Knock Knock, who’s there?

28. October 2014 Security 4

I saw an interesting video today which talks about the kinds of OS X malware and the ways they can persist. Now when it comes to ways that OS X malware can keep itself alive even after a reboot there is nothing new in this video, however the tool that was created by the author Patrick Wardle is pretty cool. Basically it checks all the locations and ways malware is known to be persistent. The known LaunchDeamons and LaunchAgents, browser plugins/extensions and Login Items are all checked but it goes a little deeper than that. Code is also checked, like plist files’ use of “RunAtLoad” or “KeepAlive” which could indicate persistent malware.

The tool is currently in Beta and command line only but worth checking out if you want to learn more about what goes on under the OS X hood. Or maybe you suspect a malware infection and your antivirus product is coming up dry. If you know me you know my opinion of OS X’s built-in anti malware tools X-Protect and Gatekeeper; They are fairly useless. Antivirus applications perform much better and have a much better chance at offering you protection but again, these products are (just like X-Protect) reactive. Based on signatures, hashes, location data and file names they almost always offer protection after the fact. True heuristics is very hard to find in OS X products which is sad because that may offer the best possible protection as it is proactive, not reactive. The Knock Knock tool can be easily extended with new plugins. If a new way of persistence is discovered, a simple python plugin can be written and added to the Knock Knock functionality.

I ran the tool on my Mac and found nothing that shouldn’t be there. When I ran the tool on an infected Mac however, it was able to point out a huge amount of malware. VSearch, Genieo, iWorm, CoinThief, CodecM, Revir, a ton of browser plugins, a keylogger and much more were found to be persistent in one way or another. Over 50 total. Now of course this tool is not an antivirus application. It doesn’t monitor your Mac constantly and it doesn’t tell you “this file belongs to this malware” but I like the functionality it offers. You’ll need to know a bit about OS X, which file belongs and which doesn’t. What is a possible threat and needs further investigating and what is harmless. However for those that want to learn more about their Mac’s internals, think they are infected with malware or research malware, this is a nice tool to add to the collection. If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.

The video can be found here.
The slides for the video can be found here.
Knock Knock can be downloaded here.

4 thoughts on “Knock Knock, who’s there?”

  • 1
    Michael A on November 1, 2014 Reply

    As a long time user of Mac, windows and installed and viewed a number of Linux distros I never got into command line other than pre win3 and very basic so just wondering if you can direct me to some basic instructions as in what to do to install Knock Knock and or what to type in the terminal window.

    • 2
      Jay on November 1, 2014 Reply

      I received several requests for this and will try to get something online within the next few days.

      • 3
        Howard on November 9, 2014 Reply

        I second the request. Thank you.

  • 4
    Jay on April 24, 2015 Reply

    I never got around to that Knock Knock follow up but now it has a user interface that makes it a lot easier to use. Check it out here:

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.