[Fed-Talk] Misc notes on MacDefender
- Subject: [Fed-Talk] Misc notes on MacDefender
- From: Todd Heberlein <email@hidden>
- Date: Sun, 05 Jun 2011 12:18:15 -0700
Here are some notes missed in the mainstream press on the recent malware (I've seen some discussions once I started googling the file names). MacSecurity creates several child and grandchild processes that collect information about your filesystem and running processes. This may be used just to give the application the appearance that it is actually doing real stuff (e.g., only displaying the results in some of the NSTableViews), to look for antivirus software running on our machines, or to harvest this information and exfiltrate it. No idea at this point.
The child processes carry out the following commands, which you can run from a shell prompt to see what they generate:
df -lg | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
ps -eo pid,user,rss,lstart | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
ps -eo pid,comm | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
The output of the first command gets written to the file "dmem.txt" in the user's home directory, while the output of the next two commands gets written to "proc.txt", also in the home directory. Since the third command replaces the output of the second command, you won't find the second command's results in your file system.
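The following script is an added example, not part of Todd's post or the malware. It reuses the awk filter quoted above to show, on a constructed df-like sample, the shape of what lands in those files (header line with single spaces, data rows joined by "|"), and then checks a home directory for dmem.txt and proc.txt that match that shape. The "header has no pipe, every following line has one" test is my own inference from the awk program, and the sample df output is made up; neither comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the collector's
# awk reformatting on constructed input and look for its output files.

# The awk filter quoted in the post. Assigning $1=$1 forces awk to rebuild
# the record with the current OFS, so the header keeps single spaces and
# every later row becomes pipe-delimited.
pipe_format() {
  awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
}

# Constructed sample resembling "df -lg" output on macOS (not real data).
SAMPLE_DF='Filesystem    1G-blocks Used Available Capacity  Mounted on
/dev/disk0s2        464  120       343    26%    /'

# Return 0 when a file has the shape the filter produces: a first line
# without "|" followed by at least one line that contains "|".
# This shape test is an assumption derived from the awk program above.
looks_like_artifact() {
  f="$1"
  [ -f "$f" ] || return 1
  awk 'NR==1 { if (index($0, "|") > 0) bad = 1; next }
       { if (index($0, "|") == 0) bad = 1 }
       END { exit ((bad || NR < 2) ? 1 : 0) }' "$f"
}

# Check one home directory for the two file names named in the post.
# Prints the number of matching files on stdout; details go to stderr.
scan_home() {
  home="$1"
  count=0
  for name in dmem.txt proc.txt; do
    if looks_like_artifact "$home/$name"; then
      echo "suspicious: $home/$name has the collector output format" >&2
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Demonstration: show the reformatted sample, then scan the caller's home.
printf '%s\n' "$SAMPLE_DF" | pipe_format
echo "matching artifacts under $HOME: $(scan_home "$HOME")"
```

The file names and format alone are weak evidence (a user could create files with those names by hand), so treat a hit as a prompt to look at the process tree that wrote them rather than as proof of infection.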
The application does look professional (if a little annoying in its behavior). For programmers with these skills it would have been an easy step to take this a little bit further and make it a legitimate program instead of malware. It bothers me that people with these skills are going down this road.
Todd