Investigating Virus/PUA Alerts for mounted dmg

This is a Copy & Paste from our internal ticketing system I made a few months ago re: Virus alerts. Which can sometimes just show you something like /Volumes/some/bad/path. Hoping someone else finds it useful.

Ryan Manly added a private note 9 months ago (Tue, May 3, 2016 at 10:53 AM)

When I remotely controlled the computer the dmg was still mounted on the desktop with the generic dmg icon.

Heading to the terminal I executed the command hdiutil info. This command will tell you path to the dmg file that is attached. This is shown below as image-path.

Once we know the location of the source dmg file we can list the metadata for the file. We do this by executing mdls /path/to/file.dmg. OS X will tag downloads with a kMDItemWhereFroms attribute this will show us where the malware came from. If needed further analysis can be performed using osxcollector or similar to see which browser was used etc.

This info can also be used to block bad domains… set2updatenow.preparedupdate.xyz in this case.