Rex versus The Romans
Anti Hacking Team Kernel Extension
reverser@put.as - http://reverse.put.as

This is a OS X TrustedBSD module to detect Hacking Team's OS X malware
in already infected systems or to warn if system is compromised by their dropper.

It assumes that the malware is written to /Users/username/Library/Preferences.
This assumption has been true in the past but unknown in the future.

The code is very simple and needs further improvements to be future proof to any
changes they might do. I do have that secret sauce but it's implemented in a 
commercial product. 

Because there is no userland daemon to receive and process the alerts, the
deprecated KUNCUserNotificationDisplayNotice is used to display the alert.
The downside of this is that this module uses the Unsupported KPI.
It can be fixed by creating a userland daemon that receives and processes the
messages from the kernel.

You are encouraged to improve on this code! Please tell me about it if you do.

If you want to get this module loaded on startup you can use a simple trick.
Modify the kext plist and add this key:
<key>AppleSecurityExtension</key>
<true/>

The CFBundleIdentifier must also be modified and start with com.apple.XXXXX.

Now copy the kext to /System/Library/Extensions and touch that same folder.
Reboot and the kext will be automatically loaded on boot.

This method doesn't work with Yosemite because of strict codesigning requests.
You can't sign anymore com.apple with a non-Apple certificate.

Of course you need a kext codesigning certificate for this to work with Mavericks!

Enjoy,
fG!