KnockKnock
"Who's there?" See what's persistently installed on your Mac.
Malware installs itself persistently, to ensure it is automatically executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
current version: 1.9.0 (change log)
zip's sha-1: 86701b501fa9e37ad1b119df3c48dbbc132c81ed
zip's sha-1: 86701b501fa9e37ad1b119df3c48dbbc132c81ed
KnockKnock is a complete rewrite of a my open-sourced python project that lists persistently installed software. The benefits of KnockKnock over the command-line python version include:
- Deployability
written in Apple's native Objective-C, it is deployable as a self-contained, native OS X application - Usablilty
a user-friendly graphical interface readily provides more contextual information - Speed
native executable code allows much faster scanning - VirusTotal Integration
provides invaluable information about persistent files and can automatically detect known malware
To use KnockKnock, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:
To run the application and begin a scan, simply double click on 'KnockKnock.app' and press the 'Start Scan' button. KnockKnock will scan known locations where persistent software or malware may be installed. By design, it simply lists persistently installed software. Although signed-Apple binaries are filtered out, legitimate 3rd-party software will likely be displayed.
The left-handle table contains the categories of persistent software that KnockKnock scans. Each row contains the name and brief description of the category, and the number of detected items. Clicking on any of the categories will display the items for that category in the right-hand items' table.
Each row in this table contains the name of the detected item, an icon indicating whether it belongs to Apple,
, or a 3rd-party (but still signed) 
, or is unsigned 
, its full path, and then various informational and actionable buttons. These buttons provide information about item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder.
If the item is an executable binary, KnockKnock automatically queries VirusTotal with a hash of the binary in order to retrieve any information. While VirusTotal is being queried, this button displays '■ ■ ■'. Once the query is complete, the title of the button is automatically updated with either the detection ratio, or a '?' if the binary is not known to VirusTotal.
With the query complete, the button can be clicked to reveal a popup containing VirusTotal-specific information about the file. If the file is unknown, clicking the 'submit?' button will submit the file for analysis. Known files contain a link to the full analysis report and a 'rescan?' button that will rescan the file.
If known malware is detected, the item's name and VirusTotal button will be highlighted in red. Moreover, the name of the category will be similarly highlighted:
The 'info' button will display detailed information about the item, including its hash, size, plist (if applicable), and signed status:
Clicking on the final button ('show') in the item's row, will show the item in a Finder window.
To control or influence the execution of KnockKnock, click the 'gear' (preferences) icon found at the bottom left of the window. Selecting 'show os/known items' button will cause KnockKnock to display everything it finds (by default it filters out signed Apple and white-listed items). The 'disable virustotal integration' button prevents KnockKnock from querying VirusTotal. Finally selecting 'save results' will generate a popup (either immediately or at the end of a scan), that allows one to specify where to save KnockKnock's findings, as JSON.
KnockKnock is still fairly 'young'. Future versions will search more locations for persistently installed software, and contain more features (search? delete?, etc.). If you have any feedback or feature requests, shoot me an email.
note: for details about persistence & OS X malware, see my paper: Methods of Malware Persistence on OS X
FAQs
Q: KnockKnock found many applications, should I be worried?
A: No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.
Q: Ok, so how do I determine if something is malware?
A: By design KnockKnock itself doesn't try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps google the hash of the file, run strings on it, or if you are really concerned about a specific item, email me at patrick@objective-see.com and attach the file :)
Q: When I run KnockKnock, why does it ask to access the keychain?
A: Recent versions of Safari store their list of installed extensions in the keychain (specifically in an item named 'Safari Extensions List'). To enumerate installed Safari extensions, KnockKnock queries this (and only this) item in the keychain. Clicking 'Allow' or 'Always Allow' will allow KnockKnock to list installed extensions. Clicking the 'Deny' button will block KnockKnock from accessing the keychain, and thus prevent it from listing the installed Safari extensions.
Q: Why does KnockKnock try to access the network?
A: In order to detect known malware, KnockKnock is integrated with the online malware detection service VirusTotal. Specifically, hashes of items that are found by KnockKnock, are automatically and securely sent to VirusTotal to determine if they are associated with known malware. A user can also manually resubmit or rescan a file, which will generate outgoing connections to VirusTotal as well. VirusTotal is the only network endpoint that KnockKnock talks to; it has no other networking logic. If you prefer, you can disable VirusTotal integration (via the Preferences popup). Once disabled (until re-enabled), KnockKnock will not attempt any network connections or generate any network traffic.
A: No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.
Q: Ok, so how do I determine if something is malware?
A: By design KnockKnock itself doesn't try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps google the hash of the file, run strings on it, or if you are really concerned about a specific item, email me at patrick@objective-see.com and attach the file :)
Q: When I run KnockKnock, why does it ask to access the keychain?
A: Recent versions of Safari store their list of installed extensions in the keychain (specifically in an item named 'Safari Extensions List'). To enumerate installed Safari extensions, KnockKnock queries this (and only this) item in the keychain. Clicking 'Allow' or 'Always Allow' will allow KnockKnock to list installed extensions. Clicking the 'Deny' button will block KnockKnock from accessing the keychain, and thus prevent it from listing the installed Safari extensions.
Q: Why does KnockKnock try to access the network?
A: In order to detect known malware, KnockKnock is integrated with the online malware detection service VirusTotal. Specifically, hashes of items that are found by KnockKnock, are automatically and securely sent to VirusTotal to determine if they are associated with known malware. A user can also manually resubmit or rescan a file, which will generate outgoing connections to VirusTotal as well. VirusTotal is the only network endpoint that KnockKnock talks to; it has no other networking logic. If you prefer, you can disable VirusTotal integration (via the Preferences popup). Once disabled (until re-enabled), KnockKnock will not attempt any network connections or generate any network traffic.