| #!/usr/bin/python | |
| """Identify or remove files known to be involved in Adware/Malware | |
| infection. | |
| Most of the code applies to building a list of malware files. Thus, | |
| both extension attribute and removal handling are included. | |
| Cleans files as a Casper script policy; thus, it expects four total | |
| arguments, the first three of which it doesn't use, followed by | |
| --remove | |
| """ | |
| import glob | |
| import os | |
| import re | |
| import shutil | |
| import sys | |
| import syslog | |
| # https://support.apple.com/en-us/ht203987 | |
| known_malware = { | |
| '/System/Library/Frameworks/v.framework', | |
| '/System/Library/Frameworks/VSearch.framework', | |
| '/Library/PrivilegedHelperTools/Jack', | |
| '/Library/InputManagers/CTLoader/', | |
| '/Library/Application Support/Conduit/', | |
| '/Applications/SearchProtect.app', | |
| '/private/etc/launchd.conf', | |
| '/Applications/Genieo', | |
| '/Applications/InstallMac', | |
| '/Applications/Uninstall Genieo', | |
| '/Applications/Uninstall IM Completer.app', | |
| '/usr/lib/libgenkit.dylib', | |
| '/usr/lib/libgenkitsa.dylib', | |
| '/usr/lib/libimckit.dylib', | |
| '/usr/lib/libimckitsa.dylib', | |
| '/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client', | |
| '/Library/Frameworks/GenieoExtra.framework', | |
| '/Library/LaunchAgents/com.genieo.completer.update.plist', | |
| '/Library/LaunchAgents/com.genieo.engine.plist', | |
| '/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist', | |
| '/Library/LaunchAgents/com.genieoinnovation.macextension.plist', | |
| '/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist', | |
| '/Library/LaunchDaemons/Jack.plist' | |
| '/Users/*/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin', | |
| '/Users/*/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin', | |
| '/Users/*/Library/Application Support/Genieo/', | |
| '/Users/*/Library/Application Support/com.genieoinnovation.Installer/', | |
| '/Users/*/Conduit/', | |
| '/Users/*/Trovi/', | |
| '/Users/*/Library/Caches/com.Conduit.takeOverSearchAssetsMac', | |
| '/Users/*/Library/Caches/com.VSearch.bulk.installer', | |
| '/Users/*/Library/Caches/com.VSearch.VSinstaller', | |
| '/Users/*/Library/LaunchAgents/com.genieo.completer.download.plist', | |
| '/Users/*/Library/LaunchAgents/com.genieo.completer.ltvbit.plist', | |
| '/Users/*/Library/LaunchAgents/com.genieo.completer.update.plist', | |
| '/Users/*/Library/Preferences/com.genieo.global.settings.plist.lockfile', | |
| '/Users/*/Library/Preferences/com.geneio.settings.plist.lockfile', | |
| '/Users/*/Library/Preferences/com.geneio.global.settings.plist', | |
| '/Users/*/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState', | |
| '/Users/*/Library/Saved Application State/com.VSearch.bulk.installer.savedstate', | |
| '/Users/*/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist'} | |
| found_malware = {match for filename in known_malware for match in | |
| glob.glob(filename)} | |
| # Look for "ProjectX" variants. | |
| # This adware seems to have a different name each time it pops up. | |
| # Apple's solution is too broad. We look at the files Apple suggests, | |
| # but then also search within to see if they are calling a known | |
| # binary file, "agent.app/Contents/MacOS/agent". | |
| projectx_files = { | |
| '/Library/LaunchAgents/com.*.agent.plist', | |
| '/Library/LaunchDaemons/com.*.helper.plist', | |
| '/Library/LaunchDaemons/com.*.daemon.plist', | |
| } | |
| projectx_candidates = {match for filename in projectx_files for match in | |
| glob.glob(filename)} | |
| agent_regex = re.compile('.*/Library/Application Support/(.*)/Agent/agent.app/Contents/MacOS/agent') | |
| for candidate in projectx_candidates: | |
| with open(candidate, 'r') as candidate_file: | |
| launchd_job = candidate_file.read() | |
| if re.search(agent_regex, launchd_job): | |
| found_malware.add(candidate) | |
| # If we find a Launch[Agent|Daemon] that has ProgramArguments | |
| # which runs "agent", find the unique name for this instance. | |
| # We can then use it to find the Application Support folder. | |
| obfuscated_name = re.search(agent_regex, launchd_job).group(1) | |
| found_malware.add('/Library/Application Support/%s' % obfuscated_name) | |
| # Is this an EA or a script execution (Casper scripts always have 3 | |
| # args, so we can't just use the first argument. | |
| if len(sys.argv) == 1: | |
| # Extension attribute (First arg is always script name). | |
| result = '<result>' | |
| if found_malware: | |
| result += 'True\n' | |
| for item in enumerate(found_malware): | |
| result += "%d: %s\n" % item | |
| else: | |
| result += 'False' | |
| print('%s</result>' % result) | |
| elif "--remove" in sys.argv: | |
| # Removal script. | |
| syslog.syslog(syslog.LOG_ALERT, "Looking for malware") | |
| for item in found_malware: | |
| try: | |
| if os.path.isdir(item): | |
| shutil.rmtree(item) | |
| elif os.path.isfile(item): | |
| os.remove(item) | |
| syslog.syslog(syslog.LOG_ALERT, "Removed malware file: %s" % item) | |
| except OSError as e: | |
| syslog.syslog(syslog.LOG_ALERT, | |
| "Failed to remove malware file: %s, %s" % (item, e)) |
This comment has been minimized.
This comment has been minimized.
|
uh, and I think you're missing |
This comment has been minimized.
This comment has been minimized.
|
Oh thanks! Was going to dig out your other gists for the MacKeeper stuff. Does it install any frameworks/binaries anywhere else?
|
This comment has been minimized.
This comment has been minimized.
|
I found a few machines with these: |
This comment has been minimized.
This comment has been minimized.
|
I installed Genieo fresh this morning and they've changed some of the files in use. This is going to be a moving target :/ |
This comment has been minimized.
This comment has been minimized.
|
Just installed MacKeeper and it's now /Users//Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist |
This comment has been minimized.
This comment has been minimized.
|
Hey Shea, I found that this is still missing quite a bit of adware. I modified your version with more definitions and added a section so it will delete chrome and firefox preferences files if adware is found. !/usr/bin/python"""Identify or remove files known to be involved in Adware/Malware Most of the code applies to building a list of malware files. Thus, Cleans files as a Casper script policy; thus, it expects four total import glob known_malware = { found_malware = {match for filename in known_malware for match in settings_files = { active_settings = {match for filename in settings_files for match in Look for "ProjectX" variants.This adware seems to have a different name each time it pops up.Apple's solution is too broad. We look at the files Apple suggests,but then also search within to see if they are calling a knownbinary file, "agent.app/Contents/MacOS/agent".projectx_files = { projectx_candidates = {match for filename in projectx_files for match in agent_regex = re.compile('./Library/Application Support/(.)/Agent/agent.app/Contents/MacOS/agent') Is this an EA or a script execution (Casper scripts always have 3args, so we can't just use the first argument.if len(sys.argv) == 1: elif "--remove" in sys.argv: |
This comment has been minimized.
This comment has been minimized.
|
Just for the record I want to state that the above contributions include software not considered malware or adware, but just undesirable to admins in an enterprise environment. |
This comment has been minimized.
They missed at least another two: