Flashback Mac Malware Analysis and Removal


Flashback is Mac malware that has recently been showing up with a vengeance. The latest version, .K, exploits a recently patched Java vulnerability on OS X. F-Secure recently posted about detecting and removing it from a system. In this post, I'll cover some additional artifacts found on an infected machine and include a script to remove it.

/var/log/secure.log

When responding to an infected system, I noticed that /var/log/secure.log contained a couple of indicators of infection. The indicators below may help you detect infected users if you are collecting syslog from your OS X devices. Seeing an authexec entry "executing /bin/sh" followed by a "suppressing keychain prompt" entry within a couple of minutes of each other has been a solid indicator in the log. When looking through the systems, the "suppressing keychain prompt" message did not appear in a year's worth of logs until after the machine was infected.

Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: UID 501 authenticated as user k (UID 501) for right ‘system.privilege.admin’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/private/tmp/Software Update’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right ‘system.privilege.admin’ by client ‘/usr/libexec/security_authtrampoline’ for authorization created by ‘/private/tmp/Software Update’
Mar 31 14:17:32 K-MacBook-Pro authexec[318]: executing /bin/sh
Mar 31 14:19:55 K-MacBook com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
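As an added example (not code from the original post or from the flashback-detect script), here is a small Python detector that applies the secure.log heuristic above to a constructed sample of log lines: an authexec "executing /bin/sh" entry followed, on the same host and within a few minutes, by a keychain-prompt suppression for an invalidly signed Safari. The sample log text, the second host in it, and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure.log lines, modelled on the entries quoted above.
# The "other-mac" host and its two far-apart entries are made up to show a non-match.
SAMPLE_LOG = """\
Mar 31 14:17:32 K-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right 'system.privilege.admin' by client '/private/tmp/Software Update' for authorization created by '/private/tmp/Software Update'
Mar 31 14:17:32 K-MacBook-Pro authexec[318]: executing /bin/sh
Mar 31 14:19:55 K-MacBook-Pro com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(658)
Apr  1 09:02:10 other-mac authexec[400]: executing /bin/sh
Apr  1 11:45:00 other-mac com.apple.SecurityServer[25]: suppressing keychain prompt for invalidly signed client /Applications/Safari.app(900)
"""

# BSD syslog layout: "Mon dd HH:MM:SS host process[pid]: message" (the timestamp carries no year)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)\[\d+\]: (?P<msg>.*)$"
)
SHELL_MSG = "executing /bin/sh"
KEYCHAIN_MSG = "suppressing keychain prompt for invalidly signed client /Applications/Safari.app"


def parse_line(line, year=2012):
    """Return timestamp, host, process and message for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space syslog uses for single-digit days before parsing
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def find_flashback_indicators(log_text, window=timedelta(minutes=5), year=2012):
    """Pair each authexec '/bin/sh' entry with a Safari keychain-suppression entry from the same
    host that follows it within `window`. Returns a list of (host, shell_time, keychain_time)."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    shells = [e for e in events if e["proc"] == "authexec" and e["msg"] == SHELL_MSG]
    prompts = [e for e in events if e["proc"] == "com.apple.SecurityServer" and e["msg"].startswith(KEYCHAIN_MSG)]
    hits = []
    for s in shells:
        for p in prompts:
            if p["host"] == s["host"] and s["ts"] <= p["ts"] <= s["ts"] + window:
                hits.append((s["host"], s["ts"], p["ts"]))
    return hits


if __name__ == "__main__":
    for host, sh_ts, kc_ts in find_flashback_indicators(SAMPLE_LOG):
        print(f"{host}: /bin/sh at {sh_ts:%b %d %H:%M:%S}, keychain prompt suppressed at {kc_ts:%b %d %H:%M:%S}")
```

Feed it the real secure.log (or the syslog collector's export) and review each hit by hand; the pairing is a triage aid, not proof of infection on its own.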

Mac Times

I also collected file system MAC times on the infected machine. You can see the malware files .QUICKHEALXGEN.png and .QUICKHEALXGEN.xsl being created inside Safari's Resources directory, and Safari's Info.plist being modified at the same time. Additionally, you can see chmod and mv being accessed. This matches up with F-Secure's analysis.

2012 Mar 31 Sat 14:17:32
   102  m.c.  drwxr-xr-x  0    0   0  /Applications/Safari.app
   374  m.c.  drwxr-xr-x  0    0   0  /Applications/Safari.app/Contents
  4643  m.c.  -rw-rw-rw-  501  20  0  /Applications/Safari.app/Contents/Info.plist
 20400  m.c.  drwxr-xr-x  0    0   0  /Applications/Safari.app/Contents/Resources
403744  m...  -rwxrwxrwx  501  0   0  /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.png
 26168  m...  -rwxrwxrwx  501  0   0  /Applications/Safari.app/Contents/Resources/.QUICKHEALXGEN.xsl
 62656  .a..  -r-xr-xr-x  0    0   0  /bin/chmod
 44848  .a..  -r-xr-xr-x  0    0   0  /bin/mv

VirusTotal

Submitting the malware to VirusTotal had poor results: only 8 of 42 engines detected it as of April 4th.

Cleaning Script

This script has several components: it checks for both types of infection discussed by F-Secure, backs up a copy of the two plist files and names them .infected, prompts the user to clean the infection, and also prompts the user to disable Java in Safari. While I have tested this script on the cleanup of the Safari Info.plist, I have not seen an infection of the environment.plist. The cleanup should work, but please test it before you use it. I will not be held liable for any problems.

I have built in a simple update function that checks for a new version when you pass the -u switch at the command line. If a new outbreak happens, I'll try to keep it updated. You can submit bug fixes to the blog or to the email address in the script.

To run the program, unzip the download below and double-click the flashback-detect.command file. It will prompt you for your password and check to see if you're infected. You can also run it from Terminal using flashback-detect.sh.

Get the script HERE.
