.ellelle

Q: System Integrity Protection

Months later and I'm still dealing with this. AppleCare, the Genius Bar, local service providers et al. have all worked on 3 of 4 machines (the 4th is under a month old).


Short story: MacBook Pro, two MacBook Airs and iMac all compromised. All have been clean installed, securely wiped and no data transferred.

The first "attack" I observed was on December 10, 2015, when Bluetooth File Transfer opened and files from my library were moved. Next, Automator opened and crashed my machine. I disconnected Wi-Fi the moment I realized what was happening.

After weeks of bad advice, no help and a small fortune, I found a hidden partition on the startup disk containing the malicious files. They are similar to normal OS X recovery files.

I attempted a reset in Terminal, but I am not the administrator of my machine. No Wi-Fi is turned on, yet the machine is connected to a local network.

Is there any way to restore SIP and regain control of my system?

--Most of the Disk Utility menu for the startup disk is greyed out. If I search for an image, several connected devices appear.

Apple suggested the yellow pages. My area has one service provider who "fixed" the problem. They recommended selling them.

For Clarification:

YES, I tried a clean install via Apple's instructions: new USB, made from a different machine away from my network.

My network is currently secure with non-default passwords, a new modem, access point, and an enterprise-level external firewall.

I was originally using JavaScript/Chrome, a requirement for school.

No dark web, pornographic, or shady websites were visited.

All software was purchased via the App Store, minus 3 professional programs that were installed via USB.

weeks of absolute ****!

MacBook Pro

Posted on Jan 29, 2016 8:28 PM

  • notcloudy, Jan 30, 2016 2:49 PM in response to .ellelle
    Level 4 (1,190 points), Desktops

    You may have an issue with your wireless network - it may not be properly secured.

    Another area I would look at -- if you are using Safari -- is cleaning up Top Sites. Also look at email RSS feeds and any RSS feeds you may have bookmarked. The same goes for any "open this page when I connect" setups; both RSS sites and Top Sites refresh.

    If you are using other web browsers with fast-load options, check that those pages are valid.

    The App Store did pull a few apps because they had malware in them (heard on the news); I don't know which ones, but I guess they were third-party approved.

  • Leopardus, Jan 31, 2016 1:07 AM in response to MrHoffman
    Level 4 (1,122 points), Desktops

    MrHoffman wrote:

    it's possible to disable system integrity protection dynamically, if you have kernel access.

    But again — if SIP has been disabled via the recovery boot or otherwise — none of what is installed can be trusted.

    That implies the installation of something which changed the kernel (add-ons). That occurs when allowing installation from doubtful sources, which means the security preferences were changed by the admin or a remote admin. But I concur.

    Leo

  • EcoGreg, Jan 31, 2016 6:09 AM in response to .ellelle
    Level 3 (537 points), Mac OS X

    Hi Ellelle

    Wow, what a nightmare! What I suspect may make it even worse, but there is absolutely no way for me to know for sure other than some high-level snooping.

    First, "Who is the Administrator" on your computers? You have 4 computers; someone has to have admin privileges. Is it remotely done?

    Given all you have tried, OS erase re-installs, Apple support etc., I fear your computers may be victims of a new breed of malware that is rare, but unfortunately now in the wild (since at least 2014). While it could be one of several, I suspect you may have been infected by "BadUSB", malware that rewrites the USB firmware. It is largely undetectable, survives OS wipes/reinstalls and almost everything. It can affect Macs, Linux, Windows, and any device that has USB controllers.

    USB is ubiquitous, uses mostly Intel chips, and the chips contain enough space to allow malicious code to raise major Hxxx on your computers. This code can also be set to replicate itself to any USB device that is installed in your computer or any device that attaches to your USB port.

    You say you have found unknown "files for detachable drives" and this could also be an indicator.

    About the only way to know for sure would be to compare the USB firmware code to the known original code. This is something Apple could do, and it would be in their best interests to do so.

    Not sure if there is any security software that will detect BadUSB, but there is some for other malware.

    There are now other versions of malware that are exploiting hardware/firmware files. These are very vicious. They are "low level" exploits and SIP may not be able to protect you from them.

    Sorry dear Mac users, the days of Macs not being vulnerable are unfortunately over. We just need to be glad they are still rare.

    See these articles or search for "badusb+mac" "thunderstrike+mac" "mac+malware"

    http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/

    http://www.imore.com/usb-c-and-badusb-attacks-what-you-need-know

    http://www.wired.com/2014/07/usb-security/

    https://tidbits.com/article/15505


    Sorry,

    Hope this helps, Greg
