(pc-Google Images)

After the warning from Checkpoint to users regarding a first of a kind Trojan spreading in Europe, Mac security has been going through some tough times. The latest malware problem has been found in one of the most prominent video transcoding apps for Mac.

The warning was issued by the developers of the software Handbrake mentioning that one of the mirror sites to download the software has been compromised. The warning is only for users who may have downloaded the software between 2nd-6th May with a 50% chance of being infected.

The installer file on the mirror server download.handbrake.fr (HandBrake-1.0.7.dmg) was replaced by a malicious file, which gives the hacker root access privileges to the system. The malware is a variant of OSX.PROTON. Apple had issued an update to XProtect in February to account for the original Proton. The latest variant should automatically download for more users.

Following the process of detection and removal of the malware:

Detection

Your device is infected if you see a process called “Activity_agent” in the OSX Activity Monitor application. For instance, if you’ve installed a HandBrake.dmg with the following checksums, you will also be infected:

SHA1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

The Trojan in question is a new variant of OSX.PROTON

Removal

Open up the “Terminal” application and run the following commands:

launchctl      unload          ~/Library/LaunchAgents/fr.handbrake.activity_agent.plistrm     -rf ~/Library/RenderFiles/activity_agent.appif ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then Remove any “HandBrake.app” installs you may have.

Although primary mirror site and the automatic updater on versions 1.0 or later haven’t been affected, users of Handbrake should just be careful. As a safety measure, it is suggested that users change all passwords stored in any OSX or browser keychains.



Source link