
Alert to Mac users


A few days ago, the HandBrake team warned its users that one of its mirror servers had been taken over by hackers. HandBrake is an open source video transcoder app that converts video from one format to another. The team has warned its Mac users to uninstall the malicious version.

On 6 May, the team warned its users about this security flaw in its servers. According to the HandBrake team, an unknown hacker or group of hackers compromised one of its download mirror servers (download.handbrake.fr) and replaced the Mac version of the HandBrake client (HandBrake-1.0.7.dmg) with a malicious version that includes the latest version of Proton. Proton is a Mac-based trojan that was first discovered on a Russian underground hacking forum in February. It is designed to give the attacker root access to the infected system.

The affected server has been deactivated for further investigation, but the team still warns that 'Users who had downloaded HandBrake for Mac from the infected server between 2 May and 6 May, 2017, have a "50/50 chance" of getting their Mac infected by Proton.'

The team also provided instructions for checking whether a system has been infected. If the OS X Activity Monitor application shows a process called 'Activity agent', the system is infected with Proton. The infection can also be identified by checking the hashes of the downloaded software. The checksums are:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274
SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

If you have downloaded and installed software that matches the checksums above, your system is infected with the trojan.

The team has also published instructions for removing Proton from an infected system:

Step 1: Open the "Terminal" application and run the following commands:

    launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
    rm -rf ~/Library/RenderFiles/activity_agent.app

Step 2: If ~/Library/VideoFrameworks/ includes proton.zip, remove the folder.

Step 3: After this, remove all installations of HandBrake from the system.

As a security measure, go to the settings and change the passwords that were stored in the OS X keychain and in browser password stores.

Meanwhile, users who updated to HandBrake version 1.0 or above were not affected by this issue, because it uses DSA signatures to verify the downloaded files.

This is an alert to Mac users who have, knowingly or unknowingly, installed a copy of the HandBrake transcoder app that has been infected with a dangerous remote access trojan.
