Unplugged, asleep, in a bag, but transforming itself

You might think that when your laptop is disconnected from power, asleep, and stuffed in a bag that it wouldn’t be doing anything. You would be wrong.

This morning, I arrived at work around 8:30 am, took my laptop out of its bag, and looked at what it had been doing in the last few hours. Immediately, goobspatch, running at 6:46 am while my laptop was sleeping in its bag, jumped out at me.

I am familiar with goobspatch from an old white paper I had written, “The Making of ‘The Advanced Persistent Threat You Have: Google Chrome’” (pdf), so I knew it was part of Google’s automatic software update system.

DETAILS

Indeed, as can be seen in Figure 1, at 6:46 am (1), a bash shell script (2), launched goobspatch (3). Looking down at the provenance section, I could see this goobspatch execution was at the end of a long provenance chain created by GoogleUpdater (4).

Figure 1: goobspatch executing on my computer

Looking at the arguments section (see Figure 2), I could see this version of goobspatch lived inside a mounted volume (1). It also referenced a file in an unusual path (2). We will see these paths again later.

Figure 2: arguments passed to goobspatch

Knowing that goobspatch was launched by the bash script, I flipped over to the “Shells” tab and entered “goobsp” in the search field (see (1) in Figure 3). goobspatch is being called a lot... on a lot of different files. I also noticed these goobspatch calls are all being run from the same login session, 20,559 (2).

Figure 3: that is a lot of goobspatch

As shown in Figure 4, I changed the search to the session ID 20599 (1), and I could see that the shell script was issuing a lot more commands than just goobspatch. In this display, time runs from bottom (oldest) to top (2). We see the shell script changing permissions on files, touching files, creating new directories, etc.

Figure 4: that shell script was very busy

CLEANING UP

As shown in Figure 5, I switched back to the Processes tab, searched for the remove command, rm, selected one instance that was launched by a bash script, and saw that it was recursively deleting a directory (1). In fact, this is the same path, beginning with /var/folders, that was passed to the goobspatch command in Figure 1.

We can also see in the list above that this is just one of many rm commands being run by the bash shell script (2).

GoogleUpdater is cleaning up after itself.

Figure 5: Google begins cleaning up the evidence

Finally, as shown in Figure 6, we see the GoogleUpdater program (1) calling the hdiutil command (2). Looking down at the arguments passed to hdiutil (3), we see that it is unmounting the volume that contained the goobspatch program shown being used back in Figure 1.

So, after replacing many files with goobspatch, GoogleUpdater’s components deleted a lot of intermediate files and finally deleted the volume it had mounted, which contained the files, shell scripts, and programs that it used. All the evidence of how Chrome, an important application on my Mac, was replaced has been scrubbed from my system… except that I was able to review the evidence later with xTend.

Figure 6: unmounting the update package

SUMMARY

While my laptop was asleep, unplugged, and in its bag, GoogleUpdater woke up, downloaded an update package (which included programs and shell scripts to carry out the update), performed its changes, and then cleaned up after itself, leaving little evidence of its actions behind.

When you pull your laptop out of its bag, it may be very different from when you put it into its bag, transformed like an insect in its cocoon.

POSTSCRIPT

If you google 😉 goobspatch, you will find a lot of links about malware of the same name and almost nothing about it being legitimate.

Why am I not worried about a program with this name running on my computer?

In Figure 7, we see the path to goobspatch (1), see that it was signed (2), and see that it was signed with Google’s Team ID, assigned to Google by Apple (3). If bad guys have stolen Google’s signing key to sign malicious software, we (the Internet) have a lot bigger problem than my little laptop.

Finally, I have the hash of the binary (4), so if I were really concerned, I could do a little extra work to verify that this binary, even though it lived only briefly on my computer, was legitimate.

Figure 7: goobspatch was signed
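The Team ID and hash check described above can be scripted. This is an added example, not code from the article or from Ennetix: it reads the TeamIdentifier line that codesign prints, compares it with the expected Team ID, and records the binary’s SHA-256. The expected Team ID, the sample codesign output, and the path argument are assumptions; confirm the Team ID against item (3) in Figure 7 on your own machine.

```shell
#!/bin/sh
# Added example (not from the article): check that a macOS binary such as
# goobspatch is signed under the expected Apple Team ID and record its SHA-256.
# Assumes codesign(1) and shasum(1) are present (they are on macOS).

# Assumed value: Google's Team ID as printed by codesign for Chrome. Confirm it
# against the TeamIdentifier shown in your own codesign output before relying on it.
EXPECTED_TEAM_ID="EQHXZ8M8AV"

# Pull the TeamIdentifier= value out of `codesign -dv --verbose=4` output on stdin.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 if the binary at $1 carries the Team ID given in $2, 1 otherwise.
# codesign writes its details to stderr, hence the 2>&1.
verify_team_id() {
    path="$1"; expected="$2"
    actual="$(codesign -dv --verbose=4 "$path" 2>&1 | extract_team_id)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Record the SHA-256 so the binary can be cross-checked after the updater
# has removed it and unmounted the volume it came from.
record_hash() {
    shasum -a 256 "$1" | awk '{print $1}'
}

# Constructed sample of codesign output (not captured from a real system),
# used to show what extract_team_id reads.
SAMPLE_CODESIGN='Executable=/Volumes/example/goobspatch
Identifier=com.example.goobspatch
Format=Mach-O thin (x86_64)
Authority=Developer ID Application: Example Developer (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EQHXZ8M8AV
Sealed Resources=none'

# Usage: sh check_signer.sh /path/to/binary  (path is your own; none is assumed here)
if command -v codesign >/dev/null 2>&1 && [ -n "$1" ]; then
    if verify_team_id "$1" "$EXPECTED_TEAM_ID"; then
        echo "OK: $1 signed by $EXPECTED_TEAM_ID sha256=$(record_hash "$1")"
    else
        echo "MISMATCH: $1 is not signed by $EXPECTED_TEAM_ID" >&2
    fi
fi
```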


All screenshots used in this article were from Ennetix xTend. xTend is available from the Mac App Store. Ennetix xTend and its supporting app, Ennetix Endpoint (downloaded from Ennetix’s web site), are free.

Mac App Store link: Ennetix xTend