“If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder, then remove any ‘HandBrake.app’ installs you may have,” they added.

For finding and removing other malware, users are advised to use a reputable AV solution for Mac to scan their system.

What is Apple doing about this?

Apple has added a signature for the initial version of Proton to XProtect, the built-in macOS anti-malware scanner. And, by now, it has added the signature for this particular Proton variant.

But, according to Patrick Wardle, security researcher and developer of Mac security tools, that protection can be easily thwarted.

The signature is just a SHA-1 hash that matches only that specific Trojanized HandBrake binary, he noted. “This means if the malware authors used any other infection vector, or even just recompiled the binary, this signature would no longer flag the malware.”

He demonstrated this by changing the final byte of the binary – a move that changed its SHA-1 hash – and downloading it and installing it without any problem on a clean Mac.

“The reason why Apple chose such a specific signature is that they figured any new attack would use a new distribution vector (thus would be totally different) – so they figured they just use a specific signature for this attack/attack vector. However, since XProtect now supports YARA (which allows for more complex/reg-ex based signatures), I think it would have been wise to create a more generic signature – that would have at least thwarted variants of this same attack vector (i.e. an infected HandBrake app),” he told Help Net Security.

“At the end of the day though, no signature-based approach would stop the attackers. So even if Apple had created a more robust signature, if the attackers were any good and wanted to continue to distribute the malware via this or a similar attack vector, they would be trivially able to bypass any signature.”

This particular malware delivery tactic is not new

The official website of the Transmission Project, which offers for download the Transmission BitTorrent client for Macs, has been compromised two times in the last year or so, and the software’s legitimate binary switched with malware: once with the KeRanger ransomware and the second time with the Keydnap credential stealer.

It’s interesting to note that the original developer of Transmission and HandBrake is the same person. But, the HandBrake Team made sure to note that he is not part of the current HandBrake team of developers, and that they do not share their virtual machines with the Transmission Project.
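To make Wardle's point concrete, the following added example (not code from the article, Apple or the HandBrake project) models a hash-only XProtect signature beside a YARA-style pattern rule and runs both over a constructed stand-in binary and its one-byte-changed variant; the sample bytes and the marker string are constructed for illustration, with the `~/Library/VideoFrameworks/proton.zip` drop path taken from the removal instructions above.

```python
"""Hash-only vs. pattern-based detection of a trojanized binary.

Added example, not from the article: a SHA-1 signature of one specific
file stops matching after a single-byte change, while a YARA-style
pattern keyed on a distinctive string still fires on such variants.
"""
import hashlib
import re

# Constructed stand-in for a trojanized HandBrake build (not real malware):
# a Mach-O-like magic, filler, and the drop path the article names.
TROJANIZED_SAMPLE = (
    b"\xcf\xfa\xed\xfeHandBrake.app placeholder code ..."
    b"Library/VideoFrameworks/proton.zip"
    b"... trailing code\x00"
)

# Hash-based signature: the SHA-1 of exactly this one binary.
HASH_SIGNATURE = hashlib.sha1(TROJANIZED_SAMPLE).hexdigest()

# Pattern rule in the spirit of YARA (plain regex here, no yara module):
# match the distinctive drop location regardless of surrounding bytes.
PATTERN_RULE = re.compile(rb"Library/VideoFrameworks/proton\.zip")


def hash_match(blob: bytes) -> bool:
    """True only if the whole file hashes to the signed-for SHA-1."""
    return hashlib.sha1(blob).hexdigest() == HASH_SIGNATURE


def pattern_match(blob: bytes) -> bool:
    """True if the YARA-style string pattern occurs anywhere in the file."""
    return PATTERN_RULE.search(blob) is not None


def flip_last_byte(blob: bytes) -> bytes:
    """The trivial variant described in the article: final byte changed."""
    return blob[:-1] + bytes([blob[-1] ^ 0xFF])


def scan(blob: bytes) -> dict:
    """Run both detectors and report which one fired."""
    return {"hash": hash_match(blob), "pattern": pattern_match(blob)}


if __name__ == "__main__":
    print("original:", scan(TROJANIZED_SAMPLE))          # both True
    print("variant: ", scan(flip_last_byte(TROJANIZED_SAMPLE)))  # hash False, pattern True
```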