Trace Rootkit?

At long last, I may have found the source of my remote control fears: chkrootkit has detected that timed is infected with a rootkit, and Rootkit Hunter gives a warning about rootkit strings and other suspicious (hidden) files.


I won't just reinstall macOS, though, as I've done that often enough without success, whether the rootkit was reinstalled after my most recent reinstallation (including seven erases) or somehow survived it. So the question is: can an expert now extract information in order to identify the source (e.g., where the signal is sent to)?

iMac Line (2012 and Later)

Posted on Sep 6, 2019 12:07 PM

Question marked as Top-ranking reply

Posted on Sep 21, 2019 2:54 AM

juanviernes wrote:

I may have found the source of my remote control fears: chkrootkit has detected that timed is infected with a rootkit

This has been a false positive detection for as long as I can remember, and that's at least a decade of running chkrootkit about once a year. timed is the unix process that keeps your computer in sync time-wise with other devices on your local network.


Others have speculated that it's because it contains the string "/bin/sh" embedded in the code (which is true), but it doesn't necessarily indicate that there is hidden shell code therein.


If you google chkrootkit "Checking `timed'... INFECTED" you'll find discussions going back several years, but none that indicate an actual infection of timed.

23 replies
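Added example, not code from any post in this thread and not chkrootkit's own code. It reproduces the kind of test that produces "Checking `timed'... INFECTED" on a clean system, taking the reply's explanation at face value: the check is a search for the signature string "/bin/sh" among the binary's printable strings. The two sample "binaries" below are constructed in a temp directory; the Mach-O magic bytes are there only to make them look like executables.

```shell
#!/bin/sh
# Added example: a grep-based "rootkit signature" and why it yields false
# positives. Assumption: the chkrootkit timed test is a plain search for
# "/bin/sh" in the binary's strings, as the reply above speculates.

# Printable strings of at least 4 characters. Uses strings(1) when present,
# otherwise a tr/grep fallback so the example runs on any POSIX system.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Signature-style check: exit 0 ("INFECTED") if the label string occurs
# anywhere in the file, 1 otherwise. Presence of bytes, not behaviour.
timed_signature_check() {
    printable_strings "$1" | grep -q '/bin/sh'
}

# Report in chkrootkit's wording.
report() {
    if timed_signature_check "$1"; then
        echo "Checking \`$1'... INFECTED"
    else
        echo "Checking \`$1'... not infected"
    fi
}

# --- constructed samples -----------------------------------------------------
workdir=$(mktemp -d)
clean="$workdir/timed.clean"
legit="$workdir/timed.legit"

# Same Mach-O 64-bit magic (0xfeedfacf, little-endian) in both; the only
# difference is one string constant.
printf '\317\372\355\376timed daemon\000ntp/udp\000' > "$clean"
# A daemon that legitimately references the shell path as data, e.g. to run
# a helper via /bin/sh -c, carries exactly the bytes the signature greps for.
printf '\317\372\355\376timed daemon\000/bin/sh\000ntp/udp\000' > "$legit"

report "$clean"
report "$legit"
```

Any program that execs a shell, logs the shell path, or embeds it in a help string trips a test like this. The check tells you a string is present; it says nothing about whether the binary has been modified, which is a question for a hash or code-signature comparison against a known-good copy.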

Sep 7, 2019 6:33 PM in response to juanviernes

Run a SHA-256 on a known-good timed on another system running 10.13.6, and compare the hash values generated.


/usr/bin/shasum -a 256 /usr/libexec/timed


I’m a little skeptical that timed is evidence here and not a false detection or a secondary or an rkhunter bug of some sort, as the reported persistence implies that the problem is arising elsewhere, not from within macOS itself. Not if you’ve wiped macOS and reloaded from a known-good distribution. Anything you’d find within macOS with rkhunter would be secondary.


The timed tool is new in 10.13, too. Which might mean a stale hash from the canonical source, if the hash database has not been updated.


Another place to learn about and discuss rkhunter is in the rkhunter docs and mailing list, too.

Sep 8, 2019 9:29 AM in response to juanviernes

Background: Apps can have bugs. And apps can be stale. And apps can be coded to lie, snitch, and steal. Computers are as trustworthy and trustable as the humans that wrote the code, and variously arguably less than that due to bugs and latent vulnerabilities.


The methods this rkhunter tool is using have been known to generate false positives. That’s fairly common with anti-malware more generally too, and every so often some anti-malware tool will prevent a legitimate software update, or will prevent a system from booting, or crash or corrupt an environment. Some anti-malware is nearly indistinguishable from malware, with the way it ties into a system.


Verifying checksums? Download the High Sierra distro, and install it on a scratch storage device, and compare. Roll in a copy of the file from just after the macOS 10.13.6 update, and check that. (I’ll have a look at a local macOS High Sierra 10.13.6 install in a few hours, and will post up the checksum. Unless somebody posts the checksum here sooner.)


Try Malware Bytes, if you want to scan for malware.


Why that shasum diagnostic? Because the anti-malware tool you’re testing with is portable. Here, macOS apparently does things notably differently than other distros. I’ve not booted and looked at shasum in Kali Linux or another distro. The tool has not been updated to conditionalize this detection on macOS.


The degree of persistence you’re describing is not going to be addressed by rkhunter nor other OS-level detection tools, either. Not unless those tools peek into the firmware and the hardware, and that’s not common.


Allowing root login access is something an increasing number of folks consider poor practice, and seek to discourage. Apple disables this login access by default, which is what this tool is reporting.


None of the above has bearing on the reported persistence here, either. Surviving a wipe-and-reload requires a different implementation approach from what this rkhunter tool can even detect.


Where is this all headed? Contact the folks maintaining this tool, or pay for somebody to reverse-engineer this tool and its assumptions and how this aligns with macOS and the findings of the tool, or hope that somebody will do a fair amount of detailed research into this app and into your installation and into the reported malware persistence—for free.


If you’re a likely target or on the path to a target, please get some direct and personalized help with your security. That probably won't involve rkhunter, but will probably involve current macOS Mojave, deep(er) backups, two-factor authentication, a password manager, and a variety of other and on-going details. Various resources are available. And presuming the degree of persistence being described in your postings here—surviving a wipe-and-reinstall—holds throughout, potentially with replacing or reloading or resetting everything. But I’d not start that replacement based solely on what rkhunter is reporting here.



Sep 10, 2019 7:36 AM in response to juanviernes

Your root kit tests here are NOT producing valid results.


Big downloads happen, such as with staging macOS updates. And I’ve had iCloud glitch and lose things.


As for the mike, what happened there?


Knowing an Apple ID for somebody means you can chat with them.


Knowing the Apple ID password (or having access to the answers to the recovery questions, or access to the recovery email, or recovery telephone, or unfettered access to one or more trusted devices, each of which are effectively also passwords) for somebody else can be disastrous for them.


As for the re-installation for a compromised Mac, I’d expect building a bootable installer kit on a known-good Mac, shutting down the problem Mac, booting the installer, wiping the internal and the external storage and installing High Sierra or (preferably) Mojave, and migrating in just documents and not any apps from your backups. And I’d be skeptical around restoring any Microsoft Office documents with embedded macros.

Sep 8, 2019 11:02 AM in response to juanviernes

Here is all I could find on what Rkroot does:

"Rootkit Hunter, security monitoring and analyzing tool for POSIX compliant systems."


I'd think you would get better answers asking on the rkhunter-users mailing list (general questions about Rootkit Hunter).


I'm guessing this tool looks in your system files and notices what is changing. It warns you of changes in system files. You could use this in macOS. It would involve a lot of DIY. It would be a worthwhile project to use the tool on macOS and build a website explaining how the tool works on macOS and what you need to do to get it to work on macOS. This seems to me another way to implement the SIP-like protection macOS provides in the latest release of macOS.


So--

-- mega doc on how to install, but no doc explaining what it does.

-- doesn't say it supports macOS.

-- what in the world does "POSIX compliant systems" mean? I know what POSIX compliant means. It's all about APIs, if I'm not mistaken.

-- how did you decide this tool was meant to run on macOS?


People are doing social engineering these days.


Simply put, Apple attempts to provide all the malware detection and removal you need in Mac OS X.


"Effective defenses against malware and other threats" by John Galt


"Avoid phishing emails, fake 'virus' alerts, phony support calls, and other scams"


"MalwareBytes Anti-Malware for Mac Removes adware and malware Revives your Mac."  MalwareBytes has a more restrictive filter for adware than Apple. MalwareBytes has come to be accepted as the only malware detector you should consider.  For those pestered by browser attacks consider MalwareBytes.


EtreCheck

Run EtreCheck. The first five runs are free. It provides a report on your machine's hardware and software. Great for diagnosing your system. Click on the download link at the bottom of the screen.


Apple on Security:

https://www.apple.com/business/resources/docs/macOS_Security_Overview.pdf

Sep 8, 2019 11:21 AM in response to rccharles

FWIW, IEEE POSIX provides standards for the C programming language and various of its calling interfaces, as well as for a command shell and its related parts and utilities. Most of this portability is now probably best approached as compliance with parts of the Single Unix Specification.


As for the scanning? I’d definitely want to look at the non-POSIX parts of macOS for malware in great depth, too. Cross-platform POSIX-based malware is still rare, though I have seen a few malware scripts that’ll work against platforms other than Linux. That cross-platform stuff was mostly written in Perl, though I’m usually also working with “weird” systems.


As for these current root kit scans, if somebody’s using POSIX malware here, sure. But again, the persistence described here certainly implies this is not POSIX-compliant malware.

Sep 7, 2019 3:59 PM in response to juanviernes

Do you have a Time Machine backup from before the infection?


Hopefully, everything comes out not infected, but if you do see any infection, then your machine has been compromised. The developer of the program writes in the README file that you should basically reinstall the OS in order to get rid of the rootkit, which is basically what I also suggest.

Sep 8, 2019 1:37 AM in response to MrHoffman

Not sure if it helps, but since I don’t have anything to compare, I’ll just post the result here:


c03a5d25413977e3550264107533ed251d740dc73d7b171dc3801774f6689cfb


How does the “INFECTED” finding of chkrootkit relate to the warning of Rootkit Hunter that “The command ‘/usr/bin/shasum’ has been replaced by a script: /usr/bin/shasum: Perl text executable”?


Also, what about the warnings about “possible rootkit strings” (“No system startup files found.”) – Should there be any?), “Checking if SSH root access is allowed” (“The SSH configuration option ‘PermitRootLogin’ has not been set. The default value may be ‘yes’, to allow root access.”) and “Checking if SSH protocol v1 is allowed” (“The SSH configuration option ‘Protocol’ has not been set. The default value may be ‘2,1’, to allow use of the protocol version 1.”)?


Meanwhile, I’ve rerun the tests several times (without internet connection), and the results remain identical.
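Added example, not code from any post in this thread and not rkhunter's own code. It shows what the two quoted SSH warnings actually test (whether `PermitRootLogin` and `Protocol` are set at all in sshd_config) and what the corrected file looks like beside the stock one. Both configs are constructed in a temp directory; on macOS the real file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: the check behind rkhunter's two SSH warnings, plus a
# hardened sshd_config beside a stock-style one. Constructed configs only.

# effective_setting CONFIG KEY DEFAULT
# sshd_config keywords are case-insensitive and the FIRST occurrence wins,
# so mirror that. Commented lines ("#PermitRootLogin ...") do not count.
effective_setting() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

# is_set CONFIG KEY: exit 0 if KEY appears uncommented, 1 otherwise.
is_set() {
    awk -v key="$2" 'tolower($1) == tolower(key) { found = 1; exit } END { exit !found }' "$1"
}

# audit_sshd CONFIG: one line per finding; exit 1 if any WARN, 0 if clean.
audit_sshd() {
    cfg=$1; findings=0
    if ! is_set "$cfg" PermitRootLogin; then
        # Modern OpenSSH defaults to prohibit-password, but a file-reading
        # scanner cannot know the build's default, so it warns on absence.
        echo "WARN PermitRootLogin unset (scanner assumes the default may be 'yes')"
        findings=$((findings + 1))
    elif [ "$(effective_setting "$cfg" PermitRootLogin no)" = yes ]; then
        echo "WARN PermitRootLogin yes: root can log in over SSH"
        findings=$((findings + 1))
    fi
    # OpenSSH 7.4 removed server-side protocol 1, so an unset 'Protocol' only
    # matters on old sshd builds; rkhunter still reports it.
    if ! is_set "$cfg" Protocol; then
        echo "INFO Protocol unset (harmless on OpenSSH >= 7.4; rkhunter warns anyway)"
    elif effective_setting "$cfg" Protocol 2 | grep -q 1; then
        echo "WARN Protocol allows version 1"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# --- constructed configs ----------------------------------------------------
dir=$(mktemp -d)
weak="$dir/sshd_config.weak"
hard="$dir/sshd_config.hardened"

cat > "$weak" <<'EOF'
# Stock-style file: everything commented out, so sshd uses compiled-in
# defaults and a scanner that only reads the file sees nothing set.
#PermitRootLogin prohibit-password
#Protocol 2
EOF

cat > "$hard" <<'EOF'
# Hardened: state the decisions explicitly so sshd and scanners agree.
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

for cfg in "$weak" "$hard"; do
    if audit_sshd "$cfg"; then echo "$cfg: clean"; else echo "$cfg: has findings"; fi
done
```

On macOS, Remote Login (sshd) is off by default, so these warnings describe a configuration file, not an exposed service; they become relevant only once you enable Remote Login in System Preferences, and the fix is the explicit `PermitRootLogin no` line above.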

Sep 8, 2019 10:55 AM in response to rccharles

POSIX is a family of standards, specified by the IEEE, to clarify and make uniform the application programming interfaces (and ancillary issues, such as command-line shell utilities) provided by Unix-y operating systems. When you write your programs to rely on POSIX standards, you can be pretty sure to be able to port them easily among a large family of Unix derivatives (including Linux, but not limited to it!); if and when you use some Linux API that's not standardized as part of POSIX, you will have a harder time if and when you want to port that program or library to other Unix-y systems (e.g., MacOSX) in the future.
