Samurai184

Q: My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help..

My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help.. It all stems from the "about downloads" PDF which kicks off the restructuring of the OS..

MacBook Pro, OS X Mountain Lion (10.8.3)

Posted on May 6, 2013 11:32 PM


first Previous Page 3 of 6 last Next
  • by snarez, Level 1 (0 points), May 24, 2013 12:17 PM in response to radicale

    Hi,

     

    I wrote the paper on EFI rootkits posted above. I can assure you it is most certainly not a "theoretical" attack - I demonstrated proof of concept attacks in the presentations that accompanied the paper, and others have done similar work.

     

    That said, Samurai184, I think it is *extremely* unlikely that you are the victim of such an attack. Your diagnosis seems completely based on guesses and paranoia without an understanding of how the OS or firmware work. If you specify exactly what leads you to believe that your EFI firmware is infected I am happy to give you my opinion, but I have seen nothing in the dumps of config output/ioregistry/mounts/etc that would indicate any problem.

     

    snare

  • by g_wolfman, Level 4 (1,141 points), May 25, 2013 10:02 AM in response to snarez

    And a very nicely researched paper it was.

     

    In my case, however, the term "theoretical" was used in reference to an actual "weaponization" of an exploit beyond a proof of concept stage, which to my knowledge hasn't been done (except maybe by various three-letter agencies, since assuming some nation state is researching any known vulnerability is always prudent).

     

    Also, from what I took from your paper, such an attack requires either physical access (a la an "evil maid" attack), or for the user to provide an administrator password to allow the EFI module(s) to be overwritten.  Neither of which seems to have happened here (although it's hard to know since the OP consistently refused to answer any questions for additional details).

  • by snarez, Level 1 (0 points), May 25, 2013 10:20 AM in response to g_wolfman

    Glad you liked the paper. Sure, there have been no public examples of this kind of attack - absolutely true.

     

    It would either require physical access or a 0day privesc vuln to patch either the bootloader or the firmware. I agree that it is extremely unlikely that this kind of attack is involved (or probably any attack TBH).
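The post above frames the attack as patching either the bootloader or the firmware. The firmware is not a file and cannot be hashed from inside the OS, but the on-disk bootloader and kernel can be baselined from a trusted state and re-checked later. The following is an added example for this thread, not code from the forum or from the paper it cites; the two paths are the real Mountain Lion locations of boot.efi and the kernel, while the demo runs against a constructed directory tree with made-up file contents, so the digests it produces are not Apple's.

```python
"""Record and later re-verify SHA-256 digests of the files a 10.8-era Mac
boots from, so that a patched bootloader or kernel on disk is detectable
against a baseline taken in a trusted state (for example right after a
reinstall, or from the install media).

Added example, not from the thread or the paper it cites. BOOT_FILES are
the real 10.8 paths; demo() uses a constructed fake volume."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# Files the firmware and bootloader read from disk on 10.8. The firmware
# itself lives in flash, not in the filesystem, and is out of scope here.
BOOT_FILES = (
    "System/Library/CoreServices/boot.efi",
    "mach_kernel",
)


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256; boot.efi and the kernel are MBs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(root: str, rel_paths: Iterable[str] = BOOT_FILES) -> Dict[str, str]:
    """Digest each file under `root`, the mount point of the volume to inspect."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}


def verify_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return one status per baselined file: ok, MODIFIED, or MISSING."""
    result = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result[rel] = "MISSING"
        elif sha256_file(path) != expected:
            result[rel] = "MODIFIED"
        else:
            result[rel] = "ok"
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline a fake volume, then overwrite one byte
    of boot.efi and delete the kernel, and re-verify against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for rel in BOOT_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"placeholder contents of " + rel.encode())  # constructed
        baseline = record_baseline(root)
        with open(os.path.join(root, BOOT_FILES[0]), "r+b") as f:
            f.seek(0)
            f.write(b"X")  # a single-byte patch is enough to change the digest
        os.remove(os.path.join(root, BOOT_FILES[1]))
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9s} {rel}")
```

Two caveats apply in practice. The check is only as good as the state it is run from: a kernel-level rootkit or compromised firmware on the running system can feed the tool clean bytes, so run it from a separately booted medium against the suspect volume, and take the baseline from a state you trust. Apple software updates legitimately replace boot.efi and the kernel, so re-baseline after each update rather than treating every mismatch as tampering.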

  • by willyrhythm, Level 1 (0 points), Aug 15, 2013 11:43 PM in response to snarez

    I am currently victim of the most sophisticated rootkit I have ever encountered and I believe it exists at the EFI/BIOS level (beyond my Mac comps.. also owned the ROM in my Apple USB keyboard, all comps/external HDs, iPhone/Pad, PCs). I think that it is insulting to users (enlightened or not) to deny the possibility of their suspicions and to publicly flame them on an official discussion board. Check this (and it's a year old..) http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf

     

    Just got back from a fresh OS install @ Apple store and my MacBook's network activity is off the charts.. busy at the botnet party haha. All my hardware is trash right now as far as I'm concerned.

  • by snarez, Level 1 (0 points), Aug 15, 2013 11:55 PM in response to willyrhythm

    I WROTE that paper. Nobody's flaming you, just doubting that you're the victim of this kind of attack. None of the technical information you've posted leads me to believe this is the case. "lots of network traffic" does not either - modern OS X is pretty noisy on the network.

  • by nbar, Level 5 (6,980 points), Aug 16, 2013 12:06 AM in response to snarez
  • by willyrhythm, Level 1 (0 points), Aug 16, 2013 11:38 AM in response to snarez

    Well the network traffic is intense enough for my ISP to suspend service (even when it's the only device that is physically on). My friend's ISP (different provider) did the same thing to him after we both used a common external HD with its own power source (and I watched as a %SYSROOT% or something like that quickly mounted and disappeared along with all his desktop icons which came back seconds later).

     

    Listen.. I thought I had the "Medical students' disease" (thanks for the "vote of confidence" nbar). But this issue continues to persist. I have seen keylogs and system activity logs get sent from my comp over the network. This is on a fresh install.

     

    I understand this is possible without it being an EFI/BIOS issue... but check this: I called my ISP to get reconnected, ripped out my PC harddrive and booted from a linux boot CD and let that idle. Not half a day later my ISP cut me again (only device connected). I watched netstat and network activity on the device skyrocket not long after boot.

     

    Further, based on Wireshark info... I believe my iPhone/iPad attempt to ARP attack people from time to time and they get really hot when doing so... Ha!

     

    I'm not trying to stir the pot / be a "conspiracy theorist" or anything.. just want to get my hardware to act normally again. Whenever I look up discussions with common symptoms, it seems people are there to blame the user and call them crazy with ZERO reference to their technical question.

     

    Here's a simple question I hope somebody will address: Why does my Macbook (with freshly re-installed OS) have a number of active UDP connections? If it is "normal" then why does OSX have this and how can I disable (already turned off all sharing etc).

     

    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
    tcp6       0      0  ::1.631                *.*                    LISTEN
    udp4       0      0  *.*                    *.*
    udp4       0      0  *.*                    *.*
    udp4       0      0  127.0.0.1.123          *.*
    udp6       0      0  fe80::1%lo0.123        *.*
    udp6       0      0  ::1.123                *.*
    udp6       0      0  *.123                  *.*
    udp4       0      0  *.123                  *.*
    udp4       0      0  *.*                    *.*
    udp6       0      0  *.5353                 *.*
    udp4       0      0  *.5353                 *.*
    udp4       0      0  *.*                    *.*

  • by red_menace, Level 6 (15,551 points), Desktops, Aug 16, 2013 1:46 PM in response to willyrhythm

    As already mentioned, you can't just run a tool like netstat without knowing what the results are and call it proof of some kind of malware.  You would also be better served by creating your own topic with your own specific details, instead of tacking onto an existing topic that has been abandoned months ago by most that could help with whatever problem you do have.

     

    And by the way, those results don't show any specific connections and look normal to me (the system has a lot of "network" traffic such as time servers, CUPS, Bonjour, etc) - you can look up standard port numbers and their uses at sites such as Wikipedia.
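The reply above makes the point that a netstat listing has to be read, not just counted: the posted sockets are CUPS on 631, NTP on 123 and Bonjour on 5353, most of them bound to loopback only. The following added example (not code from the forum or from Apple) does that reading mechanically over the listing willyrhythm posted, which is embedded as the sample input. KNOWN_SERVICES is a small hand-written table of well-known ports, not a complete registry; extend it with whatever a given machine is meant to offer.

```python
"""Triage of BSD `netstat -an` output: for every bound socket, which port it
is on, whether it is reachable only via loopback or on all interfaces, and
whether the port belongs to a service the OS is expected to run.

Added example for this thread, not from the forum or from Apple. The
sample listing is the one posted above; KNOWN_SERVICES is a hand-written
table of common ports, not an authoritative registry."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports a default OS X install of that era legitimately binds. Anything
# bound on a non-loopback address and absent from this table is flagged.
KNOWN_SERVICES = {
    22: "ssh (Remote Login)",
    88: "kerberos",
    123: "ntp (system clock sync)",
    548: "afp (File Sharing)",
    631: "ipp (CUPS printing)",
    5353: "mdns (Bonjour / mDNSResponder)",
    5900: "vnc (Screen Sharing)",
}

# Constructed sample: the listing posted in the thread, verbatim.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
udp4       0      0  *.*                    *.*
udp4       0      0  *.*                    *.*
udp4       0      0  127.0.0.1.123          *.*
udp6       0      0  fe80::1%lo0.123        *.*
udp6       0      0  ::1.123                *.*
udp6       0      0  *.123                  *.*
udp4       0      0  *.123                  *.*
udp4       0      0  *.*                    *.*
udp6       0      0  *.5353                 *.*
udp4       0      0  *.5353                 *.*
udp4       0      0  *.*                    *.*
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]  # None for a socket with no bound port ("*.*")
    foreign: str
    state: str

    @property
    def loopback_only(self) -> bool:
        """127.0.0.1, ::1 and a link-local address scoped to lo0 are not
        reachable from the network, so a service bound there is local."""
        return self.local_host in ("127.0.0.1", "::1") or self.local_host.endswith("%lo0")


def _split_host_port(field: str) -> Tuple[str, Optional[int]]:
    """BSD netstat prints host.port with '*' as the wildcard. IPv6 hosts
    contain colons but the port always follows the last dot."""
    host, _, port = field.rpartition(".")
    if not port.isdigit():
        return (host or field), None
    return host, int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the Proto/Recv-Q/Send-Q/Local/Foreign/(state) columns; the
    header and any non-TCP/UDP lines (unix sockets etc.) are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""
        host, port = _split_host_port(local)
        sockets.append(Socket(proto, host, port, foreign, state))
    return sockets


def triage(sockets: List[Socket]) -> List[Tuple[str, int, str, str]]:
    """One (proto, port, exposure, service) row per bound socket. Sockets
    with no local port (udp4 *.* *.*) are open but not bound to a port, so
    nothing addressed to the host can reach them; they are left out."""
    rows = []
    for s in sockets:
        if s.local_port is None:
            continue
        exposure = "loopback-only" if s.loopback_only else "all-interfaces"
        service = KNOWN_SERVICES.get(s.local_port, "UNKNOWN")
        rows.append((s.proto, s.local_port, exposure, service))
    return rows


def unexpected_listeners(sockets: List[Socket]) -> List[Tuple[str, int, str, str]]:
    """The rows worth a closer look: network-reachable and not in the table."""
    return [r for r in triage(sockets) if r[2] == "all-interfaces" and r[3] == "UNKNOWN"]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for row in triage(socks):
        print("%-5s %5d  %-14s %s" % row)
    print("unexpected:", unexpected_listeners(socks) or "none")
```

On the posted listing every bound socket resolves to a known service and nothing is flagged; the two CUPS sockets are loopback-only, so the printing system is not reachable from the network at all. What netstat does not show is the owning process, which is the next question when something is flagged: on OS X, `sudo lsof -nP -iTCP -sTCP:LISTEN` and `sudo lsof -nP -iUDP` attribute each socket to a PID and command name.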

  • by willyrhythm, Level 1 (0 points), Aug 16, 2013 2:51 PM in response to red_menace

    Appreciate the responses red_menace and snarez. As a couple final remarks.. I simply tacked on to this post to highlight the subtle jabs at the original author, lack of technical discussion with regard to his original question (suppose we can leave it to more appropriate websites such as "Wikipedia"), and claims of the improbable nature of contracting EFI/BIOS level rootkits. I have reason to believe, given my previous employer (and the $$ involved -- stock market stuff), that I actually may have been exposed to the most fascinating, complex, and pain in the *** virus I have ever encountered! And it shows characteristics of having hardware level persistence...

     

    Snarez, I will let you know if I come back to this discussion board to open a new thread with tangible logs and a coherent explanation of my experiences -- would be interested in your take and suspect that you are quite good at what you do!!

     

    Red_menace: I have disabled all the sharing / updating features you mentioned above.. the CUPS stuff is particularly suspicious, by the way. I know what "a tool like netstat" does and what to expect.

  • by red_menace, Level 6 (15,551 points), Desktops, Aug 16, 2013 2:59 PM in response to willyrhythm

    Actually, it sounds more like you have some kind of hardware problem with a router or NIC, but you would need more specialized tools to check.  I'm not sure what would be suspicious about the printing system on the localhost.

  • by willyrhythm, Level 1 (0 points), Aug 16, 2013 3:12 PM in response to red_menace

    I have been suspecting that my ISP supplied router may be part of the problem / contributing to persistence. Appreciate response again. Ignore my comments on CUPS for now.. will likely be posting a more comprehensive post once I get the details on the greater issue consolidated. Thx again--don't mean to be a dick I'm just frustrated at this point...

  • by java-attack, Level 1 (0 points), Sep 3, 2013 3:50 PM in response to Samurai184

    I think "Samurai" started this post and everyone thought he was "Crazy"... but the fact of the matter is there are certainly all types of malware for Macs.  Most don't encounter these as they are most often targeted / limited attacks.

     

    I will give a quick example and if anyone can explain this to me or has had a similar experience I would love to hear back!! .....

    So I have about 6 Macs for my current and past business.  Plus I always love grabbing the newest technology.  That said this "Problem" occurs with every Mac I own.  Even on a brand new MBP Retina that no one has had access to.  I keep Firmware PWs on, I only use Ethernet connections, I have a $600 Hardware Firewall configured to let nothing in (No VPNs, etc)... obviously have sharing off, **** I don't even use Bluetooth.

     

    Anyway when I wipe the drive I do it like this...

     

    1.) Take out both the Mac HD and Recovery Partition....

     

    2.) I have 50 MBPS Download Speed so Internet Recovery is very quick.  I go through the normal process.

     

    3.) Once I have reached the new recovery partition from the Internet Recovery I partition the SSD a couple times in different formats and then go back to the normal Journaled that I will be using for my single partitioned SSD

     

    4.) Then I install and go through all the normal steps, except I skip everything that I can.  I don't add location services, I set time manually and I don't sign into iCloud as this will be my Admin Account.  I normally just call the account Main or Admin.

     

    5.) I check for updates and install any that might have not been included in the most recent Internet Recovery.

     

    6.) In the Admin Account I set a tough PW and then begin with all the security options.  Again all sharing off, Firewall on, Wifi Off and requires Admin Access to Turn on, No Peer-to-Peer Networking without Admin Access, Bluetooth Off, Java and Extensions turned off in Safari, etc.  You name it I have done it as far as the GUI goes.  I am certainly no expert in Terminal, but can make my way around for some things.

     

     

    7.) I create a Standard Account "The one in which I will conduct 99% of my business in." Again I create a strong PW for this account and confirm that the security settings that I setup in Admin match those of my Standard Account.

     

    HERE IS WHERE THINGS GO WRONG...

     

    8.) I go into options and log in to iCloud.

     

    HERE IS WHERE IT IS ABSOULETLY WRONG...

     

    9.) I log in to the App Store as I want to download some of the simple apps so I can go to work.  IMMEDIATELY, it starts downloading a program called "Mountain" ... please don't confuse this with Mountain Lion (You can see it listed second in the App Store search "Mountain")... when I look down at my Launchpad bar without hitting anything the 2.1MB file is downloading and then disappears from my Launchpad.

     

    ** Also as this is going on "storeagent" with the linux exec box icon next to it shows up saying "storeagent is attempting to install software to your computer"  It does ask for the Admin User and PW, but no matter what I hit this "Mountain APP" downloads.


    When I first noticed this I thought this was legit, well it certainly is not.  I have never purchased that "APP" however it does show up in my App Store Purchases.  The gateway is obviously not doing its job and FURTHERMORE I don't have any of the options to "Automatically Download New Apps, etc."  I simply just check for updates manually every day as it is a 2 second process and Mountain Lion doesn't check automatically until every 7 days.

     

    Sorry for the long post... Anyone experiencing the same thing?  I can redo my drive over and over again... I have even purchased a new MacBook Air a year ago to see if it would happen and the problems eventually started and fairly quickly.  The weird thing also is that I have done wipes and reinstalls in all sorts of different locations.

     

    So all this said... how could it not be in the EFI or on the machine some how?

     

    Thanks guys... I hope someone has experienced a similar experience!!! .... as the Mac Store and Apple Care have been of no help!! ... and with a problem like this I think it is way above a level 2 Mac specialist's head

  • by xnav, Level 5 (6,640 points), Sep 3, 2013 4:16 PM in response to java-attack

    Check your System Preferences

     

    (attached image: Screen Shot 2013-09-03 at 1.14.39 PM.jpg, showing the App Store pane of System Preferences)

    Note the last option.

  • by willyrhythm, Level 1 (0 points), Sep 3, 2013 4:25 PM in response to xnav

    He mentioned he did not have those options checked..

     

    java-attack: has your ISP ever noted your comps "attacking" their networks and suspended your service? Mine did. Sounds similar but I have stopped pulling my hair out over specific sketchy behaviour as I rely on my computers much less now (a shame given I'm starting a software company hahah). Apple seems to be sneakily discouraging on the issue IMHO.

  • by xnav, Level 5 (6,640 points), Sep 3, 2013 4:38 PM in response to willyrhythm

    He mentioned he did not have those options checked..

    On a new install these default checked.  java-attack didn't say he unchecked them before signing into the App Store.  At any rate, somehow Mountain was purchased on the Store using java-attack's appleID.
