Recently, a new virus for Mac systems was released and there’s an article that talks about how you can determine if your Mac is infected.
Right now the easiest way to tell if your computer has been infected is to run some commands in Terminal, a piece of software you’ll find in the Utilities folder in your Mac’s Applications folder. If you want to find it without digging, just do a Spotlight search for “Terminal.”
Once there, copy and paste each one of the code strings below into the terminal window. The command will run automatically:
If your system is clean, the commands will tell you that those domain/default pairs "does not exist." If you're infected, it will spit up the path where that malware has installed itself on your system.
So how do I make an automatic group for Macs, using custom relevance, so that any Mac where any of the lines above does not result in "does not exist" will populate an automatic group called, say, "Infected Mac"? Better yet, a fixlet assigned to this group to auto-clean.
This is the relevance I used for an analysis to detect the infection. To use it as relevance for a group, you should only need to replace the value output statement with True and the "Infection Not Found"/"File Not Found" statements with False.
Safari -
if (exists file "/Applications/Safari.app/Contents/Info.plist") then (if (exists dictionary "LSEnvironment" of dictionary of file "/Applications/Safari.app/Contents/Info.plist") then (string "DYLD_INSERT_LIBRARIES" of dictionary "LSEnvironment" of dictionary of file "/Applications/Safari.app/Contents/Info.plist") else ("Infection Not Found")) else ("File Not Found")
Firefox
if (exists file "/Applications/Firefox.app/Contents/Info.plist") then (if (exists dictionary "LSEnvironment" of dictionary of file "/Applications/Firefox.app/Contents/Info.plist") then (string "DYLD_INSERT_LIBRARIES" of dictionary "LSEnvironment" of dictionary of file "/Applications/Firefox.app/Contents/Info.plist") else ("Infection Not Found")) else ("File Not Found")
User Environment
(if (exists file ("/Users/" & name of current user & "/.MacOSX/environment.plist")) then (if (exists string "DYLD_INSERT_LIBRARIES" of dictionary of file ("/Users/" & name of current user & "/.MacOSX/environment.plist")) then (string "DYLD_INSERT_LIBRARIES" of dictionary of file ("/Users/" & name of current user & "/.MacOSX/environment.plist")) else ("Not Infected")) else ("File not Found"))
You guys are great. This is perfect! Now if there’s a Mac cleaning tool I can assign to this automatic group that’s icing on the cake. Detect infected Macs and clean them in one swat. That’s automation right there.
This is what I came up with for detection, for an analysis or an action:
((system version >= "10.5" AND system version < ") OR (system version >= "10.6" AND system version < ") OR (system version >= "10.7" AND system version < ")) AND (((exists string "LSEnvironment" of dictionary of it) of file "/Applications/Safari.app/Contents/Info.plist") OR ((exists folder "/Users" AND exists folders whose (exists folder ".MacOSX" of it) of folder "/Users" AND exists folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users") AND ((exists string "DYLD_INSERT_LIBRARIES" of dictionary of it) of file "environment.plist" of folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users")))
I made an automatic group with jgstew's example (thanks for that, by the way), but there looks to be one issue. The section at the beginning, in the clause "OR (system version >= "10.7" AND system version < ", has a red highlight (error) on the period in "10.7".
Quotes were missing and I had to add a parenthesis; hopefully I put it in the right spot. I fixed it part way, but the empty double quotes need filling before you can use this:
((system version >= "10.5" AND system version < ") OR (system version >= "10.6" AND system version < ") OR (system version >="10.7" AND system version < ")) AND ((exists string "LSEnvironment" of dictionary of it) of file "/Applications/Safari.app/Contents/Info.plist") OR ((exists folder "/Users" AND exists folders whose (exists folder ".MacOSX" of it) of folder "/Users" AND exists folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users") AND ((exists string "DYLD_INSERT_LIBRARIES" of dictionary of it) of file "environment.plist" of folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users"))
Thanks all! What I ended up doing to make this less complicated was to take the versions out completely and just make an automatic group with this as the relevance:
(((exists string "LSEnvironment" of dictionary of it) of file "/Applications/Safari.app/Contents/Info.plist") OR ((exists folder "/Users" AND exists folders whose (exists folder ".MacOSX" of it) of folder "/Users" AND exists folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users") AND ((exists string "DYLD_INSERT_LIBRARIES" of dictionary of it) of file "environment.plist" of folder ".MacOSX" whose (exists file "environment.plist" of it) of folders whose (exists folder ".MacOSX" of it) of folder "/Users")))
Since this malware can only infect specific versions of Mac OS, the relevance won't ever be true on the non-affected versions, so there's no reason to even include the version info.
I also added a check that says OS contains "Mac", and both the relevance statement and the "OS contains Mac" check must be true.
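As an added, runnable illustration of the same three checks (this is example code written for this page, not from the thread's participants or from BigFix): a Python script that reads the Safari and Firefox Info.plist files and every /Users/*/.MacOSX/environment.plist under a given root, classifies each location the way the analysis relevance does ("File Not Found", "Infection Not Found"/"Not Infected", or the injected library path), and collapses the results into the single true/false the group relevance needs. The fixture tree, the user names "alice" and "bob" and the library path it plants are constructed for the demo and are not real indicators.

```python
import os
import plistlib
import tempfile

# The two app bundles the thread's relevance inspects, relative to the filesystem root.
APP_PLISTS = (
    "Applications/Safari.app/Contents/Info.plist",
    "Applications/Firefox.app/Contents/Info.plist",
)


def _load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def check_app_plist(path):
    """Mirror the Safari/Firefox analysis: LSEnvironment -> DYLD_INSERT_LIBRARIES.

    Returns (status, detail): ("File Not Found", None), ("Infection Not Found", None)
    or ("Infected", <injected library path>).
    """
    if not os.path.isfile(path):
        return ("File Not Found", None)
    env = _load_plist(path).get("LSEnvironment")
    if not isinstance(env, dict) or "DYLD_INSERT_LIBRARIES" not in env:
        return ("Infection Not Found", None)
    return ("Infected", env["DYLD_INSERT_LIBRARIES"])


def check_user_env_plist(path):
    """Mirror the per-user check on ~/.MacOSX/environment.plist (a flat dictionary)."""
    if not os.path.isfile(path):
        return ("File Not Found", None)
    env = _load_plist(path)
    if "DYLD_INSERT_LIBRARIES" not in env:
        return ("Not Infected", None)
    return ("Infected", env["DYLD_INSERT_LIBRARIES"])


def scan(root="/"):
    """Run all checks under `root`; keys are root-relative POSIX paths."""
    results = {}
    for rel in APP_PLISTS:
        results[rel] = check_app_plist(os.path.join(root, rel))
    users_dir = os.path.join(root, "Users")
    if os.path.isdir(users_dir):
        # Like the group relevance, walk every home directory, not just the current user's.
        for home in sorted(os.listdir(users_dir)):
            rel = "Users/%s/.MacOSX/environment.plist" % home
            if os.path.isfile(os.path.join(root, rel)):
                results[rel] = check_user_env_plist(os.path.join(root, rel))
    return results


def is_infected(results):
    """True if any location carries DYLD_INSERT_LIBRARIES: the group-relevance equivalent."""
    return any(status == "Infected" for status, _ in results.values())


def build_fixture(infected=True):
    """Constructed sample tree for the demo (not a real system image): a clean Safari
    bundle, no Firefox, user 'bob' with no environment.plist, and user 'alice' whose
    environment.plist optionally carries a made-up injected library path."""
    root = tempfile.mkdtemp()
    safari = os.path.join(root, APP_PLISTS[0])
    os.makedirs(os.path.dirname(safari))
    with open(safari, "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.apple.Safari"}, fh)
    os.makedirs(os.path.join(root, "Users", "bob"))
    macosx = os.path.join(root, "Users", "alice", ".MacOSX")
    os.makedirs(macosx)
    env = {"PATH": "/usr/bin:/bin"}
    if infected:
        env["DYLD_INSERT_LIBRARIES"] = "/tmp/example-injected.dylib"  # placeholder, not a real IOC
    with open(os.path.join(macosx, "environment.plist"), "wb") as fh:
        plistlib.dump(env, fh)
    return root


if __name__ == "__main__":
    for rel, (status, detail) in scan(build_fixture()).items():
        print("%-20s %s %s" % (status, rel, detail or ""))
```

Run it as-is to see the fixture results, or call scan("/") on a Mac (as root, so other users' home directories are readable) to check a real system. Like the thread's relevance, it flags any DYLD_INSERT_LIBRARIES value at all; the variable does have legitimate developer uses, so look at the reported library path before handing a machine to an automatic clean-up action.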