
Handbrake malware analysis - zalmoxes
https://objective-see.com/blog/blog_0x1D.html
======
untangle
For those Mac users who are unfamiliar with objective-see... Their free
security tools for MacOS are a boon to the community. I think that they are
right up there with "little snitch" and the like, especially since they spare
the user the typical IDS data overload.

~~~
djsumdog
I no longer use macOS, but Block Block looks pretty interesting. I couldn't
tell from their website, but is it intended to eventually be a commercial
product once out of beta? It didn't seem like it was open source.

~~~
ellw
Not at all. "Objective-See was created to provide simple, yet effective OS X
security tools. Always free of charge - no strings attached!" [0] At the
moment you may support him @patron [1]

[0] - [https://objective-see.com/about.html](https://objective-see.com/about.html)
[1] - [https://www.patreon.com/bePatron?u=4857001](https://www.patreon.com/bePatron?u=4857001)

------
AsyncAwait
I think hosting the Handbrake, (and Transmission) binaries on the GitHub
releases page of the repo would be harder to compromise than their own
servers.

~~~
_ZeD_
github is not the answer

~~~
tokenizerrr
Go on?

~~~
chrisper
If everyone hosts on GitHub and it goes away like Google's source code
repository or codeplex then a big chunk of the internet goes away. Especially
when it comes to old abandoned repos. Not only that but we could end up with
another story like the SourceForge story.

Also if GitHub goes down and everything is hosted there then the internet
stops working as well. Remember how broken the internet was when that DNS
outage happened a few months ago?

~~~
Trd
This is a bit alarmist. If GitHub went away or became like SourceForge of old
then we could just move to something else or do self-hosting again. Lose a
chunk of the internet by moving popular software like Handbrake to GitHub? How
could that happen? Most multiplatform open source software like this has
copies of its source code across thousands of Linux distribution mirrors.

Also, google code never went away. It just stopped working as an active
platform, but Google still keeps the archive of what already existed there, to
this day:

[https://code.google.com/archive/](https://code.google.com/archive/)

Microsoft is doing the same after shutting down CodePlex because they are
moving toward GitHub:

[https://blogs.msdn.microsoft.com/bharry/2017/03/31/shutting-...](https://blogs.msdn.microsoft.com/bharry/2017/03/31/shutting-down-codeplex/)

> At that time, CodePlex.com will start serving a read-only lightweight
> archive that will allow you to browse through all published projects – their
> source code, downloads, documentation, license, and issues – as they looked
> when CodePlex went read-only. You’ll also be able to download an archive
> file with your project contents, all in common, transferrable formats like
> Markdown and JSON. Where possible, we’ll put in place redirects so that
> existing URLs work, or at least redirect you to the project’s new homepage
> on the archive. And, the archive will respect your “I’ve moved” setting, if
> you used it, to direct users to the current home of your project.

If there is anything to lose after GitHub's shutdown at some distant point in
the future, it probably won't be something people cared for.

"Don't use a very valuable, and more secure service, because of possible
distant future, very tiny harm" doesn't sound like a convincing argument. You
take "risks" every day in your life. Driving your car is a risk. In the US
there's 12 deaths per 100k people per year on the roads, and that's only
counting deaths, not crippling injuries. But it's valuable enough that you end
up taking it, as living without a car is difficult in many places. Life is
about calculated risks and using GitHub is not exactly at the top of the risk
pyramid.

------
coldcode
If you look at the XProtect files, the syntax is pretty funny.

        condition:
            Macho and filesize < 600000 and filesize > 10000 and all of them

~~~
praseodym
These are YARA rules, see
[https://virustotal.github.io/yara/](https://virustotal.github.io/yara/) for a
short description. The 'all of them' in the rule refers to the list of strings
above it; it means that all those strings should be present in the binary for
the rule to match.
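To make the condition's semantics concrete, here is an added Go example (not XProtect's or YARA's own code) that evaluates the quoted condition by hand: a stand-in for the `Macho` identifier (assumed here to be a helper rule that checks the Mach-O magic number), the two filesize bounds, and the "all of them" count over a rule's string list. The file bytes and the strings are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Mach-O magic values: 32- and 64-bit, both byte orders, plus fat binaries.
var machoMagics = map[uint32]bool{0xfeedface: true, 0xfeedfacf: true, 0xcefaedfe: true, 0xcffaedfe: true, 0xcafebabe: true, 0xbebafeca: true}

// isMacho stands in for "Macho" in the condition, assumed to be a helper rule checking the Mach-O magic number.
func isMacho(data []byte) bool {
	return len(data) >= 4 && machoMagics[binary.BigEndian.Uint32(data[:4])]
}

// countPresent is the "N of them" part: how many rule strings occur in data.
func countPresent(data []byte, strs [][]byte) int {
	n := 0
	for _, s := range strs {
		if bytes.Contains(data, s) {
			n++
		}
	}
	return n
}

// matchesRule evaluates the quoted condition literally:
//   Macho and filesize < 600000 and filesize > 10000 and all of them
// "all of them" needs every string present; "any of them" would be > 0.
func matchesRule(data []byte, strs [][]byte) bool {
	return isMacho(data) && len(data) < 600000 && len(data) > 10000 &&
		countPresent(data, strs) == len(strs)
}

// sample builds a constructed test file (not a real Mach-O): the magic value, the
// embedded strings, then zero padding out to size bytes (size must exceed the content).
func sample(magic uint32, size int, embed ...string) []byte {
	buf := make([]byte, 4, size)
	binary.BigEndian.PutUint32(buf, magic)
	for _, s := range embed {
		buf = append(buf, s...)
	}
	return append(buf, make([]byte, size-len(buf))...)
}

func main() {
	strs := [][]byte{[]byte("CONSTRUCTED_STRING_1"), []byte("CONSTRUCTED_STRING_2")}
	fmt.Println(matchesRule(sample(0xfeedfacf, 20000, "CONSTRUCTED_STRING_1"), strs)) // false: only one of them
}
```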

------
awinter-py
Article talks about a fake authentication popup.

Has anyone used a platform that had an unspoofable one of these?

~~~
Gaelan
How would one make such a thing unspoofable, barring separate hardware?

~~~
awinter-py
Could use a hardware LED to inform user key input is secure. Could also
reserve part of the screen for OS messages.

This prevents hostile apps from stealing your root password, but doesn't stop
them from tricking you into giving them root access (which is nearly as bad).

------
differentials
If you used brew install handbrake between May 2nd and 5th, you downloaded the
malicious version:

- [https://github.com/caskroom/homebrew-cask/commit/461af7672fa...](https://github.com/caskroom/homebrew-cask/commit/461af7672fa267ed42bd5572c20bf337cb4da87e)

The pull request has comments as well, and a snarky dev ;D

- [https://github.com/caskroom/homebrew-cask/pull/33354](https://github.com/caskroom/homebrew-cask/pull/33354)

------
atmosx
The only actual counter-measure would be to take the extra step and calculate
the SHASUM of the binary.

The shasum needs to be digitally signed with a valid signature, otherwise it can
be manipulated as well.

ps. Ofc tools like littlesnitch and blockblock help, but keeping track of all
the applications that try to access the internet is kinda hard these days,
especially on a user machine.

~~~
martinknafve
Wouldn't it make more sense to sign the binary then?

~~~
marcosdumay
Aren't both the same thing?

How else can you sign a binary?

~~~
martinknafve
OP was referring to creating a hash, signing the hash and publishing the signed
hash on the web site.

The alternative would be to sign the actual binary file using code signing
(internally I assume that relies on a hash).
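As an added example of the scheme atmosx and martinknafve describe (not Handbrake's or any project's own tooling), the Go program below hashes a constructed installer, signs the hash with Ed25519, and then checks a download two ways: comparing the published hash alone, and verifying the signature over the hash with a pinned public key. It also models the site compromise from the article, where the attacker swaps the binary and rewrites the published hash but cannot re-sign it. Signing the file bytes directly (the code-signing alternative) would be the same call with the binary in place of the digest; Ed25519 hashes its input internally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a project would publish beside a download: the SHA-256 of
// the binary plus a signature over that hash. Constructed format, not Handbrake's.
type Release struct {
	Hash [32]byte // sha256(binary)
	Sig  []byte   // ed25519 signature over Hash
}

// publish is the developer side: hash the binary, then sign the hash.
func publish(priv ed25519.PrivateKey, binary []byte) Release {
	h := sha256.Sum256(binary)
	return Release{Hash: h, Sig: ed25519.Sign(priv, h[:])}
}

// unsignedCheck is what "compare the shasum" alone amounts to: the download
// matches whatever hash the (possibly compromised) website currently shows.
func unsignedCheck(published [32]byte, download []byte) bool {
	return sha256.Sum256(download) == published
}

// verify is the user side with a pinned public key: the signature must cover
// the published hash, and only then is the hash compared to the download.
func verify(pub ed25519.PublicKey, r Release, download []byte) bool {
	return ed25519.Verify(pub, r.Hash[:], r.Sig) && unsignedCheck(r.Hash, download)
}

// tamper models the mirror compromise: swap the binary and rewrite the published
// hash to match. Without the private key the old signature has to be reused.
func tamper(r Release, evil []byte) Release {
	return Release{Hash: sha256.Sum256(evil), Sig: r.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("constructed stand-in for the genuine installer bytes")
	evil := []byte("constructed stand-in for a trojanised installer")
	r := publish(priv, good)
	t := tamper(r, evil)
	fmt.Println(verify(pub, r, good), unsignedCheck(t.Hash, evil), verify(pub, t, evil)) // true true false
}
```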

------
merb
That's the reason why I install most Mac programs that come from a website
into user programs. This only works for programs that don't add stuff to the
system, of course.

