scissortail76

Q: Traveling Rootkit

I've been dealing with a rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webhooks and additional packages in tow, including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate and they didn't match.

Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone, meaning I have to reinstall from scratch.

I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist, and somewhere I found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use Internet Recovery, which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.

I had to start using terminal commands for everything because the GUI apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely, including the EFI partition and Recovery Drive, but it still comes back even if I'm offline and unplugged. I've seen some rogue code entitling Handoff, and like I said before, Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.

It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's Box. Not an option, since I'm not fast enough to keep up with the mess of new code files spewed forth that results.

Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what, there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too, along with several loop devices, vcsa, vhost-net, etc. Again, this is on an offline computer. However, if I try to install Linux from the SystemRescueCD, the initrd and kernel instructions point the installer to corrupted versions and ACPI still runs even using the apci=off command in GRUB. It then makes a copy of the CD somewhere so it can alter it, and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed, and it was not booted into RAM.

My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library, but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read-only and run from the drive directly. But another weird thing: even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one burned to disk, but by the second one I saw the same language encoding files and a CSS file with the same evil code getting burned to the disk.

I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point: my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed, it finds a way. I'm about to turn my closet into a Faraday cage, but then I can't download software from Apple's "Secure" server.

One thing that would be useful... Oooooohhhhhh so useful... is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developer site but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version, but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky, and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

  • by italwaysbreaks, Nov 6, 2015 7:10 AM in response to Kurt Lang
    Level 1 (0 points)

    Hey Kurt, I do appreciate the answer and time you took to respond. I know you don't have to help me.

    However, this sounds like a very typical Apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago. You sound like you do know Macs, but I think I'm looking more for a cyber-security or computer forensics expert, expert software engineer, or all of the above at this point. Anyway, here are the answers to your questions...

    "Do you have and routinely install illegally obtained software?"

    ---No, all legal from trusted developers.

    "Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com?"

    — That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.

    “After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.”

    ---No, Time Machine is garbage with very limited functionality, and I NEVER use it. If I wanted to back up I would use SuperDuper or Carbon Copy Cloner.

    “A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.”

    —A rootkit infection can happen to anyone. I'm learning the hard way that Macs aren't as obscure as they once were, and since they compute things with other things that compute things, they can be hacked just as easily as anything else that computes things. Here are some links:

    http://securityaffairs.co/wordpress/37394/hacking/mac-zero-day-rootkit-infection.html

    http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

    http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher

    http://www.intego.com/mac-security-blog/rootkit-sleep/

    http://www.washingtonexaminer.com/fbi-reminds-us-that-everything-can-be-hacked/article/2572021

    http://www.newsweek.com/china-hackers-fbi-346667?piano_d=1

    http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/

    http://www.theguardian.com/commentisfree/2014/oct/29/fbi-hacking-press-internet-users

    and for our supposedly antihackable iPhone...

    http://www.intego.com/mac-security-blog/ingenious-attack-shows-how-siri-could-be-hijacked-silently-from-16-feet-away-but-dont-lose-any-sleep/

    “More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).”

    —I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store. And at that, the problem still arises before I even do that. Fresh after a clean install. I NEVER post on forums, as I'm stubborn and usually can figure everything out myself. But the fact that I'm here kind of says something to me. I've got something serious enough to actually reach out for non-Apple Store help.

    “Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com.”

    —Once again, been there, done all of these things. Nothing an Apple genius wouldn't have told me in their primitive tongue after my 7th store visit. A firmware virus manages to infect and control the 1st instruction possible in your computer, so yeah, check and check. Problems still come back. I suspect when I boot to recovery mode, I am somehow being redirected to download a modified clone coming from China or something.

    Sorry for the mild attitude. I've been up all night trying to reinstall everything again (such has been my daily routine for four months now), so naturally I'm a little ******, and pretty tired of hearing n00bsauce Apple fanboys (even though I used to be one) or techs tell me the same typical and standard Apple solutions, while completely ignoring the reality that the problem needs to be looked at thoroughly by a top notch expert. Software engineers, programmers, cybersecurity experts would be ideal at the moment. This kind of stuff isn't a typical fix. Also, apologies for grouping all geniuses together in a category. I suppose there was one Apple genius who I have respect for, as his words to me after doing 45 minutes of diagnostics and tests were “Officially, I have to tell you that a clean wipe will make it work just fine. But unofficially, I will say, I have NEVER seen anything like this before. I would throw that thing away if I were you.” Thanks, anonymous Apple genius who actually is capable of thinking for himself.

    Anyway, if you have any more advice or any resources that may be a bit more knowledgeable in dealing with this monster, it would be greatly appreciated.

  • by Kurt Lang, Nov 6, 2015 8:10 AM in response to italwaysbreaks
    Level 8 (37,892 points), Mac OS X

    However, this sounds like a very typical apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago.

    Just typical troubleshooting steps. Not knowing what you have and haven't tried, it's the easiest place to start.

    That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.

    I wouldn't call it that. Folks anywhere between novice and experienced use such sites to download software. It's kind of the same thing as very intelligent and high up business people admitting that they still managed to fall for the Nigerian type scams. You have to wonder what in the world they're thinking. But anyway, such sites don't normally host illegal software, but are known to be loaded with adware.

    A rootkit infection can happen to anyone.

    Never said it couldn't. I noted it can't possibly move from the Mac Apple took from you to the new one they gave you in return. Not possible. As far as the two known firmware infections, that also cannot happen on the 2015 Mac you now have, or most 2014 models that Apple updated with new firmware that came along with software updates. The new firmware specifically was updated to block such hardware infections.

    So, the only way a rootkit can keep recurring on your Mac is either you keep reinstalling it somehow, or someone else is. But the main point is, it can't keep reinstalling itself from a deep rooted firmware infection since that avenue has been blocked.

    I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store.

    Excellent. I wish more people would be that careful. Sites like Softonic should be shut down. However, it's also how they make money to stay in business. The advertisers pay them quite a bit of money to include those adware installers with the downloads. At least adware (so far) is only greatly annoying. Not dangerous.

    Once again, been there, done all of these things. … Sorry for the mild attitude.

    No problem. I can't be anything but frustrating.

    Sounds like you've already looked into most possibilities, but here are a few more anyway:

    1) Make sure your router has a secure password. Both the admin login for the router itself, and the wireless access password. The first is much more important than most people seem to realize. Older routers (like three or more years old in particular) still come with moronic setups like the admin name being "admin", and a blank password field. That means literally anyone can drive through a neighborhood with a laptop and look for an open network. They just type 192.168.0.1 into their browser and see what router with its wireless signal enabled responds. Then they try the most common default admin/password settings and see if they can get in to your network.

    2) Does anyone else, at any time, have access to your Mac when you aren't around? If so, put a firmware password on it to keep them out. Make sure you remember the password so you don't lock yourself out. It would require proof of ownership and a trip to an Apple Store to get the firmware password removed.

    3) A simple one, but should still be checked. Make sure all Sharing items are off in the System Preferences.

  • by Kurt Lang, Nov 6, 2015 10:50 AM in response to Kurt Lang
    Level 8 (37,892 points), Mac OS X

    I wrote:

    No problem. I can't be anything but frustrating.

    There's a Freudian slip if there ever was one! Should have been:

    No problem. It can't be anything but frustrating.

  • by Drew Reece, Nov 6, 2015 2:08 PM in response to italwaysbreaks
    Level 5 (7,559 points), Notebooks

    You have arrived at this forum with your own 'diagnosis' that you appear to be unwilling to alter, or even to discuss that it could be incorrect; that is not how you should try to use this forum. If you want to use the regular process here you really need to explain the issue(s) & set aside your own diagnosis for now. You may be right in your diagnosis, but it can alter the process of troubleshooting if too much is assumed from the get-go.

    The first steps are to describe what your issue actually is - what exact issues have you seen for this problem? We know you have done multiple wipes & reinstalls, but what exactly gives this 'rootkit' away? Images & videos may help. Also, how do you know that other devices are being affected? Could they all simply be suffering from the same issue (like an unreliable/hacked/malicious internet connection)?

    You could be better off creating your own topic to avoid contaminating the issue you see with the ideas & 'speculation' posted in this thread. Link to it if you want others to follow along from here. Good documentation will help if this does become a widespread occurrence on OS X.

    I understand that rootkits do exist & some of them may actually work on OS X, but I am unable to believe that you & scissortail76 have the same one simply from what you have both posted. We haven't heard of their widespread use on OS X yet, which is part of why you both face the scepticism.

    italwaysbreaks, you have posted so little evidence - the list of links is worthless; we all know that vulnerabilities exist, big deal. Vulnerabilities have always existed in all software; simply reading about them does not mean you have them on your system. I'm reminded of 'Medical students' disease' https://en.wikipedia.org/wiki/Medical_students%27_disease in this regard: reading about a possible attack can help you convince yourself you have it installed. Bugs have existed in all software; how are you sure that part of your issues are not just a bug (or several)?

    Neither of you have posted any conclusive evidence & frankly it may be impossible for you to convince us here via this discussion board. To see a rootkit in action requires access to a system beyond what can be done easily via this forum, but known attacks or modifications may be detectable. Many hardware issues can manifest themselves as strange behaviours that can easily be misread too; add to that the potential for modification of local network traffic or even ISPs to be part of the issue and it gets complex, fast.

    If you are so certain that you have this rootkit or persistent hack you should follow your own common sense & that of the genius bar technician – return it, sell it, throw it away, pass it on to security researchers (for a large fee) or consult your local law enforcement. Consider all the other devices on the network too & consider switching your ISP if it seems network related (or use another network when testing). If the Mac was repaired & is still 'not functioning' you should contact Apple again - they may be required to replace it or offer some recompense if it is unable to work as designed and it failed under the additional warranty that a repair may have given you (consult the terms & conditions of the repair); it really depends on the case history & your local consumer laws. Legal advice may be a reasonable course of action, but just be aware that Apple cannot be held to the words of one genius bar staff member who appears to have offered their opinion on your Mac.

    To remove such a persistent piece of software as you seem to describe could take thousands of dollars & years of experience to unpick.

  • by Res_Q, Nov 16, 2015 2:29 AM in response to scissortail76
    Level 1 (0 points)

    scissortail76, this has happened to me as well. It boggles my mind that serious Mac users could remain in denial. All anyone has to do is read current journals. And yes, the "geniuses" told me they are not trained to read system messages. No solution for you (or me), I'm afraid... but take quasi-comfort in knowing others not only believe you, but are in your boat.

  • by Res_Q, Nov 16, 2015 2:35 AM in response to italwaysbreaks
    Level 1 (0 points)

    italwaysbreaks: Malware can't jump? Read up on malware and airgapped machines. Start, if you like, here: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

  • by Kurt Lang, Nov 16, 2015 6:36 AM in response to Res_Q
    Level 8 (37,892 points), Mac OS X

    Ah, yes. The ol', "I have absolutely no proof of anything, but I'm right and everyone else is wrong."

    What a load of crock in that link. The first two paragraphs only prove that someone had remote access to his Mac. It didn't say anything to you that wiping the drive fixed the problem? So what did this researcher install that allowed the open door? As a security researcher, they intentionally load rogue software daily to see how it works and then how to defend against it. This person either didn't then restore a clean backup before the next day's work, or they didn't completely uninstall malware they were working with.

    Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.

    Absolutely, 100% impossible! No means to transmit anything, not even any power. Try explaining that. I suppose you also believe that if you disconnect the antenna or cable from your TV and unplug it, you'll somehow still be able to watch your shows.

  • by Kurt Lang, Nov 16, 2015 6:57 AM in response to Kurt Lang
    Level 8 (37,892 points), Mac OS X

    And of course, if you bothered to read down far enough, the answer is right in the same article:

    A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.

    So at some point, the researcher put a USB drive into a computer, where it picked up a rootkit virus from an already infected machine, and that rootkit was then able to somehow transfer over to any computer when that USB drive was plugged in. Nothing mysterious here. Such viruses that transfer from media to a computer, and then from an infected computer back to clean removable media, go all the way back to DOS.

  • by jbrdee1, Mar 14, 2016 8:50 AM in response to Kurt Lang
    Level 1 (0 points)

    Everything this man is claiming is truth and it's ****, not to mention frustrating. I'm probably gonna set my 2013 3000 dollar hacktop today; everything will be compromised even if you think it's off. Seen a Clear Channel radio station completely covered and compromised in a matter of 2 weeks. Thank the feds and white trash CIA.

  • by Kurt Lang, Mar 14, 2016 8:59 AM in response to jbrdee1
    Level 8 (37,892 points), Mac OS X

    Yeah. Right. Sure. Whatever you say.
