Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security Privacy

HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised ( 22

HandBrake team, writing on their forum: Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period. If you see a process called "Activity_agent" in the OSX Activity Monitor application. You are infected. HandBrake is a popular, open-source video conversion tool. The team hasn't issued any advisory for Windows users.
This discussion has been archived. No new comments can be posted.

HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised

Comments Filter:
  • Actibity_agent (Score:4, Informative)

    by Anonymous Coward on Sunday May 07, 2017 @03:26AM (#54370199)

    Do not confuse Activity_agent with "Activity Monitor", which is a perfectly legitimate process and part of the core Mac OS tools.
    The trojan was likely named thus in order to maximize the potential for confusion.

    • by Anonymous Coward

      The team hasn't issued any advisory for Windows users.

      The team also hasn't issued any advisory for Linux users. Just Mac users, largely because they're FOSS, and can't afford (or don't want) the "developer" license from Apple.

      • by Anonymous Coward

        Apple developer licenses [] are ridiculously cheap when compared to most other companies. It's 99 USD/year for a macOS or iOS license. The 299 USD license is only if you intend to develop in-house apps that you distribute and update internally. The bigger headache for most FOSS teams is that they either have to register the license to an individual or to an organization. Registering under an individual is quick/easy but can be problematic if something happens to that person or they decide to hijack the pro

    • Shortly after the HandBrake team reported this to Apple, an updated XProtect version (2091) was rolled out which adds detection signatures for "OSX.Proton.B".

      To check if you have the update, enter the following command into Terminal:

      defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

      2091 (or later) should be automatically installed, assuming that you have "Automatically check for updates" and "Install system data files and security updates" selected in

  • by rsmith-mac ( 639075 ) on Sunday May 07, 2017 @06:06AM (#54370473)

    Does anyone know if the fake Handbrake was signed with a macOS developer certificate? That's generally not been the case for malware. Which means that this should have been rejected by most systems.

    • Re:Was It Signed? (Score:4, Informative)

      by Midnight Thunder ( 17205 ) on Sunday May 07, 2017 @10:42AM (#54371091) Homepage Journal

      Handbrake is not signed, but they are interested in having it signed in the future.

      The challenge is they are neither an organisation or an individual developer. To be recognised as a legitimate organisation you need a DUNS [] and go through the required paper work. This leaves them with the individual developer approach, which would probably require a trusted person, part of the inner team that would sign on behalf of the team. There are risks of course, but not many good alternatives.

      I am wondering whether in the future the FSF could act as the necessary 'organisation', but then it is trying to work out the paper work, how to avoid abuse and what the cost would be. Yet another alternative would be for Apple to suggest a workable alternative. Maybe a notion of a team certificate, but with extra background checks? I am sure there are other good ideas out there.

      • by jeremyp ( 130771 )

        They should set up an individual account owned by one of the people authorised to create the SHA signatures and give the login details to all the other people so authorised. It seems pretty straight forward to me.

        • They are looking at something like this, but it is just ensuring the right checks and balances are in place. One thing we may see is VideoLAN (organisation responsible for VLC) offering to sign on behalf of the project. There is discussion here, but nothing is official at this point.

  • Summary from Article (Score:5, Informative)

    by CanadianMacFan ( 1900244 ) on Sunday May 07, 2017 @08:12AM (#54370717)

    - HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: []

    - The Affected Download mirror ( has been shutdown for investigation.

    - The Primary Download Mirror and website were unaffected.

    - Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.

    - Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases

    • by Anonymous Coward

      What if we don't have the ".dmg" anymore and have already dragged it into /Applications? Where is the checksum for the actual ".app" package? What infection files should we be looking for?

      BTW, I dragged Handbrake into a VM before using it. It is possible that I launched it before I dragged it into the VM though, but I would not have entered my admin password if it prompted me for that.

Adding manpower to a late software project makes it later. -- F. Brooks, "The Mythical Man-Month"