replaced with a malicious file.
“Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it,” said the developer in a forum post.
“Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period,” said HandBrake.
For those interested, according to MacRumours the malicious file is a variant of the OSX.PROTON trojan, which can give an attacker root-access privileges on the target machine.
Identifying if you have the trojan
Even though there is only a 50% chance that you have this trojan, root access is a rather scary prospect, so here’s how to check whether you are infected.
According to the developer, infected machines will show a process called “Activity_agent” in the OSX Activity Monitor. If you see that process, you are infected.
If you discover that you are infected, open the Terminal and enter the following commands.
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
The developer goes on to say that if the /Library/VideoFrameworks/ folder contains proton.zip, the folder should be removed. Any HandBrake.app installs should be removed as well.
The hijacked mirror has since been taken down and will be rebuilt from scratch. While this happens, HandBrake has said that downloads may be slower than usual and older versions of the app will not be available for download.
Finally, as an extra precaution, the developers suggest users change any passwords that may reside in their OSX Keychain or in browser password stores. [Via – MacRumours]