3 Replies Latest reply: Aug 14, 2012 1:14 PM by thomas_r.
m@cd33p Level 1 (10 points)


I realize this post is almost exactly the same issue as (https://discussions.apple.com/thread/1787259?start=15&tstart=0); however, there is no answer to the problem.


Problem: Recently my wireless router was compromised, leading to Metasploit backdoors etc. being placed inside several of my computers. My MacBook (Intel-based Core 2 Duo, 160GB HDD) was found to have a "bootroot loader" malware infection by Avast for Mac, being recognized as a "decompression bomb". My network is now fully secure (wired router) with a managed Cisco switch, a Backtrack 5 packet monitoring machine... blah... blah, and I am still having the bootloader infection!


Since then, I have reinstalled Linux over the drive, reinstalled Windows over it on a separate computer, partitioned it to various formats, deleted free space and volume space, taken it to areas where there are no wireless signals and reinstalled, etc. I STILL HAVE THE MALWARE, VERY SIMILAR ISSUE TO THE ABOVE LINK and EFT script!!! The last time I reinstalled from my Apple-purchased DVD, I found even more infections (i.e. payload injections, private/var infections etc.).


I know how to harden the OS but it makes no difference when the bootloader has already been compromised!!! H3LP M3!!!

MacBook, Mac OS X (10.6.8), Malware in Bootloader
  • thomas_r. Level 7 (30,645 points)

    There is a file called "bootroot.loader" that is a normal part of Mac OS X, and that has (apparently) been falsely identified as a decompression bomb at times in the past by Avast. This is not malware. I'm no longer using Snow Leopard, but on Mountain Lion, I find the file at the following path:


    /System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/Loaders/MKDrivers.bundle/Contents/Resources/bootroot.loader
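
A practical way to settle the false-positive question thomas_r. raises, added here as an illustration and not something anyone posted in the thread: hash the flagged file and compare it with the copy in a known-clean tree of the same OS version (for example a fresh install on another disk), and while you are at it diff the two trees so that anything genuinely added or altered shows up alongside the scanner's hit. The Python below is my own; the flagged path is the one thomas_r. gives (with the space the forum wrapped into MKDrivers.bundle removed), the `reference` and `live` roots are stand-ins you would replace with real mount points, and every file body, plus the `bin/ls` and `private/var/tmp/.payload` entries, is constructed sample data written to a temp directory so the script runs offline without touching a real system.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Path of the file Avast flagged, as given in the thread, relative to /.
FLAGGED = ("System/Library/PrivateFrameworks/MediaKit.framework/Versions/A/"
           "Loaders/MKDrivers.bundle/Contents/Resources/bootroot.loader")


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large bundles never sit in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # hash real file content only; skip links, sockets, devices
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(reference: dict, live: dict) -> dict:
    """Compare a known-clean reference tree with the live system tree."""
    common = set(reference) & set(live)
    return {
        "missing": sorted(set(reference) - set(live)),      # shipped but absent
        "unexpected": sorted(set(live) - set(reference)),   # present but not shipped
        "modified": sorted(k for k in common if reference[k] != live[k]),
        "identical": sorted(k for k in common if reference[k] == live[k]),
    }


def verdict(rel_path: str, reference: dict, live: dict) -> str:
    """One-word answer for a single flagged file."""
    if rel_path in reference and rel_path in live:
        return "identical" if reference[rel_path] == live[rel_path] else "modified"
    if rel_path in live:
        return "unexpected"  # not part of the clean install: worth a closer look
    return "missing"


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Constructed sample trees standing in for the clean reference and the live disk."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "reference"), Path(tmp, "live")
        loader = b"\x00" * 64 + b"bootroot.loader stand-in (constructed bytes)"
        _write(ref, FLAGGED, loader)
        _write(live, FLAGGED, loader)                        # same bytes: AV false positive
        _write(ref, "bin/ls", b"ls stand-in")
        _write(live, "bin/ls", b"ls stand-in, tampered")     # differs: real concern
        _write(live, "private/var/tmp/.payload", b"not on the clean install")
        r, l = build_manifest(ref), build_manifest(live)
        result = diff_manifests(r, l)
        result["flagged_verdict"] = verdict(FLAGGED, r, l)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine you would call `build_manifest` on `/` (or just the affected framework directory) and on the clean reference root; an `identical` verdict for the flagged file means the scanner is objecting to bytes Apple shipped, while the `modified` and `unexpected` lists are where a genuine compromise would show. On OS X, `pkgutil --file-info <path>` is a quick preliminary check that tells you which Apple package installed a given file before you diff whole trees.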

  • m@cd33p Level 1 (10 points)

    Thanks Thomas!

    After seeking your advice and uninstalling AVAST, I installed Sophos per your instructions and all my issues were magically fixed. I am amazed that AVAST would release software that is bug-ridden. After close examination, the "payloads" flagged were being found on Apple's DVD (false positives). I over-reacted because of a separate threat instance. Thanks again for all of your help!

  • thomas_r. Level 7 (30,645 points)

    No problem. Unfortunately, there are a lot of anti-virus companies that have flocked to the Mac platform in the wake of the Flashback outbreak, and most of them don't really have a good understanding of the Mac yet. Companies like Avast may be well-regarded in the Windows world, but I'd steer clear of them on the Mac for now. ClamXav and Sophos both have proven track records on the Mac.