
Using KACE to detect the OSX-Flashback.K trojan

A script has been released that checks for the presence of the OSX-Flashback.K trojan, which is now believed to be widely distributed across the globe. It is available from https://github.com/hjuutilainen/adminscripts/blob/master/check-for-osx-flashback.K.sh . The following details how to create a script in the K1000 that runs this check on your machines, and includes a report to view the results.

Step 1 - Create a script

Download the script from https://github.com/hjuutilainen/adminscripts/blob/master/check-for-osx-flashback.K.sh and save it to your hard drive. I copied and pasted the code into TextEdit and saved it as flashback_check.sh. If you do the same, switch TextEdit to plain text first (Format > Make Plain Text); otherwise it saves rich text that the shell cannot run.

I chose to create an Offline KScript so that it can be scheduled to run at a set time and also at the next client check-in.

Give the script a name and check the Enabled box

I have my script set to deploy to all machines, but you may want to test it on a few first, and review the script's contents before pushing a third-party script to every Mac

Uncheck the box to Pick Specific OS versions and then select Mac OS X

For scheduling, I set my script to run at a specific time later today and also at the next client check-in

Check the box to allow the script to run while logged off

Under dependencies, upload the script you saved earlier

For Task 1, verify:
    Launch a program
    Directory: $(KACE_DEPENDENCY_DIR)
    File: the name of the script you uploaded as the dependency

Save the task changes, then save the script

Make a note of the script ID to use in the reports. If you're using the admin UI, the script ID appears in the URL when you edit the script (after saving it for the first time).

Step 2 - Reporting

I find the function to search script logs very slow, so I created two reports to view the results instead. The following SQL can be used in a SQL report to show the script results for all of the machines it ran on. One caveat: the K1000 database is MySQL, and GROUP BY MACHINE_ID with non-aggregated columns returns one arbitrary log row per machine, not necessarily the most recent run. If the script has run more than once, filter on START_TIME or take the latest run per machine rather than trusting the row the GROUP BY happens to pick.

SELECT MACHINE_ID, MACHINE.NAME, STATUS, START_TIME, KBOT_LOG_DETAIL.TEXT FROM ORG1.KBOT_LOG
JOIN KBOT_LOG_DETAIL on KBOT_LOG_DETAIL.ID = KBOT_LOG.OUTPUT_DETAIL_ID
JOIN MACHINE on MACHINE.ID = KBOT_LOG.MACHINE_ID
WHERE KBOT_ID = <id of script created in step 1>
GROUP BY MACHINE_ID
ORDER BY MACHINE.NAME

If you only want to include machines where the script found something, then you need to find log entries that contain the word "WARNING", which is what the check script prints when it detects an indicator. This SQL adds a LIKE clause with the appropriate syntax (use the same script ID as above):

SELECT MACHINE_ID, MACHINE.NAME, STATUS, START_TIME, KBOT_LOG_DETAIL.TEXT FROM ORG1.KBOT_LOG
JOIN KBOT_LOG_DETAIL on KBOT_LOG_DETAIL.ID = KBOT_LOG.OUTPUT_DETAIL_ID
JOIN MACHINE on MACHINE.ID = KBOT_LOG.MACHINE_ID
WHERE KBOT_ID = <id of script created in step 1>
and KBOT_LOG_DETAIL.TEXT LIKE '%WARNING%'
GROUP BY MACHINE_ID
ORDER BY MACHINE.NAME
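As an added example (not part of the original post), the following report combines the two queries above and avoids the arbitrary-row problem of a bare GROUP BY: it keeps only each machine's most recent run of the check script, derives a VERDICT column from the log text, and sorts machines that printed WARNING to the top. It assumes the same ORG1 tables and columns the queries above use (KBOT_LOG, KBOT_LOG_DETAIL, MACHINE), that the script prints the word WARNING when it finds something, and that you substitute the script ID noted in Step 1 for the placeholder.

```sql
-- Added example, not from the original post. One row per machine for the
-- most recent run of the Flashback check script only, with a derived verdict.
-- Replace <id of script created in step 1> with the script ID from Step 1.
-- Assumes the ORG1.KBOT_LOG / KBOT_LOG_DETAIL / MACHINE columns used by the
-- queries above, and that the check script prints 'WARNING' on a hit.
SELECT
    M.NAME        AS MACHINE_NAME,
    L.START_TIME  AS LAST_RUN,
    L.STATUS,
    CASE
        WHEN D.TEXT LIKE '%WARNING%'       THEN 'WARNING'    -- script flagged an indicator
        WHEN D.TEXT IS NULL OR D.TEXT = '' THEN 'NO OUTPUT'  -- ran, but nothing was uploaded
        ELSE 'CLEAN'
    END           AS VERDICT,
    D.TEXT        AS SCRIPT_OUTPUT
FROM ORG1.KBOT_LOG L
JOIN (
    -- newest run of this script per machine; earlier runs are ignored
    SELECT MACHINE_ID, MAX(START_TIME) AS START_TIME
    FROM ORG1.KBOT_LOG
    WHERE KBOT_ID = <id of script created in step 1>
    GROUP BY MACHINE_ID
) LATEST ON LATEST.MACHINE_ID = L.MACHINE_ID
        AND LATEST.START_TIME = L.START_TIME
JOIN ORG1.MACHINE M ON M.ID = L.MACHINE_ID
-- LEFT JOIN so a run with no uploaded output still shows up as 'NO OUTPUT'
LEFT JOIN ORG1.KBOT_LOG_DETAIL D ON D.ID = L.OUTPUT_DETAIL_ID
WHERE L.KBOT_ID = <id of script created in step 1>
-- 'WARNING' > 'NO OUTPUT' > 'CLEAN' alphabetically, so DESC puts hits first
ORDER BY VERDICT DESC, M.NAME;
```

The NO OUTPUT verdict is worth watching: it is what you see when the task runs but nothing is uploaded (for instance when Wait for startup is not set on the Launch a program task), and such machines have not actually been checked. Wrapping this query as a subquery and grouping on VERDICT gives a fleet-wide tally for a dashboard. If a machine has two runs with an identical START_TIME it will appear twice; that is rare, and the duplicate rows are easy to spot.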


Good luck!


Comments

  • This is great and works great!!

    Keep in mind that you must check the 'Wait for startup' checkbox under the 'Launch a program' task for the results to be uploaded. - jaredv 11 years ago