
I saw mention of this on Slack today, so I wrote an EA that would see if any of the fleet had the two files present. It's rather rough and doesn't do the checksum if the files are there, but it could be used to identify any Macs for further investigation.



https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/



It needs 2 smart groups:



Infected
EAName is NOT None
EAName is NOT



Not Infected
EAName is None



#!/usr/bin/perl -w
use strict;

# List every local account; the system/service accounts are dropped below.
my $userlist = `dscl . list /Users`;
chomp $userlist;
my @excludedusers = split(" ","daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");
my @userslist = split("\n", $userlist);
my @users;
my $result = "";

# Keep only the accounts that are not in the exclusion list.
foreach my $u (@userslist) {
    my $match = 0;
    foreach my $e (@excludedusers) {
        if ("$u" eq "$e") {
            $match = 1;
        }
    }
    if ($match == 0) {
        push(@users, $u);
    }
}

foreach (@users) {
    # Read the real home directory so non-standard home locations are still checked.
    my $home = `dscl . -read /Users/$_ NFSHomeDirectory | cut -d " " -f 2`;
    chomp $home;
    print "home is $home\n";    # debug output; Jamf only parses the <result> tags

    # The two indicator files from the Malwarebytes write-up.
    if (-e "$home/.client") {
        $result = $result . "\n$home/.client";
    }

    if (-e "$home/Library/LaunchAgents/com.client.client.plist") {
        $result = $result . "\n$home/Library/LaunchAgents/com.client.client.plist";
    }
}

# Strip the leading newline left by the first append.
$result =~ s/^\n+//;
if ($result =~ /^$/) {
    print "<result>None</result>\n";
} else {
    print "<result>$result</result>\n";
}

thank you!


FWIW, the find command can use wildcards:



echo "<result>"`find /Users/*/Library/LaunchAgents -name com.client.client.plist -exec bash -c "echo {} | cut -d / -f 3" \;`"</result>"

The querying of NFSHomeDirectory accounts for any edge cases where a user may have a non standard home directory location.
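As an added example (not code from this thread), a POSIX shell version of the same EA that combines the two posts above: it enumerates local accounts with dscl, reads each NFSHomeDirectory so relocated home folders are still scanned, and reports every indicator path found inside Jamf <result> tags. The function names scan_home, list_homes and report are mine, and using UID >= 500 to pick out human accounts is an assumption standing in for the Perl script's exclusion list.

```shell
#!/bin/sh
# Added example, not from the thread: Jamf-style EA that checks every local
# account's real home directory for the two indicator files.
# Helper names (scan_home, list_homes, report) are hypothetical.

# Indicator paths relative to a user's home directory (from the write-up).
INDICATORS='.client
Library/LaunchAgents/com.client.client.plist'

# Print the full path of every indicator present under one home directory.
scan_home() {
    printf '%s\n' "$INDICATORS" | while IFS= read -r rel; do
        if [ -e "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
        fi
    done
}

# macOS only: list home directories of local accounts with UID >= 500
# (assumed cut-off for human accounts), via NFSHomeDirectory rather than
# /Users/* so relocated homes are still scanned. sed keeps paths with spaces.
list_homes() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' |
    while IFS= read -r user; do
        dscl . -read "/Users/$user" NFSHomeDirectory |
            sed -n 's/^NFSHomeDirectory: //p'
    done
}

# Read home directories (one per line) on stdin and emit the EA result:
# one indicator path per line inside <result>, or None when nothing is found.
report() {
    found=""
    while IFS= read -r home; do
        [ -n "$home" ] || continue
        hits=$(scan_home "$home")
        if [ -n "$hits" ]; then
            found="$found
$hits"
        fi
    done
    if [ -n "$found" ]; then
        printf '<result>%s</result>\n' "${found#?}"   # drop the leading newline
    else
        printf '<result>None</result>\n'
    fi
}

# Run the real scan only on macOS; the functions can be exercised elsewhere.
if [ "$(uname)" = Darwin ] && [ -x /usr/bin/dscl ]; then
    list_homes | report
fi
```

Because report takes home directories on stdin, the same script can be pointed at a mounted volume or a test directory without touching dscl.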


Great info guys! Testing the scripts and will deploy as EA.


Well, all of a sudden I'm getting notifications about machines hitting the infected smart group. Do you have any info on Apple's patch? The Malwarebytes post didn't say much. I assume it's Gatekeeper. Does it remove the infection automagically?


Not to be dismissive - do you have the Boolean logic correct in the smart group?
In a similar check for Eleanor last year, some people had the Boolean logic around the wrong way, resulting in false positives.



The EA in inventory should list the path for any infections you do have when viewing the computer to confirm whether smart group criteria is correct.


I actually think it was partly because I made the changes off VPN but on the DMZ server, and it didn't replicate the EA.



Quick question though, for the infected section



Infected
EAName is NOT None
EAName is NOT


Are they an "and" or an "or"?


AND 🙂 otherwise the OR would match all the clean Macs.


Theory behind it courtesy of a google search and a CS dept kindly sharing their deck.
https://courses.cs.washington.edu/courses/cse370/08wi/pdfs/lectures/04-Logic%20gates.pdf



Had a whole semester on this back in the day - then building it on bread boards. :)


@lisacherie what exactly is the Criteria I am setting for the Smart Computer Group? Sorry, I'm drawing a blank here



I uploaded the script and deployed to my MacBook for testing, now I am trying to figure out what I need to do to set up the Smart Group.



Thanks!


@apanages Per @lisacherie's post



It needs 2 smart groups:

Infected
EAName is NOT None
EAName is NOT

Not Infected
EAName is None


That being said, I had to change the infected "EAName is NOT None" to "EAName not like None" in order to register correctly.


Thanks, @lisacherie.


@jwojda Thank you.


MRT was updated to remove this.



plutil -p /Library/Receipts/InstallHistory.plist | grep 14U2301


If you get 0 => "com.apple.pkg.MRT.14U2301" you've gotten the background update for MRT. Or just check MRT for version 1.14.


Is there a Malwarebytes uninstall script available?

