
MALWARE access via hole in Browser Plugin Process.  Applications achieving root level authorization.  Please help.

8841 Views, 35 Replies. Latest reply: Jul 30, 2013 5:37 AM by Jonathan Hendry. Branched to a new discussion.
MAC ATTACKED Level 1 (5 points)
Apr 8, 2012 2:23 AM

MACBOOK PRO.  Late 2011.  LION 10.7.3 - 2.2GHz w/4GB 1333 MHz DDR3.  Wifi for Internet at home and BlueTooth for the mouse.  No iChat, iTunes, iCalendar etc. 

 

I have recently experienced what appears to be a complete collapse of the security protocol and my system now seems to be run by foreign programs.  I will quickly describe what I have discovered and what I think could be the cause.  I will then post some of the files I found as well as some logs.  Please let me know your thoughts, what other information you need and what I can do to remedy the situation.  I don't want to debate the existance of threats.  I am willing to accept reasonable explanations but please look at everything I am asking for help with.  Thank you in advance for thoughtful replies.

 

Background


On or about March 22 I updated Quicktime/Safari to be able to view and play rich media.  I installed the Perian, Flip4Mac and DIVX plugins.  I had run into problems with homepage hijackers previously. I did not notice anything suspicious until this weekend.  The system slowed to a halt after visiting sites like YouTube, DailyMotion etc.  The system started generating comprehensive debugging reports and failed to shut down properly.  The boot logs changed as well. Some went missing (no data reported) and the protocols for others changed dramatically.  New applications began to show up in the Activity Monitor and new components began to appear with unknown origins or authors. 


Current State - Login

 

It appears as though the security protocol has changed.  PAM framework exposes a generic set of API/functions to the applications. Applications simply call the functions defined in the module passing in the credentials of the user. Secure logs, crash reports and DEBUGGING logs all indicate that there is a breakdown in the system allowing something to get set up as a guest user without a urlAttribute or homeDirPath or the proper syntax and is reestablishing itself on start using exception handling protocols and cached data.  It is refusing to let go when shutting down and starts up again before any other systems are in place from its persistent state cache.

 

Current State - Files, Logs and Caches

 

The private/tmp folder has seen new locked files and folders appear at the same time.  All of which point back to Safari/Fireworks Plugin Process as its origin.  File contents are posted below.

 

     eka_named_mutex_KLAVA (zero bytes on disk)

     PRCustomProps

     PRObjects

     wnstat.xml

     launchd-142.RTSwZ4 (locked folder)

 

eka_named_mutex_KLAVA

 

PRCustomProps =

!! ?PR_REMOTE_MANAGER_PROP  ?cpnPRAGUE_REMOTE_API  ?cpTASK_MANAGER_TASK_ID  ?

cpTASK_MANAGER_TASK_IS_REMOTE  ?npISWIFT_MODE  ?npISWIFT_VOLUME_ID ?npISWIFT_FILE_ID

?npAVS_HTTP_REQ  ?

npAVS_HTTP_RSP  ?

npAVS_SCAN_ACTION_NAME

?npAVS_CHAINED_OBJECT  ?KTT  ?npSCAN_OBJECT_CONTEXT  ?

npENGINE_OBJECT_PARAM_ACTION_CLASS_MASK_tDWORD  ?npENGINE_VIRTUAL_OBJECT_NAME  ?npENGINE_OBJECT_DETECT_STATE  ?npENGINE_OBJECT_READONLY_tERROR  ?

npENGINE_OBJECT_READONLY_hOBJECT  ?npENGINE_OBJECT_SESSION_hOBJECT  ?

npENGINE_OBJECT_SKIP_THIS_ONE_tBOOL  ?npENGINE_OBJECT_EXECUTABLE_PARENT_IO_hOBJECT  ?npENGINE_OBJECT_SET_WRITE_ACCESS_tERROR  ?propid_reopen_user_data  ?

npENGINE_INTEGRAL_PARENT_IO  ?propid_istreams_ctx  ?npSCAN_OBJECT_BCKFLAG  ?

avp1_has_special_cure  ?cpTEMPFILE_MEMMANAGER  ?npOBJECT_STARTUP  ?DEFER_THREAD_INIT

 

 

wnstat.xml file contents =

<propertiesmap>

  <key name="WebNetStat">

  <key name="Zones">

  <key name="0000">

  <tSTRING name="Name">test</tSTRING>

  </key>

  <key name="0001">

  <tSTRING name="Name">ac</tSTRING>

  </key>

  <key name="0002">

  <tSTRING name="Name">ad</tSTRING>

  </key>

  <key name="0003">

  <tSTRING name="Name">ae</tSTRING>

  </key>

 

....all the way through to...

 

  <key name="0274">

  <tSTRING name="Name">xxx</tSTRING>

  </key>

</key>

  <tBOOL name="SkipUnknown">1</tBOOL>

  <key name="WaitTimeouts">

  <key name="0000">

  <tBYTE name="Id">2</tBYTE>

  <tDWORD name="Timeout">2000</tDWORD>

  </key>

  </key>

  </key>

</propertiesmap>

 

PRObjects =   8Lä± PRRoot  8TD± TaskManager

 

 

New Processes have appeared in the Activity Monitor that all link together to manage what happens and what gets reported.  They include

 

backgroundinstruments -

/Applications/Xcode.app/Contents/Library/LoginItems

->0xffffff800e8af648

/Applications/Xcode.app/Contents/Library

/Applications/Xcode.app/Contents

/Applications/Xcode.app

/Applications

count=0, state=0x1

count=0, state=0x1

 

imagent

/

/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent

/System/Library/PrivateFrameworks/IMCore.framework/Versions/A/Frameworks/IMDaemonCore.framework/Versions/A/IMDaemonCore

/System/Library/Frameworks/IMServicePlugIn.framework/Versions/A/IMServicePlugIn

/private/var/db/mds/messages/se_SecurityMessages

/usr/share/icu/icudt46l.dat

/usr/lib/dyld

/private/var/db/dyld/dyld_shared_cache_x86_64

/dev/null

->0xffffff800d7573f0

->0xffffff800d7573f0

count=1, state=0x2

->0xffffff800e8aea90

 

com.apple.legacymediabridge.videodecompressionserver

 

This one is the most troubling.  I understand that Quicktime can read and or write code from an embedded XML file.  I have noticed all sorts of new Components listed in System Information that relate directly to the collection, distribution and execution of code via the browser plugin process.  It wouldn't take much to inject code into a cache that can be later executed by processes that have hijacked the login protocol.  With two way conversation back and forth it could easily be tweaked based on DEBUGGING reports sent home until it has been proven effective.

 

I think my machine has been compromised before.  I reported some incidents last fall however I didn't know enough about OSX to gauge the threat. My experience before and after visiting certain media sites is the same except this time they seem to be far more effective.

 

Please let me know what you think the best remedy might be.  I want to eliminate all of the errors, get the system running as it should and ultimately put up some kind of barrier that isn't so easy to foil.  I just received another error

 

"12-04-08 2:33:13.267 AM helpd: CFPropertyListCreateFromXMLData(): Old-style plist parser: missing semicolon in dictionary."

 

I am suspicious because I have seen my system compromised by code embedded in Browser Plug In processes before.  I am suspicious because what I have seen happen to my system over the last few days is consistent with how one might attack an OSX machine.  Too many odd changes inconsistent with how others have described their experience.  Let me know what else you need to help define things further.  I can provide a lot more data about the contents of files recently modified, logs, debug reports etc.  I am not sure where to start, what is important and what can be dismissed.  I appreciate your help.

MacBook Pro, Mac OS X (10.7.2)
  • nerowolfe Level 6 (13,070 points)

    Take system offline.

    Use your backup, TM or other and restore the system to a time previous to the infection.

    Then install ClamXav or some other AV program, update Java via the Software update and I also suggest running "Little Snitch" and monitoring everything for a while.

  • HACKINT0SH Level 5 (5,750 points)

    Unfortunately, APPLE's underestimation of the threat and the community's unwillingness to take it seriously only perpetuate the problem.

    And on the other side of the story, we have people's over-estimation of the threat and the community's over-hype taking things far more seriously, which only over-exaggerates the problem.

  • nerowolfe Level 6 (13,070 points)

    It is a serious issue. I read somewhere that one of the parts of the malware appears to be a keystroke logger, but that might be misinformation.

    Once, hackers were happy messing up people's computers, taking down servers, etc.

    Today, it is a big money thing. These trojans steal personal information, credit card numbers, all kinds of stuff that can be sold or used to steal money; even ID theft.

     

    Off the computer topic. I suggest that everyone should have some kind of personal ID theft prevention program, that monitors credit cards, SSNs, bank accounts, etc.

    ID theft today is a big business and growing.

    These trojans, to paraphrase an old expression about cars, are not your father's trojans. (No pun intended).

    We are living in a new world and very dangerous times.

  • thomas_r. Level 7 (26,960 points)

    There is nothing called "backgroundinstruments" that is part of the current version of XCode.  Also note that the current malware that is circulating (Flashback) will self-delete at the time of infection if you have XCode installed.  Plus, it looks like you have Sophos installed, and I have personally verified that it will prevent one variant, at least, from being installed.

     

    You've said a lot, but also very little of substance.  I still have no real idea of what symptoms you are seeing that lead you to believe you have malware, or how you claim to know that keylogging is going on.  If you could start over from the beginning, explaining the behavior you are seeing in clear, simple words, that would help us assist you.

  • Terence Devlin Level 10 (121,745 points)

    There is a part of XCode called "backgroundinstruments"

     

    /Applications/Xcode.app/Contents/Library/LoginItems/backgroundinstruments.app/Contents/MacOS/backgroundinstruments

     

    Much else of what you refer to in your first post is part of Kaspersky's -  another anti-virus application.

     

    While I fully accept that your Mac has been compromised, I'm unclear as to how you know this? What are the actual symptoms? Everything you've posted refers to perfectly normal applications.
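The replies above settle the question of "what is this process?" by recognising vendor names (Xcode, Kaspersky, Apple's IMCore). The check a practitioner would actually run on the Mac is the same one, done mechanically: for each persistent job, find the program it launches, note where on disk it lives, and ask `codesign` who signed it. The script below is an added example written for this page; it is not code from any poster in this thread or from Apple. It parses a launchd job plist with the standard library, classifies the program path (user-writable scratch locations such as /private/tmp are the ones worth a second look), and interprets the `Executable=` / `Identifier=` / `Authority=` lines that `codesign -dvv` writes to stderr. The sample plist and the two sample `codesign` outputs are constructed for the demonstration; only `codesign_output()` touches the real tool and it is not needed to run the rest.

```python
"""Triage helper for OS X launchd jobs: where does the program live, who signed it?

Added example, not from the thread.  Sample inputs below are constructed.
"""
import plistlib
import subprocess
from dataclasses import dataclass, field
from typing import List

# Anything a user can write to; a job persisting from here deserves a close look.
SCRATCH_PREFIXES = ("/private/tmp/", "/tmp/", "/private/var/tmp/", "/Users/Shared/")


@dataclass
class Signature:
    signed: bool = True
    identifier: str = ""
    authorities: List[str] = field(default_factory=list)  # leaf first, root last


def launchd_program(plist_bytes: bytes) -> str:
    """Return the executable a launchd job will run (Program or ProgramArguments[0])."""
    job = plistlib.loads(plist_bytes)
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def parse_codesign(output: str) -> Signature:
    """Interpret `codesign -dvv <path>` text.  Unsigned objects produce a one-line
    '... code object is not signed ...' message instead of the key=value block."""
    sig = Signature()
    for line in output.splitlines():
        if "not signed" in line:
            sig.signed = False
        elif line.startswith("Identifier="):
            sig.identifier = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            sig.authorities.append(line.split("=", 1)[1])
    return sig


def codesign_output(path: str) -> str:
    """Live helper for use on a Mac: codesign reports on stderr, so merge both streams."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def verdict(path: str, codesign_text: str) -> str:
    """Combine location and signer into a short triage label."""
    sig = parse_codesign(codesign_text)
    if path.startswith(SCRATCH_PREFIXES):
        return "investigate: runs from user-writable scratch location"
    if not sig.signed:
        return "investigate: unsigned binary"
    if sig.authorities and sig.authorities[0] == "Software Signing":
        return "apple-signed: " + sig.identifier       # Apple's own system software
    if any(a.startswith("Developer ID Application:") for a in sig.authorities):
        return "developer-id signed: " + sig.identifier  # third-party vendor
    if not sig.authorities:
        return "ad-hoc signed (no certificate chain): " + sig.identifier
    return "other signer: " + "; ".join(sig.authorities)


# --- constructed samples (not captured from the poster's machine) -------------
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/private/tmp/.updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

UNSIGNED_OUTPUT = "/private/tmp/.updater: code object is not signed at all\n"

APPLE_OUTPUT = """Executable=/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent
Identifier=com.apple.imagent
Format=bundle with Mach-O thin (x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

if __name__ == "__main__":
    prog = launchd_program(SAMPLE_PLIST)
    print(prog, "->", verdict(prog, UNSIGNED_OUTPUT))
    apple_path = APPLE_OUTPUT.splitlines()[0].split("=", 1)[1]
    print(apple_path, "->", verdict(apple_path, APPLE_OUTPUT))
```

On a real machine the loop is: collect plists from ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, call `launchd_program()` on each, then `verdict(path, codesign_output(path))`. The point is not that an unsigned or third-party-signed program is malicious (on Lion most third-party software was unsigned), but that the list of "investigate" items is short and concrete, which is exactly what the repliers asked the poster for.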

  • thomas_r. Level 7 (26,960 points)

    There is a part of XCode called "backgroundinstruments"

     

    Not here.  I have the current version of XCode (4.2), and there is no such file.  Not only did I open up the XCode application package manually and fail to find a LoginItems folder at the indicated location, but I searched the entire Developer folder (which is where my copy of XCode resides) using EasyFind and found no matches.

     

    But even if an older version of XCode includes that, it's a huge stretch to consider it, or any of the rest of XCode, malicious.

  • Terence Devlin Level 10 (121,745 points)

    I agree with you. I'm just pointing out that it's quite likely that most everything mentioned in these posts is part of perfectly legitimate applications.

     

    Regards

     

     

    TD

  • thomas_r. Level 7 (26,960 points)

    Yeah, I agree, I haven't understood what the problem is and why so many different components of XCode and other legit apps are being blamed for stuff.

  • thomas_r. Level 7 (26,960 points)

    Each time someone tries to explain away the situation because they don't want to accept that OSX is vulnerable.

     

    Few people try to deny that there is malware that affects Macs.  Those who do are not well informed.

     

    However, nothing you have said makes much sense, or sounds remotely like any of the currently known Mac malware.  If you aren't willing to explain more clearly, people expressing skepticism about your claims will simply be your way of life.
