PaloAltoNetworks / WireLurkerDetector

Script for detecting the WireLurker malware family
http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
ISC License

What does a detection alert look like? #10

Open HowieAtTF opened 9 years ago

HowieAtTF commented 9 years ago

I created a shell script that will download the detector, and run it. I tested it, and it performs the whole process. I would like to know what an alert looks like so that I can use that to trigger the shell script to notify me. I'm hoping to push out the shell script via Casper.

denkb commented 9 years ago

HowieAtTF - how are you going to collect your results? You write up an EA for Casper yet?

HowieAtTF commented 9 years ago

I planned to collect the results from the Casper log, but also set up a smart group that includes systems that have the malware. When I run this on my own system, it works as expected, but since I'm not infected, I don't know what the software says if the malware is present. That's really all I need to know.

denkb commented 9 years ago

@HowieAtTF - Running the script via Remote Control or a policy does not produce a "result" in any of the jamf logs. I see the executing entry of the policy to run the script within jamf.log but no result. You see a result? I like that approach to comb the log for the result, but I sort of need that first.

secmobi commented 9 years ago

Hi guys. I don't know how to use Casper. Basically, if you run the Python file under any shell, and if any line output from stdout begins with "[!] ", that's a signal of infection.

iJake commented 9 years ago

For use with an Extension Attribute in Casper add another print statement with result tags to each of the possible outputs at the end of the script. for example:

    # Existing warning block from the detector script (Python 2 print statements) ...
    print "[!] WARNING: Your OS X system is highly suspicious of being infected by the WireLurker.\n" \
          "[!] You may need to delete all malicious or suspicious files and/or applications above.\n" \
          "[!] For more information about the WireLurker, please refer: \n" \
          "[!] http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
    # ... followed by the result tag that the Casper Extension Attribute ingests.
    print "<result>Infected</result>"

VertigoRay commented 9 years ago

You should read the code, bro:

Looks to me like you'll exit 1 if there's an infection, otherwise, exit 0. You should work off that instead of parsing the StdOut/Err. If you're set on parsing output, looks like you should just look for lines beginning with [!] ... that shows up at the beginning of all the infected warning messages in this script.
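One way to turn the two signals named in this thread (exit status 1 on infection, and warning lines that begin with "[!] ") into a Jamf/Casper Extension Attribute, as an added example that is not part of the original thread or of the WireLurkerDetector project; the detector path, the interpreter name and the sample output strings are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): Extension Attribute wrapper for
# WireLurkerDetector. The path and interpreter below are assumptions.
DETECTOR="${DETECTOR:-/usr/local/bin/WireLurkerDetectorOSX.py}"   # assumed path
PYTHON="${PYTHON:-python}"                                          # assumed interpreter

# classify_result STATUS OUTPUT
# Maps the detector's exit status and captured stdout to a Jamf <result> value,
# using both signals from the thread: exit 1 means infected, and every
# infection warning line starts with "[!] ".
classify_result() {
    status="$1"
    output="$2"
    # Count marker lines; "|| true" keeps grep's no-match status (1) from
    # aborting a script run under "set -e".
    hits=$(printf '%s\n' "$output" | grep -c '^\[!\] ' || true)
    case "$status" in
        0)
            # A clean exit that still prints marker lines would mean the script
            # changed; trust the marker rather than report Clean.
            if [ "$hits" -gt 0 ]; then echo "<result>Infected</result>"
            else echo "<result>Clean</result>"; fi ;;
        1)  echo "<result>Infected</result>" ;;
        *)
            # 127 (interpreter missing), 2 (Python could not open the file) and
            # similar are not verdicts; surface them so the smart group never
            # treats a broken run as Clean.
            echo "<result>Error (exit $status)</result>" ;;
    esac
}

# run_detector: execute the real detector, capture stdout+stderr and its exit
# status without tripping "set -e", then print the <result> line.
run_detector() {
    out=$("$PYTHON" "$DETECTOR" 2>&1) && st=0 || st=$?
    classify_result "$st" "$out"
}

run_detector
```

Deploy the script as the Extension Attribute's input and build the smart group on the "Infected" value; the "Error" value is worth a second smart group so hosts where the detector never ran are not counted as clean.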