

Mac Trojan Disables XProtect Updates - llambda
http://www.f-secure.com/weblog/archives/00002256.html

======
deweller
From http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml:

To detect manually, check

    /Applications/Safari.app/Contents/Info.plist
    /Applications/Firefox.app/Contents/Info.plist

and look for

    <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
    <string>%path_of_detected_file_from_step_1%</string></dict>

~~~
mceachen
On the f-secure site, where's the tool to use for step 1?

Grep is defeated by whitespace additions, so ruby to the rescue. (No FITNESS
OR SUITABILITY IS TO BE INFERRED TO THE FOLLOWING. THIS SCRIPT MAY CAUSE
PSORIASIS, LOOSE BOWELS, AND NEARBY CATS TO ACT ALOOF)

    #!/usr/bin/env ruby

    # See http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
    # Needs the plist gem (gem install plist); it reads XML plists only.

    require 'plist'

    `ls -1 /Applications/*/Contents/Info.plist`.split("\n").each do |f|
      begin
        # Plist.parse_xml takes a path (or an XML string) directly, so no
        # open-uri and no file handle is left open.
        plist = Plist.parse_xml(f)
        env = plist && plist["LSEnvironment"]
        if env && env["DYLD_INSERT_LIBRARIES"]
          puts "ACK. Go take a look at #{f} and see if you're infected."
        end
      rescue StandardError => err
        puts "Failed to parse #{f}: #{err}"
      end
    end

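The manual check from the F-Secure description (the LSEnvironment / DYLD_INSERT_LIBRARIES pair in an app bundle's Info.plist) and the script in the comment above, done here as a stdlib-only Ruby version. This is an added example, not code from the thread or from F-Secure. It parses the plist structurally with REXML, so the whitespace that defeats grep does not matter, splits DYLD_INSERT_LIBRARIES as the colon-separated list dyld accepts, skips binary plists it cannot read, and is exercised against two constructed sample plists whose injected library path is made up:

```ruby
#!/usr/bin/env ruby
# Added example, not from the thread: stdlib-only check for the
# LSEnvironment/DYLD_INSERT_LIBRARIES indicator in app Info.plist files.
# REXML pairs <key>/<value> nodes structurally, so the extra whitespace
# that defeats grep is irrelevant.
require 'rexml/document'

# Convert a plist XML element into Ruby objects. Only the node types that
# occur in Info.plist are handled; anything else comes back as its text.
def plist_value(node)
  case node.name
  when 'dict'
    h = {}
    # A plist <dict> is a flat <key>name</key><value/> sequence.
    node.elements.to_a.each_slice(2) do |k, v|
      next unless k && v && k.name == 'key'
      h[k.text.to_s.strip] = plist_value(v)
    end
    h
  when 'array'   then node.elements.map { |c| plist_value(c) }
  when 'integer' then node.text.to_i
  when 'real'    then node.text.to_f
  when 'true'    then true
  when 'false'   then false
  else node.text.to_s.strip # string, date, data
  end
end

# Parse an XML plist document and return its top-level object.
def parse_plist(xml)
  root = REXML::Document.new(xml).root
  raise ArgumentError, 'not a plist document' unless root && root.name == 'plist'
  top = root.elements.to_a.first
  top ? plist_value(top) : nil
end

# Return the library path(s) LSEnvironment injects via DYLD_INSERT_LIBRARIES,
# or nil when the bundle sets none. dyld accepts a colon-separated list.
def injected_libraries(xml)
  plist = parse_plist(xml)
  env = plist.is_a?(Hash) ? plist['LSEnvironment'] : nil
  libs = env.is_a?(Hash) ? env['DYLD_INSERT_LIBRARIES'].to_s.strip : ''
  libs.empty? ? nil : libs.split(':')
end

# Scan every app bundle's Info.plist. Binary plists are skipped because REXML
# cannot read them; convert those first with `plutil -convert xml1`.
def scan_applications(pattern = '/Applications/*/Contents/Info.plist')
  findings = {}
  Dir.glob(pattern) do |f|
    begin
      xml = File.read(f)
      next unless xml.lstrip.start_with?('<?xml', '<plist')
      libs = injected_libraries(xml)
      findings[f] = libs if libs
    rescue StandardError => e
      warn "Failed to parse #{f}: #{e.message}"
    end
  end
  findings
end

# Constructed samples for demonstration; the injected path is made up.
CLEAN_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <plist version="1.0">
  <dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
  </dict>
  </plist>
XML

INFECTED_PLIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <plist version="1.0">
  <dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
      <key>DYLD_INSERT_LIBRARIES</key>
        <string>
          /Applications/Safari.app/Contents/Resources/.hidden_example.dylib
        </string>
    </dict>
  </dict>
  </plist>
XML

if __FILE__ == $0
  scan_applications.each do |f, libs|
    puts "ACK. #{f} injects #{libs.join(', ')}; go take a look."
  end
end
```

Run it as a script on a Mac to scan /Applications; for a bundle whose Info.plist is binary, convert a copy with `plutil -convert xml1 -o - Info.plist` and feed the output to `injected_libraries`. A hit is only an indicator: a legitimate bundle has no reason to set DYLD_INSERT_LIBRARIES, but the listed path still has to be inspected.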
~~~
onedognight
For those playing along at home, if you find yourself parsing the output of
_ls_ in any language, you are doing it wrong (tm). First, doing so execs a
program rather than just making a function call, and second, you are trusting
the filenames to not contain special characters, in this case newlines
(unlikely, I know, but why not be robust). The function the author was looking
for is glob (and it exists in ruby, perl, shell, C, etc).

    Dir.glob('/Applications/*/Contents/Info.plist') do |f|
      puts f
    end

Shorter and better.

~~~
mceachen
Right, `ls` could be shrinkwrapped. But then so could the entire ruby
environment.

You're missing an each after your glob. Also -- did you know about [] alias
for glob?

    Dir['/Applications/*/Contents/Info.plist'].each do |f|
      ...
    end

~~~
onedognight
Thanks, I didn't know about [] as an alias for glob(). Also, while you do need
the .each in the [] version you don't need it in the glob() version.

------
andrewpi
Isn't XProtect updated daily, and couldn't it now detect this trojan before it
can do any damage?

