Latest reply: Jun 26, 2013 4:29 PM by MadMacs0
  • Rayced Level 1 Level 1 (15 points)

    R C-R, probably you should read what other people write. I was using the example of that WordPress malware to explain the concept behind well-written malware and poorly written malware. The good one has more than one layer, so if you erase the most prominent layer, the underlying one will take care of it.

     

    In my country we say that there's no worse blind man than the one who doesn't want to see; I don't know if that makes sense in Texas too. Have a good day.

  • ds store Level 7 Level 7 (30,315 points)

    R C-R wrote:

     

    Yes, I do. But do you know it is meant for hacking generic BIOS-based PC hardware so it can start up running OS X? Do you have any idea what it would do if applied to a real Apple Mac's hardware?

     

    I'm asking you what the Firmware.scap file is, what it contains and where it is located.

     

    I already know part of my answer, I want to see what you know about it.

     

    If it makes you feel any better & you actually do get infected, take your Mac down to as close to factory-new condition as you can manage, check every user & system setting file with whatever you like before reintroducing it into your shiny new system, & do whatever else you think is necessary to remove all real & theoretical traces of the malware.

     

    Yes I will thank you. Malware is like bed bugs.

     

    Ever have to eradicate bed bugs? How about mold? Ever eradicate a mold infested house?

     

    You do either of these two things wrong, your house gets reinfected and all the money spent the first time is wasted.

     

    So experts have gotten together and pooled their experience to make sure certain steps are performed so the eradication process is done right the first time.

     

    Malware is like that; right now I don't know if the Firmware.scap file or the keyboard firmware or any other location on a Mac is thoroughly eradicated the first time.

     

    All I know is the Zero Erase and Install works on the hard drive, but it's not sufficient.

     

    Apple hasn't had to deal with malware, I don't think they have any security level material in place to make sure a compromised machine is fully restored.

  • R C-R Level 6 Level 6 (14,930 points)

    ds store wrote:

    I'm asking you what the Firmware.scap file is, what it contains and where it is located.

     

    I already know part of my answer, I want to see what you know about it.

    If you want my help, start by sharing the part of the answer that you think you know. But please be careful about mentioning anything that would violate the Terms of Use, especially section 2.8.

     

    But anyway, here is a hint: the file isn't located anywhere on a Mac.

  • R C-R Level 6 Level 6 (14,930 points)

    Rayced wrote:

     

    I was using the example of that wordpress malware to explain the concept behind a good written malware and a poor one.

    That example is no more relevant to OS X than are Windows viruses.

  • Rayced Level 1 Level 1 (15 points)

    @R C-R: sure.

  • MadMacs0 Level 5 Level 5 (4,470 points)

    R C-R wrote:

     

    here is a hint: the file isn't located anywhere on a Mac.

    Hmmm, it's on my Mac.

  • R C-R Level 6 Level 6 (14,930 points)

    MadMacs0 wrote:

    R C-R wrote:

    here is a hint: the file isn't located anywhere on a Mac.

    Hmmm, it's on my Mac.

    In what directory of what partition did you find this?

  • WZZZ Level 6 Level 6 (12,640 points)

    All this coy cat and mouse! Anyway, this is what I'm coming up with. It's right in there with the boot.efi.

     

    /usr/standalone/i386/Firmware.scap

     

    /System/Library/Caches/com.apple.bootstamps/27F1A20D-21F4-356C-9177-8442B3128375/:usr:standalone:i386:Firmware.scap

  • R C-R Level 6 Level 6 (14,930 points)

    Admittedly, I was playing a bit of a game, but it was to make a point:

     

    Try to figure out a way to execute it once a mac has booted up, or make an altered version persist after reinstalling the OS.
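The posts above boil down to one practical question: after an erase and install, how do you know whether boot-related files such as Firmware.scap, boot.efi and /etc/sudoers are what they were on a clean system? The script below is an added example, not code from the thread or from Apple: it records SHA-256 digests of a list of paths as a baseline and later reports each path as unchanged, modified, missing or newly appeared. The paths in BOOT_FILES are taken from the thread (the second boot.efi location is an assumption); the demo never touches them and instead builds constructed stand-in files in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

# Paths named in the thread. /usr/standalone/i386/boot.efi is an assumption
# about where the loader sits next to Firmware.scap; the demo below does not
# read any of these and uses constructed files instead.
BOOT_FILES = [
    "/usr/standalone/i386/Firmware.scap",
    "/usr/standalone/i386/boot.efi",
    "/etc/sudoers",
]


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so a large firmware image is not read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Digest every path that exists; absent paths are recorded as None so a later appearance is noticed."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def verify(paths, baseline):
    """Compare the current state with a stored baseline.

    Returns {path: status} with status one of ok / modified / missing / unexpected / absent.
    """
    report = {}
    for p in paths:
        expected = baseline.get(p)
        current = sha256_of(p) if os.path.isfile(p) else None
        if expected is None and current is None:
            report[p] = "absent"
        elif expected is None:
            report[p] = "unexpected"  # present now, was not there when the baseline was taken
        elif current is None:
            report[p] = "missing"
        elif current == expected:
            report[p] = "ok"
        else:
            report[p] = "modified"
    return report


def demo():
    """Constructed scenario: baseline three stand-in files, then tamper with sudoers and delete boot.efi."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, os.path.basename(p)) for p in BOOT_FILES]
        _, efi, sudoers = paths
        for p, data in zip(paths, (b"fake scap image", b"fake boot loader", b"root ALL=(ALL) ALL\n")):
            with open(p, "wb") as f:
                f.write(data)
        # In real use the baseline is serialised and kept off the machine (or taken
        # from known-clean install media); json.dumps/loads stands in for that here.
        stored = json.dumps(build_baseline(paths))
        with open(sudoers, "ab") as f:
            f.write(b"updater ALL=(ALL) NOPASSWD: ALL\n")  # simulated tampering
        os.remove(efi)  # simulated deletion
        report = verify(paths, json.loads(stored))
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10s} {name}")
```

The check is only as trustworthy as the system that runs it: if the concern is a rootkit or altered firmware, a comparison made from the booted OS can be lied to, so take and compare the digests while booted from known-clean media, and keep the baseline off the machine.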

  • ds store Level 7 Level 7 (30,315 points)

    WZZZ wrote:

     

    All this coy cat and mouse! Anyway, this is what I'm coming up with. It's right in there with the boot.efi.

     

    /usr/standalone/i386/Firmware.scap

     

    /System/Library/Caches/com.apple.bootstamps/27F1A20D-21F4-356C-9177-8442B3128375/:usr:standalone:i386:Firmware.scap

     

    Yep:

     

     

    [binary contents of Firmware.scap pasted here; the only readable ASCII in the dump is the string $IBIOSI$ ROMEXT1.88Z.0002.B00.0710231738]

     

     

    And... you forgot the "other" place, you know, in disk0s1.

     

     

    Guess that "bootstamp" is something for the Mandatory Access Control feature of OS X.

     

     

    Anyway, here's an OS X Security PDF some might find interesting:

     

    http://images.apple.com/macosx/security/docs/MacOSX_Security_TB.pdf

  • Rayced Level 1 Level 1 (15 points)

    Admittedly: you are provoking people on purpose to start a flame war on the board. That is what a TROLL does. Good bye, adieu!

  • R C-R Level 6 Level 6 (14,930 points)

    ds store wrote:

    And... you forgot the "other" place, you know, in disk0s1.

    As already mentioned, the EFI partition is not used when booting the system into OS X.

    Anyway, here's an OS X Security PDF some might find interesting:

    Did you read the part about the root account being disabled by default, OS X using less privileged system accounts for some system services and for software that requires specialized access to certain system components, sandboxing restricting access to system level services even for processes running as root, & so on?

     

    You seem to have the impression that once this trojan is installed, it can do anything it wants. That is not true.

  • Rayced Level 1 Level 1 (15 points)

    I'll give you just one example; probably this is not the case, but it could be a possible scenario: the sudoers file modified during the installation process of the malware. You can read about that in a security book written by the founders of the Shmoo Group (I'm not mentioning the title directly because it would be indirect advertising).

    Not to mention a possible rootkit install, which would work at kernel level.

    That is why I personally think that the study of this malware shown on this board isn't complete, and in the absence of an official Apple document it would be wiser to assume that the infected system is compromised not only at the level of the files it installed. This, to me, means that people having this issue should at least reinstall the latest Mac OS X Combo update at this stage of the incident.

     

    As a last reply to accusations thrown at me like "why don't you do the tests, then?" I would just say: we don't need to be chefs to understand the difference between pasta with pesto sauce and pasta with tomato sauce.
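The post above raises a modified sudoers file as a possible scenario. Whether or not this particular trojan does that, checking sudoers for rules a stock install would not carry is a quick, concrete test. The code below is an added example (not from the thread, and not from the book the post alludes to): it parses the common single-line form of a sudoers user specification and flags rules whose principal is outside an expected set or that carry the NOPASSWD tag. The sudoers text is a constructed sample, and the set of expected principals (root and %admin) is an assumption about a default OS X install.

```python
import re

# Constructed sample sudoers content, not taken from any real machine. The last
# two rules are the kind of addition the post worries about.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
updater ALL=(ALL) NOPASSWD: ALL
%staff ALL=(ALL) NOPASSWD: /usr/sbin/installer
"""

# Principals a stock install is assumed to grant sudo to (assumption for this example).
EXPECTED_PRINCIPALS = {"root", "%admin"}

# Shape handled: who  hosts = (runas) TAG: TAG: commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return user-specification rules as dicts.

    Comments, Defaults and alias definitions are skipped; line continuations with
    a trailing backslash are not handled, so run visudo -c for syntax first.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Runas_Alias",
                                        "Host_Alias", "Cmnd_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        rules.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "",
            "tags": tags,
            "cmds": m.group("cmds").strip(),
        })
    return rules


def audit(text, expected=EXPECTED_PRINCIPALS):
    """Flag rules a stock install would not contain; returns a list of (rule, reasons)."""
    findings = []
    for rule in parse_sudoers(text):
        reasons = []
        if rule["who"] not in expected:
            reasons.append("principal not in the expected set")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("NOPASSWD removes the password prompt")
        if rule["cmds"] == "ALL" and rule["who"] not in expected:
            reasons.append("unrestricted command set for an unexpected principal")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in audit(SAMPLE_SUDOERS):
        print(f"{rule['who']} {rule['hosts']}=({rule['runas']}) {rule['cmds']}")
        for r in reasons:
            print("   -", r)
```

Run it against a copy of /etc/sudoers taken while booted from known-clean media rather than from the suspect system; a kernel-level rootkit, which the post also mentions, could present an unmodified file to anything running on the compromised OS.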

  • a Mac user Level 3 Level 3 (715 points)

    I honestly wish you would stop all this fear-mongering. It is pointless and is only making you look like more of a hypochondriac. Malware does not want to do users in; it is not profitable to destroy the system, it is more profitable to skim data off the user without detection. I don't really care how long you have been using Mac OS; you obviously know next to nothing about how security and exploitation work, yet you act like you do.

     

     

  • thomas_r. Level 7 Level 7 (29,795 points)

    people having this issue should at least reinstall the latest Mac OS X Combo update at this stage of the incident.

     

    That's a laugh. I may disagree with ds store regarding his advice, but at least it would work. His advice is good for any unknown malware that might make it onto your system. Reinstalling a combo update would do absolutely nothing to eliminate malware. Please stop pretending to be an expert about something that you are not an expert about.