How to remove Boot Sector Malware of a Mac Book Air

I know everyone thinks I am a complete looney, but I have ascertained that there is indeed a boot sector virus on my Mac Book Air, and it survives disk formats. My machines were infected by a combination of this and a rootkit, it seems it was by a World of Warcraft game player / hacker, why I say this I will come to a bit later.

Here's how it works, when the system is infected, it changes the blessed boot loader to be one of it's own making. It uses a custom boot.efi as well as a file called OpenFirmware.scap. The open firmware file does only it knows what, but one of the things it ends up doing is creating a ramdisk with all of it's malware in it. This ramdisk is union mounted over strategic portions of the existing file system on the hard disk. This is how it survives the reformatting. I have tried using hdiutil to unmount all the ramdisks, (specifically it seems to hog /dev/disk1) but to no avail, when I try to unmount it I get told "permission denied". How DOES one change to root in a Mac OS X Install Terminal windows ? What is even more perplexing is that it even managed to survive a brutal hack of the hard disk, I did the following

dd if=/dev/zero of=/dev/rdisk0, where rdisk0 was the raw device for my hard disk.

What did in the end work with my Mac Pro was to boot off a Linux boot disk and repartition and format the disk as a Linux disk and install Linux on it. After that I repartitioned it as a GUID and then installed Mac OS X. This seems to have worked on the Mac Pro, but I have yet to try it on the Mac Book Air. I have purchased the superdrive for the Air, and I hope that will help.

Now why do I know I have a boot sector virus from a World of Warcraft hacker. If one has a look in /Library/Preferences, specifically at com.apple.alf.plist, it has several sections in it, the 2 to look at are, exceptions and explicitauths, exceptions should have about 6 or 7 items in it if I remember correctly and they should be similar to nmblookup, gdb, etc (you can look them up), however in a compromised system they are changed to just 3, which are, "configd","mDNSResponder","racoon" of course the mDNSResponder is a hacked version that passes out more than just UDP DNS info. Additionally the explicitauths, have been changed to things such as com.blizzard.Diablo, com.blizzard.downloader, com.blizzard.WarcraftIII,com.blizzard.Starcraft. In other words, all the gaming junk has been loaded in there. I have just found out now, when looking at my preferences, that my Pro is re-infected. I am at my wits end.

Here's a copy of my infected com.apple.alf.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>applications</key>
<array/>
<key>exceptions</key>
<array>
<dict>
<key>path</key>
<string>/usr/sbin/configd</string>
<key>state</key>
<integer>3</integer>
</dict>
<dict>
<key>path</key>
<string>/usr/sbin/mDNSResponder</string>
<key>state</key>
<integer>3</integer>
</dict>
<dict>
<key>path</key>
<string>/usr/sbin/racoon</string>
<key>state</key>
<integer>3</integer>
</dict>
</array>
<key>explicitauths</key>
<array>
<dict>
<key>path</key>
<string>/System/Library/Frameworks/Python.framework/Versions/Current/Resources/ Python.app</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/ruby</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/perl</string>
</dict>
<dict>
<key>path</key>
<string>/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Command s/java</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/php</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/nc</string>
</dict>
<dict>
<key>path</key>
<string>/bin/ksh</string>
</dict>
</array>
<key>firewall</key>
<dict>
<key>Apple Remote Desktop</key>
<dict>
<key>proc</key>
<string>AppleVNCServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>FTP Access</key>
<dict>
<key>proc</key>
<string>ftpd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Personal File Sharing</key>
<dict>
<key>proc</key>
<string>AppleFileServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Personal Web Sharing</key>
<dict>
<key>proc</key>
<string>httpd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Printer Sharing</key>
<dict>
<key>proc</key>
<string>cupsd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Remote Apple Events</key>
<dict>
<key>proc</key>
<string>AEServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Remote Login - SSH</key>
<dict>
<key>proc</key>
<string>sshd-keygen-wrapper</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Samba Sharing</key>
<dict>
<key>proc</key>
<string>smbd</string>
<key>state</key>
<integer>0</integer>
</dict>
</dict>
<key>firewallunload</key>
<integer>0</integer>
<key>globalstate</key>
<integer>0</integer>
<key>loggingenabled</key>
<integer>1</integer>
<key>signexceptions</key>
<array>
<dict>
<key>bundleid</key>
<string>com.skype.skype</string>
<key>procname</key>
<string>Skype</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.launcher</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.downloader</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.worldofwarcraft</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Installer</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.starcraft2</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.errorreporter</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.BNUpdate</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Patcher</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Starcraft</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.WarcraftIII</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Diablo2</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.armygame.operations</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>creator</key>
<string>BNUp</string>
<key>procname</key>
<string>BNUpdate (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>BNu2</string>
<key>procname</key>
<string>BNUpdate (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>SWar</string>
<key>procname</key>
<string>Starcraft (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>StCm</string>
<key>procname</key>
<string>StarCraft Map Editor</string>
</dict>
<dict>
<key>creator</key>
<string>Dbl2</string>
<key>procname</key>
<string>Diablo II</string>
</dict>
<dict>
<key>creator</key>
<string>PJ03</string>
<key>procname</key>
<string>Director MX</string>
</dict>
<dict>
<key>creator</key>
<string>PJ07</string>
<key>procname</key>
<string>Director</string>
</dict>
<dict>
<key>creator</key>
<string>FP98</string>
<key>procname</key>
<string>Flash</string>
</dict>
</array>
<key>stealthenabled</key>
<integer>0</integer>
<key>version</key>
<string>1.0a17</string>
</dict>
</plist>

Buy the MacBook Air SuperDrive

http://store.apple.com/us/product/MB397G/A?fnode=MTY1NDA0Nw&mco=MjE0NzQzMQ

Take the MBA completely OFF the network - physically disconnected from all other potentially infected computers.

Booting from the MBA SuperDrive, use the original MBA install disks, repartition and erase, the internal MBA hard disk drive and reinstall the OS.

Do NOT connect to your local network or any other computer on the LAN. Once you have installed a clean copy of the OS using the SuperDrive, take the MBA to a nearby internet cafe and download the updates - Download the 10.5.5 Combo updater and run it at the internet cafe.

Now turn off Bluetooth and IPVx or whatever else you think is allowing your MBA to be infected. You now have a clean MBA.

Then, get some IT malware experts to clean off the other machines on the LAN.

I am not familiar with any malware programs that can create the infection you are describing, but the process I outlined above will give you one absolutely clean machine for comparison with potentially infected machines on the LAN.

I hope that helps. 😉

Glorfindeal wrote:
I don't know about malware, since officially, none exist on the mac

I think you're confusing yourself with viruses here. Malware is a slightly different form of disruptive software code and can be a little broader in definition, but it has been encountered with OS X, though generally isn't defined as self-propagating (that's a virus to most folks).

Macs don't have as much malware as PCs so there aren't any malware removal utilities I can think of beyond possibly trying the anti-virus packages for Mac (I don't know how reliable these are myself and to what extent they check for malware, they seem to me aimed at removing the many Windows viruses that might be inadvertently present on your computer system).

However, ultimately, and assuming that problem isn't simply some form of hardware failure (can try AHT, butneed to check out some form of Apple, or apple authorized, service for that if fails), then I'd have thought erase and install would sort it out for you, if nothing else, and here's the how-to:

http://support.apple.com/kb/HT3263

If you could provide some facts that tell us why you believe this is happening, it might help us in assisting you.

You can boot the MacBook Air from a disk if you use Apple's external [MacBook Air SuperDrive|http://store.apple.com/us/product/MB397G/A?mco=MTIxODk3Mw].

I don't know about malware, since officially, none exist on the mac, but how about changing the format type. Rather than format as an apple drive (hfs +), format it as a fat32 drive. They use completely different partition schemes and boot sectors. Afterwared reformat it as an apple drive (guid partition).

Glor

What are you installing that this issue first occured on your iMac, and then on your MBA?

Just curious - is it software from Torrent sites or something like that?

Or is it an 'official' program and you just think the company is spying on you and everyone else that install their software?

i'm not sure i understand your problem completely, but what i've been using to run disk maintenance is a bootable flash drive with a full install of mac os x.

I'm sure you could build the same with mac or linux tools and boot from that.

It seems there is a malware or virus on the OP's LAN that is immediately infecting the MBA even when he attempts a clean install. That is why I suggested using an Apple SuperDrive to completely separate the reinstall from the LAN.

Your approach - which I do use - would require building the bootable flash drive on the assumed infected LAN.

but if there was a virus that affects a mac, don't you think it would be big news right now?

I agree Glor. But the OP is convinced that he has malware in the boot sector. If he follows my suggestion for a totally clean completely off-the-LAN reformat and reinstall from the original disks, he (and we) will know "for sure".

If the MBA comes up clean with an off-the-LAN reinstall, he will know he needs to find the culprit on the LAN. If he gets the same "suspected malware" completely off-the-LAN, then we will all know that he is misinterpreting something that is a normal and proper part of the OS and, hopefully, one of us will be smart enough to identify and explain the OS component that he is misinterpreting.

Either way, new-to-us-malware or misinterpreted OS component, an off-the-LAN clean install will answer the question definitively. Yep, more work, but an absolute answer. 😉

i think i get your problem. Try this strategy. Create a bootcamp partition via bootcamp wizard. Insert a win xp sp2+ into your external superdrive and boot from disk. Use the disk utility/format/partition tool in the beginning of the win installation to identify and neutralize rogue partitions and format everything.

Tada.

there are viruses and malware etc for macs just not so much as for windows, i know of many viruses etc. I use iAntiVirus it has worked good for me (i know name *****) but well its free but in fact there exist virus for mac

Message was edited by: adrianrr

Well, I don't even play warcraft or any game like that. My preference file has this same Blizzard stuff you mention. So, is my computer also infected? Curious what this preference file is and how and why mine shows this same stuff as yours? tj