Popular DVD-ripping app HandBrake hacked to carry malware

By JC Torres/May 9, 2017 4:45 am EST

As if it weren't already difficult enough to steer clear of suspicious downloaded programs, some hackers have managed to infiltrate even legitimate sources of software to turn them into sources of malware. That was the case last week when it was discovered that HandBrake, a popular open source DVD-ripping and transcoding program, was carrying and installing the OSX.Proton malware through no fault of HandBrake itself. It's all because someone managed to hack HandBrake's website and replace a legit copy of the program with an infected one.

The telltale sign of a malware-infected copy of HandBrake would have escaped casual macOS users. When run, the fake copy of HandBrake would ask for admin privileges, something the untainted program never did and never needed to do. If the unsuspecting user did enter the requested credentials, consider the Mac compromised.

The good news is that the false copy of HandBrake has now been removed from the source's website and replaced with a clean one. The bad news is that the situation isn't as simple. Many software sites provide checksums that users can use to validate that the copy they downloaded matches what the software authors uploaded. If the checksum doesn't match, then the downloaded is either corrupted or you got a potentially tampered package.

In normal cases, that would be enough of a safeguard. But in this particular situation, it was the website itself that was hacked. In other words, the hacker could have also replaced those checksums with his or her own tainted signatures. Unless HandBrake has figured out how the hack took place and have installed necessary safeguards, users have very little assurance at this point.

OSX.Proton is a somewhat known malware that installs a backdoor on Macs. The slightly good news is that Proton itself appears to have been pretty buggy and unreliable, sometimes failing to install its payload. It's almost a stroke of bad luck that HandBrake happens to be the second software from the same developer, the first being BitTorrent client Transmission, to be hacked and used in this way.

SOURCE: Malwarebytes