Mac|Life

Malware scare for popular video app HandBrake

Official download source compromised with malware for almost five days

- BY Alan Stonebridge

In a security warning posted on handbrake.fr, the development team behind the video transcoding tool revealed that downloads of version 1.0.7 between May 2 and May 6 are likely to be infected with a new variant of the OSX.PROTON Trojan – a piece of malware.

This occurred after the real copy of the disk image on one of the site’s servers that delivered the software was replaced with one carrying the malware. At the time of writing, that server had been taken down and an investigation was underway to identify how the incident occurred.

Obviously, if you didn’t download that particular version of HandBrake during that specific period, you won’t be affected by this. Regardless, to check whether your Mac is running the malware, open Activity Monitor from /Applications/Utilities, click the CPU tab, enter activity_agent in the app’s search bar, and then inspect the list of processes below for one of that name; if one exists, follow the developer’s steps, which we’ve repeated here, to get rid of the malware from your Mac.

First, open Terminal and type the following command, followed by Return.

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

Next, enter this command, and again press Return afterwards.

rm -rf ~/Library/RenderFiles/activity_agent.app

In Finder, hold Alt and choose Go > Library. In VideoFrameworks here, check for a file called proton.zip – if it’s there, remove the folder. The developer warns that the malware in question risks exposing data stored in your keychain, so you should change all the passwords stored there or in other browser password stores.
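A read-only way to look for the same indicators from Terminal before removing anything. This is an added example, not code from the HandBrake developers or the original article; the function names are hypothetical, and the paths and process name are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: read-only check for the indicators named in the article.
# Nothing is unloaded or deleted. Function names are hypothetical.

# Print every indicator path that exists under the given home directory
# (defaults to $HOME). Always returns 0 so it is safe under `set -e`.
proton_file_indicators() {
    home=${1:-$HOME}
    for rel in \
        "Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "Library/RenderFiles/activity_agent.app" \
        "Library/VideoFrameworks/proton.zip"
    do
        # -e matches files and directories; -L also catches dangling symlinks
        if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
        fi
    done
    return 0
}

# Succeed only if a process named exactly activity_agent is running
# (the Terminal equivalent of the Activity Monitor search).
proton_process_running() {
    pgrep -x activity_agent >/dev/null 2>&1
}

# Print a one-word verdict combining the file and process checks.
proton_verdict() {
    home=${1:-$HOME}
    if [ -n "$(proton_file_indicators "$home")" ] || proton_process_running; then
        echo "indicators-found"
    else
        echo "none-found"
    fi
}

# Check the current user's account: list any matching paths, then the verdict.
proton_file_indicators "$HOME"
proton_verdict "$HOME"
```

A verdict of none-found only means these specific files and this process name are absent for the current user.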

You should also remove the HandBrake app from your Mac, of course, and obtain an uninfected copy. If you use Time Machine or another regular backup routine, consider getting rid of copies of the app that are stored in your backups as part of this process.

A quick way to do this is to press Alt+⌘+Spacebar to open a search window in Finder, type handbrake in its search bar, then click the + to add a rule and set it to “Kind is Application.”

Next, use Spotlight to find and open Time Machine, press ⌘+A to select all instances of the HandBrake app in the search window (which will have remained open), then click the cog in the window’s toolbar and choose “Delete All Backups of <some file name or number of items>.” Leave Time Machine and repeat the Finder search, but instead of “Application” as the kind of file, choose “Other” and type disk image. You might want to delete all copies, including backups, of HandBrake 1.0.7’s disk image using the same techniques. For further details and updates, go to tinyurl.com/m4fb3hn.

In general, whenever you’re downloading files from places outside the Mac App Store, see whether the publisher provides a checksum for each file to enable you to check the original hasn’t been tampered with. This may not protect you against a concerted attack in which a downloadable file and the checksum on its official site are both compromised – though such instances are, thankfully, pretty rare.

See page 83 for steps to check a file against its published SHA-1 or SHA-256 checksum.
