

[OS X] MSA-Log Beta


7 replies to this topic

#1 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 10 January 2015 - 10:28 PM

MSA-Log Beta
Detect malicious items on OS X based computers.
 
Download v0.4: https://msa.ian.sh/MSA.zip
 
MSA-Log ("MSA" herein) is a powerful tool for detecting malware on OS X based computers. It was written by me as a suitable read-only alternative to OTL. It is written in the Bash scripting language. The goal is to make removal of OS X viruses easier and simpler as they become more prevalent. 
 
MSA will have support for FIX lines, and can already remove adware (however it cannot escalate in v0.4). Please note that this tool is preliminary and is in beta. It can be easily terminated or circumvented by malware. Better methods to evade common tactics will be implemented in the future.
 
A full tutorial will be released with v0.5.

 
Thanks!  :thumbup2:

Edited by iangcarroll, 02 May 2015 - 02:17 PM.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 12 January 2015 - 02:58 PM

Thanks for posting about the tool.

How about listing running processes? I know that you list daemons, but it may also be useful to see a snapshot of the current processes. Maybe include a whitelist to filter out standard ones.

Then provide a command line arg that will allow people to turn off whitelisting.

#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • Gender:Male

Posted 12 January 2015 - 03:08 PM

Damn Ian, was about time for you to post here. Finally a reporting tool under OS X.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 iangcarroll

iangcarroll
  • Topic Starter

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 12 January 2015 - 04:14 PM

Thanks for posting about the tool. How about listing running processes? I know that you list daemons, but it may also be useful to see a snapshot of the current processes. Maybe include a whitelist to filter out standard ones. Then provide a command line arg that will allow people to turn off whitelisting.


Yeah, I'm not sure why I didn't include that.

In 0.3 the following will be added:
  • Recently created directories in various places, mainly the Library.
  • File hash flags
  • Process enumeration (hence above)

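Grinler's suggestion in #2 (a process snapshot filtered by a whitelist, with a command line switch to turn the whitelist off), which the post above says is going into 0.3 as "process enumeration", is sketched here as an added example. It is not MSA's code: the whitelist entries and the process snapshot are constructed, and the `ps -axo pid=,comm=` invocation mentioned in the comments is my assumption about how the live snapshot would be taken on OS X.

```shell
#!/bin/sh
# Added example, not MSA's own code: a process snapshot filtered by a path
# whitelist, with a switch to turn the whitelist off, as suggested in #2.

# Full executable paths treated as standard on OS X. Illustrative entries only;
# a real list would be much longer.
MSA_PROCESS_WHITELIST='/sbin/launchd
/usr/libexec/UserEventAgent
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'

# is_whitelisted PATH: exit 0 when PATH matches a whitelist line exactly.
# Exact, full-path matching keeps a look-alike binary elsewhere from hiding.
is_whitelisted() {
  printf '%s\n' "$MSA_PROCESS_WHITELIST" | grep -Fxq -e "$1"
}

# filter_processes [--no-whitelist]
#   Reads "pid path" lines on stdin and prints one path per line, dropping
#   whitelisted ones unless --no-whitelist is given. PIDs and arguments are
#   left out of the log, as MSA v0.4 does.
filter_processes() {
  use_whitelist=1
  [ "${1:-}" = "--no-whitelist" ] && use_whitelist=0
  while read -r pid path; do
    [ -n "$path" ] || continue
    if [ "$use_whitelist" -eq 1 ] && is_whitelisted "$path"; then
      continue
    fi
    printf '%s\n' "$path"
  done
}

# sample_snapshot: constructed stand-in for the live snapshot, which on OS X
# would be taken with (assumed ps columns):  ps -axo pid=,comm= | filter_processes
# The Conduit path is a made-up example of a non-standard process.
sample_snapshot() {
  cat <<'EOF'
1 /sbin/launchd
45 /usr/libexec/UserEventAgent
301 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
777 /Users/demo/Library/Application Support/Conduit/ConduitAgent
812 /Applications/Safari.app/Contents/MacOS/Safari
EOF
}
```

Running `sample_snapshot | filter_processes` prints only the Conduit helper and Safari; `sample_snapshot | filter_processes --no-whitelist` prints all five paths. The whitelist is matched on the full path rather than the basename on purpose, so a binary that merely borrows a system process name is still shown.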


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • Gender:Male
  • Location:USA

Posted 12 January 2015 - 05:05 PM

Thanks..I am sure I will be suggesting more things as I use the tool.

 

Do you plan on any detections for certain infections or adware?  Or is this just a basic enumeration tool that helpers need to interpret?



#6 iangcarroll

iangcarroll
  • Topic Starter

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 12 January 2015 - 05:27 PM

Thanks..I am sure I will be suggesting more things as I use the tool.

 

Do you plan on any detections for certain infections or adware?  Or is this just a basic enumeration tool that helpers need to interpret?

 

I'll have sections to help with detection of Flashback and others as time goes along, along with basic out-of-date checks. Not sure about adware.




#7 iangcarroll

iangcarroll
  • Topic Starter

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 20 January 2015 - 08:18 PM

v0.3 is out, with a lot of things:




#8 iangcarroll

iangcarroll
  • Topic Starter

  • Members
  • 658 posts
  • Gender:Male
  • Location:Birmingham, MI

Posted 05 February 2015 - 07:53 PM

v0.4 has been released, including the following:

  • Per-line timestamps have been removed. They've been replaced with a FIX: indicator (in spots that can be fixed). 
  • Adware removal code is now there, along with a small ruleset for Conduit, MacKeeper and a few others. Need more rules + browser extension support. If a file cannot be removed (MSA cannot elevate past the current user yet), it will be shown as a [detection], otherwise shown as a [removal].
  • Code for FIX lines is almost complete.
  • Launch Daemons/Agents now are simply the bundle ID, making for an easier log.
  • Made the log a bit friendlier.
  • Notification Center alerts now show for progress on the scan (progress bar isn't currently possible)
  • Fix file (formerly options, but it'll include fix lines soon) now is more "modular", allowing you to init:msa and init:adware for starting the log and enabling adware removal, respectively.
  • Detections for Flashback, WireLurker and the disabling of kernel extension signing have been added (and cannot be enabled/disabled)
  • Code signing detection has been fixed.
  • Processes no longer show the arguments nor the PID or anything else, but do show the full path (with the exception of the core processes)
  • Hash detections for processes have been implemented, but aren't fully working and have thus been disabled.
  • Recent files now pulls from /System/Library, which already makes a long log (and can be disabled with newfiles:false)
  • Chrome extension handling now looks a lot better; firefox soon to come

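Two items in the v0.4 notes above are worth seeing as code: an adware rule whose hit is logged as [removal] when the item could be deleted as the current user and as [detection] otherwise (MSA cannot elevate yet), and the check for kernel extension signing having been disabled. What follows is an added example, not MSA's own code. The rule paths, the exact log wording and the FIX: text are my assumptions; the kext check reads the boot-args value as a string (on OS X 10.10 the `kext-dev-mode=1` boot argument turns off kext signature enforcement), so it can be exercised without a Mac.

```shell
#!/bin/sh
# Added example, not MSA's own code. Produces v0.4-style log lines for an
# adware rule hit ([removal] vs [detection]) and for the kernel-extension
# signing check. Rule paths, log wording and the FIX: text are assumptions.

# check_adware_path NAME PATH REMOVE
#   REMOVE=1 is what "init:adware" in the fix file is assumed to enable; 0 is
#   report-only. Prints one log line and returns 0 when PATH exists, returns 1
#   silently when it does not. Removal runs as the current user only (MSA v0.4
#   cannot elevate), so anything the user cannot delete stays a [detection].
check_adware_path() {
  name=$1
  path=$2
  remove=${3:-0}
  [ -e "$path" ] || return 1
  if [ "$remove" -eq 1 ]; then
    rm -rf -- "$path" 2>/dev/null || true
    if [ ! -e "$path" ]; then
      printf '[removal] %s: %s\n' "$name" "$path"
      return 0
    fi
    printf '[detection] %s: %s FIX: needs elevation\n' "$name" "$path"
    return 0
  fi
  printf '[detection] %s: %s FIX: init:adware\n' "$name" "$path"
  return 0
}

# run_adware_rules REMOVE
#   Reads a ruleset of "name|path" lines on stdin and logs every rule whose
#   path exists. MSA's real ruleset for Conduit, MacKeeper and the others is
#   not reproduced here; callers supply their own lines.
run_adware_rules() {
  remove=${1:-0}
  while IFS='|' read -r name path; do
    [ -n "$path" ] || continue
    check_adware_path "$name" "$path" "$remove" || true
  done
}

# kext_signing_disabled BOOTARGS
#   BOOTARGS is the value of the boot-args firmware variable; on OS X 10.10 it
#   would be read with   nvram boot-args 2>/dev/null | cut -f2-
#   (nvram prints "boot-args<TAB><value>"). The token kext-dev-mode=1 turns off
#   kernel extension signature enforcement on Yosemite, so its presence is
#   logged as a detection and the function returns 0; otherwise it returns 1.
kext_signing_disabled() {
  for tok in $1; do   # unquoted on purpose: boot-args is a space-separated list
    if [ "$tok" = "kext-dev-mode=1" ]; then
      printf '[detection] Kernel extension signing disabled (boot-args: %s)\n' "$1"
      return 0
    fi
  done
  return 1
}
```

On a Mac the two calls would look like `run_adware_rules 1 < rules.txt` and `kext_signing_disabled "$(nvram boot-args 2>/dev/null | cut -f2-)"`; when boot-args is unset the value is empty and the check simply returns 1. The token comparison is exact, so `kext-dev-mode=0` or a substring elsewhere in boot-args does not trigger it, and the removal branch re-checks existence after `rm` rather than trusting its exit status, which is what turns a permission failure into a [detection] line.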




