
Mac Malware/poisoned images

Two detailed articles that go into greater depth of the malware attacking Mac users.



http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users


http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/




If you're new to the party:


Mac targeted trojans are making their rounds mostly by poisoned images from Google.


The exploit depends upon JavaScript; you can choose to turn it off in Safari preferences, however large portions of the web don't display or operate correctly without JavaScript running.


An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.


NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.


Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.


If you have click-happy types, it's advised to install the Public Fox add-on as well, and set a password on the browser downloads.



If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.


If you've downloaded but not run the installer, delete it immediately from your downloads folder.


If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, C-boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive and reinstall OS X fresh, re-install all programs from original sources, scan your files with AV software and then return them to your computer.


If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.


http://www.ftc.gov/bcp/edu/microsites/idtheft/



Some other advice:


Use only low-amount debit/credit cards online, with amounts you're willing to risk losing.


Do not enable overdraft protection with these online-type cards.


Maintain the bulk of your funds in more secure accounts with no user electronic access (keep the blame for loss entirely on the bank).


Beware that banks and credit card companies like to increase your credit/debit card limits without notice.


If you lose a considerable amount of funds through an electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.



(note: I receive no compensation from mentioning these sites/article or their solutions, etc)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)

Posted on May 13, 2011 9:15 AM


May 17, 2011 5:07 AM in response to thomas_r.

Regarding where a user is from, providing that info is very useful in a forum like this for a variety of reasons.


For example, it helps other users understand that what seems to them odd grammar or awkward sentence structure may be due to a language barrier or that colloquialisms may mean something other than they seem.


It is very useful info when a solution or useful suggestion might depend on where the user is located, for example when recommending who to contact for support or service, or how some menu item or other term might be labeled.


It is purely optional but it is in every user's best interests to add at least a minimal amount of location info to their user profiles.

May 17, 2011 5:23 AM in response to R C-R

I agree completely. Plus, most people have at least some pride of country and are not afraid of saying where they're from. But Rayced seems very sensitive about the fact that I said he's from Italy. It's not like I posted his e-mail address here or sent him abusive messages privately (or any kind of private messages at all, for that matter).

May 17, 2011 5:30 AM in response to thomas_r.

Cool, and I'm the one who speculates!


I really needed a laugh. And you were trying to lever this point since you first wrote about me being Italian ("a small country or stuff like that").


But surprisingly this thread is becoming what? A social or anthropological study about me? That's the way you "help people"?


Why don't you just answer the "meat" of the questions I've posted earlier?


Curiously you are answering the only personal one, which is also the least important of them. It is called manipulation, what you are doing, and besides what you think, it sounds the same in any language.

Bye.

May 22, 2011 6:55 AM in response to MadMacs0

I agree you should not have to reinstall the OS.


There are good removal instructions on Bleeping.com - key words remove mac malware


VirusBarrier at the Apple Store is a good free product that should help with this issue...


CNET had a good article on 19 May 11 " How bad is Mac Malware Scare?"


"So long and thanks for all the fish!"

Aug 6, 2011 3:14 PM in response to ds store

You really want to know how bad is all the malware scare? I'm here to tell you it's REALLY TRUE AND REALLY BAD. Do not expect any assistance from personnel at the Apple Store, or from technicians: junior, senior or otherwise, at Apple Care and no discrimination as to the type of computer, the length of time owned or whether you've purchased any type of extra-added "Care" plan. Regardless of how much proof you have, the number of times you contact them, the curve and escalation of your anger, nothing will change and nobody will resolve this distressing and illegal issue.


YOU'VE BEEN HACKED BY ROOTKIT MALWARE.


It's true, real, painful and almost impossible to get rid of yourself.


I know.


I've dealt with this issue for almost a year now.


I'm on my second iMac....


I've contacted a White Hat Hacker who was helpful and the one person who has actually done extensive research on this subject as it affects Macs and has written articles on the subject. He lives in Holland and he has been very helpful also.


The only way you, yourself can eradicate the problem is to do a complete 32-pass erase of your system and reload everything NEW AND FRESH after the erasure. You cannot back stuff up and reload it; you'll only be regenerating the same problem. And, best to reload all your programs from disks.


At this stage, I trust nobody and nothing.


Do I know who did this to me?


Not for sure. Is there any means by which to catch him or her?


Not really. Does anybody care? Unless they've stolen more than $10,000 in money or goods or they've engaged in some kind of kiddie ****, no, nobody cares. The FBI will be more than happy to take a report on how I was "spied" on via the webcam, listened to via the microphone, how my iTunes were stolen, and they will be extremely patient and empathic. However, they'll do nothing.


They are more interested in catching those kids who hacked SONY. There's actual big money at stake there, with me, not so much.


So should you be "paranoid" -- no. Should you believe you're at RISK?


Unless you're Pinocchio the little wooden puppet waltzing down the road picking flowers, I'd believe you're at risk.


Do you believe everything the government tells you?


Well, then don't believe everything Mac says either.


I know I don't.

Aug 6, 2011 6:01 PM in response to ds store

Well let's see...if you read the ORIGINAL POST (which actually refers to rootkit malware) blah blah blah, we then get to Mr. Reed's response which is, and he might wish to go back and check (as did I), "to erase by zeroing out."

Right?



And what I'm telling you is that will not do the trick.


You need to do a FULL 32-pass erase if you want to get rid of what both you and I are referring to.


Just writing 00000 over your files won't do jack to remove it.


As for actual symptoms, I could show you an IO Reg log which mentions profiles for a "Mac Book Pro" numerous times...I've never owned one in my life, and what the profiles for various versions of Mac Book have to do with an iMac on 10.6.8 makes no sense. Just another way to i.d. how Rootkit Malware makes an invasion. In this case, it shuts down the Airport and "removes" your Airport card from your computer. Not really, but really.

Google it.



As for all that extraneous stuff about Italians and stuff, no worries. I'm an equal opportunity rootkit malware remover person, and, unlike you guys, I don't judge anybody or what they've got to say. I had no idea about any of this stuff and when I asked for help I felt like the people I'd been buying computers from since the 1970s (that'd be Apple/Mac) just hung me out to dry. I would not like to see this happen to anybody.


So, instead of standing around and feeling bad and helpless, I did everything I could to get other people to help me help myself.


Plenty more is wrong with Mac/Apple since the advent of dual core processing and nobody at the Apple is going to admit it or assist customers who are currently calling and growing number who will be.


I was just trying to be helpful.


I didn't know this was a forum for insulting people you don't know. I thought it was to try to inform people about things they might not be aware of because Apple really isn't forthcoming.


As for "the seat to keyboard interface" being the problem...are you always so cavalier in the crappy glib comments you think it's okay to make to people you've never met, or is Saturday night when you take your stupid pills?


Comments like that ain't okay.


In another life, I'd have no problem using your raggedy *** for a footstool and charging you for the privilege.

Aug 7, 2011 2:26 AM in response to individualfreedom

OK, I'll give you the benefit of the doubt here and ask that you give us all some information so we can try and get a handle on this. In the twenty-odd years I've been a Mac user and malware troubleshooter, I have never heard of a Mac OS X rootkit. With the Darwin underpinnings, anything is possible, so did you run the latest versions of rkhunter or chkrootkit, and did they find anything? What AV software did you try, and was it successful at finding anything? Can you identify the names of any of the rootkit files involved? Do you have any idea how they got there?


I'm an active participant in the rkhunter, clamav and ClamXav user forums and would be more than happy to turn these communities loose on something like this, but without details we won't be able to help anybody else.


And I'm sorry, the requirement to run a 32 pass erase to get it off your hard drive is way beyond anything I experienced as a Government IT security guy, back in the day.

Aug 7, 2011 3:47 AM in response to individualfreedom

Well let's see...if you read the ORIGINAL POST (which actually refers to rootkit malware)


Actually, I just searched the post you are talking about, and it does not say anything about a rootkit. Someone else mentioned it, but I've done quite a bit of testing with the malware in question (MacDefender and its variants) and that idea doesn't hold water.


we then get to Mr. Reed's response which is, and he might wish to go back and check (as did I), "to erase by zeroing out."


I recommended no such thing, since it's ridiculous. What I actually said was "even if reinstallation of the system was required, zeroing out the entire drive would serve no purpose whatsoever."


Zeroing or even 32-pass secure erasing is pointless. Malware cannot simply come back from an erased hard drive. You're making claims that are not based in reality without any evidence whatsoever.


As for actual symptoms, I could show you an IO Reg log which mentions profiles for a "Mac Book Pro" numerous times


Do you know what ioreg is for? Do you know what the information it provides means? It is NORMAL to see references to other hardware in your output from "ioreg -l", if that's what you're looking at.


None of the claims you're making are based in reality.

Aug 7, 2011 7:51 AM in response to MadMacs0

MadMacs0 wrote:

And I'm sorry, the requirement to run a 32 pass erase to get it off your hard drive is way beyond anything I experienced as a Government IT security guy, back in the day.

It is way beyond the security recommendations of any competent security person, period.


In fact, Disk Utility provides a 35, not 32, pass erase that complies with the Gutmann secure erase standard. But Gutmann himself says this will have no more effect on modern drives than a simple scrubbing with random data, and that it is most often treated "as a kind of voodoo incantation to banish evil spirits" by those lacking in technical expertise.


Sadly, the parallels to what this latest contributor has posted are too obvious to ignore. There is no evidence whatsoever to support the idea that a multi-pass erase is any more effective against a malware infection than the usual techniques. Even a rootkit infection that subverts the OS can be removed by reinstalling the OS while booted from an uninfected source. You don't even need to erase the drive when doing this since the newly installed OS will simply ignore any remnants of the rootkit that remain on the drive.


For something as weak as the MacDefender trojan variants, which simply try to trick users into sending credit card info to criminals, it is only necessary to remove the files it installs. For this malware erasing the drive or reinstalling the OS is the equivalent of a voodoo incantation, suggested by people that don't have the technical expertise to analyse how it works or what it does.

Aug 7, 2011 9:05 AM in response to individualfreedom

You need to do a FULL 32-pass erase if you want to get rid of what both you and I are referring to.

You can't believe how little that says you know about computers.


If you want to get rid of everything on a drive or partition, a simple quick erase will do it. Doing so rewrites the file table. And unless you're trying to prevent someone from recovering data from a disk you're selling or throwing away, that's all you need to do.


The file table tells the OS where every active file or folder is on the hard drive, according to its starting sector, file name, and folder path. Without that information, it can't even know where to look for a single thing. Each file and folder has header information that tells the OS how many bytes the item is supposed to occupy. Each sector tells the OS where the next sector is for the next piece of information in the file, which eventually leads to an EOF (End Of File) marker to tell the OS it's reached the end of the expected file data.


If that marker is reached before the number of expected bytes recorded in the file header is read, the OS will tell you EOF before EOD (End of File before End Of Data). If it still hasn't found an EOF marker when it has already read in as many bytes as the file header says the file size is, it will tell you the expected data has been exceeded before EOF.


Either way, the OS will refuse to do anything with the data since it will be considered damaged.


So while a simple erase does leave all of the previous data on the drive, as far as the OS is concerned, it doesn't exist since it doesn't know where any of the files start, or even what their names were.
