Changeset 14712


Timestamp:
Mar 6, 2016, 7:45:41 PM (3 years ago)
Author:
mikedld
Message:

Attempt to remove OSX.KeRanger.A for unlucky users...

File:
1 edited

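--- a/trunk/macosx/Controller.m
+++ b/trunk/macosx/Controller.m
@@ -161,4 +161,80 @@
 }
 
+// 2.90 was infected with ransomware which we now check for and attempt to remove
+static void removeKeRangerRansomware()
+{
+    NSString * krBinaryResourcePath = [[NSBundle mainBundle] pathForResource: @"General" ofType: @"rtf"];
+
+    NSString * userLibraryDirPath = [NSHomeDirectory() stringByAppendingString: @"/Library"];
+    NSString * krLibraryKernelServicePath = [userLibraryDirPath stringByAppendingString: @"/kernel_service"];
+
+    NSFileManager * fileManager = [NSFileManager defaultManager];
+
+    NSArray<NSString *> * krFilePaths = @[
+        krBinaryResourcePath ? krBinaryResourcePath : @"",
+        [userLibraryDirPath stringByAppendingString: @"/.kernel_pid"],
+        [userLibraryDirPath stringByAppendingString: @"/.kernel_time"],
+        [userLibraryDirPath stringByAppendingString: @"/.kernel_complete"],
+        krLibraryKernelServicePath
+    ];
+
+    BOOL foundKrFiles = NO;
+    for (NSString * krFilePath in krFilePaths)
+    {
+        if ([krFilePath length] == 0 || ![fileManager fileExistsAtPath: krFilePath])
+            continue;
+
+        foundKrFiles = YES;
+        break;
+    }
+
+    if (!foundKrFiles)
+        return;
+
+    NSLog(@"Detected OSX.KeRanger.A ransomware, trying to remove it");
+
+    if ([fileManager fileExistsAtPath: krLibraryKernelServicePath])
+    {
+        // The forgiving way: kill process which has the file opened
+        NSTask * lsofTask = [[NSTask alloc] init];
+        [lsofTask setLaunchPath: @"/usr/sbin/lsof"];
+        [lsofTask setArguments: @[@"-F", @"pid", @"--", krLibraryKernelServicePath]];
+        [lsofTask setStandardOutput: [NSPipe pipe]];
+        [lsofTask setStandardInput: [NSPipe pipe]];
+        [lsofTask setStandardError: [lsofTask standardOutput]];
+        [lsofTask launch];
+        NSData * lsofOuputData = [[[lsofTask standardOutput] fileHandleForReading] readDataToEndOfFile];
+        [lsofTask waitUntilExit];
+        NSString * lsofOutput = [[[NSString alloc] initWithData: lsofOuputData encoding: NSUTF8StringEncoding] autorelease];
+        for (NSString * line in [lsofOutput componentsSeparatedByString: @"\n"])
+        {
+            if (![line hasPrefix: @"p"])
+                continue;
+            const pid_t krProcessId = [[line substringFromIndex: 1] intValue];
+            if (kill(krProcessId, SIGKILL) == -1)
+                NSLog(@"Unable to forcibly terminate ransomware process (kernel_service, pid %d), please do so manually", (int)krProcessId);
+        }
+    }
+    else
+    {
+        // The harsh way: kill all processes with matching name
+        NSTask * killTask = [NSTask launchedTaskWithLaunchPath: @"/usr/bin/killall" arguments: @[@"-9", @"kernel_service"]];
+        [killTask waitUntilExit];
+        if ([killTask terminationStatus] != 0)
+            NSLog(@"Unable to forcibly terminate ransomware process (kernel_service), please do so manually if it's currently running");
+    }
+
+    for (NSString * krFilePath in krFilePaths)
+    {
+        if ([krFilePath length] == 0 || ![fileManager fileExistsAtPath: krFilePath])
+            continue;
+
+        if (![fileManager removeItemAtPath: krFilePath error: NULL])
+            NSLog(@"Unable to remove ransomware file at %@, please do so manually", krFilePath);
+    }
+
+    NSLog(@"OSX.KeRanger.A ransomware removal completed, proceeding to normal operation");
+}
+
 @implementation Controller
 
@@ -170,4 +246,6 @@
 + (void) initialize
 {
+    removeKeRangerRansomware();
+
     //make sure another Transmission.app isn't running already
     NSArray * apps = [NSRunningApplication runningApplicationsWithBundleIdentifier: [[NSBundle mainBundle] bundleIdentifier]];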
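Review bot: In the lsof branch, a `p`-prefixed line whose remainder is not a number makes `intValue` return 0, and `kill(0, SIGKILL)` then signals every process in Transmission's own process group — Transmission included — while a negative value would target a process group by id; the loop should reject such values with `if (krProcessId <= 0) continue;` before the `kill` call. That case is made more likely by stderr being redirected onto the same pipe as stdout, so any lsof diagnostic text is parsed as if it were `-F` output; giving stderr its own pipe (or dropping it) keeps the parser on lsof's machine-readable lines only. Between lsof reporting a pid and the kill, the pid could presumably be reused by an unrelated process, which this best-effort routine cannot fully rule out and is worth a one-line comment next to the kill. The `killall -9 kernel_service` fallback likewise terminates any process with that name, which is acceptable for a one-off cleanup but should be stated in the comment above it.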