XcodeGhost

Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/):

Query

select * from (
        select apps.bundle_short_version as xcode_version,
          apps.path as xcode_path,
          file.path,
          file.type as file_type
        from apps, file
        where apps.bundle_name='Xcode' and
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%')
      ) join hash using (path) where file_type = 'regular';
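To see what the query above actually reports, this added example (not part of the osquery pack) rebuilds the three osquery tables it touches (apps, file, hash) as in-memory SQLite tables, loads constructed rows, and runs the pack query unchanged; paths, versions and the sha256 values are constructed placeholders, not real indicators.

```python
import sqlite3

# The pack query, verbatim, minus the line continuations used in the .conf file.
QUERY = """
select * from (
        select apps.bundle_short_version as xcode_version,
          apps.path as xcode_path,
          file.path,
          file.type as file_type
        from apps, file
        where apps.bundle_name='Xcode' and
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%')
      ) join hash using (path) where file_type = 'regular';
"""

# Constructed sample data standing in for what osquery would read from the host.
SDK_LIB = "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/Library"
APPS = [("Xcode", "7.0", "/Applications/Xcode.app"),
        ("Safari", "9.0", "/Applications/Safari.app")]
FILES = [
    # Regular file under the SDK Library tree: the kind of path the query is meant to surface.
    (SDK_LIB + "/Frameworks/CoreServices.framework/CoreServices", "regular"),
    # Same tree, but a directory: filtered out by file_type = 'regular'.
    (SDK_LIB + "/Frameworks/CoreServices.framework", "directory"),
    # Inside Xcode.app but outside .../SDKs/Library/: does not match the LIKE pattern.
    ("/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild", "regular"),
]
# Placeholder hashes; on a real host the hash table supplies sha256 for triage.
HASHES = [(path, "sha256-placeholder-%d" % i) for i, (path, _) in enumerate(FILES)]


def run_xcodeghost_query(apps=APPS, files=FILES, hashes=HASHES):
    """Run the pack query over SQLite stand-ins for osquery's apps, file and hash tables.

    Returns rows of (xcode_version, xcode_path, path, file_type, sha256); the USING
    join emits the shared path column once.
    """
    con = sqlite3.connect(":memory:")
    con.execute("create table apps (bundle_name text, bundle_short_version text, path text)")
    con.execute("create table file (path text, type text)")
    con.execute("create table hash (path text, sha256 text)")
    con.executemany("insert into apps values (?, ?, ?)", apps)
    con.executemany("insert into file values (?, ?)", files)
    con.executemany("insert into hash values (?, ?)", hashes)
    return con.execute(QUERY).fetchall()


if __name__ == "__main__":
    for row in run_xcodeghost_query():
        print(row)
```

Only the regular file under the SDK Library directory of the Xcode bundle is returned; the query lists candidates, and the sha256 column is what an analyst compares against known XcodeGhost hashes.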

Additional Query Info

  • Version: 1.4.5
  • Interval: 3600

JSON

{
  "queries": {
    "XcodeGhost": {
      "query": "select * from ( \
        select apps.bundle_short_version as xcode_version, \
          apps.path as xcode_path, \
          file.path, \
          file.type as file_type \
        from apps, file \
        where apps.bundle_name='Xcode' and \
          file.path like (apps.path || '/Contents/Developer/Platforms/%/Developer/SDKs/Library/%%') \
      ) join hash using (path) where file_type = 'regular';",
      "interval": "3600",
      "platform": "",
      "version": "1.4.5",
      "description": "Xcode Ghost dropped files (http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/)",
      "value": ""
    }
  }
}