Archive for May 8, 2017

Monday, May 8, 2017

foreach Using Objective-C Generics

Peter Steinberger shares an Objective-C macro that lets you write foreach (object, collection), where object gets the proper type based on the collection’s type parameter. The benefits: you save space and typing vs. a standard for loop, yet you still get static checking and auto-completion. The code ends up looking like my macro from the old days before NSFastEnumeration and for…in loops.
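One way such a macro can be built, as an added example (not Peter Steinberger's code, and not the macro from the post): `__typeof__` is applied to the expression `(collection).objectEnumerator.nextObject`, which is never evaluated but whose static type, thanks to Foundation's lightweight generics, is the collection's element type. The `totalLength` helper and the sample collections are assumptions made up for the illustration.

```objective-c
#import <Foundation/Foundation.h>

// foreach(element, collection): declares `element` with the collection's
// generic element type. NSArray<T> and NSSet<T> declare objectEnumerator
// as NSEnumerator<T> *, whose nextObject is typed T, so __typeof__ on the
// (unevaluated) expression yields T without any cast or repetition.
#define foreach(element, collection) \
    for (__typeof__((collection).objectEnumerator.nextObject) element in (collection))

// Hypothetical helper: `name` is statically NSString *, so the compiler
// checks the message send and Xcode completes it; a typo such as
// name.lenght is a compile error rather than a runtime crash.
static NSUInteger totalLength(NSArray<NSString *> *names) {
    NSUInteger total = 0;
    foreach (name, names) {
        total += name.length;
    }
    return total;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample input.
        NSArray<NSString *> *names = @[@"alpha", @"beta"];
        NSLog(@"total length: %lu", (unsigned long)totalLength(names));

        // Works for NSSet<T> as well; `port` is NSNumber *.
        NSSet<NSNumber *> *ports = [NSSet setWithArray:@[@22, @443]];
        foreach (port, ports) {
            NSLog(@"port %d", port.intValue);
        }

        // Caveat: fast enumeration over an NSDictionary yields keys, but its
        // objectEnumerator is typed for values, so enumerate allKeys instead
        // to get `key` typed as NSString *.
        NSDictionary<NSString *, NSNumber *> *limits = @{@"cpu": @2};
        foreach (key, limits.allKeys) {
            NSLog(@"%@ = %@", key, limits[key]);
        }
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation foreach.m -o foreach`. Because `__typeof__` never evaluates its operand, the macro adds no runtime cost over a plain `for … in` loop; it only changes what the compiler knows about `element`.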

HandBrake Proton Trojan

HandBrake (Hacker News, MacRumors):

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.

[…]

Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don’t pass.
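The checksum verification the advisory asks for, as an added example rather than anything from the HandBrake project: it streams the downloaded file through CommonCrypto's SHA-256, hex-encodes the digest and compares it with the value the project publishes. The function names, the usage text and the expectation that the published value is copied from the project's own page (not from the same mirror that served the download) are assumptions of this example; on the command line, `shasum -a 256 <file>` produces the same hex string.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonDigest.h>

// Hex-encoded SHA-256 of the file at `path`, or nil if it cannot be read.
// The file is hashed in 1 MiB chunks so size is not limited by CC_LONG.
static NSString *sha256HexOfFile(NSString *path) {
    NSFileHandle *fh = [NSFileHandle fileHandleForReadingAtPath:path];
    if (!fh) return nil;

    CC_SHA256_CTX ctx;
    CC_SHA256_Init(&ctx);
    NSData *chunk;
    while ((chunk = [fh readDataOfLength:1 << 20]).length > 0) {
        CC_SHA256_Update(&ctx, chunk.bytes, (CC_LONG)chunk.length);
    }
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256_Final(digest, &ctx);

    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (size_t i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    return hex;
}

// YES only if the file hashes to the published value. Whitespace and case
// are normalised so a value pasted from a web page still compares equal.
static BOOL downloadMatchesPublishedChecksum(NSString *path, NSString *publishedHex) {
    NSString *actual = sha256HexOfFile(path);
    if (!actual) return NO;
    NSString *expected = [[publishedHex stringByTrimmingCharactersInSet:
                           NSCharacterSet.whitespaceAndNewlineCharacterSet] lowercaseString];
    return [actual isEqualToString:expected];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 3) {
            fprintf(stderr, "usage: verify <downloaded file> <published sha256 hex>\n");
            return 2;
        }
        NSString *path = @(argv[1]);
        NSString *published = @(argv[2]);  // e.g. the value from the project's download page
        if (downloadMatchesPublishedChecksum(path, published)) {
            printf("OK: %s matches the published SHA-256\n", argv[1]);
            return 0;
        }
        printf("MISMATCH: %s does not match; do not open it\n", argv[1]);
        return 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation verify.m -o verify`. A matching hash only proves the file is the one the project published; that is exactly the property a compromised mirror breaks, and it is why the in-app updater's DSA signature check mentioned above is the stronger defence, since a signature cannot be regenerated by whoever controls the download server.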

Patrick Wardle:

So yah, when run, the infected Handbrake application:

  1. unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app. This ‘nib’ is a password protected zip file whose password is: qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ
  2. launches (opens) /tmp/HandBrake.app

Once the /tmp/HandBrake.app is launched, it displays a (fake) authentication popup - which is how the malware attempts to elevate its privileges[…]

Thomas Reed:

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

[…]

This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

Howard Oakley:

Apple has, over the last twenty-four hours or so, pushed another update to the XProtect data for macOS Sierra and, presumably, El Capitan.

Last year, something similar happened with Transmission, also from Eric Petit. However, the hacked Transmission was signed for Gatekeeper, whereas the hacked HandBrake was unsigned, like the normal HandBrake.

HandBrake:

The HandBrake Team is independent of the Transmission Developers. The projects share history in the sense that the same author created these apps, but he is not part of the current HandBrake team of developers.

We do not share our virtual machines with the Transmission project.