
Malware in Bootsector of Snow Leopard

Hello,

I realize this post is almost exactly the same issue as (https://discussions.apple.com/thread/1787259?start=15&tstart=0) however, there is no answer to the problem.


Problem: Recently my wireless router was compromised, leading to metasploit backdoors and etc. being placed inside of several of my computers. My Macbook (intel based core 2 duo, 160gb hdd) was found to have a "bootroot loader" malware infection by avast for mac, being recognized as a "decompression bomb". My network is now fully secure (wired router) with managed cisco switch, Backtrack 5 packet monitoring machine...blah...blah, and I am still having the bootloader infection!


Since then, I have re-installed Linux over the drive, re-installed Windows over it on a separate computer, partitioned it to various formats, deleted free space and volume space, taken it to areas where there are no wireless signals and reinstalled, and etc. I STILL HAVE THE MALWARE, VERY SIMILAR ISSUE TO THE ABOVE LINK and EFT script!!! The last time I reinstalled from my Apple purchased DVD, I found even more infections (i.e. payload injections, private/var infections etc).


I know how to harden the OS but it makes no difference when the bootloader has already been compromised!!! H3LP M3!!!

MacBook, Mac OS X (10.6.8), Malware in Bootloader

Posted on Aug 14, 2012 9:32 AM


3 replies
Question marked as Best reply

Aug 14, 2012 11:03 AM in response to m@cd33p

There is a file called "bootroot.loader" that is a normal part of Mac OS X, and that has (apparently) been falsely identified as a decompression bomb at times in the past by Avast. This is not malware. I'm no longer using Snow Leopard, but on Mountain Lion, I find the file at the following path:


/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Loaders/MKDrivers.bundle/Contents/Resources/bootroot.loader
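As an added example (not from the thread or from Apple), here is how to check whether a file an AV product flagged is a stock, Apple-signed OS component before treating it as an infection; it assumes macOS's pkgutil(1) and codesign(1) are available and uses the path quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether a flagged file is a
# stock, Apple-signed macOS component. Assumes the macOS tools pkgutil(1)
# and codesign(1); where they are absent the function returns 2.
# Return codes: 0 = an Apple package receipt owns it and the enclosing
# bundle's signature chains to Apple Root CA; 1 = not accounted for,
# investigate; 2 = cannot verify on this system.

# Path quoted in the reply above (Mountain Lion layout).
FLAGGED='/System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Loaders/MKDrivers.bundle/Contents/Resources/bootroot.loader'

verify_system_file() {
    f="$1"
    command -v pkgutil >/dev/null 2>&1 || return 2
    command -v codesign >/dev/null 2>&1 || return 2
    [ -f "$f" ] || return 1

    # 1. Which installer receipt owns the path? Stock files carry a
    #    com.apple.pkg.* receipt; anything else was not laid down by the OS install.
    owner=$(pkgutil --file-info "$f" 2>/dev/null | awk -F': ' '/^pkgid:/ {print $2; exit}')
    case "$owner" in
        com.apple.pkg.*) ;;
        *) return 1 ;;
    esac

    # 2. Walk up to the enclosing bundle/framework and verify its code signature.
    bundle="$f"
    while [ "$bundle" != "/" ]; do
        case "$bundle" in
            *.bundle|*.framework|*.app) break ;;
        esac
        bundle=$(dirname "$bundle")
    done
    [ "$bundle" != "/" ] || return 1
    codesign --verify "$bundle" >/dev/null 2>&1 || return 1

    # 3. A valid signature alone is not enough: it must chain to Apple's own root.
    codesign -dvv "$bundle" 2>&1 | grep -q '^Authority=Apple Root CA' || return 1
    return 0
}

# Stand-alone use: report the verdict for the path from the thread.
case "$(verify_system_file "$FLAGGED"; echo $?)" in
    0) echo "stock Apple component: scanner hit is very likely a false positive" ;;
    1) echo "not accounted for by Apple receipts or signature: investigate" ;;
    *) echo "cannot verify on this system (macOS tools not found)" ;;
esac
```

A hit on a file that passes all three checks is a scanner false positive, which is the case the reply above describes; a file that fails step 1 or 3 deserves the attention the original poster gave the whole disk.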

Aug 14, 2012 1:09 PM in response to thomas_r.

Thanks Thomas!

After seeking your advice and uninstalling AVAST, I installed Sophos per your instructions and all my issues were magically fixed. I am amazed that AVAST would release software that is bug ridden. After close examination, the "payloads" flagged were being found on Apple's DVD (false positives). I over-reacted because of a separate threat instance. Thanks again for all of your help!

Aug 14, 2012 1:14 PM in response to m@cd33p

No problem. Unfortunately, there are a lot of anti-virus companies that have flocked to the Mac platform in the wake of the Flashback outbreak, and most of them don't really have a good understanding of the Mac yet. Companies like Avast may be well-regarded in the Windows world, but I'd steer clear of them on the Mac for now. ClamXav and Sophos both have proven track records on the Mac.
