Trace Rootkit?

At long last, I may have found the source of my remote control fears: chkrootkit has detected that timed is infected with a rootkit, and Rootkit Hunter gives a warning about rootkit strings and other suspicious (hidden) files.


I won't just reinstall macOS, though, as I've done that often enough without success, whether the rootkit was reinstalled after my most recent reinstallation (including seven erases) or somehow survived it. So the question is: can an expert now extract information in order to identify the source (e.g., where the signal is sent to)?

iMac Line (2012 and Later)

Posted on Sep 6, 2019 12:07 PM

Question marked as Top-ranking reply

Posted on Sep 21, 2019 2:54 AM

juanviernes wrote:

I may have found the source of my remote control fears: chkrootkit has detected that timed is infected with a rootkit

This has been a false positive detection for as long as I can remember, and that's at least a decade of running chkrootkit about once a year. timed is the unix process that keeps your computer in sync time-wise with other devices on your local network.


Others have speculated that it's because it contains the string "/bin/sh" embedded in the code (which is true), but it doesn't necessarily indicate that there is a hidden shell code therein.


If you google chkrootkit "Checking `timed'... INFECTED" you'll find discussions going back several years, but none that indicate an actual infection of timed.

23 replies

Sep 9, 2019 10:47 AM in response to juanviernes

To summarize the discussion so far:


  • timed isn’t altered.
  • This tool is not being maintained for macOS.


What (additional) information would be helpful?


  • The background here about this particular situation, and about these “remote control fears”.
  • What indications of compromise have been seen.
  • What sequence was used to reload macOS.
  • If there is malware here, where it might be persisting.
  • Whether there are any particular culprits suspected, and what sort of access they might have.
  • Your value as a target; what sort of financial or sensitive or classified or proprietary info access, whether directly or indirectly.


Here’s some more general reading on the general topic of Mac malware:

Effective defenses against malware and other threats - Apple Community


Sep 10, 2019 4:30 AM in response to MrHoffman

MrHoffman wrote:
• timed isn’t altered.

Is this certain? Does the identity of the hash sequences really rule that out?


MrHoffman wrote:
• The background here about this particular situation, and about these “remote control fears”.
• What indications of compromise have been seen.

I'll just combine these.


Well, there have been several indicators over several weeks that several processes were initiated even though I hadn't initiated anything: most clearly, I guess, there were huge downloads taking over half an hour with maximum speed while I was sitting in front of the computer doing nothing, bookmarks that I had saved were deleted, and several other settings that I, let's say, turned off were turned on again, most memorably and eerily the microphone input; I think it's safe to assume that a Mac that hasn't been compromised wouldn't exhibit this behavior. As I checked my router's configuration panel several times, though, I didn't ever discern any unknown connection, and the same is true for every Terminal command that shows me connections in my local network. What I find most puzzling is that this also happened when I wasn't even connected to the internet—I'd always thought there needs to be some internet connection to utilize a rootkit from afar, so is this a positive or a negative sign?


• What sequence was used to reload macOS.

I think I did everything I could without an internet connection and only plugged in the Ethernet cable when I had to download macOS High Sierra, which then happened with my router's connection.


• If there is malware here, where it might be persisting.

Again, when I boot up and perform the rootkit tests immediately without an internet connection, there are positive results. (Even if not all of them might be correct.)


• Whether there are any particular culprits suspected, and what sort of access they might have.
• Your value as a target; what sort of financial or sensitive or classified or proprietary info access, whether directly or indirectly.

I think I basically know the culprits or at least some of those who know what's going on. As for access, I never granted them physical access, but some of them know (and knew) my Apple ID and probably could have seen my Wi-Fi connection while standing before the house. My value as a target for them would be rather primitive, i.e. spying on and ridiculing me.


Regarding your link, I already do pretty much everything listed there.


I appreciate your taking time for this. Any idea how to proceed? What's most important to me isn't getting rid of the malware as soon as possible, but rather trying to find evidence against those people, even if it may be hard to find.
