Solved

Flashback trojan EA

  • April 3, 2012
  • 44 replies
  • 134 views


donmontalvo
  • Hall of Fame
  • April 12, 2012

Jumping on this thread a bit late. I see a couple of scripts on this page and a few suggestions...is there a final version that I can grab?

Thanks,
Don


damienbarrett
  • Honored Contributor
  • April 12, 2012

I received a positive hit this morning using the script from "talkingmoose" posted above. However, in JSS when I view details on this "infected" computer, I see this listed for the EA's value:

/Users/Shared/.mcafeevirusenterprise.so user [username redacted] is infected

Does this make any sense to anyone? I was expecting it to tell me that Firefox or Safari were infected, not something about mcafee.


talkingmoose
  • Community Manager
  • April 12, 2012

You're actually seeing two lines but the JSS is not handling the carriage return between them.

Did you see Greg's correction just after I posted the modified script? Replace "-print0" with "-0" and see if that makes a difference. I don't think the "/Users/Shared/.mcafeevirusenterprise.so" line should be there.


damienbarrett
  • Honored Contributor
  • April 12, 2012

Ah, nope, missed that post! Thanks for the correction. I've changed the script in my EA and will see what happens.


donmontalvo
  • Hall of Fame
  • April 12, 2012

Ok so here is @talkingmoose's script with the edit (replace "-print0" with "-0"):

#!/bin/bash

app_list=()

mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo

echo "<result>"

while read -r -d $''; do
    app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)

for browser in "${app_list[@]}"; do
    defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done

if [[ -f /Users/Shared/.libgmalloc.dylib ]]; then
    echo "/Users/Shared/ is infected" >&3
fi

exec 3>&-
unlink result_fifo

echo "</result>"

donmontalvo
  • Hall of Fame
  • Answer
  • April 12, 2012

...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert.

Don


damienbarrett
  • Honored Contributor
  • April 12, 2012

Yeah, Don, that's pretty easy. The script's output contains the words "is infected" (and no output if a machine is not infected), so you can easily create a Smart group to show any machines with this particular Extension Attribute's value set to "like" "infected".


  • Author
  • Contributor
  • April 12, 2012
I received a positive hit this morning using the script from "talkingmoose" posted above. However, in JSS when I view details on this "infected" computer, I see this listed for the EA's value: /Users/Shared/.mcafeevirusenterprise.so user [username redacted] is infected Does this make any sense to anyone? I was expecting it to tell me that Firefox or Safari were infected, not something about mcafee.

What you are seeing is the file to check for the next steps of cleaning the virus.

If you look at my post for the User cleaner and run that against this user WHILE THE USER IS LOGGED IN TO CLEAN LAUNCHD then you will be able to get rid of it for them.

If you look at Step 10 on this page https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml the file that is showing up in your result

/Users/Shared/.mcafeevirusenterprise.so

is the path you would fill in for "%path_obtained_in_step9% " if you were cleaning by hand.

Hope this helps.

Here is my user cleaner script.
https://jamfnation.jamfsoftware.com/discussion.html?id=4219


  • Author
  • Contributor
  • April 12, 2012
...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert. Don

I made 3 Smart Groups.

Like Damien I started with one that was only "like infected"

When it became apparent that I was only seeing infections in Safari and in the Users, I created two additional groups for "like user" and "like safari".

And I created these:

https://jamfnation.jamfsoftware.com/discussion.html?id=4219
https://jamfnation.jamfsoftware.com/discussion.html?id=4220


  • Author
  • Contributor
  • April 12, 2012

...and we need a way to unmark an answer cuz I totally just meant to reply and wasn't thinking/looking at the buttons

Vote this up if you agree ;)
https://jamfnation.jamfsoftware.com/featureRequest.html?id=165


  • Author
  • Contributor
  • April 12, 2012
You're actually seeing two lines but the JSS is not handling the carriage return between them. Did you see Greg's correction just after I posted the modified script? Replace "-print0" with "-0" and see if that makes a difference. I don't think the "/Users/Shared/.mcafeevirusenterprise.so" line should be there.

If you upgrade to 8.51 you will get newlines in EA display again *WOOT!*

Also, the output SHOULD be there as it tells you what to do next in the F-Secure steps for manual removal.

The reason it is there scripting wise is because of the way I chose to do the redirection.

For example in this line:

defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3

the stderr of the defaults command gets redirected to /dev/null with "2>" but the stdout is not redirected. Then the echo is redirected to file descriptor 3.

What I intended to do in the first version, which is send everything to 3 would require command grouping with {}. But ultimately none of that is really necessary.

p.s. I actually am watching tutorials on how to use git now because I have been making improvements since posting this and not posting the changes...like after realizing all the fifo nonsense was stupid and unnecessary... :P
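The redirection behaviour explained in the post above, as an added example that is not one of the thread's scripts. `probe` is a constructed stand-in for `defaults read <bundle>/Contents/Info LSEnvironment` (it exits 0 and prints a made-up value when the key "exists", exits 1 otherwise), and `split_streams` points fd 3 at a scratch file so you can see which descriptor each style sends the value and the verdict to:

```bash
#!/bin/bash
# Added example, not from the thread's scripts. "probe" is a constructed stand-in
# for `defaults read <bundle>/Contents/Info LSEnvironment`: when the key "exists"
# it prints the value on stdout, a diagnostic on stderr, and exits 0; otherwise it
# complains on stderr and exits 1. The value string is made up for the demo.
probe() {
    if [ "$1" = "hit" ]; then
        echo '{ DYLD_INSERT_LIBRARIES = "/Users/Shared/.libgmalloc.dylib"; }'
        echo 'probe: (constructed) diagnostic on stderr' >&2
        return 0
    fi
    echo 'probe: (constructed) key does not exist' >&2
    return 1
}

# Run one redirection style with fd 3 pointed at a scratch file, then report what
# reached stdout versus fd 3 as a single line "stdout:<...>|fd3:<...>".
#   original  the thread's one-liner: only stderr silenced, only the echo to fd 3
#   grouped   command grouping with {} so the value and the echo both go to fd 3
#   verdict   the if/else form with stdout silenced too: only the verdict remains
split_streams() {
    style="$1"; key="$2"
    tmp=$(mktemp)
    exec 3>"$tmp"
    case "$style" in
        original)
            out=$(probe "$key" 2>/dev/null && echo "$key is infected" >&3) || : ;;
        grouped)
            out=$({ probe "$key" && echo "$key is infected"; } 2>/dev/null >&3) || : ;;
        verdict)
            out=$(if probe "$key" >/dev/null 2>&1; then echo "$key is infected"
                  else echo "$key is NOT infected"; fi) ;;
    esac
    exec 3>&-
    fd3=$(cat "$tmp")
    rm -f "$tmp"
    # embedded newlines become spaces so each report fits on one line
    printf 'stdout:%s|fd3:%s\n' "$(printf '%s' "$out" | tr '\n' ' ')" \
                               "$(printf '%s' "$fd3" | tr '\n' ' ')"
}

# Stand-alone run: show all three styles for an infected and a clean item.
for style in original grouped verdict; do
    for key in hit miss; do
        printf '%-8s %-4s -> ' "$style" "$key"
        split_streams "$style" "$key"
    done
done
```

In the EA script fd 3 was the fifo that `cat` copied back to stdout, so `original` and `grouped` both end up inside `<result>`; the only difference is which descriptor carries the value line, which is why the fifo turned out to be unnecessary. The `verdict` style is the one to use if the result should contain nothing but the "is infected" / "is NOT infected" lines the Smart Group matches on; the plist value (the path the F-Secure manual steps ask for) then only lives in whatever you log it to.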


  • Author
  • Contributor
  • April 12, 2012

Here is what I use now. I upgraded to 8.51 so, as I mentioned before, there are now newlines, so it makes sense to add back in the "Not infected" as some have asked for. That means you will have to change the Smart group for all of them to "like is infected" instead of just "like infected".

#!/bin/bash

app_list=()

echo "<result>"

while read -r -d $''; do
    app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)

for browser in "${app_list[@]}"; do
    if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
        echo "${browser} is infected"
    else
        echo "${browser} is NOT infected"
    fi
done

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
        echo "user ${username} is infected"
    else
        echo "user ${username} is NOT infected"
    fi
done

echo "</result>"

Here is what the output looks like on the command line now.

<result>
/Applications/Safari.app is NOT infected
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
user bob is NOT infected
user macports is NOT infected
user ryan is NOT infected
</result>

And here is the result in the JSS

/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
/Applications/Safari.app is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user rmanly_stu is NOT infected

student usernames converted to ---- and trimmed for public posting


  • Author
  • Contributor
  • April 12, 2012

RUN SOFTWARE UPDATE

https://support.apple.com/kb/HT5242


  • New Contributor
  • April 13, 2012

I've made some mods for my environment, and am cutting my teeth on the JSS these days.

Unfortunately I'm bound by ITIL / Change Management and can't be more aggressive with it, but I figure it does the job.

Points for the comment being as long as the script itself!

#!/bin/bash

# JSS Flashback Checker Extension Attribute script
# credit to rmanly and talkingmoose on the jamfnation 
# forum for the basis of this script
#
# modified by Dave Castelletti @davecastelletti (admittedly a scripting- & JSS novice)
#   Intent of mods for OS-variable large environment: 
#       10.4-10.7 compatibility
#       Efficient output to Extension Attribute (set as visible in JSS inventory)
#   Improvements needed: 
#       mailer using org's open relay to tail the system.log | grep lines containing "infected"
#       Figure out why some 10.5/10.6 return a blank $AppResult
#
#   Associated Policy to trigger this script
#       RunOnce AllComputers UpdateInventory (simple as it gets!)
#   Associated SmartGroups
#       FlashbackInfected = EA like 'infected', associated with ongoing inventory for group
#           removal once cleaned
#       FlashbackFixNeeded-10.6 = Associated with removal policy scope (Update8 pkg push)
#       FlashbackFixNeeded-10.7 = Associated with removal policy scope (2012-003 pkg push)
#
# Feedback welcomed via the twitter. My n00bulb doth shine brightly.

# Original broke on my 10.4 tests; eliminated from results
OLD=`sw_vers | grep "10.4" | wc -l`
if [ $OLD -ne 0 ]; then
    echo "<result>N/A (10.4)</result>"
    exit 0
fi

app_list=()

while read -r -d $''; do
    app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)

# wrote details to system.log for manual dive or, ideally, sendmail to the MacEng team
# in order to keep the DB small and the JSS web copy concise (lots of users on some boxes!)
# Both summaries start out clean and are only ever escalated, so a later clean item
# cannot overwrite an earlier hit and an empty mdfind list cannot leave them blank.
AppResult="Apps Clean"
for browser in "${app_list[@]}"; do
    if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
        logger "${browser} is infected with Flashback"
        AppResult="${browser} Infected"
    fi
done

# details also in system.log
UserResult="Users Clean"
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
        logger "user ${username} is infected with Flashback"
        UserResult="User Infected"
    fi
done

echo "<result>$AppResult, $UserResult</result>"

  • New Contributor
  • April 13, 2012

Awesome work everybody! This will save me so much work. I'm adding this EA to our environment now.


  • Valued Contributor
  • April 13, 2012

I concur


talkingmoose
  • Community Manager
  • April 13, 2012
Points for the comment being as long as the script itself!

I say major points for actually adding comments. It's a habit I need to work on.