Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Check for flashback on Mac OSX
#!/bin/bash
# Flashback.k test -
# Quick check to see if the Mac has the signs that are mentined at f-secure.com
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml for more info
#
# Steps From f-secure.com...
#1. Run the following command in Terminal:
#defaults read /Applications/Safari.app/Contents/Info LSEnvironment
#2. Take note of the value, DYLD_INSERT_LIBRARIES
#3. Proceed to step 8 if you got the following error message:
#"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
#4. Otherwise, run the following command in Terminal:
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
#5. Take note of the value after "__ldpath__"
#6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
#sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
#sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
#7. Delete the files obtained in steps 2 and 5
#8. Run the following command in Terminal:
#defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
#9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
#"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
#10. Otherwise, run the following command in Terminal:
#grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
#11. Take note of the value after "__ldpath__"
#12. Run the following commands in Terminal:
#defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
#launchctl unsetenv DYLD_INSERT_LIBRARIES
#13. Finally, delete the files obtained in steps 9 and 11.
#14. Run the following command in Terminal:
#ls -lA ~/Library/LaunchAgents/
#15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.
#16. Run the following command in Terminal:
#defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments
#17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.
#18. Delete the files obtained in steps 15 and 17.
# delete our temp app lists
function cleanup(){
rm /tmp/app-list
rm /tmp/app-url-list
}
# http://www.f-secure.com/weblog/archives/00002336.html
# Suggests it can infect Firefox so to be sure check every known browser
browsers[0]="Safari"
browsers[1]="Google Chrome"
browsers[2]="Firefox"
browsers[3]="Opera"
browsers[4]="WebKit"
browsers[5]="Chromium"
browsers[6]="Netscape"
browsers[7]="OmniWeb"
browsers[8]="Internet Explorer"
browsers[9]="Camino"
browsers[10]="Fluid" #need to know every Fluid.app browser too - good luck with that :)
browsers[11]="Flock"
browsers[12]="SeaMonkey"
browsers[13]="Shiira"
browsers[14]="iCab"
browsers[15]="Sunrise"
browsers[16]="TrailBlazer"
# Create list of Applications known to system profiler
system_profiler SPApplicationsDataType > /tmp/app-list
# Parse out known browsers into file paths
for name in "${browsers[@]}"
do
# find the NAME.app & get it's path
grep "${name}.app" /tmp/app-list | sed -e 's/ Location: //' >> /tmp/app-url-list
done
# Tidy up app-url-list
sort -u /tmp/app-url-list -o /tmp/app-url-list
while read app; do
echo -e "Checking...\t$app"
# Step 1 - LSEnvironment test (in every browser)
LSPATH=`/usr/bin/defaults read "$app/Contents/Info" LSEnvironment 2> /dev/null`
if [[ $? -eq 0 ]]; then
echo -e "Step 1,\nfound a path for LSEnvironment: $LSPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml"
echo "...exiting"
cleanup
exit 0
fi
done < /tmp/app-url-list
cleanup
# Step 9 - DYLD_INSERT_LIBRARIES test
LIBPATH=`/usr/bin/defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null`
if [[ $? -eq 0 ]]; then
echo -e "Step 9,\nfound a path for DYLD_INSERT_LIBRARIES: $LIBPATH \nyou look infected, check out... \nhttp://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml "
echo "...exiting"
cleanup
exit 0
fi
banner -w 40 "OK"
echo "flashback.k doesn't seem to be in any browsers on this system."
exit 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment