OSX Backdoor.Pintsized.A threat found
Posted on 02-20-2013 07:08 AM
One of our info-sec guys sent this on to me this morning... I think it's overshadowed by the Java exploit that's being hyped up...
http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/
Posted on 02-20-2013 08:23 AM
Tempted to infect a machine just to see what files it creates / modifies.
Posted on 02-20-2013 09:24 AM
This link shows what files are created:
http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/
Posted on 02-20-2013 11:30 AM
Whipped up an EA to look for it based on the information in the CNET article.
Pretty simple and will say if it finds something. Doesn't tell you where, so you'll need to go find it, or modify this script to print the location (either stuffed into the EA or to be run outside of the EA to indicate where the files are).
#!/bin/bash
#
# Looks for stuff that is reported to be related to the Backdoor.Pintsized.A threat
# http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/
#
# File names reported as indicators
files=('com.apple.cocoa.plist' 'cupsd' 'com.apple.cupsd.plist' 'com.apple.cups.plist' 'com.apple.env.plist')
# Launch item directories to check; the /Users/* glob is expanded here, when the array is built
subdirs=(/System/Library/LaunchDaemons /System/Library/LaunchAgents /Library/LaunchDaemons /Library/LaunchAgents /Users/*/Library/LaunchAgents)
threat=""
for d in "${subdirs[@]}"; do
    # Skip a directory that does not exist (e.g. an unexpanded /Users/* glob)
    [ -d "$d" ] || continue
    for f in "${files[@]}"; do
        # Only look directly inside the directory, not in subfolders
        if [ -n "$(find "$d" -maxdepth 1 -name "$f")" ]; then
            threat=1
        fi
    done
done
if [ -n "$threat" ]; then
    echo "<result>Threat detected</result>"
else
    echo "<result>Not found</result>"
fi
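Added example (not the EA posted above, and not Jamf's code): the same indicator file names from the CNET article, but every matching path is printed into the result, which is the modification the post suggests. The directories are passed as arguments and the indicator list is a constructed constant, so the scan can be pointed at any folder.

```shell
#!/bin/sh
# Added example, not the EA posted above: same indicator names (from the CNET article),
# but every matching path is reported inside the <result> tags.
# Directories are passed as arguments so the scan can be pointed at any location.

PINTSIZED_FILES='com.apple.cocoa.plist cupsd com.apple.cupsd.plist com.apple.cups.plist com.apple.env.plist'

# pintsized_scan DIR... : prints the full path of every indicator file found
# directly inside the given directories (one per line); missing dirs are skipped.
pintsized_scan() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # PINTSIZED_FILES is deliberately unquoted so it splits into one name per loop
        for f in $PINTSIZED_FILES; do
            if [ -e "$d/$f" ]; then
                echo "$d/$f"
            fi
        done
    done
    return 0
}

# pintsized_ea_result DIR... : wraps the scan in the <result> tags Jamf reads
# from an extension attribute, listing the paths when something matched.
pintsized_ea_result() {
    hits=$(pintsized_scan "$@")
    if [ -n "$hits" ]; then
        printf '<result>Threat detected\n%s</result>\n' "$hits"
    else
        echo "<result>Not found</result>"
    fi
}

# Real run: the launch item directories the original EA checks. The /Users/*
# glob expands at call time; an unmatched pattern is skipped as a missing dir.
pintsized_ea_result /System/Library/LaunchDaemons /System/Library/LaunchAgents \
    /Library/LaunchDaemons /Library/LaunchAgents /Users/*/Library/LaunchAgents
```

Because the result now carries the paths after "Threat detected", a smart group should match this EA with "like" "Threat detected" rather than "is".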
Posted on 02-26-2013 10:49 AM
Thanks for posting the EA!! Did you set the EA to look for a string for "Threat detected" or integer looking for "1"?
Posted on 02-26-2013 11:03 AM
The smart group has for the criteria that EA "is" & "Threat detected". Use "Threat detected" as that's what the EA is populated with.
Also have another smart group where the criteria for the EA is "like" and "found" - used that to make sure the thing was working and to see how many have run it. (Sure, could use "is" and "Not found" ... six of one, half a dozen of the other.)
We haven't found any here and have over a thousand that have run it.
Posted on 02-26-2013 11:36 AM
Thanks @gregp
Posted on 02-27-2013 08:45 AM
Cool, thanks!! I'm thinking our systems will be clean too, as we've been doing the updates within 48 hours, but you never know...