from Hacker News

Recent version of Handbrake download infected with malware

by zalmoxes on 5/6/17, 7:23 PM with 211 comments

  • by rasmi on 5/6/17, 7:45 PM

    Something similar has happened with Transmission's download DMGs being replaced on their servers [1] (twice! [2]) in recent memory.

    [1] https://news.ycombinator.com/item?id=11234589

    [2] https://news.ycombinator.com/item?id=12403768

  • by vomitcuddle on 5/6/17, 8:36 PM

    I'm going to take this opportunity to plug my favourite open source project - the Nix package manager[1].

    It can work as a universal homebrew replacement (works on MacOS, Linux, WSL and can be easily ported to most BSD variants), comes with a huge collection of packages[2] and produces its own reproducible source builds. Like homebrew, it's a hybrid source and binary based package manager (if you haven't done anything to modify the build, it will likely be downloaded from a cache of pre-built binaries[3]). Unlike something like homebrew-cask, it will never download the pre-built .dmg file from the developer's website - with the obvious exception of proprietary software.

    It can also work as a great AUR/ports replacement on Linux systems. Fedora doesn't provide FFmpeg or an up-to-date version of a package you need? No problem, just get it from Nix! All the advantages of a rolling release distro, without actually having to use one.

    Due to its functional nature, it comes with a wealth of advantages over homebrew and other traditional package managers[4]. Once you get past the learning curve, creating your own packages or modifying existing ones is a breeze. It can create disposable development environments with dependencies of whatever project you're working on, without having to install them in your system or user profile! Check out the Nix manual[5] for more information.

    It's so flexible that people have built a Linux distribution where your entire system configuration is a Nix derivation (package) - with atomic upgrades, rollbacks, reproducible configuration and much more! [6]

    [1] https://nixos.org/nix/

    [2] https://nixos.org/nixos/packages.html

    [3] https://hydra.nixos.org/

    [4] https://nixos.org/nix/about.html

    [5] https://nixos.org/nix/manual/

    [6] https://nixos.org/nixos/about.html

  • by abalone on 5/7/17, 1:34 AM

    Did the author not sign the binary?[1] Why not?

    Is it really just because of the $99/yr developer program fee? And if so.. is it starting to sound like a better value now?

    [1] https://developer.apple.com/library/content/documentation/Se...

  • by oceanghost on 5/6/17, 10:39 PM

    God dammit. I downloaded this a few days ago and sure enough, I'm infected. What are reasonable mitigation steps to prevent this in the future? I noticed handbrake said it must "install additional codecs" which is mighty odd, but I didn't think much of it at the time.

    Is there a security product on OSX that would have prevented this?

  • by asmosoinio on 5/6/17, 7:43 PM

    " Further Actions Required

    Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores."

    That sounds like a very large exercise...

  • by theunixbeard on 5/7/17, 2:37 AM

    Looks like the XProton malware is a RAT.

    Full description here:

    https://www.cybersixgill.com/wp-content/uploads/2017/02/0207...

  • by plg on 5/6/17, 7:45 PM

I don't understand how I'm supposed to verify the checksum if I've already installed (and run) the HandBrake.app ... and long since deleted the .dmg installer file?

  • by soraminazuki on 5/7/17, 4:32 AM

I think the main concern here is the state of GUI apps in macOS and Windows. Popular apps on these platforms are mostly closed-source, even for personal side projects. For the few open source GUI apps, no package manager provides support for building GUI apps from source. I wish package managers would make it easier to build GUI apps from source, or even provide their own binary packages for GUI apps. I really feel reluctant to install most GUI apps on macOS and Windows because I can't trust that the build/distribution platforms for these apps are properly secured.

  • by ricardobeat on 5/6/17, 7:39 PM

  • by noobermin on 5/6/17, 7:55 PM

Usually package managers on Linux distros, to use an example for comparison, tend to check checksums of downloads for security purposes during any installation. For MacOS users, I guess I understand they want to use software not blessed by Apple, but then isn't homebrew or whatever supposed to do the same thing?

  • by leonroy on 5/7/17, 2:25 PM

    Yikes. Missed this by 1 day. I updated Handbrake to 1.0.7 on 1st May to compress a bunch of videos. Was a little surprised to see it wasn't signed but after scanning it with ClamXav I figured I was safe and installed it on every Mac in the house so I could crank through my project faster.

    If I understand correctly even if I had in fact downloaded the compromised version ClamXav wouldn't have detected the malware?

    This kind of stuff is extremely worrying and really strengthens Apple's case for signed application binaries across the board.

    Are package managers like Homebrew and MacPorts not also susceptible to this kind of binary poisoning?

  • by atmosx on 5/6/17, 7:54 PM

I can't believe this. I literally downloaded handbrake like 45 minutes ago! Luckily I got the proper version, but boy oh boy, it was a close call. I think I'll reinstall ClamXav on all my macs.

  • by JohnTHaller on 5/7/17, 4:07 AM

    There's a quick analysis of it here: https://objective-see.com/blog/blog_0x1D.html

Along with the fact that Apple updated the built-in sorta-antivirus in MacOS to detect it. But it only detects a SHA1 hash of the original DMG. If someone rebuilds the DMG or puts the malware with another app and builds a DMG, it'll bypass the MacOS sorta-antivirus.

  • by nly on 5/6/17, 8:06 PM

Aren't the dmgs digitally signed?

  • by PhantomGremlin on 5/6/17, 10:46 PM

    What about creating different users on a MacOS system to do different things? Wouldn't this mitigate exploits like this?

    Why shouldn't I create a "Tommy Transcoder" user on my system? That user would have the Handbrake app in his own Application folder. I assume that Handbrake will run correctly without needing to be installed in the system /Applications?

    I already do this for a few items of software. Maybe it should be SOP to do this for most/all software?

    Or what about installing most apps into virtual machines and using VMWare to run them?

    I do recognize that such an approach couldn't be used universally. E.g. VMWare itself must run on the native machine, and with elevated privileges.

    I'm interested in "defense in depth". No single technique can defend against all possible exploits.

  • by riobard on 5/7/17, 5:53 AM

The SHA hash of the dmg file is useless. Who still keeps the dmg file? I need a way to verify the app itself is compromised.

  • by joshua_wold on 5/9/17, 1:37 AM
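plg and riobard raise the same gap: once the .dmg is gone, a published checksum of the installer verifies nothing about what is actually running. The following is an added example (not from the thread or from the HandBrake project) of the alternative they are asking for: hashing every file inside an installed .app bundle and diffing the result against a manifest the developer would have published at release time. The manifest format is hypothetical, and the bundle contents are constructed inline; on a signed app, `codesign --verify --deep` performs this comparison against the embedded code signature.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def bundle_manifest(bundle_dir):
    """Map each regular file's bundle-relative path to its SHA-256.
    Symlinks are skipped so a link pointing outside the bundle cannot
    be made to 'match' a legitimate file."""
    root = Path(bundle_dir)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(expected, actual):
    """Return (modified, missing, extra) bundle-relative paths.
    'extra' matters as much as 'modified': a dropped helper binary
    leaves every original file intact."""
    modified = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    missing = sorted(k for k in expected if k not in actual)
    extra = sorted(k for k in actual if k not in expected)
    return modified, missing, extra


def demo():
    """Constructed bundle: record a manifest, tamper, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        contents = Path(tmp) / "HandBrake.app" / "Contents"
        (contents / "MacOS").mkdir(parents=True)
        (contents / "Info.plist").write_text("<plist/>")
        (contents / "MacOS" / "HandBrake").write_bytes(b"genuine build")
        expected = bundle_manifest(contents.parent)  # what the developer would publish
        # constructed tampering: swap the main binary, add a dropped helper
        (contents / "MacOS" / "HandBrake").write_bytes(b"trojaned build")
        (contents / "Resources").mkdir()
        (contents / "Resources" / "dropped_helper").write_bytes(b"payload")
        return compare_manifests(expected, bundle_manifest(contents.parent))
```

A manifest only helps if it is fetched over a channel independent of the mirror that served the download, which is exactly the property the compromised mirror in this incident lacked.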

Did this affect Handbrake installs that were checking for updates or only newly downloaded installs?

  • by nnutter on 5/6/17, 7:45 PM

Didn't this also happen somewhat recently? How can this be prevented? The window could be reduced by actively monitoring mirrors? Could BitTorrent help mitigate this because the torrent file validates data and isn't under the control of the parties?

  • by HedleyLamar on 5/7/17, 3:54 AM

How does this happen? Even if installed, doesn't Mac's secure operating system prevent user programs from accessing passwords?

  • by Angostura on 5/7/17, 5:40 AM

    The most important bit of the advice - change all your passwords in keychain.

    To coin a phrase - oh shit

  • by mikewhy on 5/6/17, 9:36 PM

    > The Download Mirror Server is going to be completely rebuilt from scratch.

    Am I alone in thinking that this is irresponsible? Why not move releases to github?

    Why aren't you going to start signing macOS binaries? I find this offensive. Thanks for potentially compromising users because you couldn't be arsed to pay for a certificate.

  • by kefka on 5/6/17, 8:03 PM

Sigh... This could be somewhat repaired by making a beta-release, distributing to devs and testers. Once confirmed good, rename the file and release via IPFS. The key here is that if multiple devs did this, the hashsum would prove the file being shared.

Any one client that's been hacked or infected would show up as an improper hash and be easily spotted.