The consensus elsewhere is that this was found on macupdate . com. (Not putting a link to the site for obvious reasons).
The moral here is to always check where you are downloading your apps and installers from, run the pkg through Pacifist or Suspicious Package (my preference) and trash stuff without running it if in any doubt.
Yeah, looks like they'd already taken it down. I checked there and even a few google searches. Wasn't too popular to begin with from what I can tell.
I personally think the likelihood of having this in the fleet is very low. There are probably also other EAs out there; this is another one that checks whether it is installed, returning either "None" or the path to each instance of ~/Library/.dropbox:
#!/usr/bin/perl -w
use strict;

# Enumerate every local user record, then drop the built-in service accounts.
my $userlist = `dscl . list /Users`;
chomp $userlist;
my @excludedusers = split(" ", "daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");
my @userslist = split("\n", $userlist);
my @users;
my $result = "";

foreach my $u (@userslist) {
    my $match = 0;
    foreach my $e (@excludedusers) {
        if ($u eq $e) {
            $match = 1;
        }
    }
    if ($match == 0) {
        push(@users, $u);
    }
}

# For each remaining user, read the home directory from Directory Services
# and check for the marker path the malware creates.
foreach (@users) {
    my $home = `dscl . -read /Users/$_ NFSHomeDirectory | cut -d " " -f 2`;
    chomp $home;
    if (-e "$home/Library/.dropbox") {
        $result = $result . "\n$home/Library/.dropbox";
    }
}

# Strip the leading newline and emit the EA payload.
$result =~ s/^\n+//;
if ($result =~ /^$/) {
    print "<result>None</result>\n";
} else {
    print "<result>$result</result>\n";
}
To find infected results you will need a smart group similar to this.
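The same check as the EA above, written so the user filtering and the result formatting can be exercised offline the way the thread describes (plant an empty marker file in a fake home directory and see what the EA reports). This is an added example, not code from the original post or from Jamf. It generalizes the Perl exclusion list into a rule, "skip any account whose name starts with an underscore, plus daemon and nobody"; that rule is an assumption about macOS service-account naming, not something the thread states, and `self_test`, `real_users`, `infected_paths` and `ea_result` are names chosen here.

```python
#!/usr/bin/env python3
"""Added example: offline-testable version of the ~/Library/.dropbox EA.

Not from the original post.  The underscore rule below is an assumption
about how macOS names its service accounts; the Perl EA enumerates them.
"""
import os
import subprocess
import tempfile

# Non-underscore service accounts the Perl list also skips.
EXCLUDED = {"daemon", "nobody"}

# Path the malware creates inside each user's home (from the thread).
MARKER = os.path.join("Library", ".dropbox")


def real_users(dscl_list_output, excluded=EXCLUDED):
    """Reduce `dscl . list /Users` output to human accounts.

    Assumption: every macOS service account starts with '_', so this one
    rule covers the long enumerated list in the Perl EA and any service
    accounts added by later OS releases."""
    users = []
    for name in dscl_list_output.splitlines():
        name = name.strip()
        if not name or name.startswith("_") or name in excluded:
            continue
        users.append(name)
    return users


def home_of(user):
    """Read NFSHomeDirectory via dscl (macOS only; not run by the test)."""
    out = subprocess.check_output(
        ["dscl", ".", "-read", "/Users/" + user, "NFSHomeDirectory"], text=True
    )
    # Output looks like "NFSHomeDirectory: /Users/alice"
    return out.split(":", 1)[1].strip()


def infected_paths(homes):
    """Return the marker path for every home directory that contains it."""
    hits = []
    for home in homes:
        path = os.path.join(home, MARKER)
        # lexists: a dangling symlink at the marker path is still worth reporting
        if os.path.lexists(path):
            hits.append(path)
    return hits


def ea_result(hits):
    """Format the payload exactly as the Perl EA does."""
    return "<result>" + ("\n".join(hits) if hits else "None") + "</result>"


def run():
    """Real EA behaviour on a Mac: list users, resolve homes, report."""
    listing = subprocess.check_output(["dscl", ".", "list", "/Users"], text=True)
    homes = [home_of(u) for u in real_users(listing)]
    print(ea_result(infected_paths(homes)))


def self_test():
    """Reproduce the thread's test: one clean fake home, one with an empty
    marker file planted by hand.  Returns (EA output, path of the dirty home)."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "clean")
        dirty = os.path.join(root, "dirty")
        os.makedirs(os.path.join(clean, "Library"))
        os.makedirs(os.path.join(dirty, "Library"))
        open(os.path.join(dirty, MARKER), "w").close()  # empty marker, no payload
        return ea_result(infected_paths([clean, dirty])), dirty


if __name__ == "__main__":
    run()
```

Running the script on a Mac prints the same `<result>` block the Perl EA does; calling `self_test()` anywhere shows what the EA would report for one clean and one planted home without touching any real user directory.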
@lisacherie is the blank field supposed to work? I thought that broke?
Hi @donmontalvo !
It still works, at least on 9.96; haven't tried it with 9.97.
I think some people may have used the or instead of and in the smart group logic, which would make the results incorrect.
The screenshot above is what I've used with success. (Never had any infected; tested it by creating an empty file where the malware would.)
Did you see any infected clients?
Hi Lisa, McAfee ENSM handles vulnerabilities, which is a good thing, when the team that manages that service is collaborative and responsive.
I was curious about using blank fields in logic.