Handbrake malware analysis (opens in new tab)

(objective-see.com)

165 pointszalmoxes9y ago28 comments

28 comments

25 comments · 7 top-level

untangle9y ago· 5 in thread

For those Mac users who are unfamiliar with objective-see... Their free security tools for MacOS are a boon to the community. I think that they are right up there with "little snitch" and the like, especially since they spare the user the typical IDS data overload.

idm9y ago

Thank you for highlighting this! I wasn't aware of Patrick's software until you mentioned it, but there's a lot of great stuff there:

- KnockKnock: perform system scan to list everything you have installed, like kexts, browser components, startup scripts, etc.

- BlockBlock: continuously monitor system for changes to startup scripts

- TaskExplorer: tool to examine a running processes

- Oversight: continuously monitor microphone and webcam activity

Nice UX too.

proyb29y ago

Also Patrick Wardle used to work in NASA and NSA and been to lot of conferences.

xtracto9y ago

Very interesting indeed. It reminded me of SysInternals before Microsoft bought them.

djsumdog9y ago

I not longer use macOS, but Block Block looks pretty interesting. I couldn't tell from their website, but is it intended to eventually be a commercial product once out of beta? I didn't seem like it was open source.

ellw9y ago

Not at all. "Objective-See was created to provide simple, yet effective OS X security tools. Always free of charge - no strings attached!" [0] At the moment you may support him @patron [1]

[0] - https://objective-see.com/about.html [1] - https://www.patreon.com/bePatron?u=4857001

atmosx9y ago· 5 in thread

The only actual counter-measure would be to take the extra step and calculate the SHASUM of the binary.

The shasum need to be digitally signed with a valid signature otherwise it can be manipulated as well.

ps. Ofc tools like littlesnitch and blockblock help, but keeping track of all the applications that try to access the internet is kinda hard these days, especially on a user machine.

perfectlyfin9y ago

Well, if they can compromise the host website, they can change the published SHA hash.

Similar thing happened to TransmissionBT. For a while, their legit website was serving a hacked binary.

Pinned long-term public keys are the only way to verify this stuff. Even that isn't fool-proof if the rogues get commit access.

pbhjpbhj9y ago

Is there such a thing as a co-hash where an application can verify the hash and the hash can verify the application?

It might work in the way that generating a hash collision for an arbitrary string works??

Probably wouldn't help in these situations, just curious.

martinknafve9y ago

Wouldn't it make more sense to sign the binary then?

alexchantavy9y ago

Yeah, really silly that the legitimate binary for Handbrake isn't signed. Sure, if the intruder had compromised the hosting server then they might have also compromised the signing cert, but that's still an extra step.

marcosdumay9y ago

Aren't both the same thing?

How else can you sign a binary?

1 more reply

AsyncAwait9y ago· 4 in thread

I think hosting the Handbrake, (and Transmission) binaries on the GitHub releases page of the repo would be harder to compromise than their own servers.

djsumdog9y ago

That makes sense. They're already an open source project, it could save them bandwidth, and if Github did have a security issue they could probably get information out faster as well (and it'd probably affect more software).

_ZeD_9y ago

github is not the answer

AsyncAwait9y ago

> github is not the answer

I am against centralization and all as well, but I think that is the lowest barrier to entry for them right now, as they already have a repo there.

tokenizerrr9y ago

Go on?

1 more reply

awinter-py9y ago· 3 in thread

Article talks about a fake authentication popup.

Has anyone used a platform that had an unspoofable one of these?

aorth9y ago

It's only "fake" in that the real Handbrake doesn't need to install extra codecs—it's a real authentication dialog. They are just hoping to catch the user off guard and unaware so they can install the persistent malware agent.

Gaelan9y ago

How would one make such a thing unspoofable, barring seperate hardware?

awinter-py9y ago

Could use a hardware LED to inform user key input is secure. Could also reserve part of the screen for OS messages.

This prevents hostile apps from stealing your root password, but doesn't stop them from tricking you into giving them root access (which is nearly as bad).

coldcode9y ago· 1 in thread

If you look at the XProtect files, the syntax is pretty funny.

    condition:
        Macho and filesize < 600000 and filesize > 10000 and all of them

praseodym9y ago

These are YARA rules, see https://virustotal.github.io/yara/ for a short description. The 'all of them' in the rule refers to the list of strings above it; it means that all those strings should be present in the binary for the rule to match.

differentials9y ago

If you used brew install handbreak between May 2nd and 5th, you downloaded the malicious version; - https://github.com/caskroom/homebrew-cask/commit/461af7672fa... The pull request has comments as well, and a snarky dev ;D - https://github.com/caskroom/homebrew-cask/pull/33354

merb9y ago

that's the reason why i install most mac programs that come from a website into user programs. this only works for programs that don't add stuff to the system of course.

j / k navigate · click thread line to collapse

28 comments

25 comments · 7 top-level

untangle9y ago· 5 in thread

idm9y ago

Thank you for highlighting this! I wasn't aware of Patrick's software until you mentioned it, but there's a lot of great stuff there:

- KnockKnock: perform system scan to list everything you have installed, like kexts, browser components, startup scripts, etc.

- BlockBlock: continuously monitor system for changes to startup scripts

- TaskExplorer: tool to examine a running processes

- Oversight: continuously monitor microphone and webcam activity

Nice UX too.

proyb29y ago

Also Patrick Wardle used to work in NASA and NSA and been to lot of conferences.

xtracto9y ago

Very interesting indeed. It reminded me of SysInternals before Microsoft bought them.

djsumdog9y ago

ellw9y ago

Not at all. "Objective-See was created to provide simple, yet effective OS X security tools. Always free of charge - no strings attached!" [0] At the moment you may support him @patron [1]

[0] - https://objective-see.com/about.html [1] - https://www.patreon.com/bePatron?u=4857001

atmosx9y ago· 5 in thread

The only actual counter-measure would be to take the extra step and calculate the SHASUM of the binary.

The shasum need to be digitally signed with a valid signature otherwise it can be manipulated as well.

ps. Ofc tools like littlesnitch and blockblock help, but keeping track of all the applications that try to access the internet is kinda hard these days, especially on a user machine.

perfectlyfin9y ago

Well, if they can compromise the host website, they can change the published SHA hash.

Similar thing happened to TransmissionBT. For a while, their legit website was serving a hacked binary.

Pinned long-term public keys are the only way to verify this stuff. Even that isn't fool-proof if the rogues get commit access.

pbhjpbhj9y ago

Is there such a thing as a co-hash where an application can verify the hash and the hash can verify the application?

It might work in the way that generating a hash collision for an arbitrary string works??

Probably wouldn't help in these situations, just curious.

martinknafve9y ago

Wouldn't it make more sense to sign the binary then?

alexchantavy9y ago

marcosdumay9y ago

Aren't both the same thing?

How else can you sign a binary?

1 more reply

AsyncAwait9y ago· 4 in thread

I think hosting the Handbrake, (and Transmission) binaries on the GitHub releases page of the repo would be harder to compromise than their own servers.

djsumdog9y ago

_ZeD_9y ago

github is not the answer

AsyncAwait9y ago

> github is not the answer

I am against centralization and all as well, but I think that is the lowest barrier to entry for them right now, as they already have a repo there.

tokenizerrr9y ago

Go on?

1 more reply

awinter-py9y ago· 3 in thread

Article talks about a fake authentication popup.

Has anyone used a platform that had an unspoofable one of these?

aorth9y ago

Gaelan9y ago

How would one make such a thing unspoofable, barring seperate hardware?

awinter-py9y ago

Could use a hardware LED to inform user key input is secure. Could also reserve part of the screen for OS messages.

This prevents hostile apps from stealing your root password, but doesn't stop them from tricking you into giving them root access (which is nearly as bad).

coldcode9y ago· 1 in thread

If you look at the XProtect files, the syntax is pretty funny.

    condition:
        Macho and filesize < 600000 and filesize > 10000 and all of them

praseodym9y ago

differentials9y ago

merb9y ago

that's the reason why i install most mac programs that come from a website into user programs. this only works for programs that don't add stuff to the system of course.

j / k navigate · click thread line to collapse