Security research and developer Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X. The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform. You can download the Knock Knock tool from Github here. Synack’s Patrick, who has released this tool, said he designed the tool because he was concerned about the lack of insight into the potential for persistent malware to load on his OS X machine. He said that his worries were justified given that Apple is giving very “feeble” anti-virus protection and that a further 33 OS X malware families were discovered last year. He stated that his studies showed that even a fully patched PC running on Mac OS X was “not that secure” and that the built-in anti-malware mechanisms were “pretty lame” to be trusted for security. “[Knock Knock] should show me everything that is set to automatically execute when my Mac is rebooted. “I’ve run it on some friends’ computers and actually found a bunch of OS X malware.” One of the first things the newly released Knock Knock Tool did was to detect the “clipboardd” persistent malware when it listed all binaries unsigned by Apple meaning users needed to have knowledge of OS X malware. Clipboardd copies Mach-O from its current location to HOME/Library/LaunchAgents/clipboardd and creates a plist file in the same directory with the name com.apple.service.clipboardd.plist. Wardle said since Knock Knock Tool is open source, Plugins could be added to scan for new persistence techniques to keep it abreast of threats. He also stated that writing the plugins was simple and noted the beta-phase command line tool was stable and usable. You can watch the video below to know more about Knock Knock Tool
