Question

Mac backdoor - malware bytes post

  • January 18, 2017
  • 15 replies
  • 63 views


I saw mention of this on slack today - so wrote an EA that would see if any of the fleet had the two files present. It's rather rough and doesn't do the checksum if the files are there, however could be used to identify any macs for further investigation.

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

It needs 2 smart groups:

Infected
EAName is NOT None
EAName is NOT

Not Infected
EAName is None

#!/usr/bin/perl -w
use strict;

# Every local account name known to Directory Services, one per line
my $userlist = `dscl . list /Users`;
chomp $userlist;

# Built-in service accounts that never own a real home directory
my @excludedusers = split(" ","daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");
my @userslist = split("\n", $userlist);
my @users;
my $result = "";

# Keep only the accounts that are not in the exclusion list
foreach my $u (@userslist) {
    my $match = 0;
    foreach my $e (@excludedusers) {
        if ("$u" eq "$e") {
            $match = 1;
        }
    }
    if ($match == 0) {
        push(@users, $u);
    }
}

foreach (@users) {
    # Read the account's actual home path rather than assuming /Users/<name>
    my $home = `dscl . -read /Users/$_ NFSHomeDirectory | cut -d " " -f 2`;
    chomp $home;
    print "home is $home\n";
    # The two on-disk indicators from the Malwarebytes write-up
    if (-e "$home/.client") {
        $result = $result . "\n$home/.client";
    }

    if (-e "$home/Library/LaunchAgents/com.client.client.plist") {
        $result = $result . "\n$home/Library/LaunchAgents/com.client.client.plist";
    }
}

# Drop the leading newline; an empty result means nothing was found
$result =~ s/^\n+//;
if ($result =~ /^$/) {
    print "<result>None</result>\n";
} else {
    print "<result>$result</result>\n";
}
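The same two-file check in Python 3, added here as an example rather than taken from the post above. It differs from the Perl EA in one edge case the thread discusses: it reads NFSHomeDirectory by key instead of with `cut -d " " -f 2`, so a home path containing spaces (which dscl prints on the line after the key) is not truncated. The dscl output layout and the helper names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Report the two on-disk indicators from the Malwarebytes write-up for every
local account, in the <result> format the Infected / Not Infected smart
groups key on. Example code, not the original EA."""
import os
import subprocess

INDICATORS = (".client", "Library/LaunchAgents/com.client.client.plist")
SYSTEM_USERS = {"daemon", "nobody"}


def parse_home(dscl_output: str) -> str:
    """Extract NFSHomeDirectory from `dscl . -read /Users/<name> NFSHomeDirectory`.
    Assumed layout: 'NFSHomeDirectory: /Users/alice' on one line, or, when the
    value contains spaces, 'NFSHomeDirectory:' followed by an indented line."""
    lines = dscl_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("NFSHomeDirectory:"):
            value = line[len("NFSHomeDirectory:"):].strip()
            if not value and i + 1 < len(lines):
                value = lines[i + 1].strip()
            return value
    return ""


def find_indicators(home: str) -> list:
    """Full paths of whichever indicator files exist under `home`."""
    if not home:
        return []
    return [os.path.join(home, rel) for rel in INDICATORS
            if os.path.exists(os.path.join(home, rel))]


def format_result(hits: list) -> str:
    """Literal 'None' when clean, otherwise one path per line."""
    return "<result>" + ("\n".join(hits) if hits else "None") + "</result>"


def local_homes() -> list:
    """Home of every account dscl lists, skipping '_' service accounts."""
    names = subprocess.run(["dscl", ".", "list", "/Users"], capture_output=True,
                           text=True, check=True).stdout.split()
    homes = []
    for name in names:
        if name.startswith("_") or name in SYSTEM_USERS:
            continue
        out = subprocess.run(["dscl", ".", "-read", f"/Users/{name}", "NFSHomeDirectory"],
                             capture_output=True, text=True).stdout
        homes.append(parse_home(out))
    return [h for h in homes if h]


if __name__ == "__main__":
    print(format_result([p for home in local_homes() for p in find_indicators(home)]))
```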

15 replies

ImAMacGuy
  • Esteemed Contributor
  • January 19, 2017

thank you!


  • Contributor
  • January 19, 2017

FWIW, the find command can use wildcards:

echo "<result>"`find /Users/*/Library/LaunchAgents -name com.client.client.plist -exec bash -c "echo {} | cut -d / -f 3" \;`"</result>"

  • Author
  • Valued Contributor
  • January 19, 2017

The querying of NFSHomeDirectory accounts for any edge cases where a user may have a non standard home directory location.


roiegat
  • Valued Contributor
  • January 19, 2017

Great info guys! Testing the scripts and will deploy as EA.


ImAMacGuy
  • Esteemed Contributor
  • January 19, 2017

well, all of a sudden I'm getting notifications about machines hitting the infected smart group. Do you have any info on Apple's patch? The Malwarebytes post didn't say much. I assume it's Gatekeeper. Does it remove the infection automagically?


  • Author
  • Valued Contributor
  • January 19, 2017

Not to be dismissive - do you have the Boolean logic correct in the smart group?
In a similar check for Eleanor last year, some people had the Boolean logic the wrong way around, resulting in false positives.

The EA in inventory should list the path for any infections you do have when viewing the computer, to confirm whether the smart group criteria are correct.


ImAMacGuy
  • Esteemed Contributor
  • January 19, 2017

I actually think it was partly because I made the changes off VPN but on the DMZ server, and it didn't replicate the EA.

Quick question though, for the infected section

Infected
EAName is NOT None
EAName is NOT

Are they an "and" or an "or"?


  • Author
  • Valued Contributor
  • January 19, 2017

AND :) Otherwise the OR would match all the clean Macs.


  • Author
  • Valued Contributor
  • January 19, 2017

The theory behind it, courtesy of a Google search and a CS dept kindly sharing their deck:
https://courses.cs.washington.edu/courses/cse370/08wi/pdfs/lectures/04-Logic%20gates.pdf

Had a whole semester on this back in the day - then building it on bread boards. :)


  • Contributor
  • January 19, 2017

@lisacherie what exactly are the criteria I am setting for the Smart Computer Group? Sorry, I'm drawing a blank here.

I uploaded the script and deployed to my MacBook for testing, now I am trying to figure out what I need to do to set up the Smart Group.

Thanks!


ImAMacGuy
  • Esteemed Contributor
  • January 19, 2017

@apanages Per @lisacherie's post:

It needs 2 smart groups:

Infected
EAName is NOT None
EAName is NOT

Not Infected
EAName is None

That being said, I had to change the infected "EAName is NOT None" to "EAName not like None" in order to register correctly.


dan-snelson
  • Honored Contributor
  • January 19, 2017

Thanks, @lisacherie.


  • Contributor
  • January 20, 2017

@jwojda Thank you.


  • Valued Contributor
  • January 21, 2017

MRT was updated to remove this.

plutil -p /Library/Receipts/InstallHistory.plist | grep 14U2301

If you get 0 => "com.apple.pkg.MRT.14U2301", you've gotten the background update for MRT. Or just check MRT for version 1.14.
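An added example (not the poster's command) that performs both checks from this reply in Python 3: it looks for the com.apple.pkg.MRT.14U2301 receipt in InstallHistory.plist and compares MRT.app's bundle version against 1.14, accepting any later version as well. The InstallHistory entry keys (packageIdentifiers, displayName, displayVersion) and the MRT.app Info.plist path are assumptions of this example.

```python
#!/usr/bin/env python3
"""Tell whether the MRT update that removes this backdoor has landed.
Example code, not the original poster's one-liner."""
import plistlib

INSTALL_HISTORY = "/Library/Receipts/InstallHistory.plist"
MRT_INFO_PLIST = "/System/Library/CoreServices/MRT.app/Contents/Info.plist"
FIXED_RECEIPT = "com.apple.pkg.MRT.14U2301"   # receipt id quoted in the thread
FIXED_VERSION = (1, 14)                        # "check MRT for version 1.14"


def mrt_receipts(history_bytes: bytes) -> list:
    """Every MRT package identifier recorded in an InstallHistory plist.
    Assumed layout: an array of dicts each carrying a 'packageIdentifiers' list."""
    ids = []
    for entry in plistlib.loads(history_bytes):
        for pkg in entry.get("packageIdentifiers", []):
            if pkg.startswith("com.apple.pkg.MRT"):
                ids.append(pkg)
    return ids


def has_fixed_receipt(history_bytes: bytes) -> bool:
    return FIXED_RECEIPT in mrt_receipts(history_bytes)


def parse_version(text: str) -> tuple:
    """'1.14' -> (1, 14); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def mrt_is_current(info_plist_bytes: bytes) -> bool:
    """True when CFBundleShortVersionString in MRT.app's Info.plist is >= 1.14."""
    version = plistlib.loads(info_plist_bytes).get("CFBundleShortVersionString", "0")
    return parse_version(version) >= FIXED_VERSION


def status(history_bytes: bytes, info_plist_bytes: bytes) -> str:
    """Jamf-style <result>: Patched if either the receipt or the version check passes."""
    ok = has_fixed_receipt(history_bytes) or mrt_is_current(info_plist_bytes)
    return "<result>Patched</result>" if ok else "<result>Not patched</result>"


if __name__ == "__main__":
    with open(INSTALL_HISTORY, "rb") as hist, open(MRT_INFO_PLIST, "rb") as info:
        print(status(hist.read(), info.read()))
```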


mani2care
  • Contributor
  • March 24, 2021

Is there a Malwarebytes uninstall script available?