Blog Archives

Terminal tricks for defeating adware

So, your browser is acting up, redirecting you to scamsites, offers for MacKeeper and Mac Cleaner and other unwanted software. You have what is technically known as ‘an adware’ infection. It’s not a virus, it’s not a ‘trojan’ and it’s not a ‘worm’, but it is a nuisance and may well be associated with any of the above. What to do?

Here’s 10 Terminal tricks you can use to help identify and remove adware items. It won’t cover every situation: adware mutates faster than a flu virus on amphetamines, but it will catch 90% of the cases currently out there. For the ones it doesn’t, see the ‘Getting Help’ section at the end of this post.

I’m going to split this up into two phases, ‘Gathering Information’ and ‘Dealing with the Results’. After explaining the first half-dozen commands individually, I’ll then give you one ‘master’ or ‘mother’ command which combines them into a single execution, but you should read through the explanations first so that you know what you’re doing and what to expect.

Gathering Info
First, most adware wants to persist on your mac across logins and restarts, and that means it has to put an executable somewhere where macOS will look on start up. One place most users should be familiar with and check first is the Login Items in System Preferences ‘Users & Groups’ pane. A lot of adware will insert itself there for good measure, but most will almost certainly be in other, trickier to find places.

This is where our first Terminal trick comes in. This Terminal trick will output the contents of the main locations where adware typically hides:

1. List the contents of your Launch* folders:


ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/


That’ll output the contents of three different directories, /Library/LaunchAgents, /Library/LaunchDaemons, and ~/Library/LaunchAgents. If you’re planning on getting help by publishing the results in a public forum like Apple Support Communities, then you might want to use this version, which will scrub your username out of the results:

2. Same trick, redacting personal info:


w=`id -un`;ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ | sed "s@$w@[redacted]@g"


The output of that command will have a load of files with names like ‘com.company.filename.plist’. To give you an example here’s what mine outputs (note, none of these are adware files; unsurprisingly, my Mac is adware free!).

Slipping a shell script into the /etc/ directory is a common adware trick, so let’s also run this one, which will output any files in /etc/ that have the .sh shell script extension:

3. Find shell scripts in /etc/:


ls -alF /etc/*.sh


(this one won’t contain your user name, so we don’t need to redact anything).

A lot of adware persists by running sneaky little AppleScripts from a shell script. We can detect if any of these are at work with this little spell:

4. List osascript processes targeting your browser:


ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}'


All this command outputs is two numbers, perhaps like this:

7783 7792
7783 7825
8978 8987

We’ll discuss what to do with those in the ‘Dealing with Results’ section below.

Next, we want to see what processes are actually running in the background. This will both confirm and possibly add to information we collected earlier. To do this, we need a little trick which looks like the same command twice, but which in fact operates on two different lists of processes:

5. List loaded background processes:


w=`id -un`; r="s@$w@[redacted]@g"; launchctl list | grep -v apple | sed "$r"; sudo launchctl list | grep -v apple | sed "$r"; sudo -K


When you run this one, a list of processes will be output, and then you’ll be asked to supply an Admin password on the command line (where even the key presses won’t be visible when you type). Supply the password and a second list will be produced. We will want to examine both later.

A file name common to a widespread family of adware is rec_script.sh, and this can be hidden anywhere in the user or local Library folders, so let’s run this one, too (here we will add the redacting again in case you’re posting the results in a public forum). You’ll need to supply an admin password for this though:

6. Find a common adware executable:


w=`id -un`; sudo find /Library ~/Library -name "*rec_script.sh*" | sed "s@$w@[redacted]@g"; sudo -K


This one may take a couple of seconds to complete.

That concludes the first step of our info gathering stage, but for convenience, I’m going give you them all again concatenated into one, single ‘mother of all commands’ 😀 string. Even more conveniently, I’ve added code to output the results to a text file on your Desktop, called ‘adware_search.txt’, so after running the code below go look for ~/Desktop/adware_search.txt in Finder. If you’re posting to a public forum, it’s much easier to copy and paste the results from the text editor rather than from Terminal.

TL;DR
If you triple-click anywhere in the block of code below, you can copy and paste the whole block into Terminal and execute all of the commands given above in one fell swoop. Remember you’ll need a password.

7. The ‘Mother’ of all the above:


w=`id -un`; r="s@$w@[redacted]@g"; f="/Users/"$w"/Desktop/adware_search.txt"; ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ /Users/Shared /usr/local/bin | sed "$r" >> "$f"; printf "\n\n/etc:\n" >> "$f";ls -alF /etc/*.sh 2>/dev/null >> "$f"; printf "\n\n# osacript processes:\n" >> "$f"; ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}' | sed "$r" >> "$f"; printf "\n\n# User launchd:\n" >> "$f"; launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Root launchd:\n" >> "$f"; sudo launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Find rec_script.sh:\n" >> "$f"; sudo find /Library ~/Library -name "*rec_script.sh*" | sed "$r" >> "$f"; sudo -K


Interlude: Playing Safe
Before we move on to dealing with the results, I want to stress that you don’t want to be deleting files that you’re not sure of. Good practice is to move files to a temporary Quarantine folder, or at least move them to but don’t empty the Trash.

Even better practice is to make sure you have an up-to-date, bootable backup disk as well as a Time Machine backup, so that you can easily recover your system if you make a mistake and delete something you shouldn’t.

Dealing with the results
Looking at the output of the first Terminal command given above (Trick 1 or 2), how can you tell which are good and which are bad? In a lot of cases, you’ll recognise the app or developer name. TunnelBear, for example. “Sure, yeah, I’ve got that” and so on. Others, however, will look and sound weird, like these (all genuine adware file names):

com.glutting_Panagia.plist
com.pPHGASlN.plist
com.phellonic.plist

Google anything you’re not sure of, and see if it’s already been identified as adware. See ‘Getting Help’ at the end of this post if you’re not sure.

Walking up & down the tree
Assuming you’ve found some candidates for removal, the next job is to find the parent and child processes associated with each. We do that with a couple more Terminal tricks.

For the first one, we want to find any process that contains the same name as our suspected adware. For each suspect, take the unique part of the name for your search term. With this one we can put all our candidates in one command like so:

8. Search for your target’s family members:


w=`id -un`; ps -axo ppid,pid,command | egrep -i "glutting_Panagia| pPHGASlN | phellonic" | grep -v ' 1 ' | grep -v grep | sed "s@$w@[redacted]@g"


Note the part after egrep -i that’s inside quote marks. Each search term is separated between a vertical bar, aka the pipe character. Note that the terms themselves are not inside quote marks individually. One pair of double-quote marks is used to encapsulate all terms.

So to use the command above replace “glutting_Panagia| pPHGASlN | phellonic” with “search term 1 | search term 2 | search term 3”, where ‘search term n’ is your search term. Of course, you can have more or less than three search terms. Just add or remove as required.

When you examine the results, so long as the first number is not ‘1’ (it shouldn’t be if you executed the command correctly, as all those should have been excluded), follow the file path shown under the ‘Command’ column using either Finder or the Terminal. If you’re sure you’ve found a baddie, send it to the Trash or your quarantine folder! If you’re not sure, see ‘Getting Help’ below.

You will need to construct and run the next command separately for each suspect. The output will give you the path to the binary being executed by the plist. In many cases, you’ll have already found that from the previous commands, but in some cases – particularly if the plist has failed for some reason or if the binary isn’t running when you do your search – it won’t. This one’s the trickiest because you’re going to have to construct most of it yourself. Here’s an example (this is actually a legitimate file, but it will serve for our purposes):

cat /Library/LaunchAgents/com.razer.rzupdater.plist | grep -iA3 program

Let’s look at how that command is structured:

9. Find more children:


cat [path to file] | grep -iA3 program


You get the ‘path to file’ part from the results of your /Library/Launch* searches, and there’s no harm in practising this one on good files to get used to the output. For each item you search, it should return something that looks like this:

Here we see the path to the executable that the plist is launching. If this were a bad guy, I’d be straight over there to send him where he belongs, too.

After working through all your suspects with Trick 8, now take a look at the results of the command to output shell script file names from /etc/ (Trick 3). If there were any results at all (hopefully there wasn’t), you’re going to have to open that file in a text editor and determine whether it is malicious or not. This is the hardest part for the novice, because there’s certainly plenty of reasons to have a shell script in /etc/ depending on what 3rd party software you’re running. I can only repeat here what I have said above: see the ‘Getting Help’ section below if in any doubt.

Next, let’s take a look at the results for the osascript processes (Trick 4). Hopefully, you got no results, but if you had two sets of numbers outputted like this:

7783 7792

then the first number is the parent process ID, and the second number is the child ID. We want to find and eliminate both the parent (again, so long as this number is not ‘1’) and the child.

Take the first number and execute this in Terminal

10. More parents on the loose:


ps [number]


Take a note of the path that’s shown and ensure it doesn’t belong to a legitimate app that you recognise. Again, if in doubt, ask Google, or see ‘Getting Help’ below.

Now, do the same with the second number, the child process. Work through however many numbers were output, ‘quarantining’ as you go.

Almost there! Take a look at the output of the two launchd lists (Trick 5). You should have a good idea by now which ones are suspect and which are OK. You may have found the paths to any suspicious ones already, but if not, we’ll use the same command as we just used with the osascript processes. Here’s the output on my machine of the Trick 5 command (all legitimate) for comparison:

We’re only interested in the first number (the second one is status code). For any suspicious process, take the first number shown in the list, and use the Trick 10 command on these to find the parent file path (you know what to do with the ones that aren’t legitimate!).

If there is only a ‘-‘ dash instead of a number, it means that process is or was loaded but is not currently running. That dash may or may not be followed by another number that is not ‘0’. That number is just an error code and isn’t really relevant to us here. For any of your suspects that have failed like that, hopefully the info you gathered earlier will give you some clues (if not, see ‘Getting Help’ next).

Finally, anything found in the ‘find’ command (Trick 6) is almost certainly malware. Of course, be mindful that it’s entirely possible a legit’ script could accidentally have a name clash and be called rec_script.sh, but it’s highly unlikely and definitely should be examined closely. Also, if you see that the path is within an application bundle like this …Contents/MacOS/rec_script.sh, don’t hesitate to pull the trigger on that one.

Getting Help
I want to repeat that doing this safely and effectively takes practice and experience, and you should in no way be surprised that, if you don’t have that experience, you’re not sure whether something you’re looking at is good or bad, or that you go through all of this and still can’t find the problem. There’s some fairly obscure ways that adware and other malware can infest and persist on your mac that only experts will be able to advise you on. Throughout this post I’ve glossed over a few situations where you’ll draw a blank, and that’s because most of the other techniques for spotting malware require that experience.

To ameliorate this, I wrote an app called DetectX Swift to deal with this and many other things, and you can download it and use it without any requirement to pay. You can also use it to get personal, free-of-charge, help from me through the Help > Report a Problem to Sqwarq Support if your troubles persist.

Let me be clear why I don’t charge for this personal service: the payoff for me is I get to improve my app’s heuristics from what I learn about infections that DetectX doesn’t automatically detect. All information is kept strictly confidential and I do not sell or use your email address or other information for any marketing purposes whatsoever.

If you want to read more about me, also see the about page on DetectX’s parent site, Sqwarq.com.

Happy hunting! 🙂

 

learning the Terminal – Part One



This is the first in a series of planned tutorials for anyone who wants to find out what Terminal can do and how they can use it to increase the usability of their computer. Unlike other Terminal tutorials, I’m going to assume that you’re not interested in giving up the desktop for the command line to do things like move and copy files that you can do more easily in Finder. Rather, I’m only going to focus on those things that it’s generally more difficult (or impossible!) to do in the GUI than it is in Terminal.

Let’s get started. Open Spotlight (try the hotkey command + spacebar or click the spy glass in the top right corner) , then type term and press Return.

When Terminal opens, the first thing you may want to do is make the text a bit easier to see in the Terminal window.

Hold down command-shift-+ to increase the size. Try it a couple of times till the text is a comfortable size. If you overshoot, just use command- – (minus key) to reduce text size.

Now you’re sitting comfortably in your Terminal window, let’s learn our first spell. Actually, we’re not going to learn one so much as make our own!

In order to do that, we want to open a hidden file and edit it. In Terminal, type

emacs .bash_profile

(There’s a space after ’emacs’, and, don’t forget that . dot right before the ‘b’)

What you see after this screen may vary depending on whether .bash_profile has any pre-existing content or not. If there is anything in the file already, ignore it and use the arrow key to move the cursor to a clean line at the bottom. If the file is empty, then just start typing. The first line we want to type is

function show

Now press Return and enter a single, left curly bracket

{

Press Return again and type (or copy and paste) this:

ls –alF

There’s a space between the ‘s’ and the dash, and all the letters are lowercase except the ‘F’, which must be uppercase.

Press Return and provide the closing curly bracket

}

It should look like the area inside the orange rectangle:




Now hold down the control key on your keyboard while you first press x and then c. Notice at the bottom of the screen you get a ‘save’ warning.

Press the y key on your keyboard, and you should find yourself returned back to the Terminal prompt.

Type exit at the prompt to logout of the Terminal, and then on the keyboard press Command-W to close the window, and Command-N to open a new Terminal session.

What did we just do?
We defined and saved a new Terminal command called show which we can now use whenever we enter Terminal to easily see all the files and folders – including all the hidden ones – in any given directory. To see what we just did, type show at the command line. You should get an output that is formatted something like this:



As you can see I’ve annotated the screenshot to show some of the features that the show command gives us. First of all, notice the file and folder names that begin with a . dot. These are your hidden files and folders (Remember: they are usually hidden for a reason, so don’t go messing with them unless you know what you’re doing!). The show command also helps us distinguish between files and folders by appending a / slash to the end of folder names. Although not shown here, you may also see some names with an * at the end. That means it’s an executable file — in other words, its purpose is to run some programme or command.

The show command is very useful for seeing exactly what is in a folder, but of course we need to know how to move between folders in order to see anything other than our own home directory.

Suppose I want to have a look in that folder called ‘Shared’. Then what I do is I type

cd Sh

then press the tab key on the keyboard. The rest of the name is filled in for me by Terminal:

cd Shared/

The tab key is a very useful trick for moving around in Terminal when you are faced with long names. Generally, you only have to type in enough to make the file or folder name unique and hitting tab will complete the rest of the name for you. However, if I only type

cd S

and then press tab, nothing happens. Terminal can’t complete the name because there’s more than one choice. However, if I press tab again, Terminal will give me a list of the all names that begin with S:

cd S

pressing tab twice gives:

cd S
Shared/ SnowLpd/

Now I can see all the options, and how much I have to type to make a unique choice. In this case, I only have to type either ‘cd Sh’ or ‘cd Sn’ to allow Terminal to know which one I want when I press the tab key. Pressing Return after the tab completion will take me to the folder.

Try it with a folder from your own list.

After changing to a new folder, perhaps your screen is getting a bit messy. Let’s clean it up before doing show again. On the keyboard, press control-L to get a clear screen (notice that all your previous commands and outputs are still available if you scroll up!).

Now type show again to see your files and folders, pick a folder (if there is one), and type cd plus the first few letters of the name. Fill it out with the tab key and then press Return.

Again, type show to find out what’s inside. You can keep going deeper into the directory tree by using cd and show on any folders you find.

The last thing we need to know for today is how to go back up the tree, or to move back to the parent folder. Again we’re going to use the ‘cd’ command, but this time you don’t need to type any names. Just a space and then two dots

cd ..

(don’t forget there’s a space between the ‘d’ and the two dots). This will always take you to the parent folder of the folder you’re currently in, all the way up to your hard disk’s parent directory. If you want, you can make a new up command (just like we made show) as a shortcut for ‘cd ..’. Have a look at the smallest of the screenshots above and see if you can do it. 🙂

So now you know how to move around and see all the hidden and un-hidden contents of your drive, go and explore and get yourself used to these first basic commands.

When you’ve finished with your Terminal session, type exit and press Return. You can then close the window and go back to GUI land!

SUMMARY
. at the beginning of a name means ‘hidden’
/ at the end of a name means ‘Folder’
* at the end of a name means ‘executable file’

cd – move in to that folder
cd .. – move back to the parent folder
emacs – opens the Terminal textfile editor
show – shows a complete list of a directory, including hidden files

control-L – clears the Terminal screen
tab – will try to complete file or folder names
tab (twice) – will offer choices

Related Posts:
learning the Terminal – Part Two
learning the Terminal – Part Three
learning the Terminal – Part Four

%d bloggers like this: