Objective-See: KnockKnock

KnockKnock

"Who's there?", See what's persistently installed on your Mac!
Malware often installs itself persistently, to ensure it is automatically (re)executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
Supported OS: macOS 10.15+
Current version: 3.1.0 (change log)
Zip's SHA-1: 5A42C2E3FD686CD569A0CCD597B6CF378F2764CB
Source Code: KnockKnock



To learn all about persistent malware on macOS, read:

(The Art of Mac Malware) "Chapter 2: Persistence"


Note:
Frequently Asked Questions, and their answers, can be found here.


KnockKnock

To use KnockKnock, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

There is no need to install anything, and KnockKnock can be run from anywhere. (This also means there is nothing to uninstall, simple delete the application).

To run the application and begin a scan, simply double-click KnockKnock.app.
Launch KnockKnock by double-clicking

Note:
KnockKnock may prompt you to grant it "Full Disk Access".
This is optional, but will allow KnockKnock scan your entire computer.

You can grant KnockKnock this access, via the System Settings app. In the Privacy & Security pane, click on Full Disk Access, then scroll down until you see KnockKnock. Then simply toggle the button, to grant it access:
Granting KnockKnock full disk access
If you don't see KnockKnock in this list, you can click the '+' sign and add it by browsing to its location on disk.

Press the 'Start Scan' button begin a scan. During the scan, KnockKnock will enumerate known locations where persistent software or malware may be installed.

Note:
By design, KnockKnock simply lists persistently installed software. Although by default signed-Apple binaries are filtered out, legitimate 3rd-party software will be displayed!

Thus just because something display in KnockKnock, does not mean it is malware!

The left-handle table contains the categories of persistent software that KnockKnock scans. Each row contains the name and brief description of the category, and the number of detected items.

On the left, you'll find categories of persistent items

Clicking on any of the categories will display the items for that category in the right-hand items' table. Each row in this table contains the name of the detected item, an icon indicating whether it belongs to Apple , or a 3rd-party (but still signed) , or is unsigned , its full path, and then various informational and actionable buttons. These buttons provide information about item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder:

A benign persistent item (LuLu, signed by Objective-See)

A malicious persistent item (DazzleSpy, unsigned)

Note:
Though this is covered in more details in the FAQs, generally speaking items that are signed by Apple proper () are safe to ignore.

One exception is that malware may persists scripts via Apple interpreter's (such as bash or Python). Any interpreter that is persisted should be closely examined.

If the item is an executable binary, KnockKnock automatically queries VirusTotal with a hash of the binary in order to retrieve any information. While VirusTotal is being queried, this button displays 'â–  â–  â– '. Once the query is complete, the title of the button is automatically updated with either the detection ratio, or a '?' if the binary is not known to VirusTotal.
Interpreting VirusTotal results


Note:
In the UI, a '?' is shown for items that are unrecognized or unknown to VirusTotal. This most often happens for new items that simply have not yet been submitted to VirusTotal ...though, yes it could also be (new) malware.

If you click on the '?', you can submit the item to VirusTotal. Moreover, at the end of the scan KnockKnock will display the total number of unknown items, as well as provide the option to view and submit them all to VirusTotal for analysis:
Upon scan completion, all unknown items can be submitted to VirusTotal

In the list of unrecognized items, select the ones you wish to submit, then click 'Submit' to send them to VirusTotal. Once submitted, a 'View' button will appear in the 'Results' column, allowing you to open the VirusTotal report in your browser.
Unknown items, now submitted

With the query complete, the button can be clicked to reveal a popup containing VirusTotal-specific information about the file. If the file is unknown, clicking the 'Submit?' button will submit the file for analysis. Known files contain a link to the full analysis report and a 'Rescan?' button that will rescan the file:
Clicking on the 'Virus Total' button, information from VirusTotal
If known malware is detected, the item's name and VirusTotal button will be highlighted in red. Moreover, the name of the category will be similarly highlighted:

The 'info' button will display detailed information about the item, including its hash, size, property list (if applicable), and signed status:
Clicking on the 'info' button, reveals more details about the item
If the item is persisted via a property list, one can click on this to view it's contents:
View the content's of a persistent item's property list
Back to the main window, clicking on the final button ('show') in the item's row, will reveal the item in a Finder window.

Configuring KnockKnock

To control or influence the execution of KnockKnock, click the 'Settings' icon found at the bottom left of the window:
KnockKnock's settings can be opened by clicking on the "Settings" button

This will display KnockKnock's setting's window (note, this Window is also displayed via the 'Settings' menu item):

KnockKnock's settings
  • 'Include macOS/known items':
    Display everything it finds (by default it filters out signed Apple &amP; white-listed items).

  • 'Disable automatic update check':
    When KnockKnock is launched, disable the automatic check for new versions.

  • 'Disable VirusTotal integration':
    Do not query VirusTotal with the hashes of persistent items.


Next to the settings icon, is the save icon. Click this to save KnockKnock's findings (as JSON):

Saving Scan Results
Next to the save icon, is a the compare scan icon. Click this to compare a previous scan, with the current scan.

Comparing two scans. Note the addition of (benign) browser extension, and the removal of a (benign) login item.
Note:
The option to compare a scan, is only available about a current scan has been completed.

Currently, the compare logic only detects added, or removed items. Not items that have been modified in place.

KnockKnock's Commandline Interface

KnockKnock can be run via the commandline. There are various benefits to this, including the ability to programmatically deploy and execute KnockKnock (perhaps on a regularly scheduled interval). Via the CLI, KnockKnock can also be executed with elevated privileges (i.e. sudo), which will ensure that KnockKnock will perform a more comprehensive scan of items for all users!

Note:
To run KnockKnock via the commandline, first open a terminal (e.g. /System/Applications/Utilities/Terminal.app).

Then, execute KnockKnock, making sure to specify the full path to the KnockKnock binary within its application bundle!

Pass the -h or -help to display information about the self-explanatory commandline options:
$ ./KnockKnock.app/Contents/MacOS/KnockKnock -h

KNOCKNOCK USAGE:
 -h or -help  display this usage info
 -whosthere   perform command line scan
 -verbose     display detailed output
 -pretty      final output is 'pretty-printed'
 -apple       include apple/system items
 -skipVT      do not query VirusTotal with item hashes

Here's an example, where we perform scan making use of the -verbose flag:
$ ./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere -verbose

Starting scan...

AUTHORIZATION PLUGINS
 now scanning...
 found 12 Authorization Plugins
 scanning via VirusTotal

BROWSER EXTENSIONS
 now scanning...
 found 3 Browser Extensions
 scanning via VirusTotal

...

Scan completed in 00 minutes, 27 seconds

RESULTS:
 87 persistent items
 0 flagged items


Note:
To capture the output, simply pipe it to a file out of your choice:

$ ./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere > /path/to/some/file.json


Understanding KnockKnock's Results

KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown.

If your system is infected with persistent malware, KnockKnock should detect and display it.

Though KnockKnock can (via its integration with VirusTotal) flag known malware, it takes no other steps to classify the persistent items it detects as malicious or benign.

So how can you determine if something may be malware? Though there is no foolproof way, the following is a good approach:
  1. First, examine the code signing information of the item. As discussed above, one can click on the info button for an item of interest, which will show details including an item's signer. The signer identifies the creator of the item, and ensures that the item has not been tampered with since its creation.

    For example, here can see an item named "Google Updater" is in fact signed by Google (and notarized by Apple), and thus is benign:
    Code signing information can identify the creator.

    You can also use our "What's Your Sign" tool, to extract additional code-signing information about the item, as well as its hashes.

    Items that are notarized, have be scanned for malware by Apple. Though, yes, Apple has on occasional notarized something that is malicious this is exceedingly rare.

  2. If the item's code signing information is not helpful (perhaps the creator is individual that you don't recognize), as described above you can also submit the item to VirusTotal. This will cause it to be scanned by 50+ anti-virus engines! And yes, while brand new malware may not be flagged as malicious by this scanners, some will be.

    You can also search online for the information about the item (based on its name, path, or hashes). There generally should be some information, as it is unlikely that you are the first/only person to ever encounter the item in question!
And what about the categories of items that KnockKnock enumerations? Read on to learn about each type!

The common thread between all these categories is that they could be abused by malware to persist. However, not all have been abused by malware, yet? Moreover, some are deprecated on recent versions of macOS.

  • Authorization Plugins:
    These are libraries that can be used to customize or extend the login experience. You can read more about them in Apple's "Extending authorization services with plug-ins" document.

  • Browser Extensions:
    These are programs or add-ons designed to extend the functionality of web browsers. Generally they are hosted by the browser. You're probably familiar with ad blockers, which run as browser extensions.

  • Background Managed Tasks:
    Recently Apple has begun to organize disparate persistence items into a central database. Items in this database include login items, launch agents, launch daemons, and more. Collectively they are referred to as "Background Managed Tasks". You can learn all about Background Managed Task in Demystifying macOS's Background Task Management".

  • Cron Jobs:
    Cron jobs are scheduled tasks executed automatically at specified intervals. They are commonly used for automating repetitive tasks, such as backups, updates, or running scripts, based on time-based schedules defined in a crontab file.

  • Directory Service Plugins:
    These plugins, used by the Directory Services framework enable macOS to interact with various directory services or authentication systems. These plugins facilitate communication between macOS and external directory servers, such as Active Directory, LDAP, or local authentication systems, providing functionalities like user authentication, group management, and centralized directory lookups. By using plugins, macOS supports a wide range of directory service protocols, enabling seamless integration with diverse network environments.

  • Dock Tile Plugins:
    Dock tile plugins allow applications to enhance their Dock tile with dynamic content or custom interactions. They provide a way to display additional information or controls directly on the app's Dock icon, such as live status updates, progress indicators, or interactive elements.

  • Event Rules:
    Event rules in macOS, managed by the Event Monitor Daemon (emond), are a mechanism for responding to specific system events based on predefined rules. The emond daemon watches for events, such as file system changes, system log messages, or other system activity, and executes corresponding actions when those events match the criteria defined in rule files.

  • Extensions and Widgets:
    Extensions and Widgets are modular components packaged as *.appex bundles within an app. They provide additional functionality or user-facing features that integrate seamlessly into the macOS environment (for example, as "Finder Syncs"), enhancing system-wide or app-specific capabilities.

  • Kernel Extensions:
    Known as KEXTs, these run in the kernel space to extend or modify the core functionality of the macOS kernel (XNU). They allow developers to interact directly with hardware or system resources, providing features such as device drivers, file systems, or security tools. On recent versions of macOS, 3rd-party KEXTs have largely been deprecated.

  • Launch Items:
    Launch Items are programs that can be started automatically at boot, login, or based on specific conditions. They include Launch Agents and Launch Daemons, which are managed by the macOS launchd system. Launch items are one of the most popular ways that legitimate software (and malware!) persists.

  • Library Inserts:
    In order to inject code into unprotected applications, the DYLD_INSERT_LIBRARIES environmental variable can be (ab)used. This approach can also be abused to gain persistence (assuming the targeted program is either automatically or often launched). Rarely are inserted libraries legitimate.

  • Library Proxies:
    To subvert applications and to gain persistence (assuming the targeted item is either automatically or often launched), libraries can be planted that forward their exports to a legitimate library. You can learn more about this approach in "Dylib hijacking on OS X"

  • Login Items:
    Login Items on macOS are applications or scripts configured to automatically launch when a user logs in. In the context of persistence, they are often used by legitimate apps and malware alike to ensure they run every time the user logs in.

  • Login/Logout Hooks:
    Via a login or logout hook, a scripts can be set to execute automatically when a user logs in or out. They were traditionally used for system management tasks like setting up environments or cleaning temporary files. They have been deprecated in modern macOS versions due to security concerns and are largely replaced by Launch Agents and Launch Daemons.

  • Periodic Scripts:
    These are legacy Unix-style scripts that can be specified to run regular intervals (daily, weekly, or monthly) using the periodic subsystem. They are executed automatically by the system at the specified intervals, typically for maintenance tasks like cleaning logs or rotating files. While still supported, Launch Daemons and launchd have largely replaced periodic scripts for more flexible and precise scheduling.

  • Quicklook Plugins:
    Quicklook Plugins are extensions that enable Finder and other macOS applications to generate previews for specific file types without opening them. These plugins allow users to see a quick preview of a file's content by pressing the spacebar or using the Quick Look feature in Finder. Though largely used by legitimate software, they could be (ab)used by malware as a means to gain persistence.

  • Spotlight Importers:
    Spotlight Importers are plugins (.mdimporter files) that enable the Spotlight 'search engine' to index and search the contents of specific file types. They extract metadata from non-standard or proprietary file formats, making them searchable through Spotlight and accessible via Finder's search functionality. Though largely used by legitimate software, they could be used and abused by malware as a means to gain persistence.

  • Startup Scripts:
    Several rc.* script files located in /etc are automatically executed by macOS when the system starts. Malware could potentially add extra commands to these scripts to maintain persistence.

  • System Extensions:
    System Extensions are the replacements for legacy kernel extensions (KEXTs), running in user space for improved security and stability. They enable developers to extend system functionality, such as network filtering or endpoint security, without requiring direct access to the kernel. Though unlikely, malware may be able to install a malicious System Extension that is automatically started, thus gaining persistence.

You can learn about these methods of persistence, and examples of malware that use and abuse many of them in:

(The Art of Mac Malware) "Chapter 2: Persistence"



Frequently Asked Questions
Q: KnockKnock found many applications, should I be worried?
A: No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.

Q: Ok, so how do I determine if something is malware?
A: By design KnockKnock itself doesn't try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. You can read more about how to classify and item in the 'Understanding KnockKnock's Results' section above! And, if you are still then concerned about a specific item, email me at contact@objective-see.com and attach the file.

Q: When I run KnockKnock, why does it ask to access my downloads/desktop/calendar folder, etc?
A: As part of its enumerations, KnockKnock scans running processes and their dependencies. If a process has an item loaded from these locations, when KnockKnock scans it, it may generate an OS alert.

Q: Why does KnockKnock try to access the network?
A: When KnockKnock is started, it connects to objective-see.org to check if there is a new version of the product. Specifically, it reads the file products.json, which contains the latest version number of KnockKnock. No user nor product information is ever collected nor transmitted!

KnockKnock may generate network traffic related to its integration with VirusTotal. As described above, when a user clicks on 'Virus Total' in the alert window, this will send a request which contains the file's path, name, and hash. Note that the automated version checking can be disabled via the 'Disable update checks' option in KnockKnock's settings.