Monday, May 8, 2017

HandBrake Proton Trojan

HandBrake (Hacker News, MacRumors):

Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.

Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.

[…]

Downloads via the application’s built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don’t pass.

Patrick Wardle:

So yah, when run, the infected Handbrake application:

  1. unzips Contents/Resources/HBPlayerHUDMainController.nib to /tmp/HandBrake.app. This ‘nib’ is a password-protected zip file whose password is: qzyuzacCELFEYiJ52mhjEC7HYl4eUPAR1EEf63oQ5iTkuNIhzRk2JUKF4IXTRdiQ
  2. launches (opens) /tmp/HandBrake.app

Once the /tmp/HandBrake.app is launched, it displays a (fake) authentication popup - which is how the malware attempts to elevate its privileges[…]
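A defender’s check for the two file-system artefacts Wardle describes, as an added shell example (not code from Wardle or from this post): a genuine `.nib` resource is a plist or NIB archive, whereas the trojanised build shipped a zip archive under that name, and zip files begin with the bytes `PK`; the unpacked payload is dropped at /tmp/HandBrake.app. The function names, the optional second argument (so the dropped-copy path can be pointed at a test directory) and the magic-byte test are this example’s own assumptions.

```shell
# Added example: look for the HandBrake Proton indicators quoted above.
# Usage: check_handbrake_bundle <path/to/HandBrake.app> [dropped-copy-path]
# Exit status: 0 if neither indicator is present, 1 if either is.

NIB_PATH="Contents/Resources/HBPlayerHUDMainController.nib"

# Print "zip" if a file starts with the zip magic bytes "PK", "other" otherwise.
# od is used so binary content never reaches a shell string directly.
file_kind() {
    magic=$(head -c 2 "$1" 2>/dev/null | od -An -c | tr -d ' \t\n')
    if [ "$magic" = "PK" ]; then echo zip; else echo other; fi
}

check_handbrake_bundle() {
    bundle=$1
    dropped=${2:-/tmp/HandBrake.app}   # where the infected app unzips its payload
    suspicious=0
    nib="$bundle/$NIB_PATH"
    # Indicator 1: the nib resource is really a zip archive.
    if [ -f "$nib" ] && [ "$(file_kind "$nib")" = "zip" ]; then
        echo "SUSPICIOUS: $nib is a zip archive, not a nib"
        suspicious=1
    fi
    # Indicator 2: the unpacked second-stage bundle is present.
    if [ -d "$dropped" ]; then
        echo "SUSPICIOUS: $dropped exists (dropped payload location)"
        suspicious=1
    fi
    if [ "$suspicious" -eq 0 ]; then
        echo "no indicators found in $bundle"
    fi
    return $suspicious
}

# Example call:
# check_handbrake_bundle /Applications/HandBrake.app
```

A clean result from this check only says these two artefacts are absent; it does not prove the machine was never infected, since the payload also installs persistence in the user’s home directory and can be removed or renamed after the fact.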

Thomas Reed:

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

[…]

This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

Howard Oakley:

Apple has, over the last twenty-four hours or so, pushed another update to the XProtect data for macOS Sierra and, presumably, El Capitan.

Last year, something similar happened with Transmission, also from Eric Petit. However, the hacked Transmission was signed for Gatekeeper, whereas the hacked HandBrake was unsigned, like the normal HandBrake.

HandBrake:

The HandBrake Team is independent of the Transmission Developers. The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers.

We do not share our virtual machines with the Transmission project.

Update (2017-05-17): Steven Frank (Hacker News):

In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned.

Long story short, somebody, somewhere, now has quite a bit of source code to several of our apps.
