
RE: Mac's Version Of HandBrake Infected With Trojan!

in #security, 8 years ago

Just to note, the XProtect signature that Apple pushed out in an update to block/detect this malware is pretty useless. It simply does a SHA1 hash match on the malicious binary, so to render it undetected again, all the people behind the malware have to do is recompile it or even flip a single bit in it to change the hash.

Furthermore, the detection method proposed here (checking for a process named "activity_agent") is also easy to get around - just rename the executable, or use fairly normal process-name spoofing trickery to change it.

Our good friends over at Objective-See have written a detailed analysis of the malware here: Link to analysis on Objective-See.com
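To illustrate the brittleness of exact-hash signatures versus content-based rules, here is an added Python example (not code from the comment, from Apple, or from Objective-See). The byte blob, the paths and the patterns inside it are constructed stand-ins for a real sample and a real rule.

```python
import hashlib
import re

# Constructed stand-in for a malicious Mach-O: a magic header, padding, and a
# couple of embedded strings of the kind a content signature would key on.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32
    + b"/tmp/constructed/activity_agent\x00"
    + b"Library/LaunchAgents/constructed.plist\x00"
    + b"\x00" * 32
)

# XProtect-style rule as described in the comment: one exact SHA-1 of the known sample.
KNOWN_BAD_SHA1 = hashlib.sha1(SAMPLE_BINARY).hexdigest()

# Content rule: byte patterns that survive a rebuild, in the spirit of a YARA rule.
CONTENT_PATTERNS = [
    rb"/tmp/constructed/activity_agent",
    rb"LaunchAgents/[A-Za-z0-9_.]+\.plist",
]


def hash_match(data: bytes) -> bool:
    """Exact-hash detection: fires only on the byte-for-byte identical file."""
    return hashlib.sha1(data).hexdigest() == KNOWN_BAD_SHA1


def content_match(data: bytes, min_hits: int = 2) -> bool:
    """Content detection: fires when enough stable indicators are present."""
    hits = sum(1 for pattern in CONTENT_PATTERNS if re.search(pattern, data))
    return hits >= min_hits


def one_bit_variant(data: bytes, offset: int = 8) -> bytes:
    """Model the trivial variant the comment describes: one bit changed in padding."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def evaluate() -> dict:
    """Return (hash_hit, content_hit) for the original sample and the variant."""
    variant = one_bit_variant(SAMPLE_BINARY)
    return {
        "original": (hash_match(SAMPLE_BINARY), content_match(SAMPLE_BINARY)),
        "variant": (hash_match(variant), content_match(variant)),
    }


if __name__ == "__main__":
    print(evaluate())  # variant: hash rule misses, content rule still fires
```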