Monitor OS X LaunchAgents folders to help prevent malware attacks

Recently the Mac platform has been hit with a few malware attacks, the most notable of which is the Flashback malware, but the same vulnerabilities that this and others have used are now cropping up in other malware as well, including yesterday’s news of the SabPub malware and its MacKontrol variant, and also the Olyx malware, a variant of the Tibet malware we previously discussed.

Some of these attacks are targeted attacks on the system that seem to be focused on specific groups in China or Tibet, but others like Flashback are more widespread and are built to target everyone using Mac systems as thieves have jumped on the opportunity to take advantage of unpatched vulnerabilities.


The LaunchAgents folders may contain numerous launcher files for various system and application processes such as scheduled updater routines, but have also been used by malware developers to launch their criminal activity.

(Credit: Screenshot by Topher Kessler/CNET)

Across this wave of attacks and the variants that have followed, all of them have one thing in common: launch agent scripts placed in the LaunchAgents folder within either the user’s Library or the global Library folders.

The LaunchAgents folder (and its paired LaunchDaemons folder for managing service processes) is a location where scripts are stored for automatically managing system processes, such as ensuring a process stays active at all times or launching it conditionally. For instance, the “backupd” process for Time Machine is scripted to run the backup process every hour. Alternatively, you can script a program of your choice to launch whenever a network connection is detected, or have it always stay open and relaunch even if it is forced to quit.

Most of the time developers use these scripts to manage their programs, but you can also create them for your own needs. Recently I discussed how to create a custom launch agent to change Safari’s downloads folder whenever an external drive is attached to the system.

The LaunchAgents and LaunchDaemons folders may be present in the user account’s Library folder, but are also mirrored in the Library folder at the root of the hard drive and in the System folder. When you boot OS X, the launch agent scripts in the System folder and global Library folder are loaded, and when you log in to your account, any scripts in the LaunchAgents folder within your user account are loaded.

The basic anatomy of a launch agent file is as follows:


The most important component of the launch agent file is the “ProgramArguments” or “Program” key, which shows where the executable file is located that the launch agent is targeting.

(Credit: Screenshot by Topher Kessler/CNET)

Each agent file contains a list of keys followed by their values. The keys and values used will differ depending on the agent’s purpose, but the main components are those outlined in the red squares: the Label and the ProgramArguments (sometimes simply “Program”). These are, respectively, the name of the script that is passed to the launcher so it can be identified, and the executable file that is being managed by the script. The rest of the agent file contains other conditions for running the specified program, such as the “StartInterval” key here, which tells the system launcher to run this program with the conditions specified every 3523 seconds.

When it comes to the recent malware attacks on OS X, it is this Launch Agent structure that is being used to initially load the malware and infect Mac systems. The malware exploits the user or a system vulnerability and places an executable file on the system (usually within the user account). The malware then places a launch agent file similar to the one above in the username/Library/LaunchAgents/ folder, which targets the malicious executable and continually launches it. In some instances the targeted executable is the malware that attempts to steal personal information, but at other times this is only the initial phase and the malware then downloads and installs additional components that are harder to detect.

While each piece of malware is different and variants might use different file names and locations, most to date have used one of the system’s various LaunchAgents folders as a starting point. As a result, we can also use these folders to help proactively detect and prevent such malware intrusions.
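As an added example (not code from the article), here is a small Python audit that reads each agent plist in a launch folder and pulls out the three things discussed above: the Label, the executable the Program or ProgramArguments key points at, and what keeps it running. The sample agent, the “/Users/demo” home path and the review heuristics are constructed assumptions for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample agent (not taken from any real malware). It carries the parts
# the article highlights: a Label, ProgramArguments and a 3523-second StartInterval.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/.hidden/updater</string><string>-q</string></array>
  <key>StartInterval</key><integer>3523</integer><key>KeepAlive</key><true/>
</dict></plist>"""

def summarize_agent(data: bytes) -> dict:
    # Who the job is (Label), what it runs (Program, else ProgramArguments[0])
    # and what keeps it running (StartInterval / KeepAlive).
    p = plistlib.loads(data)
    args = p.get("ProgramArguments") or []
    return {"label": p.get("Label"),
            "target": p.get("Program") or (args[0] if args else None),
            "interval": p.get("StartInterval"),
            "keep_alive": bool(p.get("KeepAlive"))}

def review_reasons(summary: dict, home: str) -> list:
    # Prompts to look closer, not a verdict: the article notes that malware usually
    # drops its executable in the user account and relaunches it; updaters do too.
    reasons = []
    if summary["target"] is None:
        reasons.append("no Program/ProgramArguments key")
    elif summary["target"].startswith(home.rstrip("/") + "/"):
        reasons.append("target executable lives inside the user account")
    if summary["keep_alive"]:
        reasons.append("KeepAlive set: relaunched whenever it exits")
    return reasons

def audit_folder(folder: str, home: str) -> list:
    # One (filename, summary, reasons) per .plist; a file plistlib cannot parse is
    # reported rather than skipped, since a malformed agent is itself worth a look.
    out = []
    for f in sorted(Path(folder).expanduser().glob("*.plist")):
        try:
            s = summarize_agent(f.read_bytes())
            out.append((f.name, s, review_reasons(s, home)))
        except Exception as e:
            out.append((f.name, None, [f"unparseable: {e}"]))
    return out

def demo() -> list:
    # Offline run: audit a temporary folder holding only the constructed sample.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "com.example.constructed.plist").write_bytes(SAMPLE_AGENT)
        return audit_folder(d, "/Users/demo")
```

On a real system, call `audit_folder("~/Library/LaunchAgents", str(Path.home()))` and the other folders listed later in the article; the reasons are a reading aid for the investigation the article describes, not a detection verdict.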


Checking this box in the AppleScript Editor utility will add the script menu to the menu bar.

(Credit: Screenshot by Topher Kessler/CNET)

There are two options available for doing this:

Set up a Folder Actions notification
One technology in OS X that you can use to monitor folders is Folder Actions, which links AppleScripts to folders on the system so that the scripts run whenever those folders change. While developing such a script might be difficult for some users, Apple offers one that you can use as-is to issue a notice whenever an item is added to a folder. To do this, you will need to do the following:

  1. Enable the AppleScript menu
    Go to the /Applications/Utilities/ folder and open the program called AppleScript Editor. Then go to the preferences of this application and check the box to “Show Script Menu in menu bar.” The resulting menu will be shown next to the battery life, date, and Wi-Fi indicators on the right-hand side of your menu bar.

    Use the “add – new item alert” script as the script to attach to the LaunchAgents folders.

    (Credit: Screenshot by Topher Kessler/CNET)

  2. Enable Folder Actions
    This menu contains a number of scripts, all of which are in the /Library/Scripts/ folder. A subset of these are called “Folder Action Scripts” (in the Folder Actions submenu) and can be used to attach a script to a folder and enable folder actions. In this menu you should also have a link to the Folder Actions Setup utility, which can be used to configure your various folder action scripts. You can use either this utility or the “Enable Folder Actions” script to enable folder actions on the system.
  3. Add a new-item folder action
    Now all you need to do is add a folder action to the LaunchAgents folder. In the Folder Actions submenu, select the Attach Script to Folder option, then choose the “add – new item alert” option from the list of scripts that appears. Click Choose, and then select the folder to which you want to apply the action.

    In this case, go to the username/Library/ folder, select the LaunchAgents folder, and click the Open button. In OS X Lion you will not see the Library folder by default, so first go to the Finder’s Go menu, press the Option key, and then select Library. Then drag the Library folder to the Finder sidebar, and it should become available in the sidebar of the Open dialog.


This alert will show when an item is placed in any of the monitored folders, and clicking Yes will open the folder and present the item to you.

(Credit: Screenshot by Topher Kessler/CNET)

Repeat step 3 for the following folders on the system:

/Library/LaunchAgents
/Library/LaunchDaemons
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
username/Library/LaunchAgents
username/Library/LaunchDaemons

When this is done, if a file is added to any of these folders you will see a folder action alert warning you that a file has been added, and if you click OK you will be taken to the folder and shown the new file (it will be highlighted). You can then open the file in TextEdit to see its contents, or otherwise investigate it to determine whether it is legitimate or part of a malware package. For the most part, files should only be added to these folders when you purposefully install a program or create your own launch agents for custom purposes, so if you unexpectedly see this script run and display a new launch agent, be suspicious.
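A scripted counterpart to the Folder Actions alert, added here as an example rather than taken from the article: it records a baseline of the six folders listed above and, on the next run (for instance from a scheduled job), reports anything added, removed or changed. The baseline file location and the constructed file names used in the offline demo are assumptions.

```python
import json
import tempfile
from pathlib import Path

# The six folders the article says to watch; "~" is the current account's Library.
LAUNCH_FOLDERS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                  "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
                  "~/Library/LaunchAgents", "~/Library/LaunchDaemons"]

def snapshot(folders) -> dict:
    # folder -> {filename: [size, mtime]} so edits show up as well as additions.
    snap = {}
    for f in folders:
        p = Path(f).expanduser()
        if p.is_dir():
            snap[str(p)] = {c.name: [c.stat().st_size, int(c.stat().st_mtime)]
                            for c in p.iterdir() if c.is_file()}
    return snap

def compare(baseline: dict, current: dict) -> list:
    # (folder, name, change) for every file added, removed or modified.
    changes = []
    for folder in sorted(set(baseline) | set(current)):
        old, new = baseline.get(folder, {}), current.get(folder, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append((folder, name, "added"))
            elif name not in new:
                changes.append((folder, name, "removed"))
            elif old[name] != new[name]:
                changes.append((folder, name, "modified"))
    return changes

def check(baseline_file: str, folders=LAUNCH_FOLDERS) -> list:
    # First run only records the baseline; later runs report drift and refresh it.
    bf = Path(baseline_file)
    current = snapshot(folders)
    baseline = json.loads(bf.read_text()) if bf.exists() else current
    bf.write_text(json.dumps(current))
    return compare(baseline, current)

def demo() -> list:
    # Offline run: one agent present at baseline time, a constructed one dropped later.
    with tempfile.TemporaryDirectory() as d:
        agents = Path(d, "LaunchAgents")
        agents.mkdir()
        Path(agents, "com.example.existing.plist").write_text("<plist/>")
        first = check(str(Path(d, "baseline.json")), [str(agents)])
        Path(agents, "com.example.dropped.plist").write_text("<plist/>")
        return first + check(str(Path(d, "baseline.json")), [str(agents)])
```

A same-size edit within the same second would slip past the size/mtime comparison; hashing file contents instead would close that gap at the cost of reading every file on each run.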

If you see this happen and find a suspect launch agent file, immediately remove the file from the folder (move it to the trash) and then restart the system. This will clear it from the system launchers and prevent it from being automatically loaded. You can then take it out of the trash to investigate the file further.


Check this box to lock the launch agent folder and prevent any additional files from being added to it.

(Credit: Screenshot by Topher Kessler/CNET)

Lock the LaunchAgent folders
In addition to setting up a Folder Actions script, you can also lock the LaunchAgents folder. OS X supports a file and folder locking flag that overrides permissions settings and prevents any modification to the file or folder. This flag can be set by getting information on a folder and then simply checking the Locked check box. If you do this to the LaunchAgents folder, no program or process will be permitted to alter it, which prevents any unwarranted additions to the folder.

The problem with doing this is if you add any new programs that require launch agents, then they will likely run into errors when you try to install or run them. The easy way around this is to unlock the folders if such errors occur; this should not need to be done very often because you will likely not need to regularly install programs that use launch agents. Once your programs are all installed and set up, then the locked LaunchAgents folders will still allow the scripts within them to run, but will prevent any new additions to the folders.

Be sure to not only lock the LaunchAgents and LaunchDaemons folders within your user library, but also do those in the global and system libraries mentioned above.

While some people may find using a malware scanner like ClamXav, Sophos, or VirusBarrier is a preferred method of rooting out malware, these tools first require proper definitions in order to identify and remove malicious files. Unfortunately sometimes these definitions take a while to be updated, as we have seen with the recent SabPub malware that has apparently been around for over a month and avoided the radar because of the attention the Flashback malware was getting.

Therefore, these two steps should be an easy way to help proactively guard against future malware breakouts that could affect OS X, since the criminals behind them seem to be primarily abusing the system launchers through these folders in order to at least initially run their malware in the background.


Article source: http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/?part=rss&tag=feed&subj=