
Has anyone made the changes to the Palo Alto WireLurker detector script so it can be used as an Extension Attribute?



Thanks.

I haven't tested this thoroughly, but I just removed all the print statements except for the last ones, which show whether or not it was detected.



https://github.com/PaloAltoNetworks-BD/WireLurkerDetector



#!/usr/bin/env python
# -*- coding: utf-8 -*-



# Module metadata carried over from the Palo Alto Networks detector this
# Extension Attribute script is derived from.
__version__ = '1.0.0'
__author__ = 'Claud Xiao'
__copyright__ = 'Copyright (c) 2014, Palo Alto Networks, Inc.'


import os
import platform
import plistlib
import stat
import subprocess
import sys


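# Absolute paths dropped by the WireLurker OS X component; the presence of any
# one of them is reported as an infection by main().
#
# NOTE(review): the forum paste listed '/usr/bin/globalupdate' and
# '/usr/local/machook/' fused into a single string (an absolute path embedded
# mid-string), which is almost certainly a copy/paste artifact and would miss
# both indicators. They are listed separately here; compare against the
# upstream list before relying on this copy.
MALICIOUS_FILES = [
    '/Users/Shared/run.sh',
    '/Library/LaunchDaemons/com.apple.machook_damon.plist',
    '/Library/LaunchDaemons/com.apple.globalupdate.plist',
    '/usr/bin/globalupdate',
    '/usr/local/machook/',
    '/usr/bin/WatchProc',
    '/usr/bin/itunesupdate',
    '/Library/LaunchDaemons/com.apple.watchproc.plist',
    '/Library/LaunchDaemons/com.apple.itunesupdate.plist',
    '/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist',
    '/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist',
    '/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist',
    '/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist',
    '/usr/bin/com.apple.MailServiceAgentHelper',
    '/usr/bin/com.apple.appstore.PluginHelper',
    '/usr/bin/periodicdate',
    '/usr/bin/systemkeychain-helper',
    '/usr/bin/stty5.11.pl',
]

# Paths the upstream detector classes as suspicious rather than malicious.
# main() nonetheless reports any hit here as "Wirelurker detected".
SUSPICIOUS_FILES = [
    '/etc/manpath.d/',
    '/usr/local/ipcc/',
]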


def scan_files(paths):
    """Return the subset of *paths* that currently exist on disk, in input order.

    Existence is tested with os.path.exists, which follows symlinks; the result
    is always a new list, even when *paths* is some other iterable.
    """
    return [candidate for candidate in paths if os.path.exists(candidate)]


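def is_file_hidden(f):
    """Return True if the regular file *f* carries the BSD ``UF_HIDDEN`` flag.

    Missing paths, directories and files that cannot be stat'ed yield False,
    so callers treat "cannot tell" the same as "not hidden".

    Changes from the pasted version:

    * The version test on the old first branch was wrong (it indexed the micro
      version and compared a tuple with an int) and ``st_flags.UF_HIDDEN``
      reads an attribute off an int, so that branch could never return a
      meaningful result. The flag is now read as ``st_flags & UF_HIDDEN``.
    * The old fallback interpolated *f* into a ``shell=True`` command string,
      so a file or bundle name containing shell metacharacters would have
      been interpreted by the shell in a scanner that usually runs as root.
      The fallback now passes the path as an argument list with no shell, and
      is only reached on platforms whose stat result lacks ``st_flags``.
    """
    if not os.path.isfile(f):
        return False

    try:
        st = os.stat(f)
    except OSError:
        return False

    flags = getattr(st, 'st_flags', None)
    if flags is not None:
        # stat.UF_HIDDEN is only defined from Python 3.3; 0x8000 is the BSD value.
        return bool(flags & getattr(stat, 'UF_HIDDEN', 0x8000))

    try:
        proc = subprocess.Popen(['ls', '-ldO', f],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT)
        output, _ = proc.communicate()
        # bytes literal so the test works on both Python 2 (str) and 3 (bytes).
        return b'hidden' in output
    except OSError:
        # ls missing or not executable: best-effort probe, report not hidden.
        return False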


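def _read_info_plist(path):
    """Parse the property list at *path*, preferring plistlib.load.

    plistlib.readPlist was deprecated in Python 3.4 and removed in 3.9, so the
    modern API is used when present and readPlist only as a Python 2 fallback.
    """
    load = getattr(plistlib, 'load', None)
    if load is None:
        return plistlib.readPlist(path)
    with open(path, 'rb') as fh:
        return load(fh)


def is_app_infected(root):
    """Return True if the .app bundle at *root* shows WireLurker's trojanizing pattern.

    Two layouts are checked, each requiring a pair of hidden files: the
    bundle's CFBundleExecutable together with a hidden sibling suffixed '_',
    or hidden Resources/start.sh together with Resources/FontMap1.cfg.

    Any exception while reading Info.plist or probing the files (missing or
    malformed plist, missing CFBundleExecutable key) is treated as "not
    infected", so a bundle the scanner cannot inspect is skipped silently
    rather than reported. The broad catch is kept on purpose: a single
    unreadable bundle must not abort the whole /Applications walk.
    """
    contents = os.path.join(root, 'Contents')
    try:
        info = _read_info_plist(os.path.join(contents, 'Info.plist'))
        executable = os.path.join(contents, 'MacOS', info['CFBundleExecutable'])
        if is_file_hidden(executable) and is_file_hidden(executable + '_'):
            return True

        resources = os.path.join(contents, 'Resources')
        return (is_file_hidden(os.path.join(resources, 'start.sh'))
                and is_file_hidden(os.path.join(resources, 'FontMap1.cfg')))
    except Exception:
        return False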


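def scan_app(base='/Applications'):
    """Return the paths of .app bundles under *base* that is_app_infected flags.

    Every directory in the tree whose name ends in ``.app`` (case-insensitive)
    is checked, including bundles nested inside other bundles, matching the
    original behaviour. *base* defaults to the system Applications folder and
    may be pointed at another root (for example a per-user Applications
    folder). A missing or unreadable *base* yields an empty list, because
    os.walk skips directories it cannot list instead of raising.
    """
    return [
        root
        for root, _dirs, _files in os.walk(base)
        if root.lower().endswith('.app') and is_app_infected(root)
    ]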


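def main():
    """Run the three checks and print a single Extension Attribute result.

    Prints exactly one ``<result>…</result>`` line on stdout: "Not detected"
    when no malicious path, suspicious path or infected bundle was found,
    otherwise "Wirelurker detected". Returns 0 or 1 accordingly (the
    ``__main__`` guard below discards this value).

    On a non-Darwin host the checks are meaningless, so an error is written
    to stderr and the process exits with -1 without printing a result.
    """
    if platform.system() != 'Darwin':
        # Diagnostics go to stderr so stdout carries nothing but the <result> tag.
        sys.stderr.write('ERROR: The script should only be run in a Mac OS X system.\n')
        sys.exit(-1)

    mal_files = scan_files(MALICIOUS_FILES)
    sus_files = scan_files(SUSPICIOUS_FILES)
    infected_apps = scan_app()

    # A hit on SUSPICIOUS_FILES alone is reported as detected, exactly as the
    # pasted version did once its per-item prints were stripped out.
    if not (mal_files or sus_files or infected_apps):
        print("<result>Not detected</result>")
        return 0

    print("<result>Wirelurker detected</result>")
    return 1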


if __name__ == "__main__":
    # main()'s 0/1 return value is discarded here; only the printed
    # <result> line reaches whatever collects the script's output.
    main()

I know that this doesn't answer your question, but here is some related good news:



WireLurker Mac OS X Malware Found, Shut Down
http://apple-beta.slashdot.org/story/14/11/06/1853237/wirelurker-mac-os-x-malware-found-shut-down


Thanks kstrick - I received the stand down at about the same time you sent your response...