HandBrake server hacked: Mac users warned of trojan

Popular video software HandBrake has been compromised and some users are paying the price. The company has revealed that one of its mirror servers was hacked and that the video software was replaced with a trojan. This apparently only affects the Mac version of HandBrake, and only those who downloaded the software from the download.handbrake.fr mirror server. The trojan was live from May 2 to May 6 before being discovered and removed.

The compromised nature of the server was announced on the HandBrake forums, where the team behind the software posted a notice saying that anyone who downloaded the application between May 2 and May 6 should verify that they weren't infected with the trojan. This can be done by verifying the SHA1 / 256 sum of the file before you install it onto your Mac.

If you've already installed the software, open Activity Monitor and look for a process called 'Activity_Agent.' If you see this, it means you installed the trojan, which itself is said to be a variant of the OSX.PROTON malware. If you do find the process in Activity Monitor, HandBrake explains the following process for removing it:

Open up the "Terminal" application and run the following commands:

- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist

- rm -rf ~/Library/RenderFiles/activity_agent.app

- if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

Then Remove any "HandBrake.app" installs you may have

Because the trojan comprises users' passwords, anyone who is infected is advised to change all of their passwords that are stored in the browser or in the OS X KeyChain. Meanwhile, HandBrake says that its Download Mirror Server is being 'completely rebuilt from scratch' to deal with the issue. If you need to download the software and the new version is too slow, grab the older version until the server is back up and running.

SOURCE: Handbrake