Mac backdoor - malware bytes post

lisacherie
Contributor II

I saw mention of this on slack today - so wrote an EA that would see if any of the fleet had the two files present. It's rather rough and doesn't do the checksum if the files are there, however could be used to identify any macs for further investigation.

https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

It needs 2 smart groups:

Infected
EAName is NOT None
EAName is NOT

Not Infected
EAName is None

#!/usr/bin/perl -w
my $userlist = `dscl . list /Users`;
chomp $userlist;
my @excludedusers = split(" ","daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");
my @userslist = split("
", $userlist);
my @users;
my $result = "";
foreach my $u (@userslist) {

    my $match = 0;
    foreach my $e (@excludedusers) {
        if ("$u" eq "$e") {
            $match = 1;
        }   
    }
    if ($match == 0) {
        push(@users, $u);
    }
}
foreach (@users) {
    my $home = `dscl . -read /Users/$_ NFSHomeDirectory | cut -d " " -f 2`;
    chomp $home;
    printf "home is $home
";
    if (-e "$home/.client") {
        $result = $result . "
$home/.client";
    }

    if (-e "$home/Library/LaunchAgents/com.client.client.plist") {
        $result = $result . "
$home/Library/LaunchAgents/com.client.client.plist";
    }
}
$result =~ s/^
+//;
if ($result =~ /^$/) {
    system "echo "<result>None</result>"";
} else {
    system "echo "<result>$result</result>"";
}
15 REPLIES 15

jwojda
Valued Contributor II

thank you!

sean
Valued Contributor

FWIW, the find command can use wildcards:

echo "<result>"`find /Users/*/Library/LaunchAgents -name com.client.client.plist -exec bash -c "echo {} | cut -d / -f 3" ;`"</result>"

lisacherie
Contributor II

The querying of NFSHomeDirectory accounts for any edge cases where a user may have a non standard home directory location.

roiegat
Contributor III

Great info guys! Testing the scripts and will deploy as EA.

jwojda
Valued Contributor II

well, all of a sudden I'm getting notifications about machines hitting the infected smart group. Do you have you any info on apple's patch? The malware bytes post didn't say much. I assume it's gatekeeper. Does it remove the infection automagically?

lisacherie
Contributor II

Not to be dismissive - do you have the Boolean logic correct in the smart group?
A similar check for Eleanor last year, some people had the Boolean logic around the wrong way resulting in false positives.

The EA in inventory should list the path for any infections you do have when viewing the computer to confirm whether smart group criteria is correct.

jwojda
Valued Contributor II

I actually think it was partly because I made the changes off vpn but on the DMZ server, and it didn't replicate the EA.

Quick question though, for the infected section

Infected EAName is NOT None EAName is NOT

Are they an "and" or an "or"?

lisacherie
Contributor II

AND :) otherwise the OR would match all the clean Macs.

lisacherie
Contributor II

Theory behind it courtesy of a google search and a CS dept kindly sharing their deck.
https://courses.cs.washington.edu/courses/cse370/08wi/pdfs/lectures/04-Logic%20gates.pdf

Had a whole semester on this back in the day - then building it on bread boards. :)

apanages
New Contributor

@lisacherie what exactly is the Criteria I am setting for the Smart Computer Group? Sorry, I'm drawing a blank here

I uploaded the script and deployed to my MacBook for testing, now I am trying to figure out what I need to do to set up the Smart Group.

Thanks!

jwojda
Valued Contributor II

@apanages Per @lisacherie 's post

It needs 2 smart groups: Infected EAName is NOT None EAName is NOT Not Infected EAName is None

that being said, I had to change the infected EAName is NOT None to EAName not like None in order to register correctly.

dan-snelson
Valued Contributor II

Thanks, @lisacherie.


--
Dan

apanages
New Contributor

@jwojda Thank-you.

Kaltsas
Contributor III

MRT was updated to remove this.

plutil -p /Library/Receipts/InstallHistory.plist | grep 14U2301

If you get 0 => "com.apple.pkg.MRT.14U2301" you've gotten the background update for MRT. Or just check MRT for version 1.14.

mani2care
Contributor

Malwarebytes uninstall script anything is available?