Question

OSX Backdoor.Pintsized.A threat found

  • February 20, 2013
  • 7 replies
  • 8 views

ImAMacGuy

One of our info-sec guys sent this on to me this morning... I think it's overshadowed by the Java exploit that's being hyped up...

http://www.intego.com/mac-security-blog/pint-sized-backdoor-for-os-x-discovered/

7 replies

tcam
  • Contributor
  • 70 replies
  • February 20, 2013

Tempted to infect a machine just to see what files it creates / modifies.


  • Contributor
  • 180 replies
  • February 20, 2013

  • New Contributor
  • 75 replies
  • February 20, 2013

Whipped up an EA to look for it based on the information in the CNET article.

Pretty simple and will say if it finds something. Doesn't tell you where, so you'll need to go find it, or modify this script to print the location (either stuffed into the EA or to be run outside of the EA to indicate where the files are).

#!/bin/bash
#
# Looks for stuff that is reported to be related to the Backdoor.Pintsized.A threat
# http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/
#

files=('com.apple.cocoa.plist' 'cupsd' 'com.apple.cupsd.plist' 'com.apple.cups.plist' 'com.apple.env.plist')
# Expanded unquoted in the loop below on purpose, so the /Users/* glob resolves to each home folder
subdirs=('/System/Library/LaunchDaemons' '/System/Library/LaunchAgents' '/Library/LaunchDaemons' '/Library/LaunchAgents' '/Users/*/Library/LaunchAgents')
threat=""

for d in ${subdirs[@]}; do
   [ -d "$d" ] || continue   # skip a glob that matched nothing or a directory that does not exist
   for f in "${files[@]}"; do
      # Quoted substitution with -n works whether find returns zero, one or several paths
      if [ -n "$(find "$d" -maxdepth 1 -name "$f" 2>/dev/null)" ]; then
         threat=1
      fi
   done
done

if [ -n "$threat" ]; then
   echo "<result>Threat detected</result>"
else
   echo "<result>Not found</result>"
fi
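As an added example (not the EA posted above), here is the same check rewritten to report where each indicator file lives, which is the modification the post suggests. The filenames and directories are the ones cited in the post; the function names and the report format are this example's own. Because the paths are appended to the result, a smart group matching it needs "like" "Threat detected" rather than "is".

```shell
#!/bin/sh
# Added example, not the EA from the post: same Pintsized indicator check,
# but prints WHERE each suspicious file lives instead of only "Threat detected".
# Filenames and directories come from the post; function names are this example's.

# Filenames the CNET write-up associates with Backdoor.Pintsized.A
PINTSIZED_FILES='com.apple.cocoa.plist cupsd com.apple.cupsd.plist com.apple.cups.plist com.apple.env.plist'

# pintsized_scan DIR... : print one matching path per line; prints nothing when clean.
pintsized_scan() {
    for d in "$@"; do
        [ -d "$d" ] || continue            # skip an unexpanded glob or a missing directory
        for f in $PINTSIZED_FILES; do
            [ -e "$d/$f" ] && printf '%s\n' "$d/$f"
        done
    done
    return 0
}

# pintsized_ea DIR... : Jamf EA style <result>, with the matching paths folded in.
pintsized_ea() {
    found=$(pintsized_scan "$@" | tr '\n' ' ')
    if [ -n "$found" ]; then
        printf '<result>Threat detected: %s</result>\n' "${found% }"
    else
        printf '<result>Not found</result>\n'
    fi
}

# Default locations from the post; the /Users glob expands here, at run time.
pintsized_ea /System/Library/LaunchDaemons /System/Library/LaunchAgents \
             /Library/LaunchDaemons /Library/LaunchAgents \
             /Users/*/Library/LaunchAgents
```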

  • Contributor
  • 33 replies
  • February 26, 2013

Thanks for posting the EA!! Did you set the EA to look for the string "Threat detected" or for the integer "1"?


  • New Contributor
  • 75 replies
  • February 26, 2013

The smart group has for the criteria that EA "is" & "Threat detected". Use "Threat detected" as that's what the EA is populated with.

Also have another smart group where the criteria for the EA is "like" and "found". Used that to make sure the thing was working and to see how many have run it (sure, could use "is" and "Not found" ... six of one, half a dozen of the other).

We haven't found any here and have over a thousand that have run it.


  • Honored Contributor
  • 486 replies
  • February 26, 2013

thanks @gregp


  • Contributor
  • 33 replies
  • February 27, 2013

Cool thanks!! I'm thinking our systems will be clean too as we've been doing the updates within 48 hours, but you never know...