Det populära programmet Handbrake har drabbats av ett intrång och den legala och korrekta versionen av programmet har bytts ut mot en version som innehåller en trojan.
Den officiella sidan och webbplatsen har hackats samt minst en av Handbrakes nedladdningsplatser.
According to the HandBrake team, their servers were compromised between May 2, 2017, 14:30 UTC and May 6, 2017, 1:00 UTC. Users who downloaded HandBrake for Mac 1.0.7 are most likely compromised.
“If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected,” HandBrake developers say.
The SHA256 of the infected HandBrake file is 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793. A VirusTotal scan of this file doesn’t list any infection, but this was one of Proton’s advertised features, as being “undetectable.”
Users who updated to HandBrake 1.0.7 are safe, as the updater uses DSA signatures to verify the downloaded files. The DSA signature check was introduced in HandBrake 0.10.6, so users who updated from an earlier version should check their systems if they’ve been compromised.
The HandBrake team provides the following removal instructions:
Step 1: Open the “Terminal” application and run the following command:
launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Step 2: Run the following command:
rm -rf ~/Library/RenderFiles/activity_agent.app
Step 3: If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.
Step 4: Remove any “HandBrake.app” installs you may have.
“Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores,” the app developers also added.
The HandBrake team has taken the affected download mirror server offline for an investigation. During this time, the team said HandBrake app downloads would run slower.