Recently I read an article about a sophisticated multi-platform piece of malware that works on OS X (read the article here). I wanted to share a supplemental bash script I wrote to detect evidence of this malware on your system. See below for the goodies:
#!/bin/bash
# Mokes.a file check for the console user's home directory.
# Written as a Jamf extension attribute, hence the <result> tags in the output.

# Console (logged-in) user and their home directory, resolved through Directory
# Services so the path is right for network and relocated home folders too.
currentUser="$(stat -f '%Su' /dev/console)"
userHomeDir="$(dscl . read /Users/"${currentUser}" NFSHomeDirectory | awk -F ': ' '{ print $2 }')"

# Paths (relative to the user's Library folder) where the malware drops its
# components and its LaunchAgent persistence plist. Each one impersonates a
# legitimate application component, so the exact path is the indicator.
mokesPaths=(
    "App Store/storeuserd"
    "com.apple.spotlight/SpotlightHelper"
    "Dock/com.apple.dock.cache"
    "Skype/SkypeHelper"
    "Dropbox/DropboxCache"
    "Google/Chrome/nacld"
    "Firefox/Profiles/profiled"
    "LaunchAgents/storeuserd.plist"
)

filearray=()
for relPath in "${mokesPaths[@]}"; do
    if [[ -f "${userHomeDir}/Library/${relPath}" ]]; then
        filearray+=("${relPath}")
    fi
done

if [[ ${#filearray[@]} -gt 0 ]]; then
    echo "<result>Files found: ${filearray[*]}. Total number of files: ${#filearray[@]}</result>"
else
    echo "<result>No suspicious 'Mokes.a' malware files found</result>"
fi
exit 0
Also, you can use this find command to search your system for the temporary files this malware leaves behind. They are named with a two-letter type prefix (ss, aa, kk or dd), one digit, a DDMMyy-HHmmss-nnn timestamp and a matching three-letter extension (sst, aat, kkt or ddt), so the search needs alternation groups rather than bracket expressions: `[ss|aa|kk|dd]` would match any single character from the set s, a, k, d and |, not the two-letter prefixes.

sudo find -Ex / -type f -regex '.*/(ss|aa|kk|dd)[0-9]-[0-9]{6}-[0-9]{6}-[0-9]{3}\.(sst|aat|kkt|ddt)$'

On macOS (BSD find) `-E` turns on extended regular expressions, which `{6}` and `(...|...)` require, and `-x` keeps the search on the boot volume instead of descending into mounted volumes. `-regex` matches the whole path, so the leading `.*/` anchors the pattern to the file name. On Linux the GNU equivalent is `find / -xdev -regextype posix-extended -type f -regex '...'`.
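Before running a pattern like that across a whole disk, it is worth checking it against known-good and known-bad file names. The script below is an added example, not part of the original post or of the referenced article: it builds a scratch tree of constructed sample names (some following the Mokes naming convention, some near misses), runs the temp-file pattern over it, and also runs the dropped-file check from the script above against a fake home directory so the detector can be exercised without a real infection. It uses `grep -E` instead of `find -E` so the same code runs on both BSD and GNU systems; the sample file names are made up for the test and the exact naming convention (two-letter prefix, digit, DDMMyy-HHmmss-nnn, matching extension) is assumed from the find command above.

```shell
#!/bin/bash
# Added example: exercise the Mokes.a indicators against constructed sample files.
# Not code from the original post; the sample names below are made up for the test.

# Temp-file naming pattern assumed from the find command in the post: a two-letter
# type prefix, one digit, DDMMyy-HHmmss-nnn, and an extension matching the prefix.
MOKES_TMP_RE='/(ss|aa|kk|dd)[0-9]-[0-9]{6}-[0-9]{6}-[0-9]{3}\.(sst|aat|kkt|ddt)$'

# Dropped components and persistence plist, relative to a user's Library folder
# (the same list the extension attribute above checks).
MOKES_DROP_PATHS=(
    "App Store/storeuserd"
    "com.apple.spotlight/SpotlightHelper"
    "Dock/com.apple.dock.cache"
    "Skype/SkypeHelper"
    "Dropbox/DropboxCache"
    "Google/Chrome/nacld"
    "Firefox/Profiles/profiled"
    "LaunchAgents/storeuserd.plist"
)

# Print every regular file below $1 whose full path matches the temp-file pattern.
# grep -E is used rather than find -E so this also works with GNU find.
find_mokes_tmp_files() {
    find "$1" -type f 2>/dev/null | grep -E "$MOKES_TMP_RE"
}

# Number of temp-file matches below $1 (what a report or extension attribute would show).
count_mokes_tmp_files() {
    find_mokes_tmp_files "$1" | grep -c .
}

# Print each dropped-component path that exists under home directory $1.
find_mokes_drop_files() {
    local home="$1" rel
    for rel in "${MOKES_DROP_PATHS[@]}"; do
        [ -f "${home}/Library/${rel}" ] && echo "${rel}"
    done
    return 0
}

# Build a scratch "home" with constructed sample names: four that follow the
# convention, three near misses that a sloppy pattern would accept, one plain file,
# and one dropped component in its expected location.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/Library/Caches" "$root/tmp" "$root/Library/App Store"
    : > "$root/Library/Caches/ss0-060916-143022-001.sst"   # screenshot-style name
    : > "$root/Library/Caches/aa1-060916-143022-002.aat"   # audio-style name
    : > "$root/tmp/kk0-060916-143022-003.kkt"              # keylog-style name
    : > "$root/tmp/dd0-060916-143022-004.ddt"              # document-style name
    : > "$root/tmp/s0-060916-143022-005.sst"               # prefix too short
    : > "$root/tmp/ss0-060916-143022-005.txt"              # wrong extension
    : > "$root/tmp/ss0-0609-143022-005.sst"                # date field too short
    : > "$root/tmp/report-2016-09-06.pdf"                  # ordinary file
    : > "$root/Library/App Store/storeuserd"               # dropped component
}

# Stand-alone run: build the tree, report both checks, clean up.
scratch="$(mktemp -d)"
make_sample_tree "$scratch"
echo "Temp files matching the Mokes pattern under $scratch:"
find_mokes_tmp_files "$scratch"
echo "Total: $(count_mokes_tmp_files "$scratch")"
echo "Dropped components present:"
find_mokes_drop_files "$scratch"
rm -rf "$scratch"
```

The three near-miss names are the useful part: with the bracket-expression form of the pattern, `s0-060916-143022-005.sst` would have matched, because `[ss|aa|kk|dd]` accepts a lone `s`. Point the two `find_*` functions at a real home directory (`/` for the temp-file sweep, with sudo) once the sample run reports exactly four temp-file matches and one dropped component.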