Roll-you-own Ventir Trojan Detector for OS X

Roll-you-own Ventir Trojan Detector for OS X

Get Alerted If Your Computer Gets Infected With The Ventir Trojan

With this trick, you can get alerted if your system gets infected and then take steps to manually neutralize it.  The Ventir Trojan is a keylogger, which means all of your keystrokes are recorded.

How To Set This Up

According to the Securelist, this malware gets installed to the following directories:

/Users/<your username>/Library/.local
/Users/<your username>/LaunchAgents

Since the .local  folders do not exist by default on a clean system, this is the most obvious indicator of an infected machine.  So simply watching if those folders get created will provide basic detection.

Enable Folder Actions (Free Option)

1. Right-click one the the folders listed above

2. Choose Services > Folder Actions Setup…

3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add – new item alert.scpt
  3. Click Attach
  4. Repeat the process for each folder

If a new item gets added at any of these locations, you will get a pop-up alert.  If it does happen, disconnect from the Internet and try to get rid of the malware.


High CPU-usage On Yosemite

Some users have reported high CPU-usage when they upgraded to Yosemite.  There is a much more complex setup you can do using launchd, but if you can get that CPU usage down somehow, using the built-in Folder Actions will be the easiest to work with.

Hidden Files Are Roadblocks

There is another caveat in detecting this particular malware.  Since the folders are named .local , they are hidden from the Finder (anything with a period in front of it is considered hidden in the UNIX world), so in order to see them, you will need to ShowAllFiles.  The built-in Folder Actions script that Apple provides does not account for this.  But this will at least offer you some basic knowledge if you happen to get infected.

Overcoming The Hidden File Caveat

If you are interested in seeing the files and looking for a little more advanced setup, you can use the Applescript that I created.  It works just like the Apple-provided one (mine is forked from it), except it:

  • will list the items that are detected
  • will give the option to show (and hide) all files
  • have a custom “roll-your-ownicon to distinguish it from other dialogs

Just download the script and icon and then drag-and-drop them into /Library/Scripts/Folder Action Scripts.

Now, when you go to set up Folder Actions, you will see the option for the roll-your-own-malware-detection.scpt.  All the steps to set this up are the same, just choose that script instead ofadd – new item alert.scpt .

Advanced Setup Using Hazel (Will Not Work Out-of-the-box)

In the past, I have suggested using Hazel to detect malware, but it seems that Hazel also does not work well with hidden files.   This could be overcome with some scripting, but wasn’t something I felt like getting into.  Forking the Apple-provided Applescript was much easier.

Another Option

Running the commands below will create the directories and then make them immutable, which should essentially preventing anyone but the super-user from modifying it.  Creating them yourself and locking them down means it is less-likely the malware will create them.

sudo mkdir /Library/.local/
sudo chflags schg /Library/.local/
mkdir ~/Library/.local/
sudo chflags schg ~/Library/.local/

The folder icons will have a little silver lock on it if the commands were successful.

What Does The Malware Install?

Below, you will see a list of some of the files that could possibly get installed (some only get installed if admin privileges are granted).

  • /System/Library/Extensions/updated.kext
  • /Library/.local/updated
  • /Library/.local/reweb
  • /Library/.local/update
  • /Library/.local/libweb.db
  • /Library/LaunchAgents
  • /Library/LaunchDaemons/com.updated.launchagent.plist
  • /Library/.local/kext.tar
  • /Library/.local/updated.kext
  • /Library/.local/Keymap.plist
  • /Library/.local/EventMonitor
  • /Library/.local/.logfile.
  • /Users/<your username>/Library/.local/EventMonitor
  • /Users/<your username>/Library/.local/.logfile