#!/bin/sh
#
# RemoveFlashback.sh
# -- Flashback virus removal tool --
# by Yoshioka Tsuneo
# Ref:
# F-Secure Weblog - Mac Flashback Infections
# http://www.f-secure.com/weblog/archives/00002345.html
#
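# Suffix for the backup copies that are made before a plist is modified.
timestamp=$(date '+%Y%m%d-%H%M%S')

# Exit status of the script: 0 = no indicator found, 1 = indicator found.
infected=0

# Scratch location for the dumped LSEnvironment dictionary.
# A fixed "/tmp/<name>.<pid>" path is guessable, so another local account
# could create it first (for example as a symlink) and this script would then
# write through it. mktemp -d creates a new directory that only the invoking
# user can access; the EXIT trap removes it on every exit path.
tmp_root="${TMPDIR:-/tmp}"
tmpdir=$(mktemp -d "${tmp_root%/}/RemoveFlashback.XXXXXX") || {
  echo "RemoveFlashback: could not create a private temporary directory" >&2
  exit 2
}
trap 'rm -rf -- "${tmpdir:?}"' EXIT
tmpfilename_base="${tmpdir}/LSEnvironment"

# Plist paths are kept without the ".plist" suffix, the form "defaults" takes.
safari_plist_base="/Applications/Safari.app/Contents/Info"
# safari_plist_base="`pwd`/test-Info"
macosx_environment_plist="${HOME}/.MacOSX/environment"
# macosx_environment_plist="${HOME}/work/RemoveFlashback/test-environment"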
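#######################################
# Report files named by "__ldpath__" markers inside injected libraries.
# Each library listed in a DYLD_INSERT_LIBRARIES value is scanned as raw
# bytes for the marker followed by printable ASCII; every marked path that
# exists as a regular file is printed for manual review. Nothing is deleted.
# Globals:   infected (written, set to 1)
# Arguments: $1 - plist base path the value came from (not used here)
#            $2 - DYLD_INSERT_LIBRARIES value; dyld treats it as a
#                 colon-separated list, so every entry is scanned
# Outputs:   one "Possible infected file" line per existing marked path
#######################################
check_libraries()
{
  local plist_base="$1"
  local libraries="$2"
  local remaining library line ldpath

  # Being called at all means a DYLD_INSERT_LIBRARIES entry was found.
  infected=1

  remaining="${libraries}"
  while [ -n "${remaining}" ]; do
    # Peel off the next colon-separated entry.
    library="${remaining%%:*}"
    case "${remaining}" in
      *:*) remaining="${remaining#*:}" ;;
      *)   remaining="" ;;
    esac
    [ -n "${library}" ] || continue

    # LC_ALL=C keeps the "[ -~]" range byte-wise (space through tilde);
    # "--" stops a path that starts with "-" from being read as an option.
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' -- "${library}" |
      while IFS= read -r line; do
        # IFS= and -r keep backslashes and surrounding blanks in the path.
        ldpath="${line#__ldpath__}"
        if [ -f "${ldpath}" ]; then
          # printf rather than echo: the path is data and must not be
          # subject to echo's backslash handling.
          printf 'Possible infected file: %s . If this is malware, please remove manually.\n' "${ldpath}"
          # rm -i "${ldpath}"
        fi
      done
  done
}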
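#######################################
# Look for an LSEnvironment dictionary in Safari's Info.plist and remove it.
# The dictionary is dumped to a scratch plist so its DYLD_INSERT_LIBRARIES
# key can be read; if that key exists the listed libraries are handed to
# check_libraries. The plist is backed up before the key is deleted.
# Globals:   tmpfilename_base (read) - scratch path prefix; it should point
#              inside a directory only the invoking user can write to
#            timestamp (read)        - suffix of the backup copy
# Arguments: $1 - plist path without the ".plist" suffix
# Returns:   0 when nothing was found or the removal ran, 1 when the backup
#            copy could not be made (the plist is then left untouched)
# NOTE(review): LSEnvironment is deleted even when it holds no
# DYLD_INSERT_LIBRARIES key, and "infected" is not set in that case -
# confirm this is the intended behaviour.
#######################################
check_safari_plist(){
  local plist_base=$1
  local scratch_plist="${tmpfilename_base}.plist"
  local libraries

  [ -e "${plist_base}.plist" ] || return 0

  # A failing read is taken to mean there is no LSEnvironment key.
  # (The original condition ended in a stray "]", which was passed to
  # "defaults" as an extra argument.)
  if ! defaults read "${plist_base}" LSEnvironment > "${scratch_plist}" 2>/dev/null; then
    return 0
  fi

  if libraries=$(defaults read "${tmpfilename_base}" "DYLD_INSERT_LIBRARIES" 2>/dev/null); then
    check_libraries "${plist_base}" "${libraries}"
  fi

  echo "Found LSEnvironment in ${plist_base}.plist. Removing..."
  # Never modify the plist unless the backup copy exists.
  if ! sudo cp -p "${plist_base}.plist" "${plist_base}.plist.${timestamp}"; then
    echo "Could not back up ${plist_base}.plist; leaving it unchanged." >&2
    return 1
  fi
  sudo defaults delete "${plist_base}" LSEnvironment
  sudo chmod 644 "${plist_base}.plist"
}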
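#######################################
# Look for DYLD_INSERT_LIBRARIES in the per-user environment plist and
# remove it. The listed libraries are handed to check_libraries first, and
# the plist is backed up before the key is deleted.
# Globals:   timestamp (read) - suffix of the backup copy
# Arguments: $1 - plist path without the ".plist" suffix
# Returns:   0 when nothing was found or the removal ran, 1 when the backup
#            copy could not be made (the plist is then left untouched)
#######################################
check_macosx_environment_plist()
{
  local plist_base=$1
  local libraries

  [ -e "${plist_base}.plist" ] || return 0

  # A failing read is taken to mean the key is absent.
  libraries=$(defaults read "${plist_base}" "DYLD_INSERT_LIBRARIES" 2>/dev/null) || return 0

  check_libraries "${plist_base}" "${libraries}"
  echo "Found DYLD_INSERT_LIBRARIES in ${plist_base}.plist. Removing..."
  # Never modify the plist unless the backup copy exists.
  if ! cp -p "${plist_base}.plist" "${plist_base}.plist.${timestamp}"; then
    echo "Could not back up ${plist_base}.plist; leaving it unchanged." >&2
    return 1
  fi
  defaults delete "${plist_base}" DYLD_INSERT_LIBRARIES
}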
# Check both plist locations where a DYLD_INSERT_LIBRARIES entry may persist.
check_safari_plist "${safari_plist_base}"
check_macosx_environment_plist "${macosx_environment_plist}"

# Remove the scratch copy of LSEnvironment if one was written.
scratch_plist="${tmpfilename_base}.plist"
[ ! -f "${scratch_plist}" ] || rm "${scratch_plist}"

# The variable can also be set in the launchctl environment itself.
launchctl_value=$(launchctl getenv DYLD_INSERT_LIBRARIES)
if [ -n "${launchctl_value}" ]; then
  infected=1
  echo "Found DYLD_INSERT_LIBRARIES in launchctl environment. Removing..."
  launchctl unsetenv DYLD_INSERT_LIBRARIES
fi

# Only report a clean result when none of the checks raised the flag.
if [ "${infected}" -eq 0 ]; then
  echo "No Flashback virus found. This Mac looks clean."
fi

# Exit status mirrors the flag: 0 = nothing found, 1 = indicator found.
exit "${infected}"