Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: MAC ATTACKED
MAC ATTACKED Author
User level: Level 1
5 points

MALWARE access via hole in Browser Plugin Process. Applications achieving root level authorization. Please help.

MACBOOK PRO. Late 2011. LION 10.7.3 - 2.2GHz w/4GB 1333 MHz DDR3. Wifi for Internet at home and BlueTooth for the mouse. No iChat, iTunes, iCalendar etc.


I have recently experienced what appears to be a complete collapse of the security protocol and my system now seems to be run by foreign programs. I will quickly describe what I have discovered and what I think could be the cause. I will then post some of the files I found as well as some logs. Please let me know your thoughts, what other information you need and what I can do to remedy the situation. I don't want to debate the existance of threats. I am willing to accept reasonable explanations but please look at everything I am asking for help with. Thank you in advance for thoughtful replies.


Background

On or about March 22 I updated Quicktime/Safari to be able to view and play rich media. I installed the Perian, Flip4Mac and DIVX plugins. I had run into problems with homepage hijackers previouslyI did not notice anything suspicious until this weekend. The system slowed to a halt after visiting sites like YouTube, DailyMotion etc. The system started generating comprehensive debugging reports and failed to shut down properly. The boot logs changed as well. Some went missing (no data reported) and the protocols for others changed dramatically. New applications began to show up in the Activity Monitor and new components began to appear with unknown origins or authors.

Current State - Login


It appears as though the security protocol has changed. PAM framework exposes a generic set of API/functions to the applications. Applications simply call the functions de- fined in the module passing in the credentials of the user. Secure logs, crash reports and DEBUGGING logs all indicate that there is a breakdown in the system allowing something to get set up as a guest user without a urlAttribute or homeDirPath or the proper syntax and is reestablishing itself on start using exception handling protocols and cached data. It is refusing to let go when shutting down and starts up again before any other systems are in place from its persistant state cache.


Current State - Files, Logs and Caches


The private/tmp folder have seen new locked files and folders appear at the same time. All of which point back to Safari/Fireworks Plugin Process as its origin. File contents posted below


eka_named_mutex_KLAVA (zero bytes on disk)

PRCustomProps

PRObjects

wnstat.xml

launchd-142.RTSwZ4 (locked folder)


eka_named_mutex_KLAVA


PRCustomProps =

!! ?PR_REMOTE_MANAGER_PROP ?cpnPRAGUE_REMOTE_API ?cpTASK_MANAGER_TASK_ID ?

cpTASK_MANAGER_TASK_IS_REMOTE ?npISWIFT_MODE ?npISWIFT_VOLUME_ID ?npISWIFT_FILE_ID

?npAVS_HTTP_REQ ?

npAVS_HTTP_RSP ?

npAVS_SCAN_ACTION_NAME

?npAVS_CHAINED_OBJECT ?KTT ?npSCAN_OBJECT_CONTEXT ?

npENGINE_OBJECT_PARAM_ACTION_CLASS_MASK_tDWORD ?npENGINE_VIRTUAL_OBJECT_NAME ?npENGINE_OBJECT_DETECT_STATE ?npENGINE_OBJECT_READONLY_tERROR ?

npENGINE_OBJECT_READONLY_hOBJECT ?npENGINE_OBJECT_SESSION_hOBJECT ?

npENGINE_OBJECT_SKIP_THIS_ONE_tBOOL ?npENGINE_OBJECT_EXECUTABLE_PARENT_IO_hOBJECT ?npENGINE_OBJECT_SET_WRITE_ACCESS_tERROR ?propid_reopen_user_data ?

npENGINE_INTEGRAL_PARENT_IO ?propid_istreams_ctx ?npSCAN_OBJECT_BCKFLAG ?

avp1_has_special_cure ?cpTEMPFILE_MEMMANAGER ?npOBJECT_STARTUP ?DEFER_THREAD_INIT



wnstat.xml file contents =

<propertiesmap>


<key name="WebNetStat">


<key name="Zones">


<key name="0000">


<tSTRING name="Name">test</tSTRING>


</key>


<key name="0001">


<tSTRING name="Name">ac</tSTRING>


</key>


<key name="0002">


<tSTRING name="Name">ad</tSTRING>


</key>


<key name="0003">


<tSTRING name="Name">ae</tSTRING>


</key>


....all the way through to...



<key name="0274">


<tSTRING name="Name">xxx</tSTRING>


</key>

</key>


<tBOOL name="SkipUnknown">1</tBOOL>


<key name="WaitTimeouts">


<key name="0000">


<tBYTE name="Id">2</tBYTE>


<tDWORD name="Timeout">2000</tDWORD>


</key>


</key>


</key>

</propertiesmap>


PRObjects = 8Lä± PRRoot 8TD± TaskManager



New Processes have appeared in the Activity Monitor that all link together to manage what happens and what gets reported. They include


backgroundinstruments -

/Applications/Xcode.app/Contents/Library/LoginItems

->0xffffff800e8af648

/Applications/Xcode.app/Contents/Library

/Applications/Xcode.app/Contents

/Applications/Xcode.app

/Applications

count=0, state=0x1

count=0, state=0x1


imagent

/

/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/im agent

/System/Library/PrivateFrameworks/IMCore.framework/Versions/A/Frameworks/IMDaemo nCore.framework/Versions/A/IMDaemonCore

/System/Library/Frameworks/IMServicePlugIn.framework/Versions/A/IMServicePlugIn

/private/var/db/mds/messages/se_SecurityMessages

/usr/share/icu/icudt46l.dat

/usr/lib/dyld

/private/var/db/dyld/dyld_shared_cache_x86_64

/dev/null

->0xffffff800d7573f0

->0xffffff800d7573f0

count=1, state=0x2

->0xffffff800e8aea90


com.apple.legacymediabridge.videodecompressionserver


This one is the most troubling. I understand that Quicktime can read and or write code from an embedded XML file. I have noticed all sorts of new Components listed in System Information that relate directly to the collection, distribution and execution of code via the browser plugin process. It wouldn't take much to inject code into a cache that can be later executed by processes that have hijacked the login protocol. With two way conversation back and forth it could easily be tweaked based on DEBUGGING reports sent home until it has been proven effective.


I think my machine has been compromised before. I reported some incidents last fall however I didn't know enough about OSX to gage the threat. My experience before and after visiting certain media sites is the same except this time they seem to be far more effective.


Please let me know what you think the best remedy might be. I want to eliminate all of the errors, get the system running as it should and ultimately put up some kind of barrier that isn't so easy to foil. I just received another error


"12-04-08 2:33:13.267 AM helpd: CFPropertyListCreateFromXMLData(): Old-style plist parser: missing semicolon in dictionary.


I am suspicious because I have seen my system compromised by code embedded in Browser Plug In processes before. I am suspicious because what I have seen happen to my system over the last few days is consistent with how one might attack a OSX machine. Too many odd changes inconsistent with how others have described their experience. Let me know what else you need to help define things further. I can provide a lot more data about the contents of files recently modified, logs, debug reports etc. I am not sure where to start, what is important and what can be dismissed. I appreciate your help.

MacBook Pro, Mac OS X (10.7.2)

Posted on Apr 8, 2012 2:23 AM

Reply
35 replies
User profile for user: thomas_r.
thomas_r.
User level: Level 7
31,989 points

Apr 10, 2012 6:14 PM in response to MAC ATTACKED

Nobody here has told you Macs are invulnerable. Quite the opposite. But just because malware exists for Macs does not mean that your particular problem is caused by malware. But, I believe such information is not going to be welcomed, as you are bound and determined to have malware, whether that is the truth of the situation or not. I don't believe anyone here can be of any assistance to you until you are willing to discuss it civilly.

Reply
User profile for user: MAC ATTACKED
MAC ATTACKED Author
User level: Level 1
5 points

Apr 10, 2012 9:09 PM in response to thomas_r.

I would suggest that what I am describing has nothing to do with currently known Malware which is why so many people were affected by it.


I do not think everyone has a debug log generated by their log in. I am sure most don't have system processes making changes during startup.


backgroundinstruments is an active process. I tied directly back to XCODE Instruments applications running DTRACE. You tell me this is all wrong.


I haven't seen these types of logs before. You haven't told me what you expect me to report.


It really doesn't matter. I have seen what is out there. I reported that code can be executed via web browsers without the knowlege or consent of the user 6 months ago and was told this was impossible.


XCODE isn't malicious in and of itself but it can be used to create applications to track etc. Hackers use these applicatioins and debugging to figure out how to overcome the system and deploy applications. How do IU kmow? Because that is what they talk about on their sites.


I have seen reports of many ways to compromise a Mac. And most of the new Malware does not require interaction by the user. Simply watching a video is enough or sometimesd running a program like word etc.


I'm really sorry I brought it up. I'm trying to sound the alarm that you will see more and more of these attacks and Mac are especially vulnerable because there is a lot of complacency, no real experience with threats and no real security.


Best of luck. It will get worse before it gets better. They are just starting, they have lots of experience getting around security. Apple hasn't faced many threats before and hasn't had to contend with this kind of focused, deliberate, experienced attacks.


I warned of this in my first post. Just saying be careful out there....its worse than you think.

Reply
User profile for user: billcole
billcole
User level: Level 1
44 points

Apr 11, 2012 12:37 AM in response to MAC ATTACKED

I think you would get a better response if you were a bit more calm and careful in what you post. Specifically:


  1. Which log files or asl command gave you those log listings? Why do you think they are unsusual, aside from the verbosity? As a hint: I have unusually verbose logging configured on my machines, and your "boot log" (actually containing no boot info) looks very similar to a subset of the log entries a normal login drops in my logs. Noisier than a normal system, yes, but the content of the noise is not unusual. It does not seem to support your description of terrible things going on with PAM and keychains and guest users.
  2. No one has said that Mac's are immune to malware. However, you have offered no evidence of malware. You have offered evidence and testimony of installing suspect software (DIVX: completely pointless) and a program (Sophos AV) that hooks into the system deeply. You have also complained about performance when visting sites ("like YouTube, DailyMotion etc.") that use the dependably performance-sapping Flash. Unless you consider Flash to be malware per se (there's a case there...) that isn't a sign of anything unusual.
  3. You make claims about "keylogging" but don't explain a basis for that claim.
  4. What exactly are you trying to say about disks? It does not match normal MacOS disk naming and slicing, but it is vaguely similar. The default in Lion is for the boot disk to be /dev/disk0, which is sliced into 3 partitions. You can see this using the 'diskutil' command line utility:
    $ diskutil list disk0/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *250.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS MacBook_Internal        245.6 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

If I am mapping your sloppy naming correctly:

  • disk0s1 seems to be a nusiance to you. It should not be. It is the "EFI System Partition" which is mandatory for any boot device on a machine using EFI. I assure you: it is not a waste or a problem. If that isn't enough for you to accept its existence and necessity, try Google and Wikipedia for more detailed answers, but don't believe everything you read.
  • disk0s2 is the slice where everything normally accessible in MacOS X exists, in a HFS+ filesystem.
  • disk0s3 is the slice where Lion keeps a minimal HFS+ (ish) filesystem that can be booted with a .dmg holding a known-good system image adequate to support recovery. You can mount it if you want to, but you really should just let it sit there.

    • Finally, on Xcode. I hate it being in the AppStore because the AppStore is horrid but your argument about it posing a risk by being freely available is beneath silly. Development tools being freely available is a normal and necessary part of a useful platform. MacOS X development tools have been freely available for over a decade, with some releases including them on the distribution disks and latest versions being available online for the price of giving Apple an email address. This is not a MacOS X oddity, it is the norm for operating systems and has been for a long time.


    I don't know what's wrong with your system, but I'd start with looking at the output of 'ps auxwww', installing Little Snitch, and creating a new clean user with admin status and no user-friendly tweaks. The known malware for MacOS mostly only knowns about the account it came in through, so you may be able to find it more easily when logged in on a fresh undamaged account. I would also want to look at /etc/syslog.conf and /etc/asl.conf for changes from the default installs of those files and when the changes happened, since you seem to have some logging modifications that are the most suspect changes.


    Message was edited by: billcole

    Reply
    User profile for user: thomas_r.
    thomas_r.
    User level: Level 7
    31,989 points

    Apr 11, 2012 4:00 AM in response to MAC ATTACKED

    I do not think everyone has a debug log generated by their log in. I am sure most don't have system processes making changes during startup.


    What does that mean? Yes, you've got logs... big deal, everyone has logs being generated constantly. I've seen people report stuff like what's in your logs, and it has generally involved some kind of corruption in the system. I saw a report from one person who found that deleting the keychain and re-creating it solved the problem.


    You have really said very little about how your system is behaving. You have posted fairly meaningless logs, and it seems you are extrapolating a lot (inaccurately, from the sounds of it) from those logs and from seeing some benign processes running in Activity Monitor.


    You insisted that you have a keylogger going, but won't say how you know that. What keylogger? How did you find it? etc. What is your Mac doing, besides generating logs that you are interpreting improperly, that leads you to believe you have malware?


    I have seen reports of many ways to compromise a Mac. And most of the new Malware does not require interaction by the user. Simply watching a video is enough or sometimesd running a program like word etc.


    That is absolutely, 100% false. Flashback is the only malware in existence that can execute third-party code without the user's assistance, and it can only do so on very outdated machines or machines that have not had security updates properly applied at this point.


    I am never one to discount possibilities of a new avenue of attack. But it's difficult to accept when someone comes crying that the sky is falling without any evidence whatsoever, much less a coherent story. If you think you have found something in advance of all my contacts in the security industry and all the anti-virus companies and Apple, you need to be able to provide solid evidence to be taken seriously.

    Reply
    User profile for user: MAC ATTACKED
    MAC ATTACKED Author
    User level: Level 1
    5 points

    Apr 11, 2012 9:46 AM in response to billcole

    I'm not experienced enough to describe what is happening without being mocked. I didn't initiate a DTRACE. I didn't launch background instruments.


    I'm done. I asked for thoughtfull responses and what information you require. Instead I got into a debate over whether backgroundinstruments are part of XCODE instruments or not.


    I appreciate your tips and instructions on where to look. When I get my machine back from APPLE I will make a note of those for future reference.


    I do appreciate your help.


    <Edited by Host>

    Reply
    User profile for user: thomas_r.
    thomas_r.
    User level: Level 7
    31,989 points

    May 3, 2012 7:21 AM in response to UNOwenNYC

    I totally agree with you, Mac Attacked. I couldn't understand if Thos. A. R. was mocking you,or not.


    I was not remotely mocking, I was trying to figure out what he was talking about. It was extraordinarily unclear, didn't make much sense and he never would give us details that we requested. Nobody suggested "resting on one's laurels," but at the same time, there is little sense in blaming malware for poorly-described behavior that doesn't sound remotely like any known malware. That only interferes with finding a solution.


    If he ever returns and provides additional information, as requested by more than just myself, then I'm sure someone will help him. Not me, though, not after the immature name-calling in his last post (deleted by the hosts).

    Reply
    User profile for user: Topher Kessler
    Topher Kessler
    User level: Level 6
    9,905 points

    May 3, 2012 9:08 AM in response to MAC ATTACKED

    In looking at this, it does not appear your system has been compromised, but if you suspect it has then by all means deal with it according to what will put your mind at ease.


    The programs you mention which are running in the background are legitimate components of Apple's frameworks and XCode environment. This is also the case with the "com.apple.legacymediabridge.videodecompressionserver" process that you are concerned about, which likely has been triggered by the various video codec and quicktime add-ons that you installed.


    The biggest reason for my skepticism is that your story has been discussed here for about a month, and this is the only instance of these symptoms that I have ever seen, either by end-users or by security companies. As with others here I'm not sure what the PRObjects, PRCustomProps, and other temporary files are, but this folder is used by MANY programs to store temporary items, so it will undoubtedly contain some odd files here and there.


    It sounds like to an extent you are thinking up too many possibilities for what all of these items mean, and are putting too much interpretation on them. Yes keyloggers are possible, and yes malware is possible, and yes they sometimes use the /tmp folder as a launch point, but the fact that the behavior seen here is not anywhere else and the fact that much of it is explainable by standard OS X processes suggests it is likely not an issue.


    My recommendation would be to install Little Snitch and monitor outgoing traffic, to see if any processes associated with these files are trying to "call home" or perform any other suspicious communications.

    Reply

    MALWARE access via hole in Browser Plugin Process. Applications achieving root level authorization. Please help.

    Welcome to Apple Support Community
    A forum where Apple customers help each other with their products. Get started with your Apple ID.
    Learn more Sign up