How to Use FSEvents to detect and delete malicious files on the OS X Platform


FSEvents, available on OS X 10.7 and later, provides a mechanism for detecting modifications to files and directories. FSEvents uses data provided by the file system event daemon (fseventsd), which records the corresponding file operations to log files on each volume (the log files are saved in a directory named ".fseventsd"). Applications can use the APIs provided by FSEvents to read these logs and obtain information about directory changes, including file creation, modification and deletion.

Malware generally tries to clear the traces of its activity after performing illegal operations on a target system. FSEvents can help us find such malware and completely remove the related malicious files from the system. Using this artifact, even if the malware has wiped its own traces, we can still find evidence of malicious activity such as execution and illegal file operations. By analyzing the FSEvents log files, even long after the fact, we can easily recover the full path, creation date and deletion date of the malicious files.

Although this lets us review the historical modification records of the system, it is important to note that the FSEvents log files do not persist indefinitely: the .fseventsd folder is only a staging area that OS X uses to track file system changes. CrowdStrike's security researchers have nonetheless observed illegal operations from four months earlier on an ordinary system. This article therefore provides some basic information about this forensic artifact.

After an FSEventStream is created successfully, each event it reports carries a set of flags. Beyond the default flag, additional flags indicate specific kinds of operations. All flags are listed in the following table:

- None: Default flag. A directory had some modification, but no more specific event flag is set for the operation.

- MustScanSubDirs: Notifies the application that it must rescan the affected directory and all of its subdirectories.

- UserDropped: Events were dropped in user space before the flag was delivered. The application must perform a full scan of the directory.

- KernelDropped: Events were dropped by the kernel. The application must perform a full scan of the directory.

- EventIdsWrapped: The event ID counter wrapped around, so earlier event IDs are no longer valid.

- HistoryDone: Marks the end of the historical events replayed from an earlier event ID; everything before it was catch-up history.

- RootChanged: Set when the monitored root path itself changes (for example, it is renamed, moved or deleted).

- Mount: A volume was mounted underneath the monitored path.

- Unmount: A volume was unmounted from underneath the monitored path.

- ItemCreated: Set when a file or directory is created.

- ItemRemoved: Set when a file or directory is deleted.

- ItemInodeMetaMod: Set when the inode metadata of an item changes.

- ItemRenamed: Set when a file or directory is renamed.

- ItemModified: Set when the contents of a file or directory are modified.

- ItemFinderInfoMod: Set when an item's Finder info metadata is modified.

- ItemChangeOwner: Set when the owner of a file or directory changes.

- ItemIsFile: The affected item is a file.

- ItemIsDir: The affected item is a directory.

- ItemIsSymlink: The affected item is a symbolic link.

How to parse the log data recorded by FSEvents

FSEvents stores its log files in a folder named .fseventsd located at the root of each volume. This folder is accessible only to root and contains a large number of gzip-compressed files.

For example, the /Volumes/Macintosh HD/.fseventsd directory contains the FSEvents log of the local hard drive.

We usually cannot read valuable information from these files directly, because the event log data is stored in a binary format. To address this, David Cowen developed a Python-based parsing tool named "FSEventsParser", which can be used to parse FSEvents log records.

Use FSEvents to delete malware in OS X

For example, we can use FSEventsParser to identify malware such as OSX/iWorm. iWorm is a trojan for the OS X platform. Once a computer is infected, the attackers use a social media website to obtain the IP address of the target user and connect the host to a botnet.

Security researchers infected a virtual machine with iWorm and then ran FSEventsParser. Given how this malware family operates, it usually installs itself as a launch daemon for persistence, so we used FSEventsParser to examine the /System/Library/LaunchDaemons and /Library/LaunchDaemons directories. After scanning, we found that a file (/Library/LaunchDaemons/com.JavaW.plist) had been created on February 1, 2016. After filtering the data, we obtained the event flags "ItemCreated", "ItemModified" and "ItemIsFile". In addition, a new folder (/Library/Application Support/JavaW) was created on the same day.

Now, we have obtained the creation time and storage location of the malicious file. Then, we can use this tool to conduct a more in-depth analysis of the compromised system.
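The filtering step described above, as an added example that is not part of the original article or of FSEventsParser: it decodes the API flag bitmask into the names from the table and finds items under the launch daemon directories that were created and later removed. The records, persistence-directory watch list and event IDs are constructed assumptions; the bit values are the kFSEventStreamEventFlag constants from Apple's FSEvents.h.

```python
import fnmatch

# kFSEventStreamEventFlag* bit values from Apple's FSEvents.h (API layout).
# The raw .fseventsd records use a different on-disk encoding, so feed this
# with records already decoded by a parser such as FSEventsParser.
FLAGS = {
    0x00001: "MustScanSubDirs", 0x00002: "UserDropped", 0x00004: "KernelDropped",
    0x00008: "EventIdsWrapped", 0x00010: "HistoryDone", 0x00020: "RootChanged",
    0x00040: "Mount", 0x00080: "Unmount", 0x00100: "ItemCreated",
    0x00200: "ItemRemoved", 0x00400: "ItemInodeMetaMod", 0x00800: "ItemRenamed",
    0x01000: "ItemModified", 0x02000: "ItemFinderInfoMod", 0x04000: "ItemChangeOwner",
    0x10000: "ItemIsFile", 0x20000: "ItemIsDir", 0x40000: "ItemIsSymlink",
}

# Persistence locations from the article; an assumed watch list, extend as needed.
PERSISTENCE_GLOBS = ["/Library/LaunchDaemons/*", "/System/Library/LaunchDaemons/*"]

def decode_flags(flags: int) -> list:
    """Translate an FSEvents flag bitmask into the flag names from the table."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit] or ["None"]

def in_persistence_dir(path: str) -> bool:
    return any(fnmatch.fnmatch(path, g) for g in PERSISTENCE_GLOBS)

def find_created_then_removed(records):
    """records: iterable of (event_id, path, flags). Returns (path, created_id,
    removed_id) for persistence-directory items that were created and later
    deleted, i.e. the wiped traces the article says FSEvents still records."""
    created = {}
    hits = []
    for event_id, path, flags in sorted(records):   # event IDs are monotonic
        if not in_persistence_dir(path):
            continue
        names = decode_flags(flags)
        if "ItemCreated" in names:
            created[path] = event_id
        if "ItemRemoved" in names and path in created:
            hits.append((path, created.pop(path), event_id))
    return hits

# Constructed sample records (not real log data) mirroring the iWorm case above.
SAMPLE = [
    (1001, "/Library/LaunchDaemons/com.JavaW.plist", 0x100 | 0x1000 | 0x10000),
    (1002, "/Library/Application Support/JavaW", 0x100 | 0x20000),
    (1003, "/Users/analyst/Documents/notes.txt", 0x1000 | 0x10000),
    (1010, "/Library/LaunchDaemons/com.JavaW.plist", 0x200 | 0x10000),
]

if __name__ == "__main__":
    for path, c, r in find_created_then_removed(SAMPLE):
        print(f"{path}: created at event {c}, removed at event {r}")
```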

Conclusion

Nowadays, more and more enterprises and organizations use Macs in their work environments, and this trend increases the demand for forensic analysis on the OS X platform. FSEvents is a very useful artifact: even if malware has completely cleared its traces, FSEvents can still help us find and identify the malicious files. It can therefore assist analysts across many different investigation and evidence collection scenarios, including cases where other tools cannot recover valid evidence.
