#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Detecting the WireLurker malware family on Mac OS X."""
__copyright__ = 'Copyright (c) 2014, Palo Alto Networks, Inc.'  # echoed in main()'s banner
__author__ = 'Claud Xiao'
__version__ = '1.0.0'  # echoed in main()'s banner
import os
import sys
import platform
import plistlib
import subprocess
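# Absolute paths dropped by the WireLurker OS X components.  scan_files()
# reports any of these that exists as "malicious".  Note the bogus
# "com.apple.*" launch daemons planted under /Library and /System/Library:
# it is these exact names, not Apple's own daemons, that are indicators.
MALICIOUS_FILES = [
    '/Users/Shared/run.sh',
    '/Library/LaunchDaemons/com.apple.machook_damon.plist',
    '/Library/LaunchDaemons/com.apple.globalupdate.plist',
    # Two separate indicators.  They were previously fused into the single
    # entry '/usr/bin/globalupdate/usr/local/machook/', a path that can never
    # exist, so neither the binary nor the machook directory was ever detected.
    '/usr/bin/globalupdate',
    '/usr/local/machook/',
    '/usr/bin/WatchProc',
    '/usr/bin/itunesupdate',
    '/Library/LaunchDaemons/com.apple.watchproc.plist',
    '/Library/LaunchDaemons/com.apple.itunesupdate.plist',
    '/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist',
    '/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist',
    '/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist',
    '/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist',
    '/usr/bin/com.apple.MailServiceAgentHelper',
    '/usr/bin/com.apple.appstore.PluginHelper',
    '/usr/bin/periodicdate',
    '/usr/bin/systemkeychain-helper',
    '/usr/bin/stty5.11.pl',
]
# Directories WireLurker uses that are reported only as "suspicious" (their
# presence is weaker evidence than the MALICIOUS_FILES entries).  Trailing
# slashes are fine: scan_files() uses os.path.exists(), which accepts them.
SUSPICIOUS_FILES = [
    '/etc/manpath.d/',
    '/usr/local/ipcc/',
]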
def scan_files(paths):
    """Return, in input order, the entries of *paths* that exist on this system.

    Existence is tested with os.path.exists(), so both files and directories
    (including paths written with a trailing slash) are matched.  Nothing is
    opened or read; an empty input yields an empty list.
    """
    return [candidate for candidate in paths if os.path.exists(candidate)]
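def is_file_hidden(f):
    """Return True if the regular file *f* carries the BSD ``UF_HIDDEN`` flag.

    This is the flag ``chflags hidden`` sets and ``ls -lO`` prints as
    ``hidden``; a leading dot in the name is *not* what is tested.  Anything
    that is not an existing regular file (missing path, directory, unreadable
    entry) is reported as not hidden.

    Why this was rewritten: the earlier version gated on
    ``sys.version_info[2] >= 7 and sys.version_info >= 3``, which compares the
    *micro* version and then a tuple against an int -- on Python 3 that raises
    TypeError, and on 2.7.x builds with micro >= 7 it went on to read
    ``os.stat(f).st_flags.UF_HIDDEN`` off a plain int (AttributeError).  The
    caller swallowed the exception, so every application looked clean.  The
    remaining fallback built an ``ls ... | awk`` pipeline with ``shell=True``
    and the path interpolated inside single quotes, so an app bundle whose
    name contains a quote could break out of the command.
    """
    if not os.path.isfile(f):
        return False
    # UF_HIDDEN from <sys/stat.h>; spelled out because stat.UF_HIDDEN is not
    # available on older Pythons and this script still targets Python 2.
    UF_HIDDEN = 0x00008000
    # macOS/BSD expose the flag word as st_flags; other platforms omit it.
    st_flags = getattr(os.stat(f), 'st_flags', None)
    if st_flags is not None:
        return bool(st_flags & UF_HIDDEN)
    # Fallback: ask ls(1) for the flags column.  argv list, no shell, so the
    # path is passed verbatim and never re-parsed by /bin/sh.
    try:
        proc = subprocess.Popen(['ls', '-ldO', f],
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT)
        output, _ = proc.communicate()
    except OSError:
        # No ls(1) available: we cannot tell, so do not claim "hidden".
        return False
    if proc.returncode != 0:
        return False
    # `ls -lO` prints mode, links, owner, group, flags, ...; the 5th column is
    # the flags word the old awk '{print $5}' read.  Decode for Python 3 bytes.
    columns = output.decode('utf-8', 'replace').split()
    return len(columns) > 4 and 'hidden' in columns[4]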
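def is_app_infected(root):
    """Return True if the .app bundle at *root* shows WireLurker's tell-tales.

    Two independent checks, each requiring *both* files of a pair to exist and
    carry the hidden flag (see is_file_hidden):

    * ``Contents/MacOS/<CFBundleExecutable>`` together with a sibling of the
      same name plus a trailing underscore (presumably the displaced original
      binary), or
    * ``Contents/Resources/start.sh`` together with
      ``Contents/Resources/FontMap1.cfg``.

    A bundle whose Info.plist is missing, unreadable or lacks
    CFBundleExecutable is reported as not infected.  The broad except is
    deliberate: this is a best-effort sweep over every bundle under
    /Applications and one malformed bundle must not abort the whole scan.
    """
    try:
        info_plist = os.path.join(root, 'Contents', 'Info.plist')
        # plistlib.readPlist was removed in Python 3.9; use plistlib.load
        # (3.4+) when it exists so the scanner still runs on current Pythons.
        if hasattr(plistlib, 'load'):
            with open(info_plist, 'rb') as fp:
                pl = plistlib.load(fp)
        else:
            pl = plistlib.readPlist(info_plist)
        be = pl['CFBundleExecutable']
        contents = os.path.join(root, 'Contents')
        bundle_exec = os.path.join(contents, 'MacOS', be)
        if is_file_hidden(bundle_exec) and is_file_hidden(bundle_exec + '_'):
            return True
        the_script = os.path.join(contents, 'Resources', 'start.sh')
        the_pack = os.path.join(contents, 'Resources', 'FontMap1.cfg')
        return bool(is_file_hidden(the_script) and is_file_hidden(the_pack))
    except Exception:
        return False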
def scan_app():
    """Walk /Applications and return the bundle paths is_app_infected() flags.

    Every directory whose name ends in ".app" (case-insensitive) is treated as
    a bundle root.  The walk is not pruned, so bundles nested inside other
    bundles are visited as well; results are in os.walk order.
    """
    bundle_roots = (dirpath
                    for dirpath, _dirnames, _filenames in os.walk('/Applications')
                    if dirpath.lower().endswith('.app'))
    return [bundle for bundle in bundle_roots if is_app_infected(bundle)]
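def _report(found, label):
    """Print one "[!] Found <label>: <path>" line per entry, or the empty marker."""
    if not found:
        print('[-] Nothing is found.')
        return
    for path in found:
        print('[!] Found %s: %s' % (label, path))


def main():
    """Run the three scans, print the findings, and return an exit status.

    Returns 0 when nothing was found and 1 when any malicious file, suspicious
    file or infected application was reported.  Calls sys.exit(-1) on a
    non-Darwin platform, since every indicator is an OS X path.  All output
    goes to stdout.

    print() is written with a single parenthesized argument throughout so the
    function is valid under both Python 2 and Python 3.
    """
    print('WireLurker Detector (version %s)' % __version__)
    print(__copyright__)
    print('')
    if platform.system() != 'Darwin':
        print('ERROR: The script should only be run in a Mac OS X system.')
        sys.exit(-1)

    print('[+] Scanning for known malicious files ...')
    mal_files = scan_files(MALICIOUS_FILES)
    _report(mal_files, 'malicious file')

    print('[+] Scanning for known suspicious files ...')
    sus_files = scan_files(SUSPICIOUS_FILES)
    _report(sus_files, 'suspicious file')

    print('[+] Scanning for infected applications ... (may take minutes)')
    infected_apps = scan_app()
    _report(infected_apps, 'infected application')

    if not (mal_files or sus_files or infected_apps):
        # "Clean" only means none of the indicators hard-coded in this file
        # were found; it says nothing about variants with other paths.
        print("[+] Your OS X system isn't infected by the WireLurker. Thank you!")
        return 0
    print("[!] WARNING: Your OS X system is highly suspicious of being infected by the WireLurker.\n"
          "[!] You may need to delete all malicious or suspicious files and/or applications above.\n"
          "[!] For more information about the WireLurker, please refer: \n"
          "[!] http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/")
    return 1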
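if __name__ == '__main__':
    # Propagate main()'s status (0 clean, 1 indicators found) to the shell.
    # The bare `main()` call discarded it, so scripted callers (cron, MDM,
    # fleet sweeps) saw exit code 0 whether or not anything was detected.
    sys.exit(main())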