Flashback Trojan Extension Attribute

RyRy
New Contributor

Given the concern that the Flashback Trojan is generating, I’m sharing a script which detects and reports infection of the Trojan. Using this script as an extension attribute, you can report on whether each of the three major browsers is infected and whether the latest Java update has been applied. Finally, leveraging smart groups, you can detect if one or more of the conditions is true and take action on a given box.

Example Return Value:
Safari:1,Chrome:0,FireFox:0,DyldLibraries:0,JavaPatched:0 = Safari Browser is infected and Java needs to be patched.

#!/bin/bash

# Flashback extension attribute. Reports whether the LSEnvironment key that
# Flashback adds is present in each browser's Info.plist, whether any user has
# a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist, and whether
# the installed Java is at or beyond the patched build (1.6.0_31).

# True when the key exists in the given plist domain. defaults exits non-zero
# when the domain or key is missing, which is more robust than grepping its
# "does not exist" message.
keyExists() {
    /usr/bin/defaults read "$1" "$2" >/dev/null 2>&1
}

SafariInfected=0
if keyExists /Applications/Safari.app/Contents/Info LSEnvironment; then
    SafariInfected=1
fi

ChromeInfected=0
# The path contains a space, so it must be quoted or defaults reads the wrong domain.
if keyExists "/Applications/Google Chrome.app/Contents/Info" LSEnvironment; then
    ChromeInfected=1
fi

FirefoxInfected=0
if keyExists /Applications/Firefox.app/Contents/Info LSEnvironment; then
    FirefoxInfected=1
fi

# Extension attributes run as root, so ~ would be /var/root; check every home in /Users.
DyldInsertLibrariesInfected=0
for home in /Users/*; do
    if keyExists "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES; then
        DyldInsertLibrariesInfected=1
    fi
done

JavaPatched=0
if [[ -n $(which java) ]]; then
    # First line of java -version looks like: java version "1.6.0_31"
    JavaVersion=$(java -version 2>&1 | awk -F'"' '/java version/ {print $2}')
    # Compare field by field instead of stripping the separators: flattening
    # would turn 1.7.0_04 into 17004, which sorts below 16031. The 10# prefix
    # keeps bash from reading a zero-padded update like 08 as octal.
    IFS='._' read -r major minor point update <<< "$JavaVersion"
    JavaVersionNumber=$(( 10#${major:-0} * 1000000000 + 10#${minor:-0} * 1000000 + 10#${point:-0} * 1000 + 10#${update:-0} ))
    PatchedVersionNumber=$(( 1 * 1000000000 + 6 * 1000000 + 0 * 1000 + 31 ))
    if [[ $JavaVersionNumber -lt $PatchedVersionNumber ]]; then
        JavaPatched=0
    else
        JavaPatched=1
    fi
else
    JavaPatched=1
fi

echo "<result>Safari:$SafariInfected,Chrome:$ChromeInfected,FireFox:$FirefoxInfected,DyldLibraries:$DyldInsertLibrariesInfected,JavaPatched:$JavaPatched</result>"

rmanly
Contributor III

;)

I like it but what happens if Firefox is on the Desktop?

https://jamfnation.jamfsoftware.com/discussion.html?id=4171

RyRy
New Contributor

Good point. This does not "search" as your script does. I have a decent degree of certainty where our browsers will be located, but that won't be true for all environments. Seems like a combination of the two would be beneficial. :)
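A search-based variant of the check the two posts above are converging on, added here as an example and not code from either poster: it walks whatever roots you hand it for .app bundles (so a Firefox.app sitting on a Desktop is found), looks inside each Info.plist for an LSEnvironment dictionary that sets DYLD_INSERT_LIBRARIES, and checks every home under the users root for the same key in .MacOSX/environment.plist. It is written in Python 3 rather than shell because plistlib reads both XML and binary plists, and a key written with `defaults write` is stored as binary. The result format, the function names, and the choice to flag only DYLD_INSERT_LIBRARIES (rather than any LSEnvironment key) are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Search-based Flashback check for use as a Jamf extension attribute.

Walks the given roots for *.app bundles and flags any whose Info.plist has an
LSEnvironment dictionary that sets DYLD_INSERT_LIBRARIES, then checks every
home under the users root for the same key in .MacOSX/environment.plist.
plistlib handles both XML and binary plists, which matters because a key
written with `defaults write` is stored in binary form.
"""

import os
import plistlib
from typing import Dict, Iterable, Iterator
from xml.parsers.expat import ExpatError

# The environment variable Flashback used to inject its library (from the thread).
INJECTION_KEY = "DYLD_INSERT_LIBRARIES"


def read_plist(path: str) -> dict:
    """Parse a plist file; return {} if it is missing, unreadable or not a dict."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}


def find_app_bundles(root: str) -> Iterator[str]:
    """Yield every *.app directory under root without descending into bundles."""
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                yield os.path.join(dirpath, name)
                dirnames.remove(name)  # helper apps nested inside a bundle are skipped


def scan_apps(roots: Iterable[str]) -> Dict[str, str]:
    """Map each bundle whose LSEnvironment injects a library to the injected path."""
    hits: Dict[str, str] = {}
    for root in roots:
        for app in find_app_bundles(root):
            info = read_plist(os.path.join(app, "Contents", "Info.plist"))
            env = info.get("LSEnvironment")
            if isinstance(env, dict) and INJECTION_KEY in env:
                hits[app] = str(env[INJECTION_KEY])
    return hits


def scan_user_environments(users_root: str = "/Users") -> Dict[str, str]:
    """Map each user with DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist to its value."""
    hits: Dict[str, str] = {}
    if not os.path.isdir(users_root):
        return hits
    for user in sorted(os.listdir(users_root)):
        env = read_plist(os.path.join(users_root, user, ".MacOSX", "environment.plist"))
        if INJECTION_KEY in env:
            hits[user] = str(env[INJECTION_KEY])
    return hits


def extension_attribute(app_roots: Iterable[str] = ("/Applications",),
                        users_root: str = "/Users") -> str:
    """Render the <result> string Jamf expects: counts first, then the offenders."""
    apps = scan_apps(app_roots)
    users = scan_user_environments(users_root)
    detail = "Apps=" + ";".join(sorted(apps)) + ",Users=" + ";".join(sorted(users))
    return f"<result>InfectedApps:{len(apps)},InfectedUsers:{len(users)},{detail}</result>"


if __name__ == "__main__":
    # Search /Applications and every home directory so bundles on a Desktop are found too.
    print(extension_attribute(("/Applications", "/Users")))
```

Flagging only DYLD_INSERT_LIBRARIES inside LSEnvironment, rather than the mere presence of the key, keeps an application that legitimately sets some other launch environment variable from showing up as infected; the trade-off is that a sample using a different injection variable would need INJECTION_KEY extended. Walking /Users is slower than the fixed-path script, so scope the smart group to run it on the inventory schedule rather than on every check-in.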

rmanly
Contributor III

I am actually only seeing it in Safari and in User accounts here so I am going to revise this a little bit. Make it so that they can easily be sorted into one of two Smart Groups and then disinfect them based on which Smart group they are in.

I am doing this all theoretically based on the info at F-Secure because I wasn't able to get ahold of a teacher's infected machine before they left for the day :(

rmanly
Contributor III

I love the idea of checking Java version.

I started forcing all software updates on the majority of machines late last week but just in case I want to force the java update.

It took a few minutes of playing around but I came up with this, give it a shot. It returns just the portion of the version number after the _.

$ java -version 2>&1 | awk -F_ '/version/{printf "%d\n",$2}'
31

This way you won't have to assign multiple variables etc.

ega
Contributor III

Any chance this could be uploaded as an importable extension?

bbass
Contributor

We check the version of Java using CFBundleVersion. It's a little less sticky than trying to awk the "real" version number from 'java version'.

We then use this extension attribute to list the installed version.

----

#!/bin/sh

javaBundle=/Library/Java/Home/bundle

# Check for the bundle before reading it, and capture the command's output
# (the original assignment was missing its command substitution).
if [ -e "$javaBundle/" ]; then
    # CFBundleVersion carries Apple's own numbering for the Java install (e.g. 14.2.1 on 10.7)
    javaVersion=$(defaults read "$javaBundle/version" CFBundleVersion)
    echo "<result>$javaVersion</result>"
else
    echo "<result>Not Installed</result>"
fi

exit 0

----

From there it's a simple smart group config that allows us to scope machines that need the latest versions.

Note, the Latest Java versions (according to Apple's numbering schemes) are...

10.7: 14.2.1
10.6: 13.7.0

This is pretty much exactly what we do to keep Flash up to date, too.

apple4ever
New Contributor

Awesome! Thanks I'm putting this into our environment right now.