Created
April 5, 2012 01:42
Poorly Written Flashback Trojan Scan
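#!/usr/bin/env bash
#
# Flashback Trojan scan (macOS).
#
# Looks for the two settings this scan treats as indicators:
#   * an LSEnvironment key in the Info.plist of a browser bundle found in
#     /Applications (bundle name matching Firefox, Chrome or Safari), and
#   * a DYLD_INSERT_LIBRARIES key in ~/.MacOSX/environment.
#
# A key that is present is reported as "potentially infected" and its value
# is printed so it can be reviewed: software may set these keys for
# legitimate reasons, so a hit is a lead to investigate, not a verdict.
# A key that is absent is reported as clean for that location only.

browser_regex='Firefox|Chrome|Safari'
infected=0

#######################################
# Report whether a defaults key exists and record a hit.
# Globals:   infected (set to 1 when the key is present)
# Arguments: $1 - label used in the report line
#            $2 - defaults domain (plist path without the .plist suffix)
#            $3 - key to look up
# Outputs:   one status line on stdout, plus the key's value on a hit
# Returns:   0 always; the finding is carried by the infected global
#######################################
check_key() {
  local label=$1 domain=$2 key=$3
  local value

  # Decide on the exit status rather than on the wording of the error text:
  # `defaults read` succeeds only when the domain/key pair exists.
  if value=$(defaults read "$domain" "$key" 2>&1); then
    echo "$label potentially infected!"
    printf '  %s = %s\n' "$key" "$value"
    # Plain assignment; writing "$infected=1" expands to the command "0=1"
    # and leaves the flag untouched, so the summary could never report a hit.
    infected=1
  else
    echo "$label appears clean."
  fi
  return 0
}

if ! command -v defaults >/dev/null 2>&1; then
  echo "warning: 'defaults' not found; this scan only works on macOS and the results below are not meaningful." >&2
fi

echo "============================="
echo "Scanning for Flashback Trojan"
echo "============================="
echo

# With nullglob an empty or missing /Applications yields no iterations
# instead of the literal pattern.
shopt -s nullglob

# Glob instead of parsing `ls`: names such as "Google Chrome.app" contain a
# space, and the full path is needed so the lookup does not depend on the
# current working directory.
for bundle in /Applications/*; do
  app_name=${bundle##*/}
  if [[ $app_name =~ $browser_regex ]]; then
    check_key "$app_name" "$bundle/Contents/Info" LSEnvironment
  fi
done

check_key "Home environment" "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES

echo
echo "============================="
if [[ $infected = 0 ]]; then
  echo "Flashback Trojan NOT detected."
else
  echo "Flashback Trojan WAS detected."
fi
echo "============================="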
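Instructions (the URL below is pinned to one revision of the gist; the script relies on bash-only syntax such as `[[ ... ]]` and `shopt`, so the `sh` it is piped to must be bash):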
curl https://raw.github.com/gist/2307318/a31f69719c0f076f3cd44717c892f9f03d2c5b52/flashback_trojan_scan.sh | sh