scissortail76

Q: Traveling Rootkit

I've been dealing with a rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webooks and additional packages in tow, including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate and they didn't match.

 

Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone, meaning I have to reinstall from scratch.

 

I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist, and somewhere I found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use Internet Recovery, which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.

 

I had to start using Terminal commands for everything because the GUI apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely, including the EFI partition and Recovery Drive, but it still comes back even if I'm offline and unplugged. I've seen some rogue code, entitling Handoff, and like I said before Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.

 

It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's box. Not an option, since I'm not fast enough to keep up with the mess of new code files spewed forth that results.

 

Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too, along with several loop devices, vcsa, vhost-net, etc. Again, this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and ACPI still runs even using the acpi=off command in GRUB. It then makes a copy of the CD somewhere so it can alter it and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed... and it was not booted into RAM.

 

My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read-only and running from the drive directly. But another weird thing... even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one burned to disk, but by the second one I saw the same language encoding files and a CSS file with the same evil code getting burned to the disk.

 

I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point: my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed, it finds a way. I'm about to turn my closet into a Faraday cage, but then I can't download software from Apple's "Secure" server.

 

One thing that would be useful... Oooooohhhhhh so useful... is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developer site but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version, but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM
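The root-certificate fingerprint comparison described in the post above, done in a repeatable way, as an added example that is not part of the original post and not Apple tooling. It assumes each Mac has dumped its system roots to a PEM file with `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > roots.pem`, and that the reference you compare against is either a second Mac's dump or Apple's published list of trusted roots. The sample "certificates" embedded for the offline run are constructed byte strings wrapped in PEM armour, not real X.509 certificates; the fingerprint is just SHA-256 over the DER bytes, so no X.509 parsing is needed.

```python
#!/usr/bin/env python3
"""Fingerprint every certificate in a PEM dump and diff two such dumps.

Intended use (assumption: each machine's roots were exported with
  security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain
into a file):  python3 this.py mine.pem reference.pem
Added illustration, not Apple tooling.
"""
import base64
import hashlib
import re
import sys
from typing import Set, Tuple

# One PEM certificate block; the lazy group captures the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, printed AA:BB:... as openssl/Keychain Access do.
    Swap hashlib.sha1 in here if the reference list you compare with is SHA-1."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_pem(text: str) -> Set[str]:
    """Decode every BEGIN/END CERTIFICATE block in text and fingerprint it."""
    found = set()
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))   # drop line breaks
        found.add(fingerprint(der))
    return found


def compare(mine: Set[str], reference: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(fingerprints only on this Mac, fingerprints only in the reference)."""
    return mine - reference, reference - mine


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed test data, NOT a certificate."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed samples: two dumps sharing one "root" and differing in one each.
SAMPLE_MINE = _fake_pem(b"constructed root 1") + _fake_pem(b"constructed root 2")
SAMPLE_REFERENCE = _fake_pem(b"constructed root 1") + _fake_pem(b"constructed root 3")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            mine = fingerprints_from_pem(f1.read())
            reference = fingerprints_from_pem(f2.read())
    else:
        mine = fingerprints_from_pem(SAMPLE_MINE)
        reference = fingerprints_from_pem(SAMPLE_REFERENCE)
    only_mine, only_reference = compare(mine, reference)
    print("only on this Mac :", sorted(only_mine))
    print("only in reference:", sorted(only_reference))
```

Two practical caveats: the two sets are only expected to match when both machines run the same OS X version and minor update, so a handful of entries in "only in reference" on an older machine is not evidence of anything; and a fingerprint computed on a machine you already believe is compromised is computed by software you do not trust, so for a real investigation take the dump from the suspect disk while booted from known-good external media.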


first Previous Page 3 of 4 last Next
  • Kurt Lang (Level 8, 37,939 points, Mac OS X), Jul 24, 2015 9:02 AM, in response to James Brickley

    James Brickley wrote:

    Ok, clearly you got hacked.

    No, he didn't.

  • scissortail76 (Level 1, 5 points), Aug 2, 2015 10:39 AM, in response to bentleyonthego

    Yes yes yes yes. All of that. Also found that certain services became unavailable if I turned music on. In other words, if it was using audio for music it couldn't use it for hidden processes. Thanks for your info though. I was wrong about Chameleon... the drivers are all part of the Chameleon install but removing it doesn't fix anything. It's reviving itself some other way, either in the hardware or something even more bizarre.

     

    Lately I've unearthed a ".MobileBackups" folder that seems to be created as a mtmfs disk by Time Machine. Every day something new shows up. Please keep me posted on your progress and I'll do the same. 

  • Drew Reece (Level 5, 7,694 points, Notebooks), Aug 2, 2015 11:02 AM, in response to scissortail76

    scissortail76 wrote:

     

    Lately I've unearthed a ".MobileBackups" folder that seems to be created as a mtmfs disk by Time Machine. Every day something new shows up. Please keep me posted on your progress and I'll do the same. 

    The .MobileBackups folder is also normal, it is used on laptops to allow backups to happen when a Time Machine disk is unavailable. It is automatically emptied as free space becomes an issue.

     

    You can read the manual and disable the local backups if you don't want them…

    https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/tmutil.8.html

    sudo tmutil disablelocal

     

    Those backups will be removed whenever Time Machine decides to clear them out.

    As ever Pondini explains how Time Machine works…

    http://www.pondini.org/OSX/DiskSpace.html

     

     

    Frankly you appear to be digging for a problem where none exists, or you are failing to explain the problem succinctly enough to get real help. The major problem here is that there are parts of the OS you do not understand & you assume they are attacks, hacks, spies or evidence of something equally malicious. If you want help here explain the actual problem, not what you think might cause it.

     

     

    Dust off & nuke your computer(s) from orbit if you want to rid yourself of the problem, it is the only way to be sure…

  • scissortail76b (Level 1, 0 points), Aug 6, 2015 11:21 AM, in response to Drew Reece

    Thank you Drew for clearing that up. Now please explain everything else I already mentioned as well before telling me I don't know what I'm talking about.

     

    The saddest thing to me in every single post like this is all the responses like yours telling people that there are parts of the OS they have no business messing with. Telling people to just shut up and keep it hidden and don't question it. I'm not running a nuclear power plant here... It's a personal computer. I can break it if I want to and then learn how it works by fixing it. You basically tell me not to mess with technology I don't understand, but that's exactly what I'm doing by using a computer that hides everything from me.

     

    My Apple ID stopped working... I can't reset the password, AppleCare initially told me to contact law enforcement after they couldn't fix it, and now they won't answer my emails. So yeah, you're probably right. It's all in my head. Silly me.

  • Kurt Lang (Level 8, 37,939 points, Mac OS X), Aug 6, 2015 1:07 PM, in response to scissortail76b

    scissortail76b wrote:

    The saddest thing to me in every single post like this is all the responses like yours telling people that there are parts of the OS they have no business messing with.

    That's because, so far, that has been the correct answer. Drew's response was about as non-confrontational as a person can be. He did no more than describe that the folder in question was normal, and direct you to a supporting document. If his last paragraph was what you have a bit of umbrage with, he isn't the first person to suggest the same thoughts.

    scissortail76b wrote:

    I can break it if I want to and then learn how it works by fixing it. You basically tell me not to mess with technology I don't understand, but that's exactly what I'm doing by using a computer that hides everything from me.

    So you at least admit (in a sense) that the problems you're having are of your own doing. I'd love to help, but these continual trips down the rabbit hole of self-inflicted damage are getting old. Windows hides thousands of files, too. But I don't go rooting into the system folders and start deleting .dll and other files that sound "suspicious" to me.

    scissortail76b wrote:

    AppleCare initially told me to contact law enforcement after they couldn't fix it, and now they won't answer my emails.

    So did you contact law enforcement? Apple can only do so much to try and fix a user account. If the account was hacked and the password changed, privacy rules don't allow Apple to see what your original password was, or what it was changed to. Even if they look with your permission, it's encrypted. It's all for the user's safety that a company cannot enter anyone's account at will. Apple is far from the only company that does this. It's up to you to a) remember what your password is, and b) use a password that can't be easily guessed or cracked.

  • Drew Reece (Level 5, 7,694 points, Notebooks), Aug 6, 2015 4:10 PM, in response to scissortail76b

    Did you contact law enforcement as advised by Apple?

    If an iCloud account is compromised it can lead to the Mac being controlled, but it only has the same features as are available in the Find My Mac service. Back to My Mac can allow remote access if it was enabled (erasing the OS should stop that).

    The Mac may contain evidence if it is actually compromised. Reinstalling OS's will obliterate that if it is stored on the disk, think about how you want to proceed.

     

    scissortail76b wrote:

    Thank you Drew for clearing that up. Now please explain everything else I already mentioned as well before telling me I don't know what I'm talking about.

     

    Many of the points you raise can be explained by means that do not need you to be hacked. Here are just a few responses to your posts, I've tried to keep it in order…

     

    Gatekeeper is part of OS X. Asian language support is too, having them listed in install logs is normal. Webooks is unusual but it could be from a third party app, I really don't know at what state the OS was when that appeared.

    The packages contained in the OS X installer can show the files to be installed if you really want to see how much is installed by default. I have a clean 10.10 install with over 350,000 files, it's more than I could keep track of.

     

    Here is how OS X tells you what package installed one of those Automator actions, in Terminal…

    pkgutil --file-info /System/Library/Automator/Activate\ Fonts.action/

    volume: /
    path: /System/Library/Automator/Activate Fonts.action/

    pkgid: com.apple.pkg.Essentials
    pkg-version: 10.9.0.1.1.1306847324
    install-time: 1399430468
    uid: 0
    gid: 0
    mode: 755

    pkgid: com.apple.pkg.update.os.10.9.3.13D65.delta
    pkg-version: 1.0.0.0.1.1306847324
    install-time: 1400212681
    uid: 0
    gid: 0
    mode: 755

     

    It is installed via the 'Essentials' package & updated via the 10.9.3 delta update (yes this is a 10.9 Mac). It is part of a legitimate installer, you can go back & verify the install package certificate too if you still have the OS installer, it should be signed by Apple nowadays.

     

    Certificates can vary across Macs if they are not using the same OS X version (& minor updates). It is also likely that a migrated Mac will have some legacy certificates in addition to the default ones. Apple have this list for verification…

    List of available trusted root certificates in OS X Yosemite - Apple Support

     

    The OS X installer includes Python by default, so avoiding Xcode does nothing to protect you from that or many of the other scripting environments, finding it is not a bad sign in itself.

     

    Linux (and OS X) creates many devices, character devices & tty's in /dev. That is just how it operates. Have you ever heard the saying 'everything is a file in Linux or Unix'? 

    /dev is where hardware devices are turned into 'files' that can include files just for the status LED's of attached hardware etc, it is normal to see many entries, unless you have built the OS yourself & know how it all operates it can be difficult to unpick.

     

    You found TAILS OS was slow. That is what happens when you run an OS that avoids writing to permanent storage. Also running from an external disk is slower than internal disks - did you full install it or USB boot it? TAILS tries to use Tor for all internet traffic, so it makes the internet many times slower, but you view it as a sign that the Mac is hacked.

     

    You found a tftpboot folder in OS X, I assume you mean /private/tftpboot ?

    That is normal even when networking is off. It is for OS X to host a server with a tftp share for other devices - it is nothing to do with how the OS is booting. OS X has many servers built in, most are disabled by default. Config files are installed for non-Apple services (such as the Apache web server), supporting files & folders are also created.

     

    You installed Kali & then found the "Cheeky b@$t@rd$" had hacked your machine again & 'revealed' all the 'hacker tools' like netcat. Unfortunately Kali linux is a 'penetration testing & security' distribution. That is how it is designed. It is normal for those tools to appear in menus - it is a selling point of that OS. It is intended for security professionals.

    Sorry but this isn't a sign of an elaborate EFI hack - it is a user jumping to conclusions because they don't understand the OS.

     

    You tell us your DNS is hacked. If that is the case you can try to work out where the hack is & avoid it (it is either on your network or external to it). Start by using another network. Reset your router if you think it is compromised (or replace it). There is some good starting info at …

    http://www.thesafemac.com/how-to-manage-a-hacked-wireless-router/

    Have you contacted your ISP? They may explain why you are assigned the IP. A 'class A' range does not have to be a public address, the 10.x.x.x range is a class A, but is only available as a private network. If you don't trust the ISP change the supplier.

     

    Get the OS X installer via a connection that you do not think is 'hacked' & it should create a clean, secure installation. Ask at an Apple Store if they will download it for you if you trust them.

     

    Reduced numbers of processors may show up if you have failing hardware. Have you run Apple hardware test?

    Using Apple Hardware Test - Apple Support

     

    Your 500GB hard disk showing around 450G is normal if it is using Gibibytes instead of Gigabytes - it really depends on the method used to view it, linux distros show it using different units, 465GiB seems about right …

    http://www.wolframalpha.com/input/?i=500+gigabytes+in+gibibytes

     

    You found EFI & SMC payloads in the OS X installer - once again normal. OS X can require firmware updates so it bundles them to make the upgrade process easier.

    netstat shows many internal connections - even when the Mac is not networking. OS X opens sockets to itself, again I see this on a clean Mac with no networking enabled.

     

    /home & /net are normal hidden folders on OS X, those Automator actions are also in a standard install.

     

    On a clean 10.10.3 here is a count of the System launchd jobs…

    ls -l /System/Library/LaunchAgents | wc -l
    211

    ls -l /System/Library/LaunchDaemons | wc -l
    261

     

     


    I do think that tearing into a system is a good way to learn, but you are not tweaking & learning, you are hunting for things that look scary & assuming they are bad. Many many of the things you find look scary to untrained eyes, which is why Apple told you to seek help from law enforcement. They are trained to forensically break down compromised machines whilst preserving evidence. Dig into the OS, break it, reinstall it, break it again, it is a fun way to learn, but that is different to hunting for signs of a compromise.


     

     

    I don't doubt that it is possible for Thunderstrike or any of the other historically known 'DMA attacks' to cause some of what you claim (the potential has been known since before Firewire was invented). It just seems unlikely, I haven't seen reports of these attacks used 'in the wild' & these complex persistent attacks seem to have been the reserve of nation states who don't generally target just anyone. You don't say if you work for a government or related agency so I doubt you are a target and if you are their target they have failed since you have discovered so much!

     

    Many of your claims here are not signs of an attack, they are just mistakes you made. It makes it practically impossible to distinguish what is fact & what is you misunderstanding the internals of these OS's. Your descriptions of 'it' jumping around from Mac to Mac & to iOS devices also make it sound beyond what we have seen, not impossible, but very implausible.  You haven't defined what 'it' is either beyond a fuzzy feeling that something is wrong.

     

    It sounds drastic, but if you have the rootkit that you think you have then it would be a permanent fixture of these devices - unremovable. Apple patched Thunderstrike in newer OS's so your only option would be to stop using the devices (hand them all to the police) & acquire new ones. If you have any Apple warranty, return them.

     

    P.S.

    I'm not trying to discredit everything you said, I'm just suggesting that you are missing many nuances & features of several complex systems.
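The receipt check shown in this reply, turned into something you can run over a whole directory, as an added example that is neither Drew's code nor Apple's tooling. It parses the `pkgutil --file-info` output format quoted above and classifies each path by who delivered it: every receipt an Apple one (`com.apple.pkg.*`), none of them, a mix, or no receipt at all. It assumes pkgutil prints `key: value` lines in blank-line-separated blocks exactly as in the quoted output and prints no `pkgid` block for a path nothing installed; the embedded sample is that quoted output, so the parser runs anywhere, while `file_info()` shells out to pkgutil and only works on a Mac.

```python
#!/usr/bin/env python3
"""Classify a path by the installer receipt(s) that delivered it.

Parses the `pkgutil --file-info <path>` output format quoted in the reply
above. Added illustration, not Apple tooling: file_info() runs pkgutil and
so only works on a Mac; parsing and classification run anywhere.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List

APPLE_PKG_PREFIX = "com.apple.pkg."   # Apple's own receipts use this prefix


@dataclass
class Receipt:
    pkgid: str
    version: str
    install_time: int   # Unix timestamp, as pkgutil prints it
    uid: int
    gid: int
    mode: str


def _to_receipt(fields: Dict[str, str]) -> Receipt:
    return Receipt(
        pkgid=fields["pkgid"],
        version=fields.get("pkg-version", ""),
        install_time=int(fields.get("install-time", "0")),
        uid=int(fields.get("uid", "0")),
        gid=int(fields.get("gid", "0")),
        mode=fields.get("mode", ""),
    )


def parse_file_info(text: str) -> List[Receipt]:
    """Turn pkgutil's `key: value` blocks into Receipts, one per pkgid block.

    The leading volume:/path: block carries no pkgid and is dropped.
    Assumption: blocks are separated by blank lines, as in the quoted output.
    """
    receipts: List[Receipt] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if "pkgid" in fields:
                receipts.append(_to_receipt(fields))
            fields = {}
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if "pkgid" in fields:           # last block may lack a trailing blank line
        receipts.append(_to_receipt(fields))
    return receipts


def classify(receipts: List[Receipt]) -> str:
    """'apple' if every receipt is Apple's, 'third-party' if none is,
    'mixed' if both kinds claim the path, 'no-receipt' if nothing does."""
    if not receipts:
        return "no-receipt"
    apple = sum(1 for r in receipts if r.pkgid.startswith(APPLE_PKG_PREFIX))
    if apple == len(receipts):
        return "apple"
    if apple == 0:
        return "third-party"
    return "mixed"


def file_info(path: str) -> List[Receipt]:
    """Query pkgutil for a real path (macOS only; assumes pkgutil is on PATH)."""
    proc = subprocess.run(["pkgutil", "--file-info", path],
                          capture_output=True, text=True, check=False)
    return parse_file_info(proc.stdout)


# Constructed sample: the output quoted in the reply above, verbatim.
SAMPLE_OUTPUT = """\
volume: /
path: /System/Library/Automator/Activate Fonts.action/

pkgid: com.apple.pkg.Essentials
pkg-version: 10.9.0.1.1.1306847324
install-time: 1399430468
uid: 0
gid: 0
mode: 755

pkgid: com.apple.pkg.update.os.10.9.3.13D65.delta
pkg-version: 1.0.0.0.1.1306847324
install-time: 1400212681
uid: 0
gid: 0
mode: 755
"""


if __name__ == "__main__":
    # With paths on the command line, query pkgutil; otherwise use the sample.
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            rs = file_info(p)
            print(f"{classify(rs):12} {p}  {[r.pkgid for r in rs]}")
    else:
        rs = parse_file_info(SAMPLE_OUTPUT)
        print(classify(rs), [r.pkgid for r in rs])
```

Invoke it on the Mac in question with the paths to check as arguments (for example every bundle under /System/Library/Automator); a 'no-receipt' or 'third-party' result under /System/Library is what deserves a closer look. A receipt only records which package delivered a path, not whether the file on disk still matches what was delivered, so for a signed bundle `codesign --verify --deep --strict <bundle>` is the check for its contents, and the whole exercise is only as trustworthy as the pkgutil binary and receipt database on the machine running it.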

  • scissortail76 (Level 1, 5 points), Aug 12, 2015 8:09 AM, in response to Drew Reece

    Thank you for taking the time to read and reply so thoroughly but most of your assumptions are incorrect. Unfortunately you see the world differently than I do. I see an overall system that is not as it should be and is not running as efficiently as I know it should. I have a very keen impression of how a system feels and makes me feel when I interact with it, and this does not feel even close to right. That is what it means to get the many nuances of several complex systems. You have described everything in terms and definitions that are all separate from each other but you have not stepped back to see it all together as the unit it is or explained what it means that all these anomalies have happened at the same time and in symbiosis with each other. So sure I may miss a few definitions here and there and assume a few things are bad that are harmless but I know there is something very very sinister behind what is going on. So now take this paragraph and split it up into individual comments and respond with your jabs and self righteous rhetoric but when you're done all you will have done is taken a complex and organic concept and chopped it up into parking lots and coffee shops. And if that makes no sense to you then good.

     

    End of discussion.

  • Drew Reece (Level 5, 7,694 points, Notebooks), Aug 12, 2015 10:46 AM, in response to scissortail76

    You asked for a breakdown that explained why you are misunderstanding these OS's, I did that but you still choose to ignore it. Apple told you to seek legal help, yet you keep ignoring our requests for the status of your legal assistance. There is no point in trying to help you.

     

    Good luck explaining your feelings to the Police or to Apple. Your devices need forensic investigation to prove or remove any of the spurious things you claim to have found.


    Feelings have no place in technical examinations of electronics.


    I have no need to 'step back' for an overview, I have looked at all your posts here already, there is only evidence of your repeated mistakes & assumptions related to how all of these OS's work. The one constant factor here is you are making assumptions that are provably wrong.


    I wish you luck, I hoped you would see sense, but you are clearly being deluded by your feelings.

  • cdhw (Level 4, 2,668 points, Servers Enterprise), Aug 12, 2015 10:52 AM, in response to Drew Reece

    For goodness sake, STOP FEEDING THE TROLL!

     

    C.

  • nerdynick (Level 1, 0 points), Aug 13, 2015 8:49 AM, in response to scissortail76

    Scissortail76, I believe you. I sincerely apologize for the conduct of some of the members of this community. I gather from your original comments that you have been struggling with this issue for over half a year now and have made numerous attempts seeking assistance to no avail. I'm going to go out on a limb here and also assume you've suffered the same sort of undue slights and dismissive skepticism on display in this thread at every turn for help, right?

     

    The good news is you're (probably) not crazy. At the very least I believe you deserve the benefit of the doubt until all the facts are on the table. Good for you for respecting your own intuition and not being swayed by those unqualified to render an accurate verdict on your situation short of all the necessary facts. I admire your perseverance.

     

    Unfortunately, this thread went down a predictable, almost formulaic path which has not only done you a disservice but the Mac and security minded community as a whole. The brightest, most active members of a forum community such as this occasionally succumb to their own knee-jerk biases and institutional fatigue with answering the same monotonous questions from the same drive by users who, most of the time, fail to grasp the nuance and complexities of their systems.  An echo chamber of conventional wisdom combined with an almost impenetrable wall of skepticism and disinterest results in situations like yours having a high chance of getting shouted down. Then, trolls like Kurt forget they are responding to another human being that deserves respect and common decency, and inevitably they pile on.

     

    The same thing happens when a user spots a legitimate, undocumented bug in a product or service for the first time. If you've ever tried to route a real bug up the chain as a normal consumer you'll know what I mean. If I was a betting man, I would admittedly place my bet against you being right about this improbable scenario of yours.

     

    As a thought experiment, let's say you're wrong but your initial premise (that you've been using Macs for years and know enough to know when one of your systems is behaving in an extreme fashion, out of the ordinary) is true. Judged on how you've been treated, I don't see much incentive on your part to persist this long if you were making it all up. I think the experts on this forum would likely have been more attentive and inevitably flushed out whatever was actually going on if everyone had kept an open mind and remained civil. Worst case scenario is you're wrong, you finally get resolution to your issue and a healthy learning opportunity is shared by all. Instead, the onus was placed on you to demonstrate overwhelming proof, as well as demonstrate a flawless understanding of the inner workings of your operating system, networking technologies, programming, security etc. I must point out that this is not a prerequisite for you being right or wrong.

     

    If I wasn't going through the same exact thing myself I might have been quick to judge as well. You aren't alone, however. What you are describing is rare, but real. I encourage you to reach out to me directly and I will do my best to put you in touch with those that can hopefully help. At the very least we can share notes.

  • Kurt Lang (Level 8, 37,939 points, Mac OS X), Aug 13, 2015 9:25 AM, in response to nerdynick

    The OP has yet to post anything that hasn't been proven to be a normal part of OS X. Until we see something, anything, to prove otherwise, there's nothing to go by that supports anything Scissortail76 has said.

  • Drew Reece (Level 5, 7,694 points, Notebooks), Aug 13, 2015 3:50 PM, in response to nerdynick

    For what it is worth I don't disagree with most of what you have posted, nerdynick. My problem is the same as Kurt Lang's (and others here) – very little evidence of anything has been posted here…

     

    scissortail76, if you think it is a custom boot loader try booting whilst holding alt & photograph the things you see. Boot from each of the possible options & photograph any screens that have text or appear unusual. Please post the images here. If the screens flash up too fast try video recording & use Dropbox or some other online video hosting to upload the files.

     

    I have used many different boot loaders, perhaps if one is evident it will give you a real place to start looking.

  • italwaysbreaks (Level 1, 0 points), Nov 4, 2015 6:30 PM, in response to scissortail76

    I have the exact same problem. I just can't prove it to Apple. But just about every symptom you have described is happening to both of my Macs, and it's possible my iPhone has been cursed with this also. I don't have time at the moment, but I will write a full description of exactly what's been happening to me. It's been ruining my life, soaking up every bit of free time I have, and disabling me from getting anything done as I am afraid I will wake up with every account that I ever accessed from my computer completely gone one day. So I can't check emails, bank accounts, software I own (for updates), or even log into the App Store to get my purchases as that account has all of my info on it. I am using a new Apple ID right now just in case it gets compromised. But yes, I will write more on this. The Apple Store has reformatted my drive 8 times now, and that's all they do. Then they just tell me that it's a "logic board problem". Well, guess what, it's not. They already replaced every chip in my MacBook Pro except the hard drive after the technician told me "I've NEVER seen anything like this before". Then he went into the back room, talked to the manager, and came back telling me they are going to replace everything for free even though I don't have AppleCare. That was at the end of July 2015. The computer worked for a week before it went nuts again, and then it infected my iMac, router, and possibly iPhone. I don't know what to do anymore, but it's pretty obvious that Apple is being very quiet about this unreported "rootkit" vulnerability, as if anyone had real evidence of it, I'm sure it would be grounds for one of the biggest class actions Apple has ever seen. I will report more soon and give you the full story. Maybe you can help me identify the problem or find evidence of this the way you did, and we can compare our results? One thing is for certain though, about 90% of the things you listed are happening to me, and more! It's a scary time, and my life seems to be getting worse every day as I spend all of my time on blogs, forums, and in the Apple Store begging them to look deeper into the problem. Talk soon!

  • Kurt Lang (Level 8, 37,939 points, Mac OS X), Nov 5, 2015 7:01 AM, in response to italwaysbreaks

    I don't know what you're doing to totally screw up each computer in your possession, but the problem would have to be you.

     

    Do you have and routinely install illegally obtained software?

     

    Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com ?

     

    After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.

     

    A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.

     

    More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).

     

    Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com .

  • italwaysbreaks (Level 1, 0 points), Nov 6, 2015 5:58 AM, in response to nerdynick

    Please oh please let me know who I can contact about this. I have the same problem. Have you found any solution? Apple blows me off every time. It's been 4 months of trying to clean install the **** out of my computer and my life feels like it's going down the tubes as both my Macs are infected. I have to use a public computer for anything private. It's awful. I have tons of screenshots, and a decent amount of videos of this abnormally odd behavior. It has been so difficult to "catch this rootkit in action", so to speak, but I do have some video evidence. It is such an unpredictable virus, it's almost impossible to catch or prove. Please please help me. Contact info, or some direction as to who may be interested in looking into the depths of my Macs, would be greatly appreciated.
