
Recent version of Handbrake download infected with malware - zalmoxes
https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
======
rasmi
Something similar has happened with Transmission's download DMGs being
replaced on their servers [1] (twice! [2]) in recent memory.

[1]
[https://news.ycombinator.com/item?id=11234589](https://news.ycombinator.com/item?id=11234589)

[2]
[https://news.ycombinator.com/item?id=12403768](https://news.ycombinator.com/item?id=12403768)

~~~
tehabe
The original developer of Transmission and Handbrake is the same, IIRC. I hope
this is just a coincidence.

~~~
tyingq
Coincidence seems unlikely, doesn't it? Same compromised admin level password,
or same vector/hole in 2 places seems likely to me.

~~~
dmix
Could be the same hacker just continuing to prod his lazy security practices.
Or exploiting existing knowledge of his systems to bypass new layers.

Or he exposed himself on criminal hacking forums as an easy mark. But this is
purely baseless conjecture.

------
vomitcuddle
I'm going to take this opportunity to plug my favourite open source project -
the Nix package manager[1].

It can work as a universal homebrew replacement (works on MacOS, Linux, WSL
and can be easily ported to most BSD variants), comes with a huge collection
of packages[2] and produces _its own reproducible source builds_. Like
homebrew, it's a hybrid source and binary based package manager (if you
haven't done anything to modify the build, it will likely be downloaded from a
cache of pre-built binaries[3]). Unlike something like homebrew-cask, it will
never download the pre-built .dmg file from the developer's website - with the
obvious exception of proprietary software.

It can also work as a great AUR/ports replacement on Linux systems. Fedora
doesn't provide FFmpeg or an up-to-date version of a package you need? No
problem, just get it from Nix! All the advantages of a rolling release distro,
without actually having to use one.

Due to its functional nature, it comes with a wealth of advantages over
homebrew and other traditional package managers[4]. Once you get past the
learning curve, creating your own packages or modifying existing ones is a
breeze. It can create disposable development environments with dependencies of
whatever project you're working on, without having to install them in your
system or user profile! Check out the Nix manual[5] for more information.

It's so flexible that people have built a Linux distribution where your entire
system configuration is a Nix derivation (package) - with atomic upgrades,
rollbacks, reproducible configuration and much more! [6]

[1] [https://nixos.org/nix/](https://nixos.org/nix/)

[2]
[https://nixos.org/nixos/packages.html](https://nixos.org/nixos/packages.html)

[3] [https://hydra.nixos.org/](https://hydra.nixos.org/)

[4] [https://nixos.org/nix/about.html](https://nixos.org/nix/about.html)

[5] [https://nixos.org/nix/manual/](https://nixos.org/nix/manual/)

[6] [https://nixos.org/nixos/about.html](https://nixos.org/nixos/about.html)

~~~
nagvx
If we're plugging functional package management, we may as well mention the
other significant project in this space - Guix:

[https://www.gnu.org/software/guix/download/](https://www.gnu.org/software/guix/download/)

Essentially, all the benefits touted above apply here, but it is worth noting
that Guix is a younger project. The author was originally a Nix dev, but found
the DSL to be too awkward to use in practice, and opted to use Scheme through
and through. Yes, Emacs bindings are available.

Also, Guix can now produce Dockerfiles, if that floats your boat:

[https://www.gnu.org/software/guix/news/creating-bundles-with...](https://www.gnu.org/software/guix/news/creating-bundles-with-guix-pack.html)

~~~
type0
So Haskell users use NixOS and Scheme users use Guix?

~~~
drawnwren
It's not Haskell, strictly speaking. There are some weird global state
mutations in NixOS (i.e. the pkgs object) that aren't as intuitive as you'd
like. Also, the novel file structure makes composing packages that aren't
already built to do so quite difficult. Trying to get eclimd to work with
emacs and eclipse was a giant pain.

~~~
Profpatsch
There are no global state mutations in `pkgs`. All immutable parts are in
`impure.nix`, which already has a complete `pkgs`.

Maybe you are confusing state mutations with fixed points, which are used
extensively (thankfully).

~~~
drawnwren
There are no global state mutations in pkgs until you need a custom package,
and then you're overriding the global state with your own custom state.

~~~
vertex-four
That does not modify global state - it creates a new state from the old one +
your modifications.

~~~
dom0
In other words, it modifies global state.

~~~
vertex-four
I expect that your issue is more with the fact that there is a mega state
object that contains almost everything - not that it is somehow global, which
it isn't. You can't access it unless it is passed to you.

------
abalone
Did the author not sign the binary?[1] Why not?

Is it really just because of the $99/yr developer program fee? And if so... is
it starting to sound like a better value now?

[1]
[https://developer.apple.com/library/content/documentation/Se...](https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html)

~~~
voltagex_
$99 for Apple, $300+ for Windows. It adds up. I suspect Handbrake gets plenty
of donations, but most projects don't. Heaven help you if you want to build a
signed driver for Windows.

~~~
hirsin
$300 for Windows? Where does that come from? Submitting to the Store should
handle the signing for you (not that I know if it does).

~~~
i336_
I think this is for signing arbitrary EXEs. I'd always been curious how that
worked, TIL it's that expensive though :(

~~~
user5994461
It's peanuts to distribute your software to millions of people.

~~~
i336_
Yeah, fair point. I guess I was erroneously looking at that from the
standpoint of the financial scale I'm working with right now (don't have a
job, etc) and didn't catch myself. (Hmm. I'll keep an eye on that.)

If distributing a commercial (or enterprise) application then yeah it's
peanuts (or a rounding error). Good point.

~~~
user5994461
Related story about app stores.

There was a time when distributing content on Steam was free and anyone could
do it.

This resulted in a lot of shit stuff, copied materials and fraud being
distributed.

They introduced a $100 publication fee. As the story goes, it was very
effective to stop abuse.

~~~
i336_
Interesting tidbit to file away, thanks.

Irrefutable point though - it's one thing to want something for free as a
consumer, but quite a different story as a creator or developer. I totally get
the rationale behind charging to keep quality high.

Charging also creates a contract and with that contract be able to enforce a
minimum standard. That helps greatly too.

------
oceanghost
God dammit. I downloaded this a few days ago and sure enough, I'm infected.
What are reasonable mitigation steps to prevent this in the future? I noticed
handbrake said it must "install additional codecs" which is mighty odd, but I
didn't think much of it at the time.

Is there a security product on OSX that would have prevented this?

~~~
danieldk
_Is there a security product on OSX that would have prevented this?_

Little Flocker. Unfortunately, it was sold to F-Secure [1].

_I'm infected_

Personally, I would wipe the whole system (rather than just removing the
malware as in the steps that they describe) and change all credentials
(passwords, SSH keys, etc.).

[1] [https://9to5mac.com/2017/04/06/little-flocker-acquisition/](https://9to5mac.com/2017/04/06/little-flocker-acquisition/)

~~~
oceanghost
Ironically, the reason I didn't have Little Flocker installed... I had just
wiped my machine. When I reinstalled (the reason I redownloaded HB), Flocker
was no longer available.

------
asmosoinio
"Further Actions Required

Based on the information we have, you must also change all the passwords that
may reside in your OSX KeyChain or any browser password stores."

That sounds like a very large exercise...

~~~
tjoff
One very good reason to not rely on password managers...

That is not to say that there aren't many good reasons to do so, but the
password manager does become a very coveted target.

edit: Maybe I phrased that badly. It is a risk associated with password
managers that everyone who is using one should be aware of.

~~~
mikeash
What's the alternative? Using different passwords for every account is not
practical without some way to store them, and using the same password makes
you even more vulnerable. We could write them all down in a big book or
something, but that leaves us vulnerable to physical theft and loss.

~~~
codazoda
Two options come to mind, neither perfect, but options.

1. Use a password pattern. Something like 8 random digits that you memorize
and then part of the domain name or business name. Such as "goo" for google.
Put them in whatever order you like. Now you've memorized one pattern but use
a unique password everywhere.

2. Use a predictable algorithm instead of a password. There are web-based
services for this. You enter the domain name and then "encode" it to a
password. That is typically not reversible.

These fall down some when you have to change a password or when a system has
requirements that don't match your password (like requiring a number or
symbol). Other users will mention other limitations as well.

~~~
tambourine_man
That is an interesting idea. echo URL + password | sha/md5

Should be hard to crack and easy to remember.

Can anyone who actually knows this thing chime in?

~~~
danieldk
_That is an interesting idea. echo URL + password | sha/md5_

There are 'stateless' password managers that work that way. It does not really
protect against malware. If your user account is compromised by malware, what
holds them from reading out your password and applying the same procedure to
obtain password for interesting sites? You'll still be updating your password
everywhere.

What you want is a second factor that uses a challenge-response mechanism with
user interaction (e.g. U2F Yubikeys that require a finger press to start the
challenge-response).

~~~
rdslw
They can't. Prove me otherwise.

Even if they have the plaintext password (which is often not the case), this is
just shasum. Feel free to guess which password (and which exact scheme) I used
to generate my password for news.ycombinator.com, if (of course it's now not
like that :) it is:

bb05f766a74e6bf722136eaca97d9beb1fcc8f59d47c2d9e6eb1667d57c4cb82

You have now (after hacking the whole hackernews db) access to my password ONLY
for hackernews. Which was the original goal of the method: to use different
passwords at different sites, which if compromised (password), do not reveal
the scheme used to generate it for different sites.

~~~
danieldk
_bb05f766a74e6bf722136eaca97d9beb1fcc8f59d47c2d9e6eb1667d57c4cb82_

That's not the point. The malware would have access to your complete machine,
possibly with root privileges, what holds them from reading your master
password with a keylogger when you type it in?

It does not provide more security against trojans than a password manager.

~~~
rdslw
You didn't read my reply nor the parent thread.

I was replying solely and only to the accusation that after revealing the plain
text password on _one_ site (which was generated using said scheme) you
disclose every one.

This is simply not true.

In addition (but I didn't address that), there is no single keychain/password
store to steal by the trojan. I can use it anywhere, using only my head as a
'storage' machine.
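
The derivation scheme debated above (codazoda's "predictable algorithm", tambourine_man's `echo URL + password | sha`, and the rdslw/danieldk exchange about what a compromised site versus a compromised machine reveals), written out as an added example. This is not code posted by anyone in the thread. `derive_sha256` is the scheme exactly as described; `derive_hmac` is a hardened variant of my own design (HMAC keyed by the master, a rotation counter for forced password changes, and a tail forced into the usual character classes). The master secret and site names are constructed sample values.

```python
"""Stateless password derivation: per-site passwords computed from one master.

derive_sha256(): the thread's scheme, hex(sha256(URL + master)).
derive_hmac():   a hardened variant (my addition, not from the thread):
                 HMAC-SHA256 keyed by the master, site + rotation counter as
                 the message, output shaped to satisfy typical policies.
derive_all():    what anyone holding the master can do, which is the point the
                 thread makes about keyloggers: regenerate every site at once.
"""
import base64
import hashlib
import hmac
import string
from typing import Dict, List

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"


def derive_sha256(master: str, site: str) -> str:
    """The scheme as posted: hex(sha256(site || master))."""
    return hashlib.sha256((site + master).encode("utf-8")).hexdigest()


def derive_hmac(master: str, site: str, counter: int = 0, length: int = 20) -> str:
    """Hardened variant. The counter lets one site be rotated without changing
    the master. The last four characters are drawn from distinct classes so the
    result meets composition rules; they come from digest bytes, so the output
    is still fully determined by (master, site, counter)."""
    if not 8 <= length <= 47:
        raise ValueError("length must be between 8 and 47")
    # NUL separator keeps "site1" + "0" from colliding with a differently split input.
    msg = f"{site}\x00{counter}".encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
    body = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[: length - 4]
    tail = "".join(cls[b % len(cls)]
                   for cls, b in zip((LOWER, UPPER, DIGITS, SYMBOLS), digest[-4:]))
    return body + tail


def meets_policy(pw: str) -> bool:
    """True if pw has at least one lowercase, uppercase, digit and symbol."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def derive_all(master: str, sites: List[str]) -> Dict[str, str]:
    """Everything a keylogged master unlocks, with no vault to steal."""
    return {s: derive_hmac(master, s) for s in sites}


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("news.ycombinator.com", "example.com"):
        print(site, derive_sha256(master, site), derive_hmac(master, site))
    # Forced rotation on one site: bump its counter; every other site is unchanged.
    print("example.com (rotated)", derive_hmac(master, "example.com", counter=1))
```

Knowing one site's output tells an attacker nothing about the master or the other sites, which is rdslw's point; knowing the master (from a keylogger on a trojaned machine) regenerates all of them via `derive_all`, which is danieldk's. The counter addresses codazoda's "falls down when you have to change a password" case.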

------
theunixbeard
Looks like the XProton malware is a RAT.

Full description here:

[https://www.cybersixgill.com/wp-content/uploads/2017/02/0207...](https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf)

------
plg
I don't understand how I'm supposed to verify the checksum if I've already
installed (and run) the HandBrake.app ... and long since deleted the .dmg
installer file ????

~~~
luhn
You aren't. They describe how to check your system for the Trojan if you've
already run the installer.

~~~
plg
well aren't I the idiot

~~~
atmosx
No worries, happens to most of us ;-)

------
soraminazuki
I think the main concern here is the state of GUI apps in macOS and Windows.
Popular apps in these platforms are mostly closed-source, even for personal
side projects. For the few open source GUI apps, no package manager provides
support for building GUI apps from source. I wish package managers would make
it easier to build GUI apps from source, or even provide their own binary
packages for GUI apps. I really feel reluctant to install most GUI apps on
macOS and Windows because I can't trust that the build/distribution platforms
for these apps are properly secured.

~~~
Benjamin_Dobell
Being open source isn't going to stop someone replacing a download on a hacked
server.

Also, the package manager you're after is brew, specifically 'brew cask',
which installs GUI apps.

EDIT: By the way, building from source doesn't stop someone replacing the
source package the package manager uses. Sure you can look at the code in the
package, but are you going to? It's more likely you'd check the code on
Github, if at all.

~~~
soraminazuki
I'm mostly worried about the security of the build/distribution platform,
which is why I would prefer a reputable package manager to provide
binaries built and distributed using their own infrastructure. If this isn't
feasible, better support for building from source would at least ensure that
the binaries are correct, provided that your own computer isn't compromised.

Homebrew Cask currently can't address this kind of situation, since the binary
is still built and distributed from non-reputable sources.

The correctness of the source code itself is surely a problem, but it's better
than having to trust random binaries built and distributed from non-reputable
sources.

~~~
simooooo
The leakiness here was the Dev, would likely be the Dev again, just pre-github

------
ricardobeat
A working link:
[https://forum.handbrake.fr/viewtopic.php?f=33&t=36364](https://forum.handbrake.fr/viewtopic.php?f=33&t=36364)

~~~
zalmoxes
In case the site goes down:
[http://imgur.com/a/I6gpB](http://imgur.com/a/I6gpB)

------
noobermin
Usually package managers on linux distros, to use an example for comparison,
tend to check checksums of downloads for security purposes during any
installation. For MacOS users, I guess I understand they want to use software
not blessed by Apple, then isn't homebrew or whatever supposed to do the same
thing?

~~~
mikeash
Most Mac users don't use anything like Homebrew. Typically you just download
the software as a .zip file or equivalent, unpack it, and run it.

Apple does support code signatures for apps downloaded this way through their
Developer ID program, but you have to pay $99/year to be a member of their
developer program in order to do so.

In theory, you could still sign downloads using a code signing certificate you
got elsewhere, but the system wouldn't check it for you, and few people would
bother to do it manually.

~~~
zalmoxes
If you have Gatekeeper enabled (which it is by default), the system prevents
the user from running random unsigned apps.

~~~
mikeash
You can't turn Gatekeeper off anymore, at least not without using the command
line. You can bypass it on an app-by-app basis by just right-clicking an app
and selecting "Open" there, which is what you'd have to do if you're
downloading apps like Handbrake.
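
The two checks discussed in this sub-thread (a checksum on the download, and the Developer ID signature that Gatekeeper evaluates), as an added example; this is not HandBrake's code, Apple's, or anything posted above. The hashing part runs anywhere over a constructed stand-in file; `assess_app` shells out to Apple's `codesign` and `spctl`, which exist only on macOS, and returns `None` fields elsewhere. The app path in `__main__` is an assumption for illustration.

```python
"""Verify a macOS download and the signature of an installed app.

1. sha256 of the .dmg against the value the project publishes. This only helps
   if the published value comes from a channel the download server's attacker
   does not also control (signed release notes, a different host, a torrent).
2. codesign/spctl on the installed .app. This is the check Gatekeeper performs
   for you, but only when the app carries an Apple-issued signature.
"""
import hashlib
import hmac
import os
import platform
import subprocess
import tempfile
from typing import Dict, Optional


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB images do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """Constant-time compare; surrounding whitespace and case are tolerated."""
    return hmac.compare_digest(sha256_file(path), published_sha256.strip().lower())


def assess_app(app_path: str) -> Dict[str, Optional[object]]:
    """Run Apple's signature checks. All fields are None when not on macOS.

    codesign --verify exits 0 only for an intact, complete signature.
    spctl --assess exits 0 only if Gatekeeper would allow the app to run.
    codesign -dvv prints the certificate chain (Authority=...) on stderr.
    """
    if platform.system() != "Darwin":
        return {"signed": None, "gatekeeper_ok": None, "authorities": None}
    cs = subprocess.run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose=4", app_path],
                        capture_output=True, text=True)
    info = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    authorities = [line.split("=", 1)[1] for line in info.stderr.splitlines()
                   if line.startswith("Authority=")]
    return {"signed": cs.returncode == 0, "gatekeeper_ok": sp.returncode == 0,
            "authorities": authorities}


def demo_checksum() -> Dict[str, object]:
    """Self-contained run over a constructed file standing in for a .dmg."""
    fd, path = tempfile.mkstemp(suffix=".dmg")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")  # constructed content, not a real disk image
        published = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"
        tampered = "0" * 64
        return {"digest": sha256_file(path),
                "matches_published": verify_download(path, published),
                "matches_tampered": verify_download(path, tampered)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_checksum())
    print(assess_app("/Applications/HandBrake.app"))  # assumed install path
```

An unsigned app yields `signed == False` and `gatekeeper_ok == False` even when it is perfectly legitimate, which is why the right-click "Open" bypass described above is what users of unsigned software end up doing; the check distinguishes "signed by whom" from "safe" only as far as the Authority chain does.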

------
leonroy
Yikes. Missed this by 1 day. I updated Handbrake to 1.0.7 on 1st May to
compress a bunch of videos. Was a little surprised to see it wasn't signed but
after scanning it with ClamXav I figured I was safe and installed it on every
Mac in the house so I could crank through my project faster.

If I understand correctly even if I had in fact downloaded the compromised
version ClamXav wouldn't have detected the malware?

This kind of stuff is extremely worrying and really strengthens Apple's case
for signed application binaries across the board.

Are package managers like Homebrew and MacPorts not also susceptible to this
kind of binary poisoning?

------
atmosx
I can't believe this. I literally downloaded handbrake like 45 minutes ago!
Luckily I got the proper version, but boy oh boy, it was a close call. I think
I'll reinstall ClamXav on all my macs.

~~~
theGimp
The real problem is that you're trusting binaries you find on disparate
websites.

If you want to avoid these sorts of compromises, use a package manager or
check the hash of the downloaded file against one that you trust.

~~~
galad87
HomeBrew Cask updated the hash to the infected one, so in this case it has
been useless.

~~~
0x0
If you look at the history for handbrake in cask, it looks like it was first
updated to 1.0.7 with the correct hash, then later the hash was changed with
no version bump, and then reverted. That's crazy! Why didn't alarm bells go
off when the hash changed? [https://github.com/caskroom/homebrew-cask/commits/master/Cas...](https://github.com/caskroom/homebrew-cask/commits/master/Casks/handbrake.rb)

~~~
adriancooney
What the absolute heck. Literally just the hash was updated yet the version
stayed the same: [https://github.com/caskroom/homebrew-cask/commit/461af7672fa...](https://github.com/caskroom/homebrew-cask/commit/461af7672fa267ed42bd5572c20bf337cb4da87e#diff-d2016e0c3103c7993f5cec00fd000a23)
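
The alarm bell 0x0 asks for, as an added example (not code from the caskroom repository or from anyone in the thread): given successive revisions of a cask file, flag any transition where `sha256` changes while `version` stays put, which covers both the hash-only edit and the later revert, and also flag a revision that drops verification with `:no_check`. The cask texts below are constructed stand-ins with placeholder hashes and an example.com URL, not the real handbrake.rb revisions.

```python
"""Flag Homebrew cask revisions whose sha256 changed without a version bump.

Feed suspicious_transitions() the successive contents of a cask file (for
instance each revision from `git log -p -- Casks/foo.rb`, oldest first). A
normal upstream release moves version and sha256 together; a hash-only change
means the artifact behind an unchanged version string was replaced, which is
exactly what a swapped download would look like from the cask's side.
"""
import re
from typing import List, Optional, Tuple

_VERSION_RE = re.compile(r"^\s*version\s+['\"]([^'\"]+)['\"]", re.MULTILINE)
_SHA256_RE = re.compile(
    r"^\s*sha256\s+(?:['\"]([0-9a-fA-F]{64})['\"]|(:no_check))", re.MULTILINE)


def parse_cask(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (version, sha256) from the cask DSL; sha256 is ':no_check' when unverified."""
    v = _VERSION_RE.search(text)
    h = _SHA256_RE.search(text)
    sha: Optional[str] = None
    if h:
        sha = h.group(1).lower() if h.group(1) else h.group(2)
    return (v.group(1) if v else None, sha)


def suspicious_transitions(revisions: List[str]) -> List[Tuple[int, str]]:
    """Compare each revision with its predecessor. Returns (index, reason) pairs."""
    findings: List[Tuple[int, str]] = []
    if not revisions:
        return findings
    prev_version, prev_sha = parse_cask(revisions[0])
    for i in range(1, len(revisions)):
        version, sha = parse_cask(revisions[i])
        if sha == ":no_check" and prev_sha != ":no_check":
            findings.append((i, "sha256 verification removed"))
        elif sha != prev_sha and version == prev_version:
            findings.append((i, f"sha256 changed but version stayed at {version}"))
        prev_version, prev_sha = version, sha
    return findings


# Constructed cask revisions: placeholder hashes and host, not the real file.
_TEMPLATE = """cask 'handbrake' do
  version '{version}'
  sha256 '{sha}'

  url "https://download.example.com/HandBrake-#{{version}}.dmg"
  name 'HandBrake'
  homepage 'https://handbrake.fr/'

  app 'HandBrake.app'
end
"""

REVISIONS = [
    _TEMPLATE.format(version="1.0.6", sha="11" * 32),  # baseline
    _TEMPLATE.format(version="1.0.7", sha="22" * 32),  # normal bump: both fields move
    _TEMPLATE.format(version="1.0.7", sha="33" * 32),  # hash-only edit: the pattern in the thread
    _TEMPLATE.format(version="1.0.7", sha="22" * 32),  # revert: also hash-only
]

if __name__ == "__main__":
    for idx, reason in suspicious_transitions(REVISIONS):
        print(f"revision {idx}: {reason}")
```

In a CI job this would run against the pull request's diff of each `Casks/*.rb` and block the merge when a finding appears, leaving the legitimate case (upstream re-rolled a release without changing its version string) to a human who can confirm it with the upstream project.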

------
JohnTHaller
There's a quick analysis of it here: [https://objective-see.com/blog/blog_0x1D.html](https://objective-see.com/blog/blog_0x1D.html)

Along with the fact that Apple updated the built-in sorta-antivirus in MacOS
to detect it. But it only detects a SHA1 hash of the original DMG. If someone
rebuilds the DMG or puts the malware with another app and builds a DMG, it'll
bypass the MacOS sorta-antivirus.

~~~
Buge
>HandBrake needs to install additional codecs. Enter your password to allow
this.

Interesting, the malware creates a phishing-ish popup.

------
nly
Aren't the dmgs digitally signed?

~~~
TillE
The legitimate version of Handbrake is not signed, at least not in the
standard Apple way. I know a cert costs some money, but well, this is why they
exist and why the latest versions of MacOS have hard-to-override warnings.

~~~
goodplay
Perhaps we need a letsencrypt for signing packages on walled-garden systems.

~~~
tonyedgecombe
Code signing requires some verification that you are who you say you are in
the real world so there is an additional cost.

~~~
goodplay
Not necessarily. For issues like the one discussed in this thread, a simple
ssh-style "trust initially" would have sufficed, and would have prevented the
malicious installer from running.

Note that I'm not proposing this as a replacement for the current cert system
(which you pay into), but as a replacement for unsigned executables.

------
PhantomGremlin
What about creating different users on a MacOS system to do different things?
Wouldn't this mitigate exploits like this?

Why shouldn't I create a "Tommy Transcoder" user on my system? That user would
have the Handbrake app in his own Application folder. I assume that Handbrake
will run correctly without needing to be installed in the system
/Applications?

I already do this for a few items of software. Maybe it should be SOP to do
this for most/all software?

Or what about installing most apps into virtual machines and using VMWare to
run them?

I do recognize that such an approach couldn't be used universally. E.g. VMWare
itself must run on the native machine, and with elevated privileges.

I'm interested in "defense in depth". No single technique can defend against
all possible exploits.

------
riobard
The SHA hash of the dmg file is useless. Who still keeps the dmg file? I need
a way to verify the app itself is compromised.

------
joshua_wold
Did this affect Handbrake installs that were checking for updates or only
newly downloaded installs?

------
nnutter
Didn't this also happen somewhat recently? How can this be prevented? The
window could be reduced by actively monitoring mirrors? Could BitTorrent help
mitigate this because the torrent file validates data and isn't under the
control of the parties?

~~~
zalmoxes
This could have been prevented by hosting downloads on a reputable
site (GitHub), instead of the developer's own PHP backend.

Software like
[https://github.com/google/santa](https://github.com/google/santa) can help,
especially if you're doing IT in a large enterprise.

The feed used by the software's autoupdate framework (Sparkle) was signed, so
that would've prevented bad downloads through autoupdate.

~~~
21
Hosting on GitHub solves one problem, but creates another.

Chrome for example has a sort of a bloom filter which is used to check all
downloaded executables. This will raise a nasty warning if the thing you
downloaded is not a "popular" download.

For obvious reason, this check is disabled for a bunch of sites, like github,
sf, ...

I know for a fact that some malware authors host their stuff on GitHub exactly
to bypass this Chrome check.

~~~
gaadd33
Do you have any more info about this? I've downloaded random executables from
a lot of unpopular (and in some cases, newly created by me) sites and never
seen anything pop up in chrome warning me not to download it.

~~~
21
Information is scarce on this (a little bit of security through obscurity).

Here is their blog post introducing the feature in 2012:
[https://chrome.googleblog.com/2012/02/faster-browsing-safer-...](https://chrome.googleblog.com/2012/02/faster-browsing-safer-downloading.html)

> Chrome also does checks on executable files (like ".exe" and ".msi" files).
> If the executable doesn't match a whitelist, Chrome checks with Google for
> more information, such as whether the website you're accessing hosts a high
> number of malicious downloads.

At the time I looked at the implementation in the Chrome source code, but I
remember that it took me a while to locate it.

------
HedleyLamar
How does this happen? Even if installed, doesn't Mac's secure operating system
prevent user programs from accessing passwords?

~~~
kccqzy
The malware uses social engineering to obtain root.

------
Angostura
The most important bit of the advice - change all your passwords in keychain.

To coin a phrase - oh shit

------
mikewhy
> The Download Mirror Server is going to be completely rebuilt from scratch.

Am I alone in thinking that this is irresponsible? Why not move releases to
github?

Why aren't you going to start signing macOS binaries? I find this offensive.
Thanks for potentially compromising users because you couldn't be arsed to pay
for a certificate.

~~~
JohnTHaller
Please feel free to donate the funds necessary to cover the Apple ID signup
for multiple years as well as the potentially necessary Apple hardware to
install the SDK on and sign the app (since Apple artificially restricts code
signing to only run on their own hardware) as well as any necessary training
hours to the team to setup said environment so that they can sign the software
they're giving to you for free.

~~~
symlinkk
It's $100 for the signing and $500 for a Mac Mini. Any professional software
developer would make that kind of money in a few days. And I would bet that an
open source project as big as this gets at least that amount in donations
yearly. It's completely irresponsible to not sign releases after something
like this happens.

~~~
JohnTHaller
And if they did get $600 in donations in the last year... they should dedicate
all of that to the Mac build? Even if they've already spent those funds on
hosting and other expenses?

A user of a free product telling the developer of said free product how the
developer should be spending the money that said user isn't giving them takes
a special kind of entitlement.

~~~
comex
Hold on… your premise doesn't make sense. Apple's SDK only officially runs on
Mac - but that applies to the entire build process, not just codesigning.
Anyone who is already producing a Mac build either has access to a Mac build
host, which they can also use to sign, or is using third party tools to cross-
compile from another OS.

In the latter case, there is also a third party tool capable of signing
binaries:

[https://github.com/saucelabs/isign](https://github.com/saucelabs/isign)

You do need to pay the $99/year for the certificate, but it shouldn't be
necessary to buy hardware just to sign things.

~~~
JohnTHaller
It's worth noting that you need access to a Mac you can trust to setup your
Apple developer credentials on as well as iSign and then export your
credentials and certificate from each time you get a new certificate. It's
likely you won't be able to do this in the Apple store. While you or I may
have a colleague or trusted friend we could do this with, many developers will
not.

~~~
comex
It does say that in the readme, but I don't think it's actually necessary: you
can get certificates and provisioning profiles through the web portal without
going through Xcode. (For certificates, it has you upload a standard CSR
file.) Though developers may not know that…

Admittedly, if you don't have a Mac build machine, (a) you can't test your
builds, and (b) you can't use the official SDK (including, e.g., system header
files) without violating the terms of service. Not that many people care about
that, but if you don't mind ToS violations you may as well just install
pirated macOS in a VM (which is easy enough in practice). Perhaps Apple
deserves blame for not having a legal way to run a macOS VM on non-Apple
hardware; certainly it makes life harder for open-source developers that want
to play by the rules. Still, these obstacles have nothing to do with signing.

------
kefka
Sigh.. This could be somewhat repaired by making a beta-release, distributing
to devs and testers. Once confirmed good, rename file and release via IPFS.
The key here, is if multiple devs did this, the hashsum would _prove_ the file
being shared.

Any one client that's been hacked or infected would show up as an improper
hash and easily spotted.

~~~
vomitcuddle
hindsight is always 20/20

i'm sure <insert your favourite open source project here> would appreciate
patches for reproducible, cryptographically signed releases

