Monitor OS X LaunchAgents folders to help prevent malware attacks
While malware scanners can detect threats once definitions for them are available, you can monitor or lock your systems' launch agents folders to more proactively prevent attacks on your system.
Topher KesslerMacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Some of these attacks are targeted for specific groups in China or Tibet, but others like Flashback are more widespread and have targeted as many Mac systems as possible, by exploiting vulnerabilities in the system when browsing Web pages and posing as fake Flash installer applications.
Despite this wave of malware and the variants of each that have followed, most of these attacks have one thing in common: they use Launch Agent scripts for at least one stage of their attacks.
The LaunchAgents folders (and their paired LaunchDaemons folder for managing service processes) are locations that contain scripts to automatically manage system processes. For instance, Apple uses one of these scripts to schedule the "backupd" process for Time Machine, and have it create backups every hour.
Most of the time developers use these scripts as components to their programs, but they can also be used for your own customizations. Recently I discussed how to do this for automatically changing Safari's downloads folder whenever an external drive is attached to the system.
There are three LaunchAgent folders in an OS X installation. The first is in your user account's Library, and the scripts in it are loaded when you log in. The others are in the global Library and System/Library folders, and are loaded when the system boots.
Launch agent files are XML files containing a list of properties, whose basic anatomy is as follows:
Each agent file contains a list of keys followed by their values. The keys and values in the file will differ depending on the agent's uses, but the main components are those outlined in the red squares. These are the process Label, and the Program Arguments (sometimes called simply "Program"), which are the name of the script as it appears to the launcher, and the executable file that is being managed by the script. The rest of the agent file contains other conditional elements for running the specified program, such as the "StartInterval" key here which tells the system launcher to run this program every 3523 seconds.
In many of the recent malware attacks on OS X, this Launch Agent structure is being used to initially load the malware and infect Mac systems. The malware exploits the user or a system vulnerability and places an executable file on the system (usually within the user account). The malware then places a launch agent file in the username/Library/LaunchAgents/ folder, which targets the malicious executable and continually launches it. In some instances the targeted executable is the malware that attempts to steal personal information, but at other times this is only the initial phase and the malware then downloads and installs additional components that are harder to detect.
While malware variants might use different names for files and the locations of where they put them, most to date have used one of the system's various LaunchAgents folders (generally the one in the user account) as a starting point for their malware. As a result, we can also use these folders to help proactively detect and prevent such malware intrusions.
There are two options available for doing this:
Set up a Folder Actions notification
In OS X you can monitor folders using Folder Actions, which link applescripts to folders on the system so if they are changed then the scripts will run. While developing such a script might be difficult for some users, Apple offers a built-in script example that can be used to issue a notice whenever an item is added to a folder:
Enable the Applescript menu
Go to the /Applications/Utilities/ folder and open the program called AppleScript Editor. In the preferences settings for this application, check the box to Show Script Menu in menu bar." The resulting menu will be shown next to the battery life, date, and Wi-Fi indicators on the right-hand side of your menu bar.
Enable Folder actions
In this menu go to "Folder Actions" where you will see a link to the Folder Actions Setup utility, which can be used to configure your various folder action scripts. You can use either this utility or the "Enable Folder Actions" script in this same menu to enable folder actions on the system.
Add a new-item folder action
In the Folder Actions submenu, select the Attach Script to Folder option, followed by choosing the "add - new item alert" option from the list of scripts that appears. Then click Choose and follow this with selecting the folder to which you want to apply the action.
In this case, go to the username/Library/ folder, select the LaunchAgents folder, and click the Open button. In OS X Lion you will not see the Library folder by default, so first go to the Finder's Go menu, press the Option key, and then select Library. Then drag the Library folder to the Finder sidebar, and it should then become available in the sidebar in the Open dialogue.
Repeat step 3 for the following folders on the system:
You can check the results of this procedure by using the Folder Actions Setup utility, which is available in the new scripts menu and which will list the folder actions that you have bound to each of these folders. Some people may find this utility more intuitive than using the scripts in the menu to configure each folder.
To use this utility, select a folder in the left column and you will see the scripts that are bound to it listed in the right column. If there are no scripts listed for a folder then you can add them by clicking the plus button under the right-hand column. With this utility, you can add each of the aforementioned folders and then associate the "new item alert" script to them.
When this is done, adding a file to any of these folders will result in an alert, and if you click OK the system will display the file in the Finder. You can then open the file in TextEdit to see its contents (specifically check the "ProgramArguments" string), or otherwise investigate it to determine if it is legitimate or part of a malware package.
For the most part, files should only be added to these folders when you purposefully install a program or if you create your own launch agents for custom purposes, so if you randomly see this script run and display a new launch agent, then be suspicious.
If you find a suspect LaunchAgent file suddenly appear on your system, then immediately move the file to the Trash and then restart the system. This will clear it from the system launchers and prevent it from being automatically loaded. You can then remove the file from the trash to investigate it further, if needed.
Lock the LaunchAgent folders
In addition to setting up a Folder Actions script, you can lock the LaunchAgents folder to block all changes to it. OS X supports a file and folder locking flag that if set will override permissions settings and prevent any modification to the file or folder. To do this, get information on the item of interest and then check the "Locked" check box. If you lock the LaunchAgents folder in your user account, then no program or process will be permitted to alter it, and therefore prevent any unwarranted additions to the folders.
Locking the LaunchAgents folder has its benefits, but be aware that in some instances it may cause problems. If you add any new programs that includes LaunchAgent scripts for your user account, then you may see some errors when you try to install or run them; however, this will only happen when installing the programs. Once your programs are all installed and set up, then you should be able to lock the LaunchAgents folder without any problems.
These actions to monitor or lock the LaunchAgents folders should help prevent malware attacks by blocking an easy means for malware to be automatically run. While some people may prefer to rely on a malware scanner like ClamXav, Sophos, or VirusBarrier, these tools first require proper definitions to be available in order to identify and remove malicious files.
Unfortunately sometimes these definitions take a while to be updated, as we have seen with the recent SabPub malware that has apparently been around for over a month and avoided the radar because of the attention the Flashback malware was receiving. Therefore, monitoring the LaunchAgents folders is an easy way to help proactively guard against future malware breakouts that use these as a means of attacking the system.