How to remove Boot Sector Malware of a Mac Book Air

I know everyone thinks I am a complete looney, but I have ascertained that there is indeed a boot sector virus on my Mac Book Air, and it survives disk formats. My machines were infected by a combination of this and a rootkit, it seems it was by a World of Warcraft game player / hacker, why I say this I will come to a bit later.

Here's how it works, when the system is infected, it changes the blessed boot loader to be one of it's own making. It uses a custom boot.efi as well as a file called OpenFirmware.scap. The open firmware file does only it knows what, but one of the things it ends up doing is creating a ramdisk with all of it's malware in it. This ramdisk is union mounted over strategic portions of the existing file system on the hard disk. This is how it survives the reformatting. I have tried using hdiutil to unmount all the ramdisks, (specifically it seems to hog /dev/disk1) but to no avail, when I try to unmount it I get told "permission denied". How DOES one change to root in a Mac OS X Install Terminal windows ? What is even more perplexing is that it even managed to survive a brutal hack of the hard disk, I did the following

dd if=/dev/zero of=/dev/rdisk0, where rdisk0 was the raw device for my hard disk.

What did in the end work with my Mac Pro was to boot off a Linux boot disk and repartition and format the disk as a Linux disk and install Linux on it. After that I repartitioned it as a GUID and then installed Mac OS X. This seems to have worked on the Mac Pro, but I have yet to try it on the Mac Book Air. I have purchased the superdrive for the Air, and I hope that will help.

Now why do I know I have a boot sector virus from a World of Warcraft hacker. If one has a look in /Library/Preferences, specifically at com.apple.alf.plist, it has several sections in it, the 2 to look at are, exceptions and explicitauths, exceptions should have about 6 or 7 items in it if I remember correctly and they should be similar to nmblookup, gdb, etc (you can look them up), however in a compromised system they are changed to just 3, which are, "configd","mDNSResponder","racoon" of course the mDNSResponder is a hacked version that passes out more than just UDP DNS info. Additionally the explicitauths, have been changed to things such as com.blizzard.Diablo, com.blizzard.downloader, com.blizzard.WarcraftIII,com.blizzard.Starcraft. In other words, all the gaming junk has been loaded in there. I have just found out now, when looking at my preferences, that my Pro is re-infected. I am at my wits end.

If you could provide some facts that tell us why you believe this is happening, it might help us in assisting you.

You can boot the MacBook Air from a disk if you use Apple's external [MacBook Air SuperDrive|http://store.apple.com/us/product/MB397G/A?mco=MTIxODk3Mw].

I don't know about malware, since officially, none exist on the mac, but how about changing the format type. Rather than format as an apple drive (hfs +), format it as a fat32 drive. They use completely different partition schemes and boot sectors. Afterwared reformat it as an apple drive (guid partition).

Glor

What are you installing that this issue first occured on your iMac, and then on your MBA?

Just curious - is it software from Torrent sites or something like that?

Or is it an 'official' program and you just think the company is spying on you and everyone else that install their software?

Buy the MacBook Air SuperDrive

http://store.apple.com/us/product/MB397G/A?fnode=MTY1NDA0Nw&mco=MjE0NzQzMQ

Take the MBA completely OFF the network - physically disconnected from all other potentially infected computers.

Booting from the MBA SuperDrive, use the original MBA install disks, repartition and erase, the internal MBA hard disk drive and reinstall the OS.

Do NOT connect to your local network or any other computer on the LAN. Once you have installed a clean copy of the OS using the SuperDrive, take the MBA to a nearby internet cafe and download the updates - Download the 10.5.5 Combo updater and run it at the internet cafe.

Now turn off Bluetooth and IPVx or whatever else you think is allowing your MBA to be infected. You now have a clean MBA.

Then, get some IT malware experts to clean off the other machines on the LAN.

I am not familiar with any malware programs that can create the infection you are describing, but the process I outlined above will give you one absolutely clean machine for comparison with potentially infected machines on the LAN.

I hope that helps. 😉

i'm not sure i understand your problem completely, but what i've been using to run disk maintenance is a bootable flash drive with a full install of mac os x.

I'm sure you could build the same with mac or linux tools and boot from that.

It seems there is a malware or virus on the OP's LAN that is immediately infecting the MBA even when he attempts a clean install. That is why I suggested using an Apple SuperDrive to completely separate the reinstall from the LAN.

Your approach - which I do use - would require building the bootable flash drive on the assumed infected LAN.

but if there was a virus that affects a mac, don't you think it would be big news right now? I have not heard anything about it except in this thread.

Glor

but if there was a virus that affects a mac, don't you think it would be big news right now?

I agree Glor. But the OP is convinced that he has malware in the boot sector. If he follows my suggestion for a totally clean completely off-the-LAN reformat and reinstall from the original disks, he (and we) will know "for sure".

If the MBA comes up clean with an off-the-LAN reinstall, he will know he needs to find the culprit on the LAN. If he gets the same "suspected malware" completely off-the-LAN, then we will all know that he is misinterpreting something that is a normal and proper part of the OS and, hopefully, one of us will be smart enough to identify and explain the OS component that he is misinterpreting.

Either way, new-to-us-malware or misinterpreted OS component, an off-the-LAN clean install will answer the question definitively. Yep, more work, but an absolute answer. 😉

i think i get your problem. Try this strategy. Create a bootcamp partition via bootcamp wizard. Insert a win xp sp2+ into your external superdrive and boot from disk. Use the disk utility/format/partition tool in the beginning of the win installation to identify and neutralize rogue partitions and format everything.

Tada.

Here's a copy of my infected com.apple.alf.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>applications</key>
<array/>
<key>exceptions</key>
<array>
<dict>
<key>path</key>
<string>/usr/sbin/configd</string>
<key>state</key>
<integer>3</integer>
</dict>
<dict>
<key>path</key>
<string>/usr/sbin/mDNSResponder</string>
<key>state</key>
<integer>3</integer>
</dict>
<dict>
<key>path</key>
<string>/usr/sbin/racoon</string>
<key>state</key>
<integer>3</integer>
</dict>
</array>
<key>explicitauths</key>
<array>
<dict>
<key>path</key>
<string>/System/Library/Frameworks/Python.framework/Versions/Current/Resources/ Python.app</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/ruby</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/perl</string>
</dict>
<dict>
<key>path</key>
<string>/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Command s/java</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/php</string>
</dict>
<dict>
<key>path</key>
<string>/usr/bin/nc</string>
</dict>
<dict>
<key>path</key>
<string>/bin/ksh</string>
</dict>
</array>
<key>firewall</key>
<dict>
<key>Apple Remote Desktop</key>
<dict>
<key>proc</key>
<string>AppleVNCServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>FTP Access</key>
<dict>
<key>proc</key>
<string>ftpd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Personal File Sharing</key>
<dict>
<key>proc</key>
<string>AppleFileServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Personal Web Sharing</key>
<dict>
<key>proc</key>
<string>httpd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Printer Sharing</key>
<dict>
<key>proc</key>
<string>cupsd</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Remote Apple Events</key>
<dict>
<key>proc</key>
<string>AEServer</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Remote Login - SSH</key>
<dict>
<key>proc</key>
<string>sshd-keygen-wrapper</string>
<key>state</key>
<integer>0</integer>
</dict>
<key>Samba Sharing</key>
<dict>
<key>proc</key>
<string>smbd</string>
<key>state</key>
<integer>0</integer>
</dict>
</dict>
<key>firewallunload</key>
<integer>0</integer>
<key>globalstate</key>
<integer>0</integer>
<key>loggingenabled</key>
<integer>1</integer>
<key>signexceptions</key>
<array>
<dict>
<key>bundleid</key>
<string>com.skype.skype</string>
<key>procname</key>
<string>Skype</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.launcher</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.downloader</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.worldofwarcraft</string>
<key>procname</key>
<string>World of Warcraft</string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Installer</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.starcraft2</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.errorreporter</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.BNUpdate</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Patcher</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Starcraft</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.WarcraftIII</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.blizzard.Diablo2</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>bundleid</key>
<string>com.armygame.operations</string>
<key>procname</key>
<string></string>
</dict>
<dict>
<key>creator</key>
<string>BNUp</string>
<key>procname</key>
<string>BNUpdate (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>BNu2</string>
<key>procname</key>
<string>BNUpdate (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>SWar</string>
<key>procname</key>
<string>Starcraft (Carbon)</string>
</dict>
<dict>
<key>creator</key>
<string>StCm</string>
<key>procname</key>
<string>StarCraft Map Editor</string>
</dict>
<dict>
<key>creator</key>
<string>Dbl2</string>
<key>procname</key>
<string>Diablo II</string>
</dict>
<dict>
<key>creator</key>
<string>PJ03</string>
<key>procname</key>
<string>Director MX</string>
</dict>
<dict>
<key>creator</key>
<string>PJ07</string>
<key>procname</key>
<string>Director</string>
</dict>
<dict>
<key>creator</key>
<string>FP98</string>
<key>procname</key>
<string>Flash</string>
</dict>
</array>
<key>stealthenabled</key>
<integer>0</integer>
<key>version</key>
<string>1.0a17</string>
</dict>
</plist>

there are viruses and malware etc for macs just not so much as for windows, i know of many viruses etc. I use iAntiVirus it has worked good for me (i know name *****) but well its free but in fact there exist virus for mac

Message was edited by: adrianrr

i dont know what all that is but well it has to do something with WoW if you have an account i would recommend changing pass :\