Monitor OS X LaunchAgents folders to help prevent malware attacks
Recently the Mac platform has been hit with a few malware attacks, the most notable being the Flashback malware. The same vulnerabilities that this and others have used are now cropping up in other malware as well. These include yesterday's news of the SabPab malware and its MacKontrol variant, and also the Olyx malware that is a variant of the Tibet malware we previously discussed.
Some of these attacks are targeted for specific groups in China or Tibet, but others like Flashback are more widespread and have targeted as many Mac systems as possible, by exploiting vulnerabilities in the system when browsing Web pages and posing as fake Flash installer applications.
Despite this wave of malware and the variants of each that have followed, most of these attacks have one thing in common: they use Launch Agent scripts for at least one stage of their attacks.
The LaunchAgents folders (and their paired LaunchDaemons folder for managing service processes) are locations that contain scripts to automatically manage system processes. For instance, Apple uses one of these scripts to schedule the "backupd" process for Time Machine, and have it create backups every hour.
Most of the time developers use these scripts as components to their programs, but they can also be used for your own customizations. Recently I discussed how to do this for automatically changing Safari's downloads folder whenever an external drive is attached to the system.
There are three LaunchAgent folders in an OS X installation. The first is in your user account's Library, and the scripts in it are loaded when you log in. The others are in the global Library and System/Library folders, and are loaded when the system boots.
Launch agent files are XML files containing a list of properties, whose basic anatomy is as follows:
Each agent file contains a list of keys followed by their values. The keys and values in the file will differ depending on the agent's uses, but the main components are those outlined in the red squares. These are the process Label, and the Program Arguments (sometimes called simply "Program"), which are the name of the script as it appears to the launcher, and the executable file that is being managed by the script. The rest of the agent file contains other conditional elements for running the specified program, such as the "StartInterval" key here which tells the system launcher to run this program every 3523 seconds.
In many of the recent malware attacks on OS X, this Launch Agent structure is being used to initially load the malware and infect Mac systems. The malware exploits the user or a system vulnerability and places an executable file on the system (usually within the user account). The malware then places a launch agent file in the username/Library/LaunchAgents/ folder, which targets the malicious executable and continually launches it. In some instances the targeted executable is the malware that attempts to steal personal information, but at other times this is only the initial phase and the malware then downloads and installs additional components that are harder to detect.
While malware variants might use different names for files and the locations of where they put them, most to date have used one of the system's various LaunchAgents folders (generally the one in the user account) as a starting point for their malware. As a result, we can also use these folders to help proactively detect and prevent such malware intrusions.
There are two options available for doing this:
Set up a Folder Actions notification
In OS X you can monitor folders using Folder Actions, which link applescripts to folders on the system so if they are changed then the scripts will run. While developing such a script might be difficult for some users, Apple offers a built-in script example that can be used to issue a notice whenever an item is added to a folder:
- Enable the Applescript menu
Go to the /Applications/Utilities/ folder and open the program called AppleScript Editor. In the preferences settings for this application, check the box to Show Script Menu in menu bar." The resulting menu will be shown next to the battery life, date, and Wi-Fi indicators on the right-hand side of your menu bar. - Enable Folder actions
In this menu go to "Folder Actions" where you will see a link to the Folder Actions Setup utility, which can be used to configure your various folder action scripts. You can use either this utility or the "Enable Folder Actions" script in this same menu to enable folder actions on the system. - Add a new-item folder action
In the Folder Actions submenu, select the Attach Script to Folder option, followed by choosing the "add - new item alert" option from the list of scripts that appears. Then click Choose and follow this with selecting the folder to which you want to apply the action.In this case, go to the username/Library/ folder, select the LaunchAgents folder, and click the Open button. In OS X Lion you will not see the Library folder by default, so first go to the Finder's Go menu, press the Option key, and then select Library. Then drag the Library folder to the Finder sidebar, and it should then become available in the sidebar in the Open dialogue.
Repeat step 3 for the following folders on the system:
/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
username/Library/LaunchAgents
You can check the results of this procedure by using the Folder Actions Setup utility, which is available in the new scripts menu and which will list the folder actions that you have bound to each of these folders. Some people may find this utility more intuitive than using the scripts in the menu to configure each folder.
To use this utility, select a folder in the left column and you will see the scripts that are bound to it listed in the right column. If there are no scripts listed for a folder then you can add them by clicking the plus button under the right-hand column. With this utility, you can add each of the aforementioned folders and then associate the "new item alert" script to them.
When this is done, adding a file to any of these folders will result in an alert, and if you click OK the system will display the file in the Finder. You can then open the file in TextEdit to see its contents (specifically check the "ProgramArguments" string), or otherwise investigate it to determine if it is legitimate or part of a malware package.
For the most part, files should only be added to these folders when you purposefully install a program or if you create your own launch agents for custom purposes, so if you randomly see this script run and display a new launch agent, then be suspicious.
If you find a suspect LaunchAgent file suddenly appear on your system, then immediately move the file to the Trash and then restart the system. This will clear it from the system launchers and prevent it from being automatically loaded. You can then remove the file from the trash to investigate it further, if needed.
Lock the LaunchAgent folders
In addition to setting up a Folder Actions script, you can lock the LaunchAgents folder to block all changes to it. OS X supports a file and folder locking flag that if set will override permissions settings and prevent any modification to the file or folder. To do this, get information on the item of interest and then check the "Locked" check box. If you lock the LaunchAgents folder in your user account, then no program or process will be permitted to alter it, and therefore prevent any unwarranted additions to the folders.
Locking the LaunchAgents folder has its benefits, but be aware that in some instances it may cause problems. If you add any new programs that includes LaunchAgent scripts for your user account, then you may see some errors when you try to install or run them; however, this will only happen when installing the programs. Once your programs are all installed and set up, then you should be able to lock the LaunchAgents folder without any problems.
These actions to monitor or lock the LaunchAgents folders should help prevent malware attacks by blocking an easy means for malware to be automatically run. While some people may prefer to rely on a malware scanner like ClamXav, Sophos, or VirusBarrier, these tools first require proper definitions to be available in order to identify and remove malicious files.
Unfortunately sometimes these definitions take a while to be updated, as we have seen with the recent SabPub malware that has apparently been around for over a month and avoided the radar because of the attention the Flashback malware was receiving. Therefore, monitoring the LaunchAgents folders is an easy way to help proactively guard against future malware breakouts that use these as a means of attacking the system.
Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.
Source
Tags:
- Monitor Os X Launchagents Folders To Help Prevent Malware Infections
- Monitor Os X Launchagents Folders To Help Prevent Malware On Website
- Monitor Os X Launchagents Folders To Help Prevent Crashes
- Monitor Os X Launchagents Folders To Help Pr event Being Hit
- How To Unlock Aoc Monitor Osd
- Best Monitor Osd Settings For Fps Gaming Vg289 Pc
- Aoc Monitor Osd Locked
Blog Archive
-
▼
2023
(199)
-
▼
January
(84)
- Logan Paul Has Just Signed With The WWE
- Heat Pump Vs. Furnace: Learn The Difference Betwee...
- Soon You'll Be Able To Book Office Spaces Through ...
- How To Fix 5 Common Causes For Your Home Internet ...
- Polar Pro Venture3+ Lens, Filter Pack Helps You Ge...
- Find Out What's Coming In The Mail Before It's Del...
- This 43-Inch Amazon Fire TV Is Down To Its Lowest ...
- Save Up To $250 On A Premium Samsung Tablet Today ...
- Wordle: What To Know About The Viral Word Game
- Gaming Monitors From CES 2022 To Get Hyped For
- 2023 Honda CR-V Teased Ahead Of Summer Debut
- James Webb Space Telescope's Smooth Launch Extende...
- Save Big On Motorola Phones With Prices Starting A...
- Ouya Teams With Xiaomi To Bring Video Games To China
- The Best Cat Toys, According To Our Favorite Felines
- Nvidia To Buy SoftBank's Arm Chip Division For $40...
- 5 Great Last-minute Gifts To Make With Your 3D Pri...
- GM Announces Plans For National EV Fast Charging N...
- 2022 Kia Sorento Receives Price Hikes Across The B...
- T-Mobile Is Offering Unlimited Google Photos Storage
- Amazon To Acquire One Medical In Major Boost To It...
- Lenovo Glasses T1 Are Wearable Displays That Also ...
- 'MythBusters' Adam Savage Tests DJI Inspire 1 4K Q...
- Best Home Security Deals For Black Friday: Save On...
- TikTok Live To Feature Hour-Long Sketch Comedy Sho...
- Air Frying Vs. Baking: What's The Best Cooking Met...
- Crocheted Predator Costume Goes On The Hunt For Ha...
- Acer Goes After The Classroom With New Durable Spi...
- Google Store Stumbles During Pixel 6 Phone Launch
- WhatsApp Will Let You Move Chat History Between IO...
- Monitor OS X LaunchAgents Folders To Help Prevent ...
- Motorola Edge Plus 2022 Vs. 2020: It's Not An Easy...
- GoPro, Red Bull Partner To Capture The World Of Ex...
- Facebook's $37.5 Million Location Tracking Settlem...
- Apple Rumored To Be Working On A Foldable IPad/Mac...
- Asus ROG Phone 6, 6 Pro Gaming Phones Bring Samsun...
- Nintendo Of America Testers Allege Sexual Harassme...
- Kia EV9 Electric Concept Previews A 3-row Producti...
- These Stunning Pens Bring Back The Joy Of Writing
- 7 Ways To Save Money On Car Insurance
- Best Immersion Blender For 2022
- The IPhone At 15: How Apple's Phone Became The Cen...
- TikTok's China Equivalent Limits Kids To 40 Minute...
- You Can Now Play Wordle On NYT Crossword App
- How To Remove Wallpaper In An Old Or Period House
- 60 Super-cool Kitchen Gadgets You Can Get For Less...
- Apple's 16-inch MacBook Pro Gets Graphics Boost Wi...
- MLB TV Review: Subscribers May Balk At Increased B...
- Monkeypox Outbreak: Symptoms, Variants And Trends ...
- Samsung Galaxy S22 Ultra Vs. Pixel 6 Pro: It's A T...
- Asus ZenBook Duo 14 UX482 Review: A Dual-screen La...
- Leaked Pics Of Huawei's Updated Freebuds Show Wire...
- Samsung QN90B QLED Vs. LG C2 OLED: Which TV Is Bes...
- Don't Swap Your Gas-Guzzler For An Electric Vehicl...
- 6 Important Things To Know About Your Social Secur...
- Universe's Most Massive Known Star Imaged With Unp...
- Xiaomi Mi Smart Projector 2: High Style, Low Brigh...
- Asus ZenBook 13 UX333 Review: New Asus ZenBooks Pa...
- WWE Hell In A Cell 2020: Results, Full Recap And N...
- Red Alert! New Honda Civic Type R Coming Next Year...
- Meta Has A Giant New AI Supercomputer To Shape The...
- 2022 Kia EV6 Review: Best Foot Forward
- Shop Coach Outlet's Varsity Collection With Prices...
- Pixar's 'Turning Red' Teams Up With Firefox To Cel...
- Shopping At Wayfair? These 3 Simple Tips Will Make...
- Facebook Is Growing Its Daily Users Again
- Moto G Fast Vs. G Power Vs. G Stylus: Motorola Bud...
- WWE Elimination Chamber 2022: Start Times, Full Ca...
- The IPhone SE, Not The Mini, May Be The Future Of ...
- RedMagic 7S Pro's Highlight Feature May Be Its Hid...
- 2021 Honda Accord Reveal: Fresh Style, More Tech B...
- Motorola Edge Plus Hands-on: A $1,000 5G Phone Wit...
- Best High-Tech Ski Gear For 2022
- Google In Hot Water For Sending Unwanted Ad Emails
- Hisense Recalls French-Door Fridge Due To Injury R...
- The App That Helps Prepare You For Death
- Your MacBook Trackpad Has An Annoying Setting You ...
- Acer Chromebook R11 Review: A Finger-friendly Hybr...
- The IPhone At 15: Steve Jobs Revealed His Greatest...
- Universe's Most Massive Known Star Imaged With Unp...
- Bored Kids? Get Them This Indoor Beginner Drone Fo...
- Thirsty Suitors: Battle Your Exes In This Colorful...
- HP's New Spectre Laptops Have A Webcam Kill Switch...
- Are USDA Loans Available To Everyone? How To Know ...
-
▼
January
(84)
Total Pageviews
Search This Blog
Popular Posts
-
Carta de motivação academica wayne, carta de motivação academica charter, carta de motivação academica virtual education, carta de motivação...
-
Ukuran hp samsung galaxy j1 ace neo, ukuran hp samsung galaxy j1 ace specifications, ukuran hp samsung galaxy j1 ace software, ukuran hp sam...
-
Contoh soalan fizik spm 2019, contoh soalan fizik spm 2018, contoh soalan fizik spm 2017, contoh soalan fizik kertas 3, contoh soalan fizik ...