At this year’s Virus Bulletin conference held last month in Seattle, security researcher Patrick Wardle spoke about methods of malware persistence on Mac OS X.
The video of his very interesting presentation can be viewed here, and his paper has also been made available.
In the last few minutes of his talk, he presented a tool he wrote himself that shows users all the persistent items (scripts, commands, binaries, etc.) set to execute automatically on their OS X machine.
It’s called Knock Knock, and it’s open source.
“Knock Knock is a command line python script that displays persistent OS X binaries that are set to execute automatically at each boot. Since Knock Knock takes an unbiased approach it can generically detect persistent OS X malware, both today, and in the future,” he noted on the project’s GitHub page.
“It should be noted though, this approach will also list legitimate binaries. However, as Knock Knock by default will filter out unmodified Apple-signed binaries, the output is greatly reduced, leaving a handful of binaries that quickly can be examined and manually verified.”
You should know a bit about OS X in general in order to actually sift through the results. You also need to know how to do things via the command line, as it’s currently the only way to use the tool.
Even though the tool is still in beta, it’s worth a try if you believe that the AV solution of your choice is not good enough. Knock Knock was designed for OS X Mavericks, but it should work on older versions of the OS.
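The approach described above (list everything set to run automatically, then drop what a trust check vouches for) can be illustrated on one persistence class, launchd jobs. This is an added example, not Knock Knock's code and not from the article; the function names, the sample plists and `sample_trust` are constructed here, and the path-prefix check only stands in for code-signature verification.

```python
import os
import plistlib
from pathlib import Path

# Standard launchd job directories on OS X (launchd is one persistence class of several).
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]

def read_launch_dirs(dirs=LAUNCH_DIRS):
    """Map plist path -> raw bytes for each readable job file (empty off a Mac)."""
    found = {}
    for p in (p for d in dirs for p in Path(d).glob("*.plist")):
        try:
            found[str(p)] = p.read_bytes()
        except OSError:
            pass  # unreadable without privileges
    return found

def parse_launch_item(source, data):
    """Describe one launchd job: what it runs and whether it starts unprompted."""
    item = {"source": source, "label": None, "program": None, "auto_start": False, "error": True}
    try:
        job = plistlib.loads(data)
        args = job.get("ProgramArguments") or []
        item.update(label=job.get("Label"), program=job.get("Program") or (args[0] if args else None),
                    auto_start=bool(job.get("RunAtLoad") or job.get("KeepAlive")), error=False)
    except Exception:
        pass  # unparseable plist: error stays True so the file lands in the review list
    return item

def review_list(plists, is_trusted):
    """Return the jobs that is_trusted() does not vouch for, plus unparseable files."""
    items = [parse_launch_item(s, d) for s, d in sorted(plists.items())]
    return [i for i in items if not (i["program"] and is_trusted(i["program"]))]

# Constructed sample input, not real system data.
SAMPLE = {
    "/Library/LaunchDaemons/com.apple.sample.plist": plistlib.dumps(
        {"Label": "com.apple.sample", "Program": "/usr/libexec/sampled", "RunAtLoad": True}),
    "/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps(
        {"Label": "com.example.updater", "ProgramArguments": ["/Users/Shared/.updater", "-q"], "KeepAlive": True}),
    "/Library/LaunchAgents/broken.plist": b"not a plist",
}

def sample_trust(path):
    # Stand-in only: a real check would verify the binary's code signature.
    return path.startswith("/usr/libexec/")

if __name__ == "__main__":
    print(review_list(SAMPLE, sample_trust))
```

On a Mac, `review_list(read_launch_dirs(), your_check)` runs the same filter over the real job files, with `your_check` being whatever signature verification you trust.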