Luxembourg CIRC develops LaunchAgent monitoring tool for OS X
Following my recent outlining of a procedure for monitoring LaunchAgents, the Luxembourg CIRC created an easy-to-use setup utility that handles the procedure for you.
LaunchAgent scripts in OS X can be used to automatically run programs and scripts and are a common route that malware developers use to run their malware in OS X once either the system is exploited or the user has been fooled into installing malware.
Because of this, I recently wrote a procedure forthat warn whenever changes are made to the various LaunchAgent folders and thereby help detect such attacks, which have been used in some recent and notable malware scams in OS X including DNSChanger, MacDefender, and the most recent Flashback malware.
The procedure I outlined makes use of Apple's built-in Folder Actions technology in OS X, which is used to run specified Applescripts whenever a change happens to a specified folder. Because LaunchAgent scripts are only automatically opened from specific LaunchAgent and LaunchDaemon folders on the system, you can use the Folder Actions feature to watch these locations and send yourself notifications if any files are added to them.
Unfortunately, the Folder Actions feature is relatively hidden, so setting up this notification system for each system you own requires repeating the steps I outlined; however, following the publication of these steps, the Computer Incident Response Center of Luxembourg (similar to US-CERT) created a small and convenient utility based on my procedure, that can perform these steps for you. By simply running the application, you'll enable Folder Actions and bind the appropriate scripts to the LaunchAgent and LaunchDaemon folders on the system.
If you haven't already enabled this feature, then I highly recommend you do so either with this utility or through the manual approach I outlined; however, regardless of which approach you take, be sure to check the results by opening the Folder Actions Setup utility in the /System/Library/CoreServices/ folder, and use it to check the scripts bound to each folder. You can also ensure the scripts work as intended by revealing these folders (click the Show Folder button in the utility to do so for the highlighted folder) and dragging any file to them -- this should result in a warning about the change.
This tool from CIRCL is a great option to use, especially if you wish to enable these notifications on multiple systems; however, as with my original instructions, it enables notifications on only the folders that automatically launch scripts in OS X. This should be plenty to help proactively counter malware attacks, but this notification system can be used for more than just LaunchAgent folders. In many cases malware has been installed on other components of the system that are usually not used on a day-to-day basis, and therefore can be monitored. Such locations include the following directories:
To add these folders to the notifications, after following my procedure or running the CIRCL utility, you'll need to use Apple's Folder Actions Setup utility to add these folders and bind the notification script to them.
Special thanks goes to the Luxembourg CIRC team for developing this utility, and let's hope this helps stem future malware attacks on OS X.