
How to remove Boot Sector Malware from a MacBook Air

Dear List,

I am at my wits' end. I believe that my MacBook Air is infected with malware that attempts to send data out over either my Bluetooth port or my AirPort. I believe that there are certain files that, when written to a hard disk, cause a Mac OS X installer to use files from the hard disk rather than those from the install disk. I have tried everything I can think of to remove these files from my MacBook Air hard disk without success (repartitioning and reformatting). The only way I managed to remove them from my desktop Mac was by booting from a Linux disk and then using the Linux tools to repartition and reformat the hard disk; I was then able to install an uncompromised version of Mac OS X onto the hard disk. I have no clue as to how to do this on a MacBook Air, and at this point my MacBook Air is unusable, since I cannot remove the boot sector malware. I have tried all of the usual things (i.e. clearing NVRAM, clearing PRAM, doing a safe boot, etc.); nothing works. When the OS X installation is finished, the malware is still there and running.

Any suggestions would be appreciated, as I have run out of ideas.

Thanks

Vincent Coetzee

MacBook Air, Mac OS X (10.5)

Posted on Nov 12, 2008 7:13 AM

Question marked as Best reply

Posted on Nov 23, 2008 7:55 AM

I know everyone thinks I am a complete loony, but I have ascertained that there is indeed a boot sector virus on my MacBook Air, and it survives disk formats. My machines were infected by a combination of this and a rootkit; it seems it was by a World of Warcraft game player / hacker. Why I say this I will come to a bit later.

Here's how it works: when the system is infected, it changes the blessed boot loader to one of its own making. It uses a custom boot.efi as well as a file called OpenFirmware.scap. The Open Firmware file does what only it knows, but one of the things it ends up doing is creating a ramdisk with all of its malware in it. This ramdisk is union mounted over strategic portions of the existing file system on the hard disk. This is how it survives the reformatting. I have tried using hdiutil to unmount all the ramdisks (specifically, it seems to hog /dev/disk1), but to no avail; when I try to unmount it I get told "permission denied". How DOES one change to root in a Mac OS X Install Terminal window? What is even more perplexing is that it even managed to survive a brutal hack of the hard disk. I did the following:

dd if=/dev/zero of=/dev/rdisk0, where rdisk0 was the raw device for my hard disk.

What did in the end work with my Mac Pro was to boot off a Linux boot disk, repartition and format the disk as a Linux disk, and install Linux on it. After that I repartitioned it as GUID and then installed Mac OS X. This seems to have worked on the Mac Pro, but I have yet to try it on the MacBook Air. I have purchased the SuperDrive for the Air, and I hope that will help.

Now, why do I know I have a boot sector virus from a World of Warcraft hacker? If one has a look in /Library/Preferences, specifically at com.apple.alf.plist, it has several sections in it; the two to look at are exceptions and explicitauths. exceptions should have about 6 or 7 items in it, if I remember correctly, and they should be similar to nmblookup, gdb, etc. (you can look them up); however, in a compromised system they are changed to just 3, which are "configd", "mDNSResponder" and "racoon". Of course the mDNSResponder is a hacked version that passes out more than just UDP DNS info. Additionally, the explicitauths have been changed to things such as com.blizzard.Diablo, com.blizzard.downloader, com.blizzard.WarcraftIII and com.blizzard.Starcraft. In other words, all the gaming junk has been loaded in there. I have just found out now, when looking at my preferences, that my Pro is re-infected. I am at my wits' end.
18 replies

Nov 24, 2008 8:16 AM in response to Glorfindeal

Glorfindeal wrote:
I don't know about malware, since officially, none exist on the mac


I think you're confusing yourself with viruses here. Malware is a slightly different form of disruptive software code and can be a little broader in definition, but it has been encountered with OS X, though it generally isn't defined as self-propagating (that's a virus to most folks).

Macs don't have as much malware as PCs, so there aren't any malware removal utilities I can think of beyond possibly trying the anti-virus packages for Mac (I don't know how reliable these are myself, or to what extent they check for malware; they seem to me aimed at removing the many Windows viruses that might be inadvertently present on your computer system).

However, ultimately, and assuming that the problem isn't simply some form of hardware failure (you can try AHT, but you need to check with some form of Apple, or Apple-authorized, service for that if it fails), I'd have thought an erase and install would sort it out for you, if nothing else, and here's the how-to:

http://support.apple.com/kb/HT3263

Nov 24, 2008 9:09 AM in response to ThirdWorldAppleVictim

com.apple.alf.plist is the firewall preference, and the inclusion of the items from Blizzard and Skype in the preference is normal; that's the way the default plist is on the Mac OS X installation disks. I would guess that Apple is including data for those sites by default since those services are so popular. So those entries are not, in and of themselves, any indication that your system has contracted any malware.
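Added example (not from any post in this thread): since the reply above points out that the only reliable baseline is the default com.apple.alf.plist on the installation media rather than what one remembers, here is a small script that dumps the exceptions and explicitauths sections of that plist and diffs two copies of it. It assumes the layout of the 10.5-era file, where each exceptions entry is a dict with a path key and each explicitauths entry is a dict with an id key; entries that do not match that layout are kept verbatim rather than dropped. The plist embedded below is constructed for the demonstration; its entries are illustrative and are not a copy of any real default file.

```python
"""Dump and compare the 'exceptions' and 'explicitauths' sections of
com.apple.alf.plist (the Mac OS X Application Firewall preferences).

Added example, not code from the thread. Assumed layout (10.5-era file):
  exceptions    -> array of {path: <string>, state: <integer>}
  explicitauths -> array of {id: <string>}
Anything that does not fit that layout is reported verbatim so that an
unexpected entry is never silently hidden.
"""
import plistlib
import sys

# Constructed sample plist in the assumed layout. Illustrative only; it is
# not a copy of Apple's default file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>exceptions</key>
    <array>
        <dict><key>path</key><string>/usr/libexec/configd</string><key>state</key><integer>0</integer></dict>
        <dict><key>path</key><string>/usr/sbin/mDNSResponder</string><key>state</key><integer>0</integer></dict>
        <dict><key>path</key><string>/usr/sbin/racoon</string><key>state</key><integer>0</integer></dict>
    </array>
    <key>explicitauths</key>
    <array>
        <dict><key>id</key><string>com.blizzard.WarcraftIII</string></dict>
        <dict><key>id</key><string>com.blizzard.Starcraft</string></dict>
    </array>
    <key>globalstate</key>
    <integer>1</integer>
</dict>
</plist>
"""


def _names(entries, key):
    """Return the identifying field of each entry; keep odd entries as repr()."""
    out = []
    for entry in entries:
        if isinstance(entry, dict) and key in entry:
            out.append(str(entry[key]))
        else:
            out.append(repr(entry))
    return out


def alf_summary(data: bytes) -> dict:
    """Parse a binary or XML alf plist and return the two lists of interest."""
    plist = plistlib.loads(data)  # format is auto-detected
    return {
        "exceptions": _names(plist.get("exceptions", []), "path"),
        "explicitauths": _names(plist.get("explicitauths", []), "id"),
    }


def diff_summaries(baseline: dict, current: dict) -> dict:
    """Per section, list entries added to or removed from the baseline."""
    result = {}
    for section in ("exceptions", "explicitauths"):
        base = set(baseline.get(section, []))
        cur = set(current.get(section, []))
        result[section] = {"added": sorted(cur - base), "removed": sorted(base - cur)}
    return result


def load_summary(path: str) -> dict:
    """Read a plist from disk (e.g. /Library/Preferences/com.apple.alf.plist)."""
    with open(path, "rb") as fh:
        return alf_summary(fh.read())


if __name__ == "__main__":
    # usage: alf_check.py                      -> dump the embedded sample
    #        alf_check.py CURRENT.plist        -> dump a real file
    #        alf_check.py CURRENT.plist BASE.plist -> diff against a baseline
    current = load_summary(sys.argv[1]) if len(sys.argv) > 1 else alf_summary(SAMPLE_PLIST)
    for section, names in current.items():
        print(f"{section}:")
        for name in names:
            print(f"  {name}")
    if len(sys.argv) > 2:
        for section, delta in diff_summaries(load_summary(sys.argv[2]), current).items():
            print(f"{section}: added={delta['added']} removed={delta['removed']}")
```

Point it at the live file and at a copy taken from the install media (or from a freshly installed machine) as the baseline; the diff then shows exactly which paths and bundle identifiers differ, which is more useful than comparing against a remembered list of six or seven names.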

