Re: [Fed-Talk] Misc notes on MacDefender
- Subject: Re: [Fed-Talk] Misc notes on MacDefender
- From: Dan O'Donnell <email@hidden>
- Date: Mon, 06 Jun 2011 08:15:52 -0700
- Thread-topic: [Fed-Talk] Misc notes on MacDefender
Could you run, say, tcpdump to see if the processes are sending anything
out?
On 6/5/11 12:18 PM, "Todd Heberlein" <email@hidden> wrote:
> Here are some notes missed in the mainstream press on the recent malware (I've
> seen some discussions once I started googling on the file names). MacSecurity
> creates several children & grandchildren processes that collect information
> about your filesystem and running processes. This may be used to just give the
> application the appearance that it is actually doing real stuff (e.g., only
> displaying the results in some of the NSTableViews), looking for antivirus
> software running on our machines, or harvesting this information to exfiltrate
> it out. No idea at this point.
>
> The children processes carry out the following commands that you can run from
> a shell prompt to see what they generate:
>
> df -lg | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
>
> ps -eo pid,user,rss,lstart | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
>
> ps -eo pid,comm | awk 'NR==1{OFS=" ";$1=$1;print;next}{OFS="|";$1=$1;print}'
>
> The output of the first command gets written to the file "dmem.txt" in the
> user's home directory, while the output of the next two commands get written
> to "proc.txt", also in the home directory. Since the third command replaces
> the output of the second command, you won't find the second command's results
> in your file system.
>
>
> The application does look professional (if a little annoying in its behavior).
> For programmers with these skills it would have been an easy step to take this
> a little bit further and make it a legitimate program instead of malware. It
> bothers me that people with these skills are going down this road.
>
> Todd
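An added example, not code from Todd's or Dan's messages: a small Python helper for an incident responder who wants to check a home directory for the two artifact files the post names (dmem.txt and proc.txt) and read back what the malware collected. The layout it parses is the one the quoted awk one-liners produce (space-separated header line, `|`-separated data rows); the sample file contents, the temporary "home" directory and the process names in it are constructed for the demonstration. The merge of surplus columns into the last header field is an assumption about how `ps -o lstart` dates come out after `$1=$1` rebuilding, since awk splits the date into several tokens.

```python
"""Added example (not from the Fed-Talk thread): locate and parse the
dmem.txt / proc.txt artifacts the post says MacSecurity writes to the
user's home directory."""
import os
import tempfile
from typing import Dict, List

# File names taken from the post; which directory to look in is up to the caller.
ARTIFACT_FILES = ("dmem.txt", "proc.txt")

# Constructed samples of what the quoted commands emit (not captured from malware).
SAMPLE_PROC_TXT = (
    "PID COMM\n"
    "1|/sbin/launchd\n"
    "4242|MacSecurity\n"
)
SAMPLE_DMEM_TXT = (
    "Filesystem 1G-blocks Used Available Capacity Mounted on\n"
    "/dev/disk0s2|465|120|345|26%|/\n"
)


def find_artifacts(home_dir: str) -> List[str]:
    """Return the artifact files that exist directly under home_dir."""
    return [name for name in ARTIFACT_FILES
            if os.path.isfile(os.path.join(home_dir, name))]


def parse_awk_output(text: str) -> List[Dict[str, str]]:
    """Parse the layout of the quoted one-liners.

    Line 1 is the header, rebuilt by awk with OFS=" " so columns are single
    spaces apart; every later line is rebuilt with OFS="|".  Returns one dict
    per data row keyed by header column name.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(" ")
    rows: List[Dict[str, str]] = []
    for ln in lines[1:]:
        fields = ln.split("|")
        # Assumption: a multi-token value such as the lstart date is split by
        # awk into several fields; fold the surplus back into the last column.
        if len(fields) > len(header):
            keep = len(header) - 1
            fields = fields[:keep] + [" ".join(fields[keep:])]
        # zip() silently drops header tokens with no data (e.g. "on" in
        # df's "Mounted on"), which is what we want here.
        rows.append(dict(zip(header, fields)))
    return rows


def report(home_dir: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse every artifact file found under home_dir, keyed by file name."""
    out: Dict[str, List[Dict[str, str]]] = {}
    for name in find_artifacts(home_dir):
        with open(os.path.join(home_dir, name), encoding="utf-8") as fh:
            out[name] = parse_awk_output(fh.read())
    return out


def write_sample_home() -> str:
    """Create a throwaway directory laid out like a home dir the malware has
    already written to, using the constructed samples above."""
    home = tempfile.mkdtemp(prefix="macsec_demo_")
    with open(os.path.join(home, "proc.txt"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PROC_TXT)
    with open(os.path.join(home, "dmem.txt"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DMEM_TXT)
    return home


if __name__ == "__main__":
    demo_home = write_sample_home()
    for fname, rows in report(demo_home).items():
        print(fname)
        for row in rows:
            print("  ", row)
```

Point `report()` at a real user's home directory (for example `os.path.expanduser("~")`) to see whether the files are present and, if so, which processes and volumes were recorded; their absence does not prove the machine is clean, since the post notes the second command's output is overwritten by the third.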