| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
#TRUSTED 086b5e17abe211dd80d6a36eac838116782b44bef0b86413e36326c6795a07de9f61d8cdde2c852d9c6b42887a5ba8c0eb696ddcdb22524bf47c0c4a9271e504dcb865db9ecf84330d6361d072513ff0d1583b6d102b5a411afe5e6852168b8a3e39e2fd538c0da91a0a653fdca7e97f137c9fd249f0285a0f0507acf500f0bfe860bc4c8369342b8f233ac4f673f8a2df7d9ef85efd073f3264bf01908176be1f7074291c8c61590fcb9678f4a125a3676b47a0c8a0356e6e3debf7d3802b9bd4e59b3bdc2cb237ce55defdeb254885dfd87d4de8efd997257bd7f5025a5bcf9f903e576f8c7ff456edf15e949eba1c822d77a39389ed5800d6408bed7c70ac5cf4f8128974e2c3f043eba1189137e246b454ed5f165cecbca766db02b09484cb60fee683cc246abe89604a7bdc957c9d83cd02a42b59c92af8ec5ab66509c5f33346482ef6b54ba6be4b1a0ab42a6d3945dbe98680d83fa75b3f72318e3037f106de41e1825601165659db4fd6230ce893a36ee4b43fd52a802ed0300fda38f398a787c25f2455ebde719837e9a571aa749b33abc9b3431f6d1961e5a0e1280e37c01121d7632f69028b40672aa69bb7f0fa2344b18ab19a4b778c9219b459e5eea91a6f98b65a798efdb2843ae81c11624542d77d8ec643c4c49e842b956434a195a71ba73e8bfd5303ffd77bedca0027fc21f83c1b8b67bac3424897aec0
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#
# Leave quietly when the engine does not expose bn_random().
# NOTE(review): presumably a capability probe for engine builds that cannot
# run credentialed (SSH) checks - confirm against the engine documentation.
if (!defined_func("bn_random")) exit(0);

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits; the detection logic further down is not executed.
if (description)
{
  # Identity and versioning.
  script_id(58619);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");

  script_name(english:"Mac OS X OSX/Flashback Trojan Detection");
  script_summary(english:"Checks for evidence of Flashback");

  # Text shown to the analyst. The description literal spans several physical
  # lines, so its continuation lines must stay unindented to keep the string
  # byte-for-byte unchanged.
  script_set_attribute(attribute:"synopsis", value:"The remote Mac OS X host appears to have been compromised.");
  script_set_attribute(attribute:"description", value:
"Using the supplied credentials, Nessus has found evidence that the
remote Mac OS X host has been compromised by a trojan in the
OSX/Flashback family of trojans.
The software is typically installed by means of a malicious Java
applet or Flash Player installer. Depending on the variant, the
trojan may disable antivirus, inject a binary into every application
launched by the user, or modifies the contents of certain web pages
based on configuration information retrieved from a remote server.");

  # References. Each shortened link is preceded by the address it stands for.
  # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_a.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c4179f48");
  # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_b.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4e3d8537");
  # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e7646983");
  # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?93236f0a");
  # http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3d57fa4e");
  # http://www.intego.com/mac-security-blog/new-flashback-variant-continues-java-attack-installs-without-password/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f51a6ed");

  # Remediation: a host with these artifacts is treated as compromised, so the
  # advice is a restore from known-good backups rather than removing files.
  script_set_attribute(attribute:"solution", value:"Restore the system from a known set of good backups.");

  # Severity: CVSS v2 vector, assigned manually as cvss_score_source states.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Tenable research analyzed the issue and assigned a score for it.");

  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/06");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  # Scheduling: an information-gathering local check that depends on
  # ssh_get_info.nasl and on the two KB keys listed below.
  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2012-2026 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  exit(0);
}
include('ssh_func.inc');
include('macosx_func.inc');
include('debug.inc');
include('command_builder.inc');
enable_ssh_wrappers();

# Preconditions: credentialed checks must be enabled and the KB must hold a
# Mac OS X version for the target; otherwise there is nothing to inspect.
if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
var os = get_kb_item("Host/MacOSX/Version");
if (!os) exit(0, "The host does not appear to be running Mac OS X.");

# Shared working variables; `report` accumulates every finding as text.
var report, app, cmd, res, libs, homes, user, home, cmd1, cmd2, cmd3;
report = "";

# Indicator 1: a DYLD_INSERT_LIBRARIES entry in the LSEnvironment dictionary of
# a browser's Info.plist, which makes the named library load with the browser.
foreach app (make_list("Safari", "Firefox"))
{
  cmd = strcat("defaults read /Applications/", app, ".app/Contents/Info LSEnvironment");
  res = exec_cmd(cmd:cmd);

  # Nothing to record when the command returned no output or the output does
  # not mention the variable.
  if (!strlen(res) || "DYLD_INSERT_LIBRARIES" >!< res) continue;

  # Keep only the matching lines and pad continuation lines for the report.
  libs = egrep(pattern:"DYLD_INSERT_LIBRARIES", string:res);
  libs = str_replace(find:'\n', replace:'\n ', string:libs);

  report += '\n Command : ' + cmd;
  report += '\n DYLD_INSERT_LIBRARIES : ' + libs;
}
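# Indicator 2: per-user artifacts. For every account's home directory look for
#   - DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment,
#   - a com.java.update.plist entry in ~/Library/LaunchAgents,
#   - a .jupdate file at the top of the home directory.
homes = get_users_homes();
dbg::detailed_log(lvl:1, msg:'get_users_homes',
  msg_details:{
    'users home path':{'lvl':1, 'value':homes}
  }
);
if (isnull(homes)) exit(1, "Failed to get list of users' home directories.");

foreach user (sort(keys(homes)))
{
  home = homes[user];

  # The path is interpolated into shell command lines below, so it is checked
  # against the injection denylist before any command is built.
  # NOTE(review): the path is placed inside double quotes, where the shell
  # still expands `$`, backticks and backslashes - confirm the denylist
  # rejects those as well as the quote character itself.
  # NOTE(review): exit() here ends the whole plugin, so findings already
  # collected in `report` are never raised and the remaining accounts are not
  # examined. A single unusual home directory therefore suppresses detection
  # for the host; confirm this is intended rather than skipping the account.
  if (!command_builder::validate_no_injection_denylist(home))
  {
    dbg::detailed_log(lvl:1, msg:'Exiting due to injection attempt in users home dir',
      msg_details:{
        'home dir':{'lvl':1, 'value':home}
      }
    );
    exit(1, 'Unexpected characters in current user home directory: ' + obj_rep(home));
  }

  # Placeholder homes are skipped.
  if (home == "/var/empty" || home == "/dev/null") continue;

  cmd1 = strcat('defaults read "', home, '"/.MacOSX/environment DYLD_INSERT_LIBRARIES');
  cmd2 = strcat('ls "', home, '"/Library/LaunchAgents');
  cmd3 = strcat('ls -a1 "', home, '"/');

  # exec_cmds() output is indexed below by the command string that produced it.
  res = exec_cmds(cmds:make_list(cmd1, cmd2, cmd3));
  if (!isnull(res))
  {
    # The "does not exist" test drops the error text `defaults` prints for a
    # missing key, which itself contains the variable name.
    if (
      strlen(res[cmd1]) &&
      "DYLD_INSERT_LIBRARIES" >< res[cmd1] &&
      "DYLD_INSERT_LIBRARIES) does not exist" >!< res[cmd1]
    )
    {
      # Fix: filter the output of cmd1. The original passed the whole `res`
      # result set to egrep() instead of the string for this command.
      libs = egrep(pattern:"DYLD_INSERT_LIBRARIES", string:res[cmd1]);
      libs = str_replace(find:'\n', replace:'\n ', string:libs);

      # Fix: report cmd1. The original printed `cmd`, which still held the
      # last browser command from the application loop, so the evidence
      # pointed the analyst at the wrong file.
      report += '\n User : ' + user +
                '\n Command : ' + cmd1 +
                '\n DYLD_INSERT_LIBRARIES : ' + libs;
    }

    if (strlen(res[cmd2]) && "com.java.update.plist" >< res[cmd2])
    {
      report += '\n User : ' + user +
                '\n File : ' + home + '/Library/LaunchAgents/com.java.update.plist';
    }

    # NOTE(review): res[cmd3] is a multi-line directory listing. Confirm that
    # `=~` applies ^ and $ to each line; if the anchors bind to the whole
    # string this indicator cannot fire and a line-based egrep() is needed.
    if (strlen(res[cmd3]) && res[cmd3] =~ "^\.jupdate$")
    {
      report += '\n User : ' + user +
                '\n File : ' + home + '/.jupdate';
    }
  }
}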
# Final verdict. An empty report means none of the indicators was found, so
# the plugin exits with an audit message and raises nothing.
if (!report) exit(0, "No evidence of OSX/Flashback was found.");

# Otherwise raise a finding on port 0; the collected evidence is attached only
# when report_verbosity is greater than 0.
if (report_verbosity > 0)
  security_hole(port:0, extra:report);
else
  security_hole(0);

exit(0);