How To Find Library Videoframeworks On A Mac

Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.

Last week, crooks managed to break into one of the download servers of a popular open-source video converter program called HandBrake.

The crooks then uploaded a hacked version of the official Mac download.

As a result, anyone who installed or reinstalled HandBrake Version 1.0.7 recently may have ended up with malware known as OSX/Proton-A.


We say “may” because there are two Handbrake download servers, but only one of them – the secondary server that acts as a mirror, or live backup, of the main server – was hacked.


As far as we can tell from the HandBrake team's statement, the load is split 50:50 between the two servers, so you had a 50% chance of getting the infected download during the danger period: Tuesday 2017-05-02T14:30Z to Saturday 2017-05-06T11:00Z.

The malware-infected download looks similar to the real thing when it’s opened:

The HandBrake app inside the DMG file starts running just as you might expect, but has had extra “secret sauce” compiled into it:

The “HandBrake needs to install additional codecs” prompt should ring alarm bells:

  • “Need a codec” is an old trick used by cybercrooks, so be suspicious of prompts like this on that basis alone. (Codec is a widely-used jargon term meaning coder/decoder.)
  • A decent video player or converter may offer to download additional codecs, for example if you try to watch a video in some unusual format, but be wary of apps that force extra codecs on you at the start.
  • A self-contained app shouldn’t need your system password just so it can download extra or updated components, in the same way your browser doesn’t need your password every time you initiate a download, so avoid entering your password in cases like this.

Nevertheless, it’s easy to fall for a fake password dialog of this sort: both Java and Flash, for example, arrive as installers (.pkg files) rather than as self-contained apps (.app directories) like HandBrake, and both of them ask for your password at install time.

In fact, the above fake password dialog comes from additional code that’s been compiled into the fake HandBrake distribution: the malware app ends up installed by the innocent-sounding name of activity_agent.

If you give activity_agent your Mac password, you are authorising it to run with administrative powers, as well as to access password-protected personal information such as your Mac Keychain.

(Keychain is your Mac’s built-in password manager, typically storing everything from Wi-Fi keys to email and other account passwords.)

In fact, activity_agent goes after a whole raft of “digital lifestyle” data, packaging it up into a series of ZIP files that are hidden in plain sight in a directory called ~/Library/VideoFrameworks.

Files that may end up stashed there so the crooks can fetch them later include:

  • KC.zip: Copies of your Keychain data.
  • CR.zip: Chrome profile data, bookmarks, history, saved web data and more.
  • CR_def.zip: Chrome default data.
  • FF.zip: Firefox history, cookies, form history, login history, and more.
  • SF.zip: Safari cookies and form history.
  • OP.zip: Opera login data, cookies, saved web data and more.
  • GNU_PG.zip: GNU Privacy Guard passwords and more.
  • proton.zip: A ZIP containing all the above ZIPs.

The OSX/Proton-A malware can also interfere with existing network and application security tools for the Mac, including Little Snitch, Radio Silence, Hands Off! and the popular network monitoring tool Wireshark, as well as killing off any open terminal windows you may have, presumably in case you’re a malware researcher trying to collect run-time information about it.

What to look for

Proton sets itself up to load every time you log in, so if you are infected you will probably see some or all of these:

  • A directory called ~/Library/RenderFiles/activity_agent.app. This is the permanently installed malware.
  • A process called ~/Library/RenderFiles/activity_agent.app/Contents/MacOS/activity_agent. This means the malware loaded when you logged in.
  • A file called ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist. This is the configuration file that tells your Mac to load the malware every time you log in.
  • One or more ZIP files in the directory ~/Library/VideoFrameworks as listed above.
  • A directory called /tmp/HandBrake.app. This is a temporary copy of the malware used when it runs for the first time to install all the above-mentioned files and processes.
  • A process called /tmp/HandBrake.app/Contents/MacOS/HandBrake. This is the running version of the previous file.

(Note that the characters ~/ in a Mac directory name work as a shorthand for your home directory, usually called something like /Users/yourname/.)


In our tests, the activity_agent.plist file was not created correctly, and was incapable of re-launching the malware at logon.

Nevertheless, the malware gets to run at least once, thanks to the boobytrapped HandBrake app itself, so you may still have had your passwords and browsing history grabbed even if the malware doesn’t reload when you reboot.

Removing the malware

From a terminal window, try these commands:

Also, look in ~/Library/VideoFrameworks (if it exists) for the ZIP filenames listed above.

If proton.zip exists, so will at least one of the others, all containing personal information; these files should be deleted.

Lastly, if you installed the Handbrake app from the downloaded DMG into your own /Applications directory (or, indeed, anywhere else), don’t forget to remove it, too, and then discard the rogue DMG, or else the whole saga will happen all over again.
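The checks in the “What to look for” section and the clean-up steps above can be scripted. The following POSIX sh script is an added example for this article, not Sophos’s or the HandBrake project’s code: it looks for exactly the paths and ZIP names listed above, reports any that exist, and deletes them only when run with an explicit --remove flag. The function names, the HOME and tmp-directory parameters (added so the logic can be exercised against a scratch directory), and the pgrep-based process check are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: detect and optionally remove the
# OSX/Proton-A indicators the article lists. Function names and the HOME/tmp
# parameters are assumptions made here so the checks can run on any directory.
# Usage: sh proton_check.sh            -> report on $HOME and /tmp
#        sh proton_check.sh --remove   -> report, then delete what was found

# ZIP names the article says Proton stashes in ~/Library/VideoFrameworks.
PROTON_ZIPS="KC.zip CR.zip CR_def.zip FF.zip SF.zip OP.zip GNU_PG.zip proton.zip"

# Print every on-disk indicator that exists under HOME ($1) and TMP ($2).
# Returns 0 if at least one was found, 1 otherwise.
proton_indicators() {
  home="${1:-$HOME}"; tmp="${2:-/tmp}"; found=1
  for p in \
    "$home/Library/RenderFiles/activity_agent.app" \
    "$home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
    "$tmp/HandBrake.app"
  do
    if [ -e "$p" ]; then echo "$p"; found=0; fi
  done
  for z in $PROTON_ZIPS; do
    p="$home/Library/VideoFrameworks/$z"
    if [ -e "$p" ]; then echo "$p"; found=0; fi
  done
  return "$found"
}

# List running Proton processes by their full command line (needs pgrep;
# silently returns 1 when pgrep is unavailable or nothing matches).
proton_processes() {
  command -v pgrep >/dev/null 2>&1 || return 1
  pgrep -fl 'activity_agent.app/Contents/MacOS/activity_agent|HandBrake.app/Contents/MacOS/HandBrake'
}

# Delete every path proton_indicators reports. Only the listed paths are
# touched; the VideoFrameworks directory itself is left in place for review.
proton_remove() {
  proton_indicators "$1" "$2" | while IFS= read -r p; do
    rm -rf -- "$p"
  done
}

# Human-readable summary; always returns 0 so it can close a script.
proton_report() {
  home="${1:-$HOME}"; tmp="${2:-/tmp}"
  echo "== OSX/Proton-A files under $home and $tmp =="
  if proton_indicators "$home" "$tmp"; then
    echo "-- found: remove them, discard the rogue DMG, then reset your passwords"
  else
    echo "-- none of the listed files or directories present"
  fi
  echo "== running Proton processes =="
  proton_processes || echo "-- none found"
  return 0
}

# Entry point when run as a script.
case "${1:-}" in
  --remove) proton_report && proton_remove "$HOME" /tmp ;;
  *)        proton_report ;;
esac
```

Run it first without arguments and read the output; if proton.zip and its sibling ZIPs are listed, assume the data in them has already been exfiltrated and plan the password resets described below, then re-run with --remove. The script deliberately does not touch anything under /Applications: the HandBrake.app you installed from the rogue DMG still has to be removed by hand, along with the DMG itself.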

What to do?

If you downloaded the Handbrake Version 1.0.7 DMG outside the timeframe listed above, you are fortunate: you missed the infectious window.

If you downloaded the DMG within the infectious window timeframe, you have a 50% chance of being OK, because only the mirror server was hacked.

If you updated Handbrake using its own “Check for Updates…” option, you are OK because only the full DMG on the mirror server was changed.

But if you did get infected, and you did find that dreaded proton.zip file, you need to assume the worst: that the crooks know some or all of your passwords.

That means that we have to advise you to reset all of your passwords as soon as you can – after making sure you’ve removed the malware so that you don’t end up having your new passwords ripped off, too.

If you haven’t already, turn on two-factor authentication (2FA, also known as 2SV, or two-step verification) for all the accounts you can.

2FA usually requires you to enter a one-time code that changes every time, as well as entering your password, which makes each password less valuable to the crooks because it’s of little or no use on its own.


You may well remember that a popular open source Bittorrent app called Transmission got hacked in 2016 in a very similar way. Not once, but twice in quick succession. You may also have wondered, given that the words handbrake and transmission both have an automotive connection, whether there’s any connection between the apps, given that the project teams seem to have been similarly careless about security. There is a connection, but it’s historical: the same author created both apps, but he is not part of the current HandBrake team.
