Roll-your-own Protection From A New Malware Called XSLCmd

XSLCmd is a nasty piece of OS X malware. With a simple trick, you can get an alert if it lands on your computer. This malware can open a reverse shell, list and transfer files, and install additional malware. Definitely not something you want. The problem with some malware, especially zero-day attacks, is that your anti-virus program might not detect it. With this trick you will at least know that something was installed on your Mac that shouldn't be there.

How To Set This Up

Enable Folder Actions

According to the research, this malware installs itself in the following two locations.

/Library/Logs
/Users/YOUR_USERNAME/Library/LaunchAgents

You may also want to add this folder (see the Installation Routine section to find out why):

/bin

  1. Right-click one of the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add – new item alert.scpt
  3. Click Attach
  4. Repeat the process for each folder

(Screenshot: ryo-xlscmd-protection)

If a new item gets added in any of these locations, you will get a pop-up alert. If that happens, disconnect from the Internet and try to get rid of the malware.
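The same baseline-and-compare idea can be run from the terminal or a scheduled launchd job, which is handy when you want a record of what appeared rather than only a pop-up. The script below is an added example and is not code from the original post: it records a listing of each watched folder (the three paths above, with the user's home folder taken from $HOME) and later reports any entry that was not there before. The script file name, the STATE_DIR location and the .baseline file naming are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a terminal-side counterpart to the
# Folder Action described above. It records a baseline listing of the watched folders
# and later reports any entry that was not there before. The state directory and the
# .baseline file naming are assumptions made for this example.
set -u

# Folders the post names as XSLCmd drop locations (plus /bin). Override by setting
# WATCH_DIRS in the environment, e.g. WATCH_DIRS="/Library/Logs /bin".
WATCH_DIRS="${WATCH_DIRS:-/Library/Logs ${HOME:-}/Library/LaunchAgents /bin}"

# Print a sorted listing of one directory, one entry per line; silent if it is missing.
snapshot_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    ls -1A "$dir" 2>/dev/null | sort
}

# Print entries that exist in DIR now but are absent from the baseline file
# (both lists are sorted, which comm requires).
new_items() {
    baseline="$1"
    dir="$2"
    snapshot_dir "$dir" | comm -13 "$baseline" -
}

# Derive the baseline file name for a directory path (slashes become underscores).
baseline_file() {
    printf '%s/%s.baseline\n' "$1" "$(printf '%s' "$2" | tr '/' '_')"
}

# Record a baseline for every watched folder under the state directory.
record_baseline() {
    state="$1"
    mkdir -p "$state"
    for d in $WATCH_DIRS; do
        snapshot_dir "$d" > "$(baseline_file "$state" "$d")"
    done
}

# Compare every watched folder against its baseline. Prints one line per new entry
# and returns 1 if anything new was found, so a scheduled job can act on the status.
check_all() {
    state="$1"
    found=0
    for d in $WATCH_DIRS; do
        b=$(baseline_file "$state" "$d")
        [ -f "$b" ] || continue
        out=$(new_items "$b" "$d")
        [ -n "$out" ] || continue
        found=1
        printf '%s\n' "$out" | while IFS= read -r name; do
            printf 'NEW ITEM in %s: %s\n' "$d" "$name"
        done
    done
    return $found
}

# Usage: save as xslcmd_watch.sh, run "sh xslcmd_watch.sh baseline" once on a clean
# system, then "sh xslcmd_watch.sh check" periodically (for example from launchd).
STATE_DIR="${STATE_DIR:-${HOME:-/tmp}/.folder-baselines}"
case "${1:-}" in
    baseline) record_baseline "$STATE_DIR" ;;
    check)    check_all "$STATE_DIR" ;;
esac
```

Take the baseline only on a machine you believe is clean; anything already dropped in those folders at that point would be silently accepted. Because the check compares names rather than contents, it catches the new LaunchAgent plist and log-folder files the post describes but not a modification to an existing file.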

(Screenshot: xlscmd-added-to-logs)
