Check for flashback on Mac OSX
#!/bin/bash | |
# Flashback.k test - | |
# Quick check to see if the Mac has the signs that are mentioned at f-secure.com | |
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml for more info | |
# | |
# Steps From f-secure.com... | |
#1. Run the following command in Terminal: | |
#defaults read /Applications/Safari.app/Contents/Info LSEnvironment | |
#2. Take note of the value, DYLD_INSERT_LIBRARIES | |
#3. Proceed to step 8 if you got the following error message: | |
#"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" | |
#4. Otherwise, run the following command in Terminal: | |
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2% | |
#5. Take note of the value after "__ldpath__" | |
#6. Run the following commands in Terminal (first make sure there is only one entry, from step 2): | |
#sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment | |
#sudo chmod 644 /Applications/Safari.app/Contents/Info.plist | |
#7. Delete the files obtained in steps 2 and 5 | |
#8. Run the following command in Terminal: | |
#defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES | |
#9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: | |
#"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" | |
#10. Otherwise, run the following command in Terminal: | |
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9% | |
#11. Take note of the value after "__ldpath__" | |
#12. Run the following commands in Terminal: | |
#defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES | |
#launchctl unsetenv DYLD_INSERT_LIBRARIES | |
#13. Finally, delete the files obtained in steps 9 and 11. | |
#14. Run the following command in Terminal: | |
#ls -lA ~/Library/LaunchAgents/ | |
#15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care. | |
#16. Run the following command in Terminal: | |
#defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments | |
#17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant. | |
#18. Delete the files obtained in steps 15 and 17. | |
# delete our temp app lists | |
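#######################################
# Remove the two scratch lists this script writes under /tmp.
# Globals:   none
# Arguments: none
# Returns:   0 (rm -f does not fail on a missing file)
#######################################
cleanup() {
  # -f: the script can reach this function more than once on one run, and a
  # second rm of an already-removed list must not print "No such file" errors;
  # -- keeps rm from reading a path as an option.
  rm -f -- /tmp/app-list /tmp/app-url-list
}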
# http://www.f-secure.com/weblog/archives/00002336.html | |
# Suggests it can infect Firefox so to be sure check every known browser | |
# Bundle names to look for: "<name>.app" is matched against the
# system_profiler application list further down. Order is fixed so the
# indices stay 0..16 exactly as before.
browsers=(
  "Safari"
  "Google Chrome"
  "Firefox"
  "Opera"
  "WebKit"
  "Chromium"
  "Netscape"
  "OmniWeb"
  "Internet Explorer"
  "Camino"
  "Fluid" # need to know every Fluid.app browser too - good luck with that :)
  "Flock"
  "SeaMonkey"
  "Shiira"
  "iCab"
  "Sunrise"
  "TrailBlazer"
)
# Create list of Applications known to system profiler | |
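# NOTE(review): fixed file names under /tmp are predictable (another local
# user could pre-create or symlink them before this runs); they are kept
# because cleanup() removes exactly these two paths. A mktemp-created
# scratch directory plus a trap would be the safer shape.
app_list=/tmp/app-list
app_url_list=/tmp/app-url-list
fsecure_url="http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml"

#######################################
# Print the "infected" verdict for one check, remove the temp lists and stop.
# Arguments: $1 - step label, $2 - key that was found, $3 - value read
# Outputs:   verdict on stdout
# Returns:   exits 0, as the original script did on a detection
#######################################
report_infected() {
  printf '%s,\nfound a path for %s: %s \nyou look infected, check out... \n%s\n' \
    "$1" "$2" "$3" "$fsecure_url"
  printf '%s\n' "...exiting"
  cleanup
  exit 0
}

# system_profiler and defaults only exist on Mac OS X; without them the
# checks below would silently find nothing and report "OK".
if ! command -v system_profiler >/dev/null 2>&1; then
  printf '%s\n' "system_profiler not found: this check only runs on Mac OS X" >&2
  exit 2
fi

system_profiler SPApplicationsDataType > "$app_list"

# Parse out known browsers into file paths.
# The redirect sits on the loop so a stale list from an earlier run is
# truncated rather than appended to. grep -F keeps the "." in "NAME.app"
# literal, and sed -n/p emits only "Location:" lines (leading blanks
# stripped), so a stray match elsewhere in the profiler output never
# becomes a fake app path.
for name in "${browsers[@]}"; do
  # find the NAME.app & get its path
  grep -F -- "${name}.app" "$app_list" | sed -n -e 's/^[[:space:]]*Location: //p'
done > "$app_url_list"

# Tidy up app-url-list
sort -u "$app_url_list" -o "$app_url_list"

# Step 1 - LSEnvironment test (in every browser). read -r keeps backslashes
# in paths intact; the exit status of defaults is tested directly instead of
# through $? so nothing can slip in between.
while read -r app; do
  printf 'Checking...\t%s\n' "$app"
  if ls_env=$(/usr/bin/defaults read "$app/Contents/Info" LSEnvironment 2>/dev/null); then
    report_infected "Step 1" "LSEnvironment" "$ls_env"
  fi
done < "$app_url_list"

# Step 9 - DYLD_INSERT_LIBRARIES test
if lib_path=$(/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null); then
  report_infected "Step 9" "DYLD_INSERT_LIBRARIES" "$lib_path"
fi

# Nothing found: remove the temp lists exactly once on the clean path
# (report_infected does its own cleanup before exiting, so the lists are
# never removed twice).
cleanup
banner -w 40 "OK"
echo "flashback.k doesn't seem to be in any browsers on this system."
exit 0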