Posted on 04-03-2012 04:53 PM
I just threw this together - mostly as an excuse to play with named pipes. It will tell you if one of the big 3 browsers or non-hidden users are infected with Flashback.
*IF* I actually find it anywhere I will come up with something to remove it.
#!/bin/bash
app_list=()
mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo
echo "<result>"
while read -r -d $''; do
app_list+=("$REPLY")
done < <(find / ( -iname "google chrome.app" -o -iname "safari.app" -o -iname "firefox.app" ) -print0 2> /dev/null)
for browser in "${app_list[@]}"; do
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done
exec 3>&-
unlink result_fifo
echo "</result>"
p.s. It would be REALLY awesome if the EA display in the JSS supported newlines again.
Solved! Go to Solution.
Posted on 04-12-2012 10:36 AM
...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert.
Don
Posted on 04-12-2012 01:20 PM
Here is what I use now. I upgraded to 8.51 so as I mentioned before there is now newlines so it makes sense to add back in the "Not infected" as some have asked for. That means you will have to change the Smart group for all of them to "like is infected" instead of just "like infected"
#!/bin/bash
app_list=()
echo "<result>"
while read -r -d $''; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
for browser in "${app_list[@]}"; do
if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
echo "${browser} is infected"
else
echo "${browser} is NOT infected"
fi
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
echo "user ${username} is infected"
else
echo "user ${username} is NOT infected"
fi
done
echo "</result>"
Here is what the output looks like on the command line now.
<result>
/Applications/Safari.app is NOT infected
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
user bob is NOT infected
user macports is NOT infected
user ryan is NOT infected
</result>
And here is the result in the JSS
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
/Applications/Safari.app is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user rmanly_stu is NOT infected
student usernames converted to ---- and trimmed for public posting
Posted on 04-12-2012 01:55 PM
Posted on 04-04-2012 04:21 AM
EA Display, vote it up if you haven't
https://jamfnation.jamfsoftware.com/featureRequest.html?id=110
Posted on 04-04-2012 05:30 AM
Mmh, pipes!
But why not replace "find" with "mdfind" to make use of the awesome speed of spotlight? You could even leave out "-onlyin /" to search all local volumes in lightning speed...
# /usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") '
/Applications/Firefox.app
/Applications/Safari.app
/Applications/Google Chrome.app
Posted on 04-05-2012 12:31 PM
Related topic: This might grow into a bigger problem. Now I am worried about all of the websites offering scripts that promise to check and clean the Mac from the flashback trojan.
Posted on 04-05-2012 01:59 PM
@cvgs Ohh that is much faster :)
Nice.
Posted on 04-05-2012 02:08 PM
@sean I thought I had voted up on that a while ago but just did it again.
It is pretty annoying. My original script for this had an if then else statement for the checks so it would go
/Application/Safari.app is NOT infected
/Application/Firefox.app is infected
rmanly is infected
etc..but on student machines with tons of mobile accounts the result was incomprehensible without newlines so I took out all the NOTs
Posted on 04-05-2012 02:48 PM
This EA is very helpful, thanks!!!
Posted on 04-05-2012 04:52 PM
Has anyone found a threat yet?
Posted on 04-05-2012 05:02 PM
#Would this work? How would I echo back that the computer is not infected?
SAFARI_BROWSERS=$(/usr/bin/mdfind "kMDItemCFBundleIdentifier == 'com.apple.safari'")
echo "<result>"
defaults read "$SAFARI_BROWSERS"/Contents/Info LSEnvironment 2> /dev/null && echo "$SAFARI_BROWSERS" is infected"" 2>&1
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" 2>&1
done
echo "</result>"
Posted on 04-06-2012 05:32 AM
when I tried the EA with the mfind tweak all I get is
/private/tmp/extensionAttributeScript: line 25: syntax error near unexpected token `<' /private/tmp/extensionAttributeScript: line 25: `done < </usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ''
Posted on 04-06-2012 06:27 AM
That modified line should look like this:
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -print0 2> /dev/null)
Posted on 04-06-2012 06:44 AM
that got passed that line - but now it's returning
/private/tmp/extensionAttributeScript: line 56: syntax error: unexpected end of file
However, i went back and counted the lines in the EA - and it's only 37 lines...... unless I stretch the box out then it's 28...
Posted on 04-06-2012 08:17 AM
This is Ryan's script with Christoph's suggested mdfind modification. I added another check for /Users/Shared/.libgmalloc.dylib.
#!/bin/bash
app_list=()
mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo
echo "<result>"
while read -r -d $''; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -print0 2> /dev/null)
for browser in "${app_list[@]}"; do
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done
if [[ -f /Users/Shared/.libgmalloc.dylib ]]; then
echo "/Users/Shared/ is infected" >&3
fi
exec 3>&-
unlink result_fifo
echo "</result>"
Posted on 04-06-2012 08:37 AM
First, a big "Thank you" to everyone for the script and modifications.
My question, I know how to make a policy to run this but how do I get it to report back to me on what computers are infected?
When I run it on a couple of my test computers, I have to actually view each computer's install log to see the result.
Thanks again and I apologize for the ignorant question.
Posted on 04-06-2012 09:45 AM
I wouldn't create a policy. Just create an Extension Attribute and recon your machines or wait for them to check in and provide an inventory. If you have Smart Group that checks the Extension Attribute for "like" infected and check off Send Email Notification on Change that should take care of it.
Posted on 04-06-2012 11:39 AM
Thanks Golbiga....
It's a Friday... I'm forgetting everything I learned it seems.
Enjoy the weekend everyone!
Posted on 04-06-2012 12:14 PM
Thanks for crafting the scripts!
A note confirming speed improvement with using talkingmoose's script compared to the first one posted by rmanly. recon time went from 5m 04s down to 2m 34s on my test device.
So far none discovered. I am tempted figure out how to fake my test device so I know the detection is working.
Posted on 04-06-2012 12:20 PM
This is great! thank you! It's completing VERY quickly now.
Is the only output should be infected? If it's clean then there is nothing output?
Posted on 04-06-2012 02:20 PM
@talkingmoose- Just a slight modification to your last script... shouldn't be a -print0, but a -0.
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
Unsure about elsewhere, but my few test systems don't have kMDItemCFBundleIdentifier for Safari. So, instead for that one, I'm using kMDItemFSName == "Safari.app". The other two apps have kMDItemCFBundleIdentifier.
And thanks to rmanly, talkingmoose and cvgs for the code. Really quite useful.
Posted on 04-06-2012 03:29 PM
You may get a faster response doing an onlyin, but there is nothing to say that Firefox or Chrome could be anywhere on the system.
You may also wish to check launchctl for a set environment variable "DYLD_INSERT_LIBRARIES". You could run this as a login hook
Something like:
userPID=`ps -ef | grep "loginwindow console" | grep -v grep | awk '{print $2}'`
launchctl bsexec $userPID su $3 -c 'launchctl getenv DYLD_INSERT_LIBRARIES'
Write the response to your own file, plist for example and make an EA against that and you can remove it with the unset option.
Posted on 04-08-2012 09:40 AM
@sean
Could you elaborate on what you mean on your last post? Write out the output to plist and EA that output?
Cheers
Posted on 04-09-2012 10:49 AM
Thought you all would like to know that we got a positive hit over here using the original EA posted by Ryan. About to update with the version posted by William. Thank you Ryan, Christoph, and William for your work on this.
Now..any suggestions on automating removal of Flashback?
Posted on 04-09-2012 11:30 AM
Got two hits here right after lunch.
@vescala I will work on a script for removing it this afternoon.
I would have done it last Thursday but I got distracted figuring out how to disable Java in all the browsers via script.
Posted on 04-09-2012 06:20 PM
FYI here is the output of my original and how it shows up in the JSS.
Because the output of the the check on the user points to the common /Users/Shared/.libgmalloc.dylib I don't think that needs to be checked for seperately. It's existence is part of the User being infected.
https://skitch.com/feydrmm/8t377/computer-details--glenbrook-225--jssv8.51
https://skitch.com/feydrmm/8t37w/computer-details--glenbrook-225--jssv8.51
Here is the text of the second screenie.
{
"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.IntenetTweak.xsl";
}
Posted on 04-10-2012 02:28 AM
@rpotvin
You could just run unsetenv and forget about it. Alternatively, if you want a report on it, you need to provide an answer to it somewhere. Since you would like to know if this variable is set on each user, network or local, then you need to run this command against users when they are logged in, so you can't really just use an EA for this. Hence, run the getenv as a login script and redirect the output to a file, any file you like, so send it to the system.log, create your own log or make you own plist, text file, etc, your choice.
Create an EA that will read the above created file. If you want an immediate report from this file, then you would want to also include a jamf recon at the end of the login script.
I haven't concisely read the docs on launchd to work out if there is a way to read the users environment variables without them being logged in, but if I get a chance I will.
Sean
Posted on 04-10-2012 03:15 PM
Nice tool created for this FYI.
https://github.com/jils/FlashbackChecker/downloads
Posted on 04-12-2012 06:44 AM
Jumping on this thread a bit late. I see a couple scripts on this page and a few suggestions...is there a final version that I can grab?
Thanks,
Don
Posted on 04-12-2012 08:01 AM
I received a positive hit this morning using the script from "talkingmoose" posted above. However, in JSS when I view details on this "infected" computer, I see this listed for the EA's value:
/Users/Shared/.mcafeevirusenterprise.so user [username redacted] is infected
Does this make any sense to anyone? I was expecting it to tell me that Firefox or Safari were infect, not something about mcafee.
Posted on 04-12-2012 09:07 AM
You're actually seeing two lines but the JSS is not handling the carriage return between them.
Did you see Greg's correction just after I posted the modified script? Replace "-print0" with "-0" and see if that makes a difference. I don't think the "/Users/Shared/.mcafeevirusenterprise.so" line should be there.
Posted on 04-12-2012 09:19 AM
Ah, nope, missed that post! Thanks for the correction. I've changed the script my EA and will see what happens.
Posted on 04-12-2012 10:35 AM
Ok so here is @talkingmoose's script with the edit (replace "-print0" with "-0"):
#!/bin/bash
app_list=()
mkfifo result_fifo
cat < result_fifo &
exec 3>result_fifo
echo "<result>"
while read -r -d $''; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
for browser in "${app_list[@]}"; do
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null && echo "user ${username} is infected" >&3
done
if [[ -f /Users/Shared/.libgmalloc.dylib ]]; then
echo "/Users/Shared/ is infected" >&3
fi
exec 3>&-
unlink result_fifo
echo "</result>"
Posted on 04-12-2012 10:36 AM
...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert.
Don
Posted on 04-12-2012 10:44 AM
Yeah, Don, that's pretty easy. The script's output contains the words "is infected" (and no output if a machine is not infected), so you can easily create a Smart group to show any machines with this particular Extension Attribute's value set to "like" "infected".
Posted on 04-12-2012 12:57 PM
I received a positive hit this morning using the script from "talkingmoose" posted above. However, in JSS when I view details on this "infected" computer, I see this listed for the EA's value: /Users/Shared/.mcafeevirusenterprise.so user [username redacted] is infected Does this make any sense to anyone? I was expecting it to tell me that Firefox or Safari were infect, not something about mcafee.
What you are seeing is the file to check for the next steps of cleaning the virus.
If you look at my post for the User cleaner and run that against this user WHILE THE USER IS LOGGED IN TO CLEAN LAUNCHD then you will be able to get rid of it for them.
If you look at Step 10 on this page https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml the file that is showing up in your result
/Users/Shared/.mcafeevirusenterprise.so
is the path you would fill in for "%path_obtained_in_step9% " if you were cleaning by hand.
Hope this helps.
Here is my user cleaner script.
https://jamfnation.jamfsoftware.com/discussion.html?id=4219
Posted on 04-12-2012 12:59 PM
...is there a way to create a Smart Computer Group that will show any computers that are infected? This way we can set up an alert. Don
I made 3 Smart Groups.
Like Damien I started with one that was only "like infected"
When it became apparent that I was only seeing infections in Safari and in the Users I created two additional groups for "like user" and "like safari"
And I created these:
https://jamfnation.jamfsoftware.com/discussion.html?id=4219
https://jamfnation.jamfsoftware.com/discussion.html?id=4220
Posted on 04-12-2012 01:00 PM
...and we need a way to unmark an answer cuz I totally just meant to reply and wasn't thinking/looking at the buttons
Posted on 04-12-2012 01:00 PM
...and we need a way to unmark an answer cuz I totally just meant to reply and wasn't thinking/looking at the buttons
Vote this up if you agree ;)
https://jamfnation.jamfsoftware.com/featureRequest.html?id=165
Posted on 04-12-2012 01:19 PM
You're actually seeing two lines but the JSS is not handling the carriage return between them. Did you see Greg's correction just after I posted the modified script? Replace "-print0" with "-0" and see if that makes a difference. I don't think the "/Users/Shared/.mcafeevirusenterprise.so" line should be there.
If you upgrade to 8.51 you will get newlines in EA display again *WOOT!*
Also, the output SHOULD be there as it tells you what to do next in the F-Secure steps for manual removal.
The reason it is there scripting wise is because of the way I chose to do the redirection.
For example in this line:
defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null && echo "${browser} is infected" >&3
the stderr of the defaults command gets redirected to /dev/null with "2>" but the stdout is not redirected. Then the echo is redirected file descriptor 3.
What I intended to do in the first version, which is send everything to 3 would require command grouping with {}. But ultimately none of that is really necessary.
p.s. I actually am watching tutorials on how to use git now because I have been making improvements since posting this and not posting the changes...like after realizing all the fifo nonsense was stupid and unnecessary... :P
Posted on 04-12-2012 01:20 PM
Here is what I use now. I upgraded to 8.51 so as I mentioned before there is now newlines so it makes sense to add back in the "Not infected" as some have asked for. That means you will have to change the Smart group for all of them to "like is infected" instead of just "like infected"
#!/bin/bash
app_list=()
echo "<result>"
while read -r -d $''; do
app_list+=("$REPLY")
done < <(/usr/bin/mdfind -onlyin / ' (kMDItemCFBundleIdentifier == "com.apple.Safari") || (kMDItemCFBundleIdentifier == "com.google.Chrome") || (kMDItemCFBundleIdentifier == "org.mozilla.firefox") ' -0 2> /dev/null)
for browser in "${app_list[@]}"; do
if defaults read "${browser}"/Contents/Info LSEnvironment 2> /dev/null; then
echo "${browser} is infected"
else
echo "${browser} is NOT infected"
fi
done
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
if defaults read /Users/"${username}"/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null; then
echo "user ${username} is infected"
else
echo "user ${username} is NOT infected"
fi
done
echo "</result>"
Here is what the output looks like on the command line now.
<result>
/Applications/Safari.app is NOT infected
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
user bob is NOT infected
user macports is NOT infected
user ryan is NOT infected
</result>
And here is the result in the JSS
/Applications/Google Chrome.app is NOT infected
/Applications/Firefox.app is NOT infected
/Applications/Safari.app is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user ---- is NOT infected
user rmanly_stu is NOT infected
student usernames converted to ---- and trimmed for public posting
Posted on 04-12-2012 01:55 PM
RUN SOFTWARE UPDATE
https://support.apple.com/kb/HT5242