Flashback Trojan Extension Attribute
Posted on 04-09-2012 12:29 PM
Given the concern that the Flashback Trojan is generating, I’m sharing a script which detects and reports infection of the Trojan. Using this script as an extension attribute you can report on whether each of the three major browsers is infected and if the latest Java update has been applied. Finally, leveraging smart groups you can detect if one or more of the conditions is true and take action on a given box.
Example Return Value:
Safari:1,Chrome:0,FireFox:0,DyldLibraries:0,JavaPatched:0 = Safari Browser is infected and Java needs to be patched.
#!/bin/bash
# Flashback installs itself by adding an LSEnvironment key to a browser's
# Info.plist, or a DYLD_INSERT_LIBRARIES key to ~/.MacOSX/environment.plist.
# 'defaults read' prints "does not exist" when a key is absent, so an empty
# grep result means the key is present and the item is flagged as infected.
# If a browser is not at the path below, the whole domain "does not exist"
# and that browser reads as clean (see the Firefox-on-the-Desktop comment).
SafariInfected=0
if [[ -z `defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1 | grep "does not exist"` ]]; then
    SafariInfected=1
fi
ChromeInfected=0
# The Chrome path contains a space, so it has to be quoted.
if [[ -z `defaults read "/Applications/Google Chrome.app/Contents/Info" LSEnvironment 2>&1 | grep "does not exist"` ]]; then
    ChromeInfected=1
fi
FirefoxInfected=0
if [[ -z `defaults read /Applications/Firefox.app/Contents/Info LSEnvironment 2>&1 | grep "does not exist"` ]]; then
    FirefoxInfected=1
fi
DyldInsertLibrariesInfected=0
# ~ is the home of the account running the script (root when the agent runs
# the extension attribute), not necessarily the logged-in user's home.
if [[ -z `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1 | grep "does not exist"` ]]; then
    DyldInsertLibrariesInfected=1
fi
JavaPatched=0
if [[ -n `which java` ]]; then
    # 'java -version' writes e.g.  java version "1.6.0_31"  to stderr
    JavaVersion=`java -version 2>&1 | grep "java version" | awk '{print $3}'`
    # Strip the quotes, dots and underscore: "1.6.0_31" -> 16031
    JavaVersionNumber=`echo $JavaVersion | sed -e 's/["._]//g'`
    # 16031 is 1.6.0_31, the first release this script treats as patched
    if [[ $JavaVersionNumber -lt 16031 ]]; then
        JavaPatched=0
    else
        JavaPatched=1
    fi
else
    # No Java installed, so there is nothing to patch
    JavaPatched=1
fi
echo "<result>Safari:$SafariInfected,Chrome:$ChromeInfected,FireFox:$FirefoxInfected,DyldLibraries:$DyldInsertLibrariesInfected,JavaPatched:$JavaPatched</result>"
Posted on 04-09-2012 12:45 PM
;)
I like it but what happens if Firefox is on the Desktop?
https://jamfnation.jamfsoftware.com/discussion.html?id=4171
Posted on 04-09-2012 01:11 PM
Good point. This does not "search" as your script does. I have a decent degree of certainty where our browsers will be located, but that won't be true for all environments. Seems like a combination of the two would be beneficial. :)
Posted on 04-09-2012 02:22 PM
I am actually only seeing it in Safari and in User accounts here so I am going to revise this a little bit. Make it so that they can easily be sorted into one of two Smart Groups and then disinfect them based on which Smart group they are in.
I am doing this all theoretically based on the info at F-Secure because I wasn't able to get ahold of a teacher's infected machine before they left for the day :(
Posted on 04-09-2012 05:56 PM
I love the idea of checking Java version.
I started forcing all software updates on the majority of machines late last week but just in case I want to force the java update.
It took a few minutes of playing around but I came up with this, give it a shot. It returns just the portion of the version number after the _.
$ java -version 2>&1 | awk -F_ '/version/{printf "%d\n",$2}'
31
This way you won't have to assign multiple variables etc.
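Both the flattened number in the first script (16031) and the update-only value from the awk one-liner above order releases correctly only while the major and minor parts stay at 1.6; "1.7.0_4" flattens to 1704 and would read as unpatched. The following is an added example, not code from the thread, that compares per-component keys instead; it assumes 1.6.0_31 as the patched baseline (taken from the script's 16031 threshold) and uses a constructed java -version banner so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example: version-aware JavaPatched check for the extension attribute.
# Each of major.minor.micro.update becomes three zero-padded digits, so
# "1.7.0_4" (001007000004) correctly sorts after "1.6.0_31" (001006000031).
# Oldest release treated as patched, taken from the thread's 16031 threshold.
MIN_PATCHED="1.6.0_31"
# Constructed sample of what 'java -version' writes to stderr (not captured
# from a real machine), used to exercise the parsing offline.
SAMPLE_BANNER='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11M3527)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)'
# java_version_key '1.6.0_31' -> 001006000031; quotes and build suffixes
# such as "-ea" are dropped, and "11.0.2" style strings also work.
java_version_key() {
  _v=$(printf '%s' "$1" | sed 's/"//g; s/[-+].*//; s/_/./g')
  _old_ifs=$IFS; IFS='.'
  set -- $_v
  IFS=$_old_ifs
  _key=""
  for _part in "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"; do
    _key="$_key$(printf '%03d' "$_part")"
  done
  printf '%s' "$_key"
}
# version_from_banner BANNER -> version string from the first "... version" line.
version_from_banner() {
  printf '%s\n' "$1" | awk '/^(java|openjdk) version/ { gsub(/"/, "", $3); print $3; exit }'
}
# java_patched VERSION -> prints 1 if VERSION >= MIN_PATCHED, else 0.
java_patched() {
  if [ "$(java_version_key "$1")" -lt "$(java_version_key "$MIN_PATCHED")" ]; then
    echo 0
  else
    echo 1
  fi
}
# Live use on a Mac:  sh check.sh --live   (not exercised offline)
if [ "${1:-}" = "--live" ]; then
  if command -v java >/dev/null 2>&1; then
    JavaPatched=$(java_patched "$(version_from_banner "$(java -version 2>&1)")")
  else
    JavaPatched=1   # same convention as the thread's script: no Java, nothing to patch
  fi
  echo "<result>JavaPatched:$JavaPatched</result>"
fi
```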
Posted on 04-10-2012 02:19 PM
Any chance this could be uploaded as an importable extension?
Posted on 04-10-2012 02:32 PM
We check the version of Java using CFBundleVersion. It's a little less sticky than trying to awk the "real" version number from 'java version'.
We then use this extension attribute to list the installed version.
----
#!/bin/sh
# Report Apple's Java bundle version (CFBundleVersion, e.g. 14.2.1)
if [ -e /Library/Java/Home/bundle/ ]; then
    javaVersion=$(defaults read /Library/Java/Home/bundle/version CFBundleVersion)
    echo "<result>$javaVersion</result>"
else
    echo "<result>Not Installed</result>"
fi
exit 0
----
From there it's a simple smart group config that allows us to scope machines that need the latest versions.
Note, the Latest Java versions (according to Apple's numbering schemes) are...
10.7: 14.2.1
10.6: 13.7.0
This is pretty much exactly what we do to keep Flash up to date, too.
Posted on 04-13-2012 08:01 AM
Awesome! Thanks I'm putting this into our environment right now.