drewreece/flashback-test.sh

## flashback-test.sh
#!/bin/bash
# Flashback.k test -
# Quick check to see if the Mac has the signs that are mentined at f-secure.com
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml for more info
#
# Steps From f-secure.com...
#1. Run the following command in Terminal:
#defaults read /Applications/Safari.app/Contents/Info LSEnvironment
#2. Take note of the value, DYLD_INSERT_LIBRARIES
#3. Proceed to step 8 if you got the following error message:
#"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
#4. Otherwise, run the following command in Terminal:
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
#5. Take note of the value after "__ldpath__"
#6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
#sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
#sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
#7. Delete the files obtained in steps 2 and 5
#8. Run the following command in Terminal:
#defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
#9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
#"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
#10. Otherwise, run the following command in Terminal:
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
#11. Take note of the value after "__ldpath__"
#12. Run the following commands in Terminal:
#defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
#launchctl unsetenv DYLD_INSERT_LIBRARIES
#13. Finally, delete the files obtained in steps 9 and 11.
#14. Run the following command in Terminal:
#ls -lA ~/Library/LaunchAgents/
#15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
#16. Run the following command in Terminal:
#defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
#17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
#18. Delete the files obtained in steps 15 and 17.

# delete our temp app lists
function cleanup(){
  rm /tmp/app-list
  rm /tmp/app-url-list
}


# http://www.f-secure.com/weblog/archives/00002336.html
# Suggests it can infect Firefox so to be sure check every known browser
browsers[0]="Safari"
browsers[1]="Google Chrome"
browsers[2]="Firefox"
browsers[3]="Opera"
browsers[4]="WebKit"
browsers[5]="Chromium"
browsers[6]="Netscape"
browsers[7]="OmniWeb"
browsers[8]="Internet Explorer"
browsers[9]="Camino"
browsers[10]="Fluid" #need to know every Fluid.app browser too - good luck with that :)
browsers[11]="Flock"
browsers[12]="SeaMonkey"
browsers[13]="Shiira"
browsers[14]="iCab"
browsers[15]="Sunrise"
browsers[16]="TrailBlazer"

# Create list of Applications known to system profiler
system_profiler SPApplicationsDataType > /tmp/app-list

# Parse out known browsers into file paths
for name in "${browsers[@]}"
  do
  # find the NAME.app & get it's path
  grep "${name}.app" /tmp/app-list | sed -e 's/      Location: //' >>  /tmp/app-url-list
done

# Tidy up app-url-list
sort -u /tmp/app-url-list -o /tmp/app-url-list

while read app; do
  echo -e "Checking...\t$app"
  # Step 1 - LSEnvironment test (in every browser)
  LSPATH=`/usr/bin/defaults read "$app/Contents/Info" LSEnvironment 2> /dev/null`
  if [[ $? -eq 0 ]]; then
    echo -e "Step 1,\nfound a path for LSEnvironment: $LSPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml"
    echo "...exiting"
    cleanup
    exit 0
  fi
done < /tmp/app-url-list
cleanup

# Step 9 - DYLD_INSERT_LIBRARIES test
LIBPATH=`/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null`
if [[ $? -eq 0 ]]; then
  echo -e "Step 9,\nfound a path for DYLD_INSERT_LIBRARIES: $LIBPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml "
  echo "...exiting"
  cleanup
  exit 0
fi

banner -w 40 "OK"
echo "flashback.k doesn't seem to be in any browsers on this system."
exit 0
	#!/bin/bash
	# Flashback.k test -
	# Quick check to see if the Mac has the signs that are mentined at f-secure.com
	# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml for more info
	#
	# Steps From f-secure.com...
	#1. Run the following command in Terminal:
	#defaults read /Applications/Safari.app/Contents/Info LSEnvironment
	#2. Take note of the value, DYLD_INSERT_LIBRARIES
	#3. Proceed to step 8 if you got the following error message:
	#"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
	#4. Otherwise, run the following command in Terminal:
	#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
	#5. Take note of the value after "__ldpath__"
	#6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
	#sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
	#sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
	#7. Delete the files obtained in steps 2 and 5
	#8. Run the following command in Terminal:
	#defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
	#9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
	#"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
	#10. Otherwise, run the following command in Terminal:
	#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
	#11. Take note of the value after "__ldpath__"
	#12. Run the following commands in Terminal:
	#defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
	#launchctl unsetenv DYLD_INSERT_LIBRARIES
	#13. Finally, delete the files obtained in steps 9 and 11.
	#14. Run the following command in Terminal:
	#ls -lA ~/Library/LaunchAgents/
	#15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
	#16. Run the following command in Terminal:
	#defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
	#17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
	#18. Delete the files obtained in steps 15 and 17.

	# delete our temp app lists
	function cleanup(){
	rm /tmp/app-list
	rm /tmp/app-url-list
	}


	# http://www.f-secure.com/weblog/archives/00002336.html
	# Suggests it can infect Firefox so to be sure check every known browser
	browsers[0]="Safari"
	browsers[1]="Google Chrome"
	browsers[2]="Firefox"
	browsers[3]="Opera"
	browsers[4]="WebKit"
	browsers[5]="Chromium"
	browsers[6]="Netscape"
	browsers[7]="OmniWeb"
	browsers[8]="Internet Explorer"
	browsers[9]="Camino"
	browsers[10]="Fluid" #need to know every Fluid.app browser too - good luck with that :)
	browsers[11]="Flock"
	browsers[12]="SeaMonkey"
	browsers[13]="Shiira"
	browsers[14]="iCab"
	browsers[15]="Sunrise"
	browsers[16]="TrailBlazer"

	# Create list of Applications known to system profiler
	system_profiler SPApplicationsDataType > /tmp/app-list

	# Parse out known browsers into file paths
	for name in "${browsers[@]}"
	do
	# find the NAME.app & get it's path
	grep "${name}.app" /tmp/app-list \| sed -e 's/ Location: //' >> /tmp/app-url-list
	done

	# Tidy up app-url-list
	sort -u /tmp/app-url-list -o /tmp/app-url-list

	while read app; do
	echo -e "Checking...\t$app"
	# Step 1 - LSEnvironment test (in every browser)
	LSPATH=`/usr/bin/defaults read "$app/Contents/Info" LSEnvironment 2> /dev/null`
	if [[ $? -eq 0 ]]; then
	echo -e "Step 1,\nfound a path for LSEnvironment: $LSPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml"
	echo "...exiting"
	cleanup
	exit 0
	fi
	done < /tmp/app-url-list
	cleanup

	# Step 9 - DYLD_INSERT_LIBRARIES test
	LIBPATH=`/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null`
	if [[ $? -eq 0 ]]; then
	echo -e "Step 9,\nfound a path for DYLD_INSERT_LIBRARIES: $LIBPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml "
	echo "...exiting"
	cleanup
	exit 0
	fi

	banner -w 40 "OK"
	echo "flashback.k doesn't seem to be in any browsers on this system."
	exit 0