Open source Knock Knock tool reveals OS X malware

  • 31 October 2014

Author: Zeljka Zorz, HNS Managing Editor
Posted on 31.10.2014

At this year's Virus Bulletin conference, held last month in Seattle, security researcher Patrick Wardle spoke about methods of malware persistence on Mac OS X.

The video of his very interesting presentation can be viewed here, and his paper has also been made available.

In the last few minutes of his talk, he presented a tool he wrote himself, which shows users all the persistent items (scripts, commands, binaries, etc.) that are set to execute automatically on their OS X machine.

It's called KnockKnock, and it's open source.

"Knock Knock is a command-line Python script that displays persistent OS X binaries that are set to execute automatically at each boot. Since Knock Knock takes an unbiased approach, it can generically detect persistent OS X malware, both today and in the future," he noted on the project's GitHub page.

"It should be noted, though, that this approach will also list legitimate binaries. However, as Knock Knock, by default, will filter out unmodified Apple-signed binaries, the output is greatly reduced, leaving a handful of binaries that can quickly be examined and manually verified."
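To make the approach described above concrete, here is a small added example (my own code, not KnockKnock's and not from the article) that does the two things the quote describes: enumerate launchd items that will start automatically, then drop the ones that pass a trust check so only a handful are left for manual review. The plists below are constructed sample input, the labels and paths are hypothetical, and the allowlist-based `trusted_by_allowlist` is a stand-in for the code-signature check a real tool would perform.

```python
"""Toy launchd persistence enumerator (added example, not KnockKnock's code).

Mirrors the idea in the post: list what launchd starts automatically, then
filter out trusted (in the real tool: unmodified Apple-signed) binaries so
that only a few candidates remain for manual inspection.
"""
import plistlib
from typing import Callable, Dict, List, Tuple
from xml.parsers.expat import ExpatError

# Constructed sample input: property lists as found under ~/Library/LaunchAgents,
# /Library/LaunchAgents or /Library/LaunchDaemons. All labels/paths are made up.
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/usr/libexec/example-daemon</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.agent.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/local.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>local.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/Updater/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    # Edge case: unreadable file. It must be reported, never silently skipped,
    # because a broken plist is exactly the kind of thing a reviewer wants to see.
    "/Users/alice/Library/LaunchAgents/broken.plist": b"this is not a plist at all",
}

# launchd keys that cause a job to run without the user explicitly starting it.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")

# Hypothetical stand-in for "unmodified Apple-signed binary".
APPLE_PLATFORM_BINARIES = frozenset({"/usr/libexec/example-daemon"})


def parse_launchd_plist(path: str, data: bytes) -> dict:
    """Extract the persistent program, its arguments and its start triggers."""
    d = plistlib.loads(data)
    if not isinstance(d, dict):
        raise ValueError("top-level plist object is not a dict")
    args = list(d.get("ProgramArguments") or [])
    program = d.get("Program") or (args[0] if args else None)
    if not program:
        raise ValueError("no Program or ProgramArguments")
    triggers = [k for k in TRIGGER_KEYS if d.get(k)]
    return {"plist": path, "label": d.get("Label", "<no label>"),
            "program": program, "args": args, "triggers": triggers}


def enumerate_persistent(plists: Dict[str, bytes]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (parsed items, parse errors) for every plist handed in."""
    items, errors = [], []
    for path, data in sorted(plists.items()):
        try:
            items.append(parse_launchd_plist(path, data))
        except (ValueError, ExpatError) as exc:  # InvalidFileException is a ValueError
            errors.append((path, str(exc)))
    return items, errors


def trusted_by_allowlist(program: str) -> bool:
    """Stand-in trust check; a real tool verifies the binary's code signature."""
    return program in APPLE_PLATFORM_BINARIES


def filter_trusted(items: List[dict],
                   is_trusted: Callable[[str], bool] = trusted_by_allowlist) -> List[dict]:
    """Keep only items whose program does not pass the trust check."""
    return [it for it in items if not is_trusted(it["program"])]


def report(plists: Dict[str, bytes]) -> List[dict]:
    items, errors = enumerate_persistent(plists)
    remaining = filter_trusted(items)
    for it in remaining:
        print(f"{it['label']:<20} {it['program']}  triggers={it['triggers']}  ({it['plist']})")
    for path, err in errors:
        print(f"COULD NOT PARSE {path}: {err}")
    return remaining


if __name__ == "__main__":
    report(SAMPLE_PLISTS)
```

On a real machine you would read the LaunchAgents and LaunchDaemons directories instead of `SAMPLE_PLISTS` and swap `trusted_by_allowlist` for a signature check (on macOS, `codesign --verify` against the binary is the usual starting point); the rest of the flow stays the same: the Apple daemon disappears from the output, the two remaining entries and the unparseable file are what a person needs to look at.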
