Transmission - keydnap v1.5 - Keychain Backdoor

zetaomegagon
New Contributor III

I haven't seen any discussion on this:

Attackers Infect Transmission Torrent Client With OS X Malware - TorrentFreak

Another attack on Transmission, this time for creating a backdoor to the keychain data.

www.welivesecurity.com
Article 1
Article 2

Below is a script I made that kills the suspect processes and removes suspect paths/files (as per the Transmission website and Article 1).

I'm pretty new to scripting and JAMF (and system administration!), and I know that people probably aren't using Transmission, but I hope this helps someone-- even if it just provides a base so that you don't have to copy the paths from the websites :)

Also, this is the first time I've used Arrays. I think this is a pretty simple (and clear) example of Arrays for those that are overwhelmed by them like I was.

#!/bin/bash

#=============================== PURPOSE ======================================#
#
#                   Test for Keydnap v1.5 and remove it.
#
#==============================================================================#



#============================== VARIABLES =====================================#
# User currently logged in at the console (owner of the per-user paths below).
LOGGED_IN_USER=$(w | grep 'console' | awk '{ print $1 }')

# Process names / command lines used by the malware (per the Transmission site
# and Article 1).
M_PROCS=( "icloudproc" 
          "License.rtf" 
          "icloudsyncd" 
          "/usr/libexec/icloudsyncd -launchd netlogon.bundle" )


# Files and directories dropped by the malware.
M_PATHS=( "/Library/Application Support/com.apple.iCloud.sync.daemon/" 
          "/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" 
          "/Users/$LOGGED_IN_USER/Library/Application Support/com.apple.iCloud.sync.daemon/" 
          "/Users/$LOGGED_IN_USER/Application Support/com.geticloud/" 
          "/Users/$LOGGED_IN_USER/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" 
          "/Users/$LOGGED_IN_USER/Library/LaunchAgents/com.geticloud.icloud.photo.plist" 
          "/Applications/Transmission.app/Contents/Resources/License.rtf" 
          "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" )
#==============================================================================#



#================================ BODY ========================================#

## Kill malicious processes
# pgrep/pkill -f match against the full command line, so the entry
# "/usr/libexec/icloudsyncd -launchd netlogon.bundle" is matched as well
# (killall only matches on the bare process name).
for M_PROC in "${M_PROCS[@]}"; do
  if pgrep -f "$M_PROC" > /dev/null; then
    echo "Killing ${M_PROC} process."
    pkill -f "$M_PROC"
    echo "${M_PROC} process killed."
  else
    echo "${M_PROC} process not detected."
  fi
done

echo

## Remove malicious paths and files
# -e tests whether the path itself exists (the process list is not the
# right place to look for files).
for M_PATH in "${M_PATHS[@]}"; do
  if [[ -e "$M_PATH" ]]; then
    echo "Removing '${M_PATH}'."
    rm -rf "$M_PATH"
    echo "'${M_PATH}' removed."
  else
    echo "'${M_PATH}' not detected."
  fi
done

#==============================================================================#
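As an added example (not part of the original post), the same file indicators can be checked read-only and reported in Jamf Extension Attribute form, so affected Macs can be scoped in inventory before the removal script is pushed. The `ROOT` prefix argument is an assumption added only so the functions can be exercised against a scratch directory; on a real Mac it is passed as an empty string.

```bash
#!/bin/bash
# Added example, not from the original post. Read-only audit of the Keydnap
# file indicators listed above, with Jamf Extension Attribute style output.
# ROOT is an assumed prefix (empty on a real system) so the check can be run
# against a constructed scratch tree.

# Prints each indicator path that exists under ROOT for USER.
# Returns 0 if at least one indicator is present, 1 if none are.
keydnap_audit() {
  root="$1"; user="$2"; found=1
  set -- \
    "$root/Library/Application Support/com.apple.iCloud.sync.daemon" \
    "$root/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" \
    "$root/Users/$user/Library/Application Support/com.apple.iCloud.sync.daemon" \
    "$root/Users/$user/Application Support/com.geticloud" \
    "$root/Users/$user/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" \
    "$root/Users/$user/Library/LaunchAgents/com.geticloud.icloud.photo.plist" \
    "$root/Applications/Transmission.app/Contents/Resources/License.rtf"
  for p in "$@"; do
    if [ -e "$p" ]; then
      printf 'FOUND: %s\n' "$p"
      found=0
    fi
  done
  return "$found"
}

# Jamf reads the <result> element of an Extension Attribute script's output.
keydnap_ea_result() {
  if keydnap_audit "$1" "$2" > /dev/null; then
    echo "<result>Infected</result>"
  else
    echo "<result>Clean</result>"
  fi
}

# Stand-alone demo against a constructed scratch tree; no real paths are touched.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/Library/LaunchAgents"
: > "$demo_root/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist"  # constructed indicator
keydnap_ea_result "$demo_root" "demo"
keydnap_audit "$demo_root" "demo" || true
rm -rf "$demo_root"
```

On a managed Mac the Extension Attribute would call `keydnap_ea_result "" "$(w | grep 'console' | awk '{ print $1 }')"` so the result lands in inventory and a smart group can target the removal script.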