11 Replies Latest reply: Mar 20, 2012 3:28 PM by rccharles
mmulqueen Level 1 Level 1 (0 points)

I'll try to keep this brief.  It looks like one of my boss' personal Mac devices, iPad/iMac/iPhone, is infected with something.  He receives tons of delivery failure notifications every day for e-mail that he did not send.  I've verified that these e-mails are not being relayed through our Exchange server, but the reply-to address is his company address.  I've used Wireshark to verify that the e-mails are coming from his home network.  I took a laptop with a fresh Fedora install and a switch to his house.  His network topology was iMac/iPad/iPhone -> Wireless router -> Cable Modem.  Now it is iMac/iPad/iPhone -> Wireless router -> Cisco switch -> Cable modem.  On the switch, I mirrored the port connected to the wireless router through another port to the laptop's NIC.  Then, I started Wireshark and left.  The next day, I picked up the laptop and switch and took them to work, where I had a look at the Wireshark log file.  Even while everyone in the house was asleep, there was SMTP traffic.  It was nonstop, all night.  One or all of these devices seem to be participating in a mass mailing botnet.  Also, every morning, when he wakes up, the username and password that both his iMac and iPad pass to the Exchange server have been changed.  This results in his Active Directory account being locked every morning until he changes the password back.  I find failed logon attempts on the Exchange server's security log that are coming from his home IP address.  Please note that the credentials on his Apple devices are the only ones that change.  His password does not get changed on the server and, as long as his account is not locked, his Windows machine at work continues to authenticate and retrieve mail without issue.  So, I am just about 1000% sure that the problem is the Apple products, but my posts elsewhere have been met with answers like "iOS/OS X can't be hacked", "Macs don't get viruses", and the best yet, "It's your Windows servers".
I don't quite understand responses like this, as the testing I've done points to only my CEO's personal Apple devices.  I'm new to dealing with anything made by Apple.  My ex-wife had iPods and a MacBook, but I pretty much stayed away from those.  I'd just like to know what can be done.  He tells me that he reset his iPad through iTunes and that he reset his iMac, but I don't know what this reset actually does, and I already have my hands full working on company-owned software/hardware.  It seems that the resets he's performed did not remove the infection, so I'm wondering what my next step is.  Does the hard drive need to be formatted and the OS reinstalled?  Is this something that I should do myself, or would I risk voiding his warranty?  Should I advise him to take his Apple products to an Apple store or maybe mail them to Apple?


iPad, iOS 4.3.3
  • 1. Re: The boss' iPad, iMac, and iPhone
    Texas Mac Man Level 8 Level 8 (45,805 points)

    There are no Mac OS or iDevice iOS viruses.

     

    The reason his email address was being used is because a Windows PC had a virus and his email address is on the PC. His email address was "harvested" from the PC and is being used to send out spam emails. There's nothing he can do, except change his email address.

     

     Cheers, Tom

  • 2. Re: The boss' iPad, iMac, and iPhone
    mmulqueen Level 1 Level 1 (0 points)

    Sorry Tom, but I'm going to have to disagree.  There are viruses for Apple OSes (http://infosecisland.com/blogview/15744--Myth-Apple-Products-Dont-Get-Viruses.html), but I never suggested that this was a virus.  I think it's probably a botnet.  OSX was more insecure than its Windows/Linux/Unix counterparts.  Apple users have enjoyed virus-free products for many years because Apple devices made up a small percentage of devices on the internet.  Hackers writing malicious software want to affect as many users/businesses as they can.  Until the surge in Apple's sales over the past few years, that meant writing viruses, malware, botnets, trojans, etc. for Windows.  Now that more people are using Apple devices, hackers are engineering malicious software for them.  I've already explained how I proved that the problem is one of his Apple devices by running Wireshark on his Windows-free home network and intercepting outgoing SMTP traffic all night while everyone in the house slept.

     

    Here is an article from 2009 about the first botnet written for OSX.  http://www.cnn.com/2009/TECH/04/22/first.mac.botnet/index.html

     

    If I was planning on making Apple devices part of my inventory, I would learn about them.  I made this post because I have no interest in learning about them.  I'd just like advice about how to completely wipe and reload the OS without the possibility of leaving any trace of the infection.  The factory reset didn't work.  How can I format the disk, erasing all data on it, and reload the OS?  He does not have a CD/DVD for the OS.  Will Apple provide that?

  • 3. Re: The boss' iPad, iMac, and iPhone
    Michael Morgan1 Level 7 Level 7 (23,825 points)

    I have no corresponding interest to teach you about them. Have your boss take his problem to someone who knows what he is talking about and who is able and willing to help him.

  • 4. Re: The boss' iPad, iMac, and iPhone
    Wedge Gangly Level 1 Level 1 (25 points)

    Neither of the articles cited has to do with viruses. There are no viruses in the wild for any current Apple OS.  Any computer can be infected with malware, as this requires some action on the part of the device operator (scareware, etc.). The malware mentioned in the linked articles is not a virus. This is what folks mean when they say there are no viruses for Apple products, unless you have a jailbroken device or are running Windows on your Mac. If you receive an infected email on your Mac, it will do nothing to the OS, but if the document is forwarded to another Windows recipient, they may be infected if not running current AV software.

     

    There is no chance that an iPad/iPhone/iAnything has malware unless jailbroken. If you are concerned about a Mac, download ClamXav (it is free) and scan the Mac.

  • 5. Re: The boss' iPad, iMac, and iPhone
    First Magus Level 6 Level 6 (15,850 points)

    I agree with Michael, your boss needs to talk to an Apple expert. As you say, you have no experience and are too willing to blame it on the Macs.  We don't need to be lectured to when all we want to do is help someone that really wants it.

     

    My question would be how you would fix it on a PC, since you try to come across as a PC expert.  The technology and fixes aren't that different.  Links to everything you're trying to prove mean nothing.  I can find all kinds of links to prove anything I want to assert as the truth, 'cause everything on the web is the truth ;>.

     

    He can get a replacement disk for his Mac by asking Apple.  They usually have a charge to replace them.  Tell him to make an appointment with a Mac Store to go in and have them help him.

     

    Mort

  • 6. Re: The boss' iPad, iMac, and iPhone
    James Ward4 Level 7 Level 7 (24,040 points)

    There would be no problem in reformatting any or all of the OS or iOS devices, but I would also look into the router, the cable modem and his ISP account.

     

    I agree that the pat answer that no viruses or malware exist or can exist for OS/iOS devices is incorrect. It is possible. At the same time, the thinking that no such intrusions exist because of the "small percentage of devices" is also baloney. iOS makes up a HUGE share of the Internet. Infections don't occur because it is hard as **** to infect an Apple device. If one of these devices is indeed the source of this issue, it is more likely to be the iMac via the user's home network.

     

    The iOS devices would almost certainly have to be jailbroken to be the source, and resetting to factory settings would likely solve it.

     

    I also agree with the recommendation to consult someone with virus protection expertise and some knowledge of OS and iOS.

  • 7. Re: The boss' iPad, iMac, and iPhone
    MadMacs0 Level 4 Level 4 (3,735 points)

    > I've already explained how I proved that the problem is one of his Apple devices by running wireshark on his Windows free home network and intercepting outgoing SMTP traffic all night while everyone in the house slept.

     

    Why are you unable to identify the device? Could it be a neighbor hacked into his home network?

  • 8. Re: The boss' iPad, iMac, and iPhone
    mmulqueen Level 1 Level 1 (0 points)

    Then your response is useless and not welcome.

  • 9. Re: The boss' iPad, iMac, and iPhone
    mmulqueen Level 1 Level 1 (0 points)

    Could be a neighbor.  Thanks for the helpful response

  • 10. Re: The boss' iPad, iMac, and iPhone
    James Ward4 Level 7 Level 7 (24,040 points)

    Certainly worth taking a look at.

  • 11. Re: The boss' iPad, iMac, and iPhone
    rccharles Level 5 Level 5 (5,370 points)

    All the machines you list are Unix based.

     

    You're dealing with computers.  Diagnostics is all the same.  The details are different.

     

    > Now it is, iMac/iPad/iPhone -> Wireless router -> Cisco switch -> Cable modem.

    Have you checked out the router to make sure it's secure?  What did the Cisco switch provide?

     

    My quick fixes would be to change passwords everywhere and make sure the router is using a secure protocol.  Power the machines off at night & see if the problem persists.

     

    You have identified problem traffic on the home network. 

     

    The next step is to identify the problem machine.

     

    Log onto the router and review how the IP addresses were dished out.  You might want to assign fixed IP addresses.  You can configure the router to accept known MAC addresses.

     

    The next step isn't to start a blame game.

     

     

    For the Mac:

    Apple may still supply the original restore CDs/DVDs for a nominal fee.  Have your serial number and model information available when you call them. You do not have to be the original owner.

     

    AppleCare Support Phone Number: 1-800-275-2273

    open 6am to 6pm Pacific Time

     

    Apple Phone Sales 1-800-692-7753

     

    International Technical Support Numbers

    http://www.apple.com/support/contact/phone_contacts.html

     

    It's Unix:

    Macintosh-HD -> Applications -> Utilities -> Terminal

    top

    ifconfig

     

     

    Use the application disk utility to format the drive.

    -------------------

     

    Format a disk using the installation DVD

    To format the startup drive, you will need to run Disk Utility from your installation DVD.

     

    This article will tell you how to get to Disk Utility.  Once in Disk Utility, you can go and format the disk.

    http://support.apple.com/kb/TS1417


    To format your startup drive, you will need to run Disk Utility from your startup DVD.
    Mac OS X 10.4: About the utilities available on the Mac OS X 10.4 Install DVD

    http://support.apple.com/kb/HT2055

     

    How to run Disk Utility from your startup DVD:

    1. Insert your startup DVD into your reader.  Power down your machine.  Hold down the C key.  Power on your machine.  This will boot up your startup DVD.  ( Alternatively, you may hold down the control key; this brings up the startup manager.  Click on the desired volume.  Click on the right arrow. )
    2. This will bring you to a panel asking you for your language.  Pick your language.
    3. [screenshot: language selection panel]
    4. You come to the Install Mac OS panel.  Do not install.
    5. Click on the Utilities menu item.  This will give you a pulldown list of utilities.  [screenshot: Utilities menu]
    6. Click on Disk Utility.
    7. Start up Disk Utility.
       In the left pane view, you will see a list of all your disks.  Click on the external disk.
       Click on the Partition tab.
       [screenshot: Disk Utility partition tab]
    8. You will now see how your external disk is currently set up.  Fill in the information as appropriate.  You should pick Mac OS Extended (Journaled).

     

     

     

    More details on formatting.
    http://www.kenstone.net/fcp_homepage/partitioning_tiger.html
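The step rccharles calls "identify the problem machine", and MadMacs0's question about why the device could not be identified from the capture, both come down to attributing the overnight SMTP traffic to a source MAC address and checking it against the devices the household actually owns. The script below is an added example, not code from any poster; its capture lines mimic tab-separated `tshark -T fields` output and are constructed, as are the MAC addresses and the device inventory.

```python
"""Attribute overnight outbound SMTP in a port-mirror capture to a device.

Each capture line is: epoch seconds, source MAC, source IP, destination IP,
destination TCP port (tab-separated).  All values below are constructed.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed inventory of the household's own devices (hypothetical MACs).
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": "iMac",
    "00:11:22:aa:bb:02": "iPad",
    "00:11:22:aa:bb:03": "iPhone",
}

# Constructed capture excerpt: 03:00 UTC is "asleep", 14:00 UTC is daytime.
SAMPLE_CAPTURE = """\
1331953200\t00:11:22:aa:bb:01\t192.168.1.10\t203.0.113.25\t25
1331953205\t00:11:22:aa:bb:01\t192.168.1.10\t198.51.100.7\t25
1331953210\t00:11:22:aa:bb:02\t192.168.1.11\t203.0.113.80\t443
1331953215\t00:11:22:aa:bb:01\t192.168.1.10\t203.0.113.26\t25
1331953220\t02:00:00:de:ad:01\t192.168.1.50\t203.0.113.27\t25
1331992800\t00:11:22:aa:bb:02\t192.168.1.11\t203.0.113.25\t25
"""

QUIET_HOURS = range(0, 6)  # UTC hours treated as "everyone asleep" here


def smtp_by_source(capture, quiet_hours=QUIET_HOURS):
    """Count outbound TCP/25 connections per (src MAC, src IP) in quiet hours."""
    counts = Counter()
    for line in capture.splitlines():
        if not line.strip():
            continue
        ts, src_mac, src_ip, _dst_ip, dst_port = line.split("\t")
        if dst_port != "25":
            continue  # only mail submission to port 25 is of interest
        hour = datetime.fromtimestamp(int(ts), tz=timezone.utc).hour
        if hour in quiet_hours:
            counts[(src_mac, src_ip)] += 1
    return counts


def attribute(counts, inventory=KNOWN_DEVICES):
    """Map each talkative MAC to a known device, or flag it as not in the inventory."""
    report = []
    for (mac, ip), n in counts.most_common():
        label = inventory.get(mac, "UNKNOWN (not a household device)")
        report.append((label, mac, ip, n))
    return report


if __name__ == "__main__":
    for label, mac, ip, n in attribute(smtp_by_source(SAMPLE_CAPTURE)):
        print(f"{n:5d} SMTP connections  {mac}  {ip}  {label}")
```

A MAC that shows up as UNKNOWN points at the "neighbor on the Wi-Fi" possibility raised in the thread; a known MAC narrows the reformat to one machine instead of all three.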