You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

MAC ATTACKED Author

Level 1

5 points

MALWARE access via hole in Browser Plugin Process. Applications achieving root level authorization. Please help.

MACBOOK PRO. Late 2011. LION 10.7.3 - 2.2GHz w/4GB 1333 MHz DDR3. Wifi for Internet at home and BlueTooth for the mouse. No iChat, iTunes, iCalendar etc.

I have recently experienced what appears to be a complete collapse of the security protocol and my system now seems to be run by foreign programs. I will quickly describe what I have discovered and what I think could be the cause. I will then post some of the files I found as well as some logs. Please let me know your thoughts, what other information you need and what I can do to remedy the situation. I don't want to debate the existance of threats. I am willing to accept reasonable explanations but please look at everything I am asking for help with. Thank you in advance for thoughtful replies.

Background

On or about March 22 I updated Quicktime/Safari to be able to view and play rich media. I installed the Perian, Flip4Mac and DIVX plugins. I had run into problems with homepage hijackers previouslyI did not notice anything suspicious until this weekend. The system slowed to a halt after visiting sites like YouTube, DailyMotion etc. The system started generating comprehensive debugging reports and failed to shut down properly. The boot logs changed as well. Some went missing (no data reported) and the protocols for others changed dramatically. New applications began to show up in the Activity Monitor and new components began to appear with unknown origins or authors.

Current State - Login

It appears as though the security protocol has changed. PAM framework exposes a generic set of API/functions to the applications. Applications simply call the functions de- fined in the module passing in the credentials of the user. Secure logs, crash reports and DEBUGGING logs all indicate that there is a breakdown in the system allowing something to get set up as a guest user without a urlAttribute or homeDirPath or the proper syntax and is reestablishing itself on start using exception handling protocols and cached data. It is refusing to let go when shutting down and starts up again before any other systems are in place from its persistant state cache.

Current State - Files, Logs and Caches

The private/tmp folder have seen new locked files and folders appear at the same time. All of which point back to Safari/Fireworks Plugin Process as its origin. File contents posted below

eka_named_mutex_KLAVA (zero bytes on disk)

PRCustomProps

PRObjects

wnstat.xml

launchd-142.RTSwZ4 (locked folder)

eka_named_mutex_KLAVA

PRCustomProps =

!! ?PR_REMOTE_MANAGER_PROP ?cpnPRAGUE_REMOTE_API ?cpTASK_MANAGER_TASK_ID ?

cpTASK_MANAGER_TASK_IS_REMOTE ?npISWIFT_MODE ?npISWIFT_VOLUME_ID

?npISWIFT_FILE_ID

?npAVS_HTTP_REQ ?

npAVS_HTTP_RSP ?

npAVS_SCAN_ACTION_NAME

?npAVS_CHAINED_OBJECT ?KTT ?npSCAN_OBJECT_CONTEXT ?

npENGINE_OBJECT_PARAM_ACTION_CLASS_MASK_tDWORD ?npENGINE_VIRTUAL_OBJECT_NAME ?npENGINE_OBJECT_DETECT_STATE ?npENGINE_OBJECT_READONLY_tERROR ?

npENGINE_OBJECT_READONLY_hOBJECT ?npENGINE_OBJECT_SESSION_hOBJECT ?

npENGINE_OBJECT_SKIP_THIS_ONE_tBOOL ?npENGINE_OBJECT_EXECUTABLE_PARENT_IO_hOBJECT ?npENGINE_OBJECT_SET_WRITE_ACCESS_tERROR ?propid_reopen_user_data ?

npENGINE_INTEGRAL_PARENT_IO ?propid_istreams_ctx ?npSCAN_OBJECT_BCKFLAG ?

avp1_has_special_cure ?cpTEMPFILE_MEMMANAGER ?npOBJECT_STARTUP ?DEFER_THREAD_INIT

wnstat.xml file contents =

</key>

</key>

</key>

</key>

....all the way through to...

</key>

</key>

</propertiesmap>

PRObjects = 8Lä± PRRoot 8TD± TaskManager

New Processes have appeared in the Activity Monitor that all link together to manage what happens and what gets reported. They include

backgroundinstruments -

/Applications/Xcode.app/Contents/Library/LoginItems

->0xffffff800e8af648

/Applications/Xcode.app/Contents/Library

/Applications/Xcode.app/Contents

/Applications/Xcode.app

/Applications

count=0, state=0x1

imagent

/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/im agent

/System/Library/PrivateFrameworks/IMCore.framework/Versions/A/Frameworks/IMDaemo nCore.framework/Versions/A/IMDaemonCore

/System/Library/Frameworks/IMServicePlugIn.framework/Versions/A/IMServicePlugIn

/private/var/db/mds/messages/se_SecurityMessages

/usr/share/icu/icudt46l.dat

/usr/lib/dyld

/private/var/db/dyld/dyld_shared_cache_x86_64

/dev/null

->0xffffff800d7573f0

count=1, state=0x2

->0xffffff800e8aea90

com.apple.legacymediabridge.videodecompressionserver

This one is the most troubling. I understand that Quicktime can read and or write code from an embedded XML file. I have noticed all sorts of new Components listed in System Information that relate directly to the collection, distribution and execution of code via the browser plugin process. It wouldn't take much to inject code into a cache that can be later executed by processes that have hijacked the login protocol. With two way conversation back and forth it could easily be tweaked based on DEBUGGING reports sent home until it has been proven effective.

I think my machine has been compromised before. I reported some incidents last fall however I didn't know enough about OSX to gage the threat. My experience before and after visiting certain media sites is the same except this time they seem to be far more effective.

Please let me know what you think the best remedy might be. I want to eliminate all of the errors, get the system running as it should and ultimately put up some kind of barrier that isn't so easy to foil. I just received another error

"12-04-08 2:33:13.267 AM helpd: CFPropertyListCreateFromXMLData(): Old-style plist parser: missing semicolon in dictionary.

I am suspicious because I have seen my system compromised by code embedded in Browser Plug In processes before. I am suspicious because what I have seen happen to my system over the last few days is consistent with how one might attack a OSX machine. Too many odd changes inconsistent with how others have described their experience. Let me know what else you need to help define things further. I can provide a lot more data about the contents of files recently modified, logs, debug reports etc. I am not sure where to start, what is important and what can be dismissed. I appreciate your help.

MacBook Pro, Mac OS X (10.7.2)

Posted on Apr 8, 2012 2:23 AM

35 replies

MAC ATTACKED Author

Level 1

5 points

May 25, 2012 7:21 PM in response to MAC ATTACKED

If you care to learn something you may be interested in what I have to say.

I came to this message board with information and questions relating to experiences I had with my MacBookPro and OSX Lion. Although not familiar with Mac's I was very familiar with the internet in general. I was quite suprised how quickly my Mac was compromised. Not familiar with the operating system, I really didn't know where to begin or what to say.

When I tried to report some of the vulnerabilities I detected much of what I was saying was dismissed as implausible, impossible or nothing to worry about. Unfortunately, I wasn't wrong. Exploitable vulnerabilities did exist and, as we all found out, infection could take place without the user even knowing about it or giving permission as I was told. Malware had evolved beyond social engineering vectors and perhaps, even beyond detection. Had I known more about Unix, OSX and the Apple paradigm at the time I might have been able to express myself in a more intelligible way. I had hoped I might have had more help however I can see how difficult at task it is for the uninitiated to describe the unseen to the unaware. Harry Markopolos had the facts and tried for 8 years to warn the authorities about Bernie Madoff and no one would listen to him so I'm not suprised. No one likes to feel unsafe, duped or vulnerable.

Through this process I have learned a lot about OSX, UNIX, programming, networks, Windows, Malware and escpecially human behavior. What's interesting to me is some of the clearly misguided logic employed by some. Some vulnerablities and work arounds seem so obvious to me yet not to others.

There are lots I like about Apple, much I don't. I sold my MacBook to someone who will get more enjoyment out of it than I will. For me and what I do, Windows is a better choice for now.

For those who have an expert reputation to maintain I thank you. I learned more about human behavior and ego than you can imagine. A piece of advice is to recognize a mistake or error in judgement and correct your path early. If you don't have all the facts, ask. These discussions are indexed and foolish statements last forever. For example stating that Background Instruments isn't an XCode program when it is, well that's just silly.

I'd love to play poker with Timmy Lead. Seems like he'd push his chips quickly and go on tilt easily. Funny how some defend with such certainty and resolve ideas that are so obviously flawed.

I might have jumped to conclusions about the how and why but in the end the threats were real. It was very interesting to watch it all happen.

For those who tried to help, thank you. I would only caution that a lot of this still is away of things like "Little Snitch", Sophos etc. and will stay silent while they are running. My advice is to be open minded about anyone who claims to be experiencing anything new. Zero Day exploits are out there.

It is likely that pay per click advertising will drive more and more people to look for ways to exploit such an obviously exploitable revenue stream. Thanks Google, thanks AdSense.

There are some interesting articles here;

http://www.securelist.com/en/blog/208193470/New_Version_of_OSX_SabPub_Confirmed_ Mac_APT_attacks

http://www.securelist.com/en/analysis/204792227/The_anatomy_of_Flashfake_Part_1

http://www.securelist.com/en/analysis/204792232/The_anatomy_of_Flashfake_Part_2

http://nakedsecurity.sophos.com/category/malware/

Maybe I'll be back someday back...good luck and stay safe.

Sep 16, 2012 12:36 PM in response to MAC ATTACKED

This guy is not crazy. I have been going through the same nightmare for over a month now only to get the same demeaning and insulting attitudes by anyone affiliated with Apple Support.

I only recently came to find that Xcode was behind all of the unexplained things that were going on with my system recently when I woke my MBP up to find the XCode Application open with iphone tools as well as OS X development tools loaded. Until this point I had never even heard of Xcode. Of course, once I started trying to play around with the application control of my computer was taken over (yes, I said it!) and the libraries of tools were no longer available.

Absolute crazy things such as this and every single thing MAC ATTACKED has described has happened to me as well. The crazy disk labels and partitions, the Mountain Lion installer files being modified immediately upon download to include extra backdoor access up to the point the actual Installer App that runs is modified to not allow certain options such as "System Information" from the utilities menu. How I came to notice the installer app was buggy is when I would go into Disk Utility from the recovery mode the spinning wheel would change to a colorless white box for a second or two then it would load up the disks. I know that Apple is not going to let one of their applications have a graphical mishap like this...it just doesn't happen.

I could go on and on about the crazy things both my MBP and my iMAC are going thought right now but I think I am done sounding like a lunatic for one day. Like this guy, I am not technically savvy enough using LINUX and am even worse probably about being able to explain things to others but if, for no other reason than to let this guy know he is not alone here, I thought I would share my experiences....

Good day!

0420

Level 1

0 points

Oct 3, 2012 9:59 PM in response to MAC ATTACKED

just want to say thanx to all in this forum for imforming me of similar issues i'm having with my Mac. i'll keep reading and ask for help. hopefully i am able to help as well. much mahalos.

Feb 4, 2013 11:11 AM in response to MAC ATTACKED

I have been having all these same issues and cant get any help from apple I have been going through this for 8 months and now my ipad & iphone have been takin over.I am not very tech savy.I do know that mine came through the windows part and I never even installed it.If any body can help I would really be thankful I feel as if I have been held hostage.

Jul 30, 2013 5:37 AM in response to MAC ATTACKED

"I'm not experienced enough to describe what is happening without being mocked. I didn't initiate a DTRACE. I didn't launch background instruments."

Some versions of Xcode, when run, set up backgroundinstruments to run as a login item, in order to support things like automatic profiling of spinning/unresponsive applications. As of Xcode 4.5, this is no longer done, and when run Xcode 4.5 removes the login item.

MALWARE access via hole in Browser Plugin Process. Applications achieving root level authorization. Please help.