Server for HandBrake hacked, here's what to do if you've been infected

Jos

TS Evangelist

If you downloaded the Mac version of popular video converter Handbrake last week, your computer may be infected with a trojan. The developers behind the open source app have issued a security warning to Mac users after a mirror download server (download.handbrake.fr) hosting the software was hacked, replacing the HandBrake-1.0.7.dmg file for an infected one.

The malicious file was up between 14:30 UTC May 2 and 11:00 UTC May 6. “You have 50/50 chance if you've downloaded HandBrake during this period," the developer warns. The malware in question is a new variant of OSX.PROTON, a Mac-based remote access trojan that gives the attacker root-access privileges, allowing them to perform all kinds of actions, from viewing the screen in real time and recording keystrokes, to uploading your files, downloading additional malware, accessing the webcam, and more.

If you downloaded the video transcoding software during the reported timeframe, the easiest way to confirm if you’re infected is by launching Activity Monitor from Applications/Utilities and looking for a process called “activity_agent”. If it’s there then your system is infected.

Apple updated its macOS security software XProtect in February to defend against the original Proton malware, and begun rolling out new definitions over the weekend to detect the new variant as well.

Deleting the infected files manually is also relatively straightforward. All you need to do is open up the “Terminal” application and run the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

HandBrake recommends checking the ~/Library/VideoFrameworks folder for the presence of a file called “proton.zip” and deleting the entire VideoFrameworks directory if found. You should also delete the infected HandBrake.dmg file and reinstall from a clean source.

According to HandBrake, the primary download mirror and website are unaffected. We’ve also made sure that TechSpot’s download entry for HandBrake points to a clean file.

While that should take care of the original infection, users should run additional malware detection software in case anything else has already been downloaded to your system, and change all the passwords in their macOS Keychain as well as any of the passwords they saved in their browsers.

Permalink to story.

 
  • Like
Reactions: jobeard
D

davislane1

TL;DR: User error has resulted in Macs being infected with viruses.
 

HardReset

TS Guru
Deleting the infected files manually is also relatively straightforward. All you need to do is open up the “Terminal” application and run the following commands:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app
99.9% of Apple users have never used terminal :D
 

mailpup

TS Special Forces
He didn't say you hated Macs. He just said he was tired of the bashing (deserved or not).
 

captaincranky

TechSpot Addict
He didn't say you hated Macs. He just said he was tired of the bashing (deserved or not).
I didn't think were were bashing Macs, per se. We were, (justifiably perhaps), making fun of their owners.

Apple, at last survey, was, "the most loved company in America". That said, I'm sure their shoulders are broad enough to withstand some push back against their stock in trade repetitive bullsh!t lines. "It just works, blah, blah, blah".

Moving on, how come "The Thought Police" don't jump in when Intel is getting murdered...? :p
 
Last edited: