অাপনাকে স্বাগত এই অরুচিপুর্ণ ব্লগেে

Level: Intermediate If you know that malware or other unauthorized software is installed on a Mac but it’s not actively running, finding it can be challenging. By nature, malware usually hides in obscure locations, uses innocent-looking or misleading names, and may use other tricks to avoid detection. As before, the easiest way to find such programs is to run a commercial anti-malware utility. Such programs contain extensive databases of the characteristics of known malware programs — as well as heuristics that enable them to identify much as-yet-unknown malware — and can find them wherever they may lurk on your disk by scanning every file. If you can’t use anti-malware software for some reason, if you don’t trust its results, or if it fails to locate malicious software that you’re sure is there, you can use a few tricks to track it down. One popular hiding place for malware is the /var/tmp directory because it’s world-writable. The first thing to keep in mind is that a program can’t do any good (or any damage) when it’s simply sitting idle on your hard disk. Only when the software is actively running can it accomplish anything. Therefore, it stands to reason that the program’s designer would include some mechanism to make sure it runs — either at startup, on a recurring schedule, or in response to a frequent user action (such as launching a program you’re likely to use every day). Leopard and Snow Leopard can use any of the following main mechanisms to open programs automatically: 1. Launchd. A component of Mac OS X called Launch Services provides management for processes that must run on demand, at startup, or on a fixed schedule. A daemon called launchd runs in the background all the time and takes action based on specially formatted configuration files found in the LaunchAgents or LaunchDaemons folders located in /System, /Library, and ~/Library. You can look through all those folders manually, opening each file to see what program it runs — or save yourself some effort and download Peter Borg’s free, open-source utility, Lingon View this link , which gives you a convenient way to view and manage all the launchd items on your Mac. Most launchd items are perfectly legitimate, but if you find one you don’t recognize and discover that it points to a pro- gram you’ve never heard of, it’s worth investigating in more detail. Among the programs launchd can run are shell scripts, and although the launchd item and the shell script may both be entirely valid components of Mac OS X, a hacker or malware program may have added commands to an existing shell script that’s run automatically (such as /usr/sbin/periodic or any of the scripts it uses in the various /etc/periodic subdirectories) in order to hide their execution. If you want to make absolutely certain nothing’s hiding in any of these or many other scripts, the only reliable way is to compare them with the versions in a clean copy of (the same version of) Mac OS X. 2. Startup Items. In a standard installation of Leopard or Snow Leopard, the folder /System/Library/StartupItems is normally empty, and I’m unaware of any Apple software that uses it. However, at least one well-known Trojan horse uses this folder to store a startup item called iWorkServices, which often goes unnoticed because it looks like something that might belong there. The moral is: Be highly suspicious of anything in that folder. 3. Login Items. The final standard mechanism Leopard and Snow Leopard contain for running programs automatically is the list of Login Items found in the Accounts pane of System Preferences for each user. Anything in this list (which can include not only applications but also folders, files, or volumes) opens automatically when the user logs in; and if the Mac is configured to log in a user automatically on startup, that means these items run whenever the Mac is turned on or restarted. You can add items to this list manually, but most of its contents are placed there by installers or by applications with a preference check box something along the lines of Load at startup. To determine the location of any item in this list, hover over it with your pointer for a moment; the entire path shows up in a yellow tooltip. To remove an item, select it and then click the minus (–) button. Of course, a program need not be launched automatically; if the developer can count on users to launch it manually, that’s nearly as good. So, another way of hiding malware is to package it inside existing applications. Apart from scripts and command-line programs, all Mac OS X applications are distributed as special folders (called packages or bundles) that appear to be single files. To see what’s inside an application, Control+click its icon in the Finder and then choose Show Package Contents from the pop-up menu. In some situations, malicious code placed inside an existing application can be made to run when the user double-clicks the application to open it. Because you may not know what’s supposed to be inside any given application bundle, finding malicious software there may involve comparing applications’ contents to a known good copy on another computer — an admittedly tedious task. All Apple applications as well as any application you’ve added to Mac OS X’s application firewall and some (but not all) other third-party applications are code-signed, meaning Mac OS X can detect any changes and alert you accordingly. However, you (or another user on the Mac) may have dismissed such an alert without realizing what it meant, and an attacker could even have gone to the bother of altering an application and then adding it to the firewall to sign it, making it appear to be legitimate. Therefore, if you notice any suspicious behavior immediately after opening an application, the best way to be sure that it hasn’t been compromised is to install a fresh copy from scratch. If you also keep a copy of the previous version and compare the two, you should be able to tell what, if any, changes were made to its contents. Third party tools SubRosaSoft’s MacForensicsLab is the best-known full-featured forensics suite for Mac OS X. MacForensicsLab isn’t geared toward finding malware or security leaks. Rather, it’s designed to look for data on a hard disk that can be used as evidence that the computer was involved in some type of wrongdoing or to provide leads for law enforcement e.g. RAB or corporate officials investigating a crime or policy violation. MacForensicsLab takes the strict notion of forensics quite seriously. The program is designed from top to bottom to preserve data in the state in which it was found, to validate the integrity of that data (to prove it wasn’t tampered with after the fact), and to log every action an investigator takes so that any search or discovery can be re-created by a third party. The program can provide a detailed data trail of everything that happened with a disk to serve as evidence in legal proceedings. MacForensicsLab But it is not free of charge (around $1000), so forget it and try the following one: The Sleuth Kit A free, open-source option: the Sleuth Kit View this link , a set of command- line programs for performing various sorts of forensic analysis.