
New Mac malware propagates through popular DVD ripping software

By Liu Hongzuo - on 11 May 2017, 11:49am


Logo of HandBrake, the DVD ripping software that was targeted by Proton (malware).

Some Mac users may have fallen victim to a new Mac malware called Proton. Over the weekend, the malware infected unsuspecting users by hitching a ride on a trusted server that hosted downloads for HandBrake, a popular DVD ripper and media encoding program. The malware provides a backdoor for malicious activity, such as stealing stored files.

At the point of propagation, none of the 55 most widely-used antivirus services detected Proton. As of writing, the VirusTotal tracking website showed only 12 services that are capable of picking up on the new malware. Researcher Patrick Wardle has plenty of other Proton details listed on his blog.

According to Ars Technica, the folks maintaining the HandBrake download mirrors said that one of their two servers was compromised by the malware. There is a 50% chance for a Mac user who downloaded HandBrake between 2nd May and 6th May 2017 to be infected with Proton.

 

Babe, I think I caught something…

To check for the malware on your Mac, you can do a simple checksum verification by opening Terminal on your Mac and typing the following:

shasum /path/to/HandBrake-1.0.7.dmg

“/path/to/” refers to the location and filename of your HandBrake installer (.dmg) file.

Alternatively, you can type “shasum” within Terminal and drag the file to the Terminal window. If it returns:

0935a43ca90c6c419a49e4f8f1d75e68cd70b274

You’ve struck the lottery. Remove the malware as soon as possible. To disinfect the Mac, you can remove the following Launch Agent plist file:

fr.handbrake.activity_agent.plist

Also remove the following file from your ~/Library/RenderFiles/ location:

activity_agent.app

Then proceed to nuke (reset) your Mac and change all passwords.

According to Ars Technica, Proton is a general-purpose backdoor malware that’s on sale on the Dark Web for as much as US$63,000. It offers keylogging, remote access, stealing of files, and the ability to take and upload webcam or screenshot video and images.

Last year, a popular torrenting app (Transmission) was also hacked to spread one of the first known pieces of Mac-targeting ransomware. In both instances, Eric Petit was the original developer of the legitimate HandBrake and Transmission apps.

Source: Ars Technica, Patrick Wardle (blog)