My macbook pro has a virus/trojan that is resetting the EFI via apci and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help..

It all stems from the "about donwloads" PDF which kicks off the restructuring of the OS..

MacBook Pro, OS X Mountain Lion (10.8.3)

Posted on May 6, 2013 11:32 PM


May 7, 2013 12:02 PM in response to Samurai184

You don't have SSH turned on.


But if it makes you feel better to check for yourself...Launch "System Preferences" from the Apple menu. Select the "Sharing" preferences. Confirm that "Remote Login" is not checked.


Alternatively, if you like the command line, you can open a terminal and type "ps ax | grep sshd". The result should be a single line showing the process output of the grep search itself (ie "grep sshd").


And to repeat what I and others have been saying...again...what specific and detailed symptoms are you experiencing that make you think there is a problem with your system?

May 7, 2013 4:13 PM in response to msuper69

Michael Superczynski wrote:


Ok. So how would such malware get installed on my MacBook Pro With Retina Display?

Do I have to buy a compromised USB peripheral of some sort of off eBay?

More to the point - why are any of us wasting time with this nonsense?


I am watching birds nesting at the YMCA and that is far more interesting than this thread.

May 7, 2013 4:21 PM in response to Samurai184

From your article:

Anecdotal evidence has indicated that Mac systems also contain a “boot ROM”, which is executed before the EFI firmware and verifies the integrity of the firmware image including its cryptographic signature at the end of the firmware volume. If the firmware image is not deemed to be valid, the system generates the “S.O.S.” beep sound (literally “S O S” in Morse code) and refuses to boot. The author has not explored this any further; however, it may be a future area of research.

Note, that there is no evidence that this is in the wild. We are back to your "friends" getting access to your computer.

May 7, 2013 4:46 PM in response to Samurai184

2012 is a long time ago in the security field. There is absolutely no evidence that there is any Mac malware capable of doing this, assuming it is still possible anyway. I've got a number of contacts in the security industry, yet I haven't heard of an active exploit for this.


So, you're still dodging the question. What is leading you to believe that you have been hacked? What actual symptoms are you seeing? If you won't answer, you'll get no help here. As you can see from other responses, people are already getting tired of listening. If you want assistance, you're going to have to provide the requested information.

May 7, 2013 8:02 PM in response to thomas_r.

Not "getting" tired, Thomas...all the way to gotten.


Aside from the complete lack of a response to our questions about symptoms, that article isn't even relevant to the original complaint of "EFI being reset by an ACPI virus (paraphrasing)", as it describes a theoretical attack against EFI using PCIe devices with onboard ROM...


I swear, sometimes I think there's a computer security version of Morgellon's Disease...

May 9, 2013 9:38 AM in response to Keith Barkley

Yet another new psychological syndrome due to the Internet. "People are monitoring me through my computer."


Symptoms:

The user claims their computer is behaving suspiciously. The same symptoms appear shortly after they switch to another computer (a usual claim is "this is my n-th computer in x months"). Reported symptoms include sudden disk activity, unknown internet access, files with weird names, files and folders that are "inaccessible" through normal means.


The afflicted person produces lots of system dump data, ranging from hundreds to thousands of lines, and points out various suspects in this: files, processes, and events with no immediately obvious purpose.


The afflicted person uses low level system commands to produce this data. Since only professional users are aware of these commands to begin with, and can understand the meaning of the output, the afflicted person creates a closed relation: only pros can give an exact answer to his inquiries, while others may only express sympathy.


"Regular" users who type in the same commands may get similar "suspicious" results, thus prompting them to join in the discussion with "help! me too!" -- which is further justification for the original poster.


Claims of "semi-advanced" users with layman's knowledge of the underlying processes that the "evidence" shown is inconclusive, incoherent, or doesn't mean anything special, are brushed off as "amateur opinion".


Claims of "advanced" users that the data is perfectly normal are discarded when they fail to give easy-to-understand one-paragraph explanations for each of the suspicious processes (/files/events, etc.). That supports and enhances the conviction of the poster that either "they" are all in it, or they do not know what they are talking about anyway.


Cure: none so far.

May 11, 2013 4:13 AM in response to Samurai184

LOL... This thread at least has some comedic value. It's sad to see that people were willing to help, but you don't realize that nothing that you have posted actually gives any indication of what you claim. This is truly a case of having a little knowledge about low level commands, but no understanding of what the output really means, augmented by a lot of imagination backed up by meaningless forum posts or an old theoretical security article.


If you really want to find the source of your issue, work from the top (from the symptom).

May 24, 2013 12:17 PM in response to radicale

Hi,


I wrote the paper on EFI rootkits posted above. I can assure you it is most certainly not a "theoretical" attack - I demonstrated proof of concept attacks in the presentations that accompanied the paper, and others have done similar work.


That said, Samurai184, I think it is *extremely* unlikely that you are the victim of such an attack. Your diagnosis seems completely based on guesses and paranoia without an understanding of how the OS or firmware work. If you specify exactly what leads you to believe that your EFI firmware is infected I am happy to give you my opinion, but I have seen nothing in the dumps of config output/ioregistry/mounts/etc that would indicate any problem.


snare

May 25, 2013 10:02 AM in response to snarez

And a very nicely researched paper it was.


In my case, however, the term "theoretical" was used in reference to an actual "weaponization" of an exploit beyond a proof of concept stage, which to my knowledge hasn't been done (except maybe by various three-letter agencies, since assuming some nation state is researching any known vulnerability is always prudent).


Also, from what I took from your paper, such an attack requires either physical access (a la an "evil maid" attack), or for the user to provide an administrator password to allow the EFI module(s) to be overwritten. Neither of which seems to have happened here (although it's hard to know since the OP consistently refused to answer any questions for additional details).

May 25, 2013 10:20 AM in response to g_wolfman

Glad you liked the paper 🙂 Sure, there have been no public examples of this kind of attack - absolutely true.


It would either require physical access or a 0day privesc vuln to patch either the bootloader or the firmware. I agree that it is extremely unlikely that this kind of attack is involved (or probably any attack TBH).

Aug 16, 2013 11:38 AM in response to snarez

Well the network traffic is intense enough for my ISP to suspend service (even when it's the only device that is physically on). My friend's ISP (different provider) did the same thing to him after we both used a common external HD with its own power source (and I watched as a %SYSROOT% or something like that quickly mounted and disappeared along w all his desktop icons which came back seconds later).


Listen.. I thought I had the "Medical students' disease" (thanks for the "vote of confidence" nbar). But this issue continues to persist. I have seen keylogs and system activity logs get sent from my comp over the network. This is on a fresh install.


I understand this is possible without it being an EFI/BIOS issue... but check this: I called my ISP to get reconnected, ripped out my PC harddrive and booted from a linux boot CD and let that idle. Not half a day later my ISP cut me again (only device connected). I watched netstat and network activity on the device skyrocket not long after boot.


Further, based on wireshark info... I believe my iPhone/iPad attempt to ARP attack ppl from time to time and they get really hot when doing so... Ha!


I'm not trying to stir the pot / be a "conspiracy theorist" or anything.. just want to get my hardware to act normally again. Whenever I look up discussions with common symptoms, it seems people are there to blame the user and call them crazy with ZERO reference to their technical question.


Here's a simple question I hope somebody will address: Why does my Macbook (with freshly re-installed OS) have a number of active UDP connections? If it is "normal" then why does OSX have this and how can I disable (already turned off all sharing etc).


Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp6 0 0 ::1.631 *.* LISTEN
udp4 0 0 *.* *.*
udp4 0 0 *.* *.*
udp4 0 0 127.0.0.1.123 *.*
udp6 0 0 fe80::1%lo0.123 *.*
udp6 0 0 ::1.123 *.*
udp6 0 0 *.123 *.*
udp4 0 0 *.123 *.*
udp4 0 0 *.* *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.5353 *.*
udp4 0 0 *.* *.*
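As an added example (editor's code, not from any poster in this thread): a small Python script that parses the BSD-style `netstat -an` listing pasted above and labels each local socket with the macOS service normally behind that port. The port table (631 = CUPS printing, 123 = NTP, 5353 = mDNS/Bonjour) uses standard IANA assignments; the sample input is a copy of the poster's listing plus one constructed line on an unassigned port so the "unknown port" branch is exercised. The `lsof -i :PORT` hint in the output is the stock macOS way to find the owning process.

```python
"""Annotate BSD `netstat -an` output with the service usually bound to each local port."""
from typing import Dict, List, Optional, Tuple

# Well-known assignments (IANA). Added here for the example; not part of the thread.
KNOWN_PORTS: Dict[int, str] = {
    631: "CUPS printing (cupsd)",
    123: "NTP time sync (ntpd)",
    5353: "mDNS / Bonjour discovery (mDNSResponder)",
}

# Constructed sample: the poster's listing, plus one made-up line (port 9999)
# to show how a port outside the table is reported.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp6 0 0 ::1.631 *.* LISTEN
udp4 0 0 *.* *.*
udp4 0 0 *.* *.*
udp4 0 0 127.0.0.1.123 *.*
udp6 0 0 fe80::1%lo0.123 *.*
udp6 0 0 ::1.123 *.*
udp6 0 0 *.123 *.*
udp4 0 0 *.123 *.*
udp4 0 0 *.* *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.5353 *.*
udp4 0 0 *.* *.*
udp4 0 0 *.9999 *.*
"""


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """BSD netstat writes 'host.port'; the port is everything after the last dot.
    '*' as port means the socket is not bound to a port yet."""
    host, sep, port = addr.rpartition(".")
    if not sep:
        return addr, None
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per tcp/udp line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, port = split_addr(fields[3])
        entries.append({
            "proto": fields[0],
            "host": host,
            "port": port,
            "foreign": fields[4],
            "state": fields[5] if len(fields) > 5 else "",
        })
    return entries


def is_loopback(host: str) -> bool:
    """127.0.0.1, ::1 and link-local addresses scoped to lo0 are reachable only locally."""
    return host in ("127.0.0.1", "::1") or host.endswith("%lo0")


def classify(entry: dict) -> str:
    """Human-readable verdict for one socket."""
    port = entry["port"]
    if port is None:
        return "UDP socket with no local port bound; nothing can be delivered to it from the network"
    if port in KNOWN_PORTS:
        scope = "loopback only" if is_loopback(entry["host"]) else "all interfaces"
        return f"{KNOWN_PORTS[port]} ({scope})"
    return f"port {port} not in the known-service table; identify the owner with: lsof -i :{port}"


def unknown_ports(text: str) -> List[int]:
    """Sorted list of bound ports that the service table does not explain."""
    ports = {e["port"] for e in parse_netstat(text) if e["port"] is not None}
    return sorted(p for p in ports if p not in KNOWN_PORTS)


def report(text: str) -> List[str]:
    """One annotated line per socket, in the order netstat printed them."""
    return [f"{e['proto']:5} {e['host']}.{e['port'] if e['port'] is not None else '*'}: {classify(e)}"
            for e in parse_netstat(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
    print("unexplained ports:", unknown_ports(SAMPLE_NETSTAT))
```

On a real machine, pipe the live listing in instead of the sample (`netstat -an | python3 this_script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`); every port the table cannot explain is the one worth running `lsof -i :PORT` on, and anything bound to an interface other than loopback is the one to check against the Sharing preferences.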

Aug 16, 2013 2:51 PM in response to red_menace

Appreciate the responses red_menace and snarez. As a couple final remarks.. I simply tacked on to this post to highlight the subtle jabs at the original author, lack of technical discussion w regards to his original question (suppose we can leave it to more appropriate websites such as "Wikipedia"), and claims of the improbable nature of contracting EFI/BIOS level rootkits. I have reason to believe, given my previous employer (and the $$ involved -- stock mkt stuff), that I actually may have been exposed to the most fascinating, complex, and pain in the *** virus I have ever encountered! And it shows characteristics of having hardware level persistence...


Snarez, I will let you know if I come back to this discussion board to open a new thread with tangible logs and a coherent explanation of my experiences -- would be interested in your take and suspect that you are quite good at what you do!!


Red_menace: I have disabled all the sharing / updating features you mentioned above.. the CUPS stuff is particularly suspicious btw. I know what "a tool like netstat" does and what to expect.
