
How to remove rootkits and malware?

I have downloaded and run the programme Rootkit Hunter and the results are worrying.

I don't know much about malware other than a malicious individual has persistently been installing it onto my machines via malicious emails - this time targeting my iPhone 4 (which I promptly got rid of upon discovering this individual's presence and replaced with a new Samsung S4, which is probably infected as well now) first; and from there using my house Wifi network to get onto my Macbook Pro 10.8.3 (which is the machine I am on now, and the machine the results refer to); and also my Samsung Galaxy Tab 10.1; and most likely the phones and computers belonging to other members of my family are compromised as well.

The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 in allowed The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text".

I do not know how to interpret these results other than of course realising they are alerting me to the fact that something is wrong and needs fixing.

I do not know exactly what Rootkit Hunter is telling me is wrong, and I do not know how to fix the problems it has identified.

I would greatly appreciate it if anybody could perhaps tell me how I can do these things. And any advice on which programmes to use for my Samsung machines and the best way to protect my devices in the future would also be greatly appreciated.

Posted on Aug 23, 2013 11:05 AM

Question marked as Top-ranking reply

Posted on Nov 13, 2017 6:00 AM

Hi mate, I know it’s been a few years since you posted about this issue and at the time I would not have believed that what you were experiencing was anything like what you were describing. I understand how frustrating it is to have people tell you that something isn’t possible, when it’s obvious to you that it is. I found your post because a similar Trojan has infected nearly all of the devices on my network also. It has similar functionalities to what you have described and I’m about ready to give up and just deal with it.

I have five Macs, an iPad, two iPhones, an Apple TV and a Technicolor gateway/router which are all infected. Two of the Macs had Boot Camp installs of Windows which were also infected and all the devices are compromised at the NVRAM / SMC / EFI and system partition levels. On the Macs it works by changing the boot order of the drivers in the NVRAM parameters so that the Bluetooth driver loads first; it loads an infected blued.plist file which launches all the processes required to take control of your system before it even gets to load the USB drivers required to accept any input from your keyboard. So, no key combinations for SMC reset or NVRAM reset, or alternate boot device menu, or single user mode boot can intervene. Remove all the drives from the machine and make the blued.plist file inaccessible and instead it will attempt to NetBoot the infection from any attached devices, including a Time Capsule and even a Thunderbolt adapter if it contains an option ROM; failing that it will go for a remote server and if there’s no internet connection it displays the ‘Internet Recovery’ screen and asks you to connect to a wifi network. Internet Recovery appears to be running as normal, but actually the boot loader just redownloaded the infection from a remote server, created a RAM drive with some bootable Linux based UEFI parent/controller and then runs the recovery mode below that, infecting the OS installer as it downloads from the secure Apple server.


Back to square one.


I haven’t even begun to figure out how it works on iOS yet but I assure you it has infected those devices in a similar way.


I believe I was infected because of a JavaScript/sandbox vulnerability. I think I entered my Apple ID info into a malicious password prompt pop up which looked identical to what a real one did at the time (iOS 10.2). Now iOS and OS X both operate as if they have been sandboxed, with processes invisible to Activity Monitor but not to a root level terminal shell. It creates TCP connections to the remote control centre which aren’t easily detected because it compromises existing system processes like AirPlay, Screen Sharing, Spotlight etc. It intercepts the DNS requests of all the antivirus software updaters that I’ve tried so far, and either downloads fake definitions files or modifies the applications to skip the infected files like you mentioned. Malwarebytes, Little Snitch, BlockBlock, Kaspersky, Norton, Sophos, Intego, the App Store updates and iTunes all get intercepted and redirected to alternate download servers. NetBarrier by Intego is the only software that seems to actually still operate correctly and prompt when a connection attempt is made; it shows the address of the server that the app attempted to contact and they’re usually Amazon hosted cloud storage or some real looking address like updserv.live.norton.com but with a .aksdns.net at the end of it. None of the addresses ever resolve to a server in Safari because if you attempt to connect without presenting the software’s built in encryption key then it just silently drops your request and resolves to a 404 error.


I could give you another 2000 words on other behaviours I have discovered but I think you get the point. Basically the main ones are: keys are logged, passwords are captured, Time Machine backups are infected, any and all drives that are connected to an infected system are immediately repartitioned with a hidden 60 MB EFI boot volume so as to infect any other devices it may be connected to during a reboot, RPCs for hidden screen sharing connections appear in Console and, most deceiving and destructive of all, wifi and Bluetooth are both active even when OS X shows them as disabled and even when the network device is completely removed from the Network pane of System Preferences.


My next option is to attempt a physical hardware flash of the NVRAM to a clean factory state followed by an Internet Recovery from an alternate internet connection or with a new modem (the Technicolor gateway is a SoC device running FreeBSD so it was infected also).


Anyways, my point is, I believe you, it’s possible now and the Vault 7 leaks show that it was possible in 2013 as well. I’m sorry that you had to go through it, I feel your pain and I hope you’ve upgraded devices since then and managed to keep them from becoming infected also. Apple says that it’s beyond the scope of their engineering department and that I would need to consult a cyber security specialist in order to remove it. If I don’t figure it out soon I will be returning my six week old iMac and asking for a new one.


Wish me luck!

68 replies

Sep 5, 2013 8:27 AM in response to Minty18522

I didn't see this post earlier, but note that it's extremely unlikely for all your devices to be getting infected with something all at the same time. Especially the iPhone, for which there is no known malware and no known way of hacking it remotely. (Ironic that you got rid of this for an Android phone, when Android now has the greatest market share of malware of any system on the planet, Windows included.)


Rather than worrying about what Rootkit Hunter is telling you, which is almost certainly nothing to worry about on a Mac running 10.8.3, why don't you relate the specific symptoms you have seen that have led you to believe that you are being targeted by a hacker?

Sep 5, 2013 12:49 PM in response to thomas_r.

Hello, thanks for responding to my post. I will first of all tell you how the infections initially declared themselves:


I was sent a dodgy email to the old iPhone 4 which I replaced with the S4 (and I know who sends me these emails, and she also confirms to me she has access to my devices as I will explain), and I clicked on it, had a quick look at it and quickly deleted it. I am always on my guard not to click on links in suspicious emails or open attachments. But I did not know at the time that just opening them can open the door for malware to install itself onto a given device, from where someone can not only install keyloggers on it, snoop on contacts etc., but also use it to attack other machines on the same network.


Shortly after I received and deleted the dodgy email I set my phone down for half an hour or so and turned back over in bed (it was very early in the morning). I couldn't get back to sleep so I reached over to the phone and when I picked it up I saw that it was asking me for my Wifi password. This set alarm bells ringing immediately, as I never use Wifi on my mobile unless I am out in the country. I checked and Wifi was off, but when I tapped Wifi and opened it, underneath it was revealed that it was actually on - same with Bluetooth etc.


I immediately switched the phone off altogether, but it was too late - the person had half an hour to crack my parents' home 10 character Wifi network from the iPhone 4 and then from it get on to both my new MacBook Pro, and a Samsung Galaxy Tab which I have - which were both on, but asleep. I believe other devices in the house which aren't mine are compromised also; because I went to use an old laptop in a spare room, and the CD/DVD drive kept opening and closing repeatedly (which it never does), and the browsers kept getting closed on me (which never happens either).


As for my devices (well, I left my MacBook at the store yesterday and they did another wipe with a clean reinstall this time, so whether it is still infected or not I don't yet know - when I previously reinstalled and wiped the drive to DOD standard in my house it did nothing; and when I had tried to reinstall from a flash drive it wouldn't recognise it; it was previously shutting Rootkit Hunter down when it attempted to do its work; and when I was trying to search online before for ways to fix it Firefox and Safari were vanishing, as were my options to do a full recovery); definitely seriously infected.


The person even taunts me that they can see exactly what I am doing on them - they can see all my pictures; wallpapers; know what online radio stations that I listen to; read my emails; watch me playing video games; and know everything I type in my browser; and what I don't type as well via screenshots. I know this because they confirm to me. So I am 100% certain that what I am saying is correct. They can even close my browser and shut my machine down when I am browsing, and also redirect me to pages of their own choosing at will. I have even had to put a small piece of black tape over all my cameras, as if they can do all the aforementioned, then they most likely can easily spy on me sitting in my own house as well with my own cameras on the machines.


I hear what you say about the iPhone, but I have been reading news articles online recently which actually claim it is the least secure phone.


As I said I took my MacBook to the Genius Bar yesterday. They told me that this kind of stuff was beyond their scope - as did the people at the Samsung Customer Services, who were even more totally clueless as to what to do - but they wiped the drive again and did a clean reinstallation from a definitely uncontaminated source. I have yet to confirm whether this has worked or not. Rootkit Hunter has come up with lots of warnings again, but like you say, it is known for its false positives; and at least something isn't forcibly shutting the machine down now on me every time I use it - although I have probably spoken too soon in saying that as I only took it in and got the clean reinstallation yesterday.


I know this is an Apple forum, and I would welcome any more suggestions about not only making sure my MacBook is clean, and also keeping it that way, but also about anything which I can do with my Samsung Galaxy Tab 10.1 and Samsung S4 phone too - as these don't even have a hard drive, and external ones are too powerful for them to recognise. Fixing it so my devices aren't recognisable to snoopers on a network is also something which I am interested in knowing how to do.


Thanks in advance to anyone who helps.


PS - the person is hundreds of miles away, so is not in range of my house Wifi network. In addition, when I say "my house Wifi network" I really mean my parents' house Wifi network. And I most definitely don't want to cause my parents any distress by telling them about all of this. And if I were to start tampering with the router they would wonder why. So I would be extremely hesitant in doing anything concerned with the network, changing router passwords etc. I doubt it would help anyway with the devices already being infected at the minute.

Sep 5, 2013 1:19 PM in response to Minty18522

I would clean install the Mac computers and before taking the machines online I would turn on the firewall in 'Security & Privacy'. There are some decent anti-virus programs for Mac machines. I have to have one installed because my college mandates it for wifi access on campus. And with all due respect to you and your parents, the kind of attack that you have described would only be possible by a state actor.

Sep 5, 2013 1:41 PM in response to victoryhat

Sorry, but you are wrong. A quick search on Google and you will be able to see how complete control can be gained over iPhones with spy software - they can even be used as covert listening devices - all that is needed for that is for them to be switched on.


And anyone who wants to use this kind of spyware has a plethora of them to choose from - some free, some quite expensive.


The person installed malware on my phone; enabled Wifi; sniffed for the nearest Wifi network; cracked a 10 character password (which is easy for anyone who would want to do it); got onto the network; and then onto other devices.


I not only am certain it happened, but also know who the person is; and she is not a state actor. She merely spent some time reading up on how to do this after I had an argument with her and didn't speak to her for just over a week.


And from what I have read, for somebody who really wants this, it isn't hard at all.

Sep 5, 2013 1:55 PM in response to victoryhat

And most anti-virus programmes are just a waste of space on your computer or phone when it comes to malware of this level of insidiousness.


Even Kaspersky, ClamXav etc. are useless.


I tried the Android version of Bitdefender on my Galaxy Tab, and it too picked up nothing.


From what I understand, anti-rootkit detectors are best used from another drive - running them on the same drive as the malware usually means the malware can circumvent everything they try and do.


Any suggestions of programmes that can not only detect, but actually remove this stuff, would be greatly appreciated.

Sep 5, 2013 2:45 PM in response to Minty18522

First, before I respond on specific points, I'd like you to take a look at my web site:


http://www.thesafemac.com


...just so you can see what qualifications I have for speaking about this topic. I'm not just blowing wind, as many folks on forums can do sometimes.


I was sent a dodgy email to the old iPhone 4 [...], and I clicked on it, had a quick look at it and quickly deleted it.[...] I did not know at the time that just opening them can open the door for malware to install itself onto given device


That is absolutely not true... at least, not using the Mail app on either a Mac or an iOS device. Opening an e-mail message does not do anything that could run unauthorized code on your machine, so there's absolutely no way that any kind of malware could have been installed just by opening and viewing an e-mail message. If you opened a malicious attachment, of course, that could infect your Mac with something, but only if it somehow managed to bypass all of the Mac's built-in security. On an iPhone, the only code allowed to run must be downloaded from the App Store, so it's not possible for any code attached to an e-mail message to run.


I reached over to phone and when I picked up I saw that it was asking me for my Wifi password. [...] I checked and it was Wifi was off, but when I tapped Wifi and opened it, underneath it was revealed that it was actually on - same with Bluetooth etc.


Sounds like a glitch with the phone. That's definitely not evidence of malware.


the person had half an hour to crack my parents' home 10 character Wifi network from the Iphone 4


If your wifi network actually got hacked (you don't say how you know that it was), it is probably mis-configured to allow remote administration with no password or with the router's default password. That definitely wouldn't be something they did via the iPhone.


The person even taunts me that they can see exactly what I am doing on them - they can see all my pictures; wallpapers; know what online radio stations that I listen to; read my emails; watch me playing video games; and know everything I type in my browser; and what I don't type as well via screenshots. I know this because they confirm to me.


There are a few possible explanations for that. One is that this person has gotten access to some online account of yours that gives them access to your machines. For example, if your Apple ID/iCloud account is hacked, depending on the settings on your computer and how you use iCloud, that person can see a lot of your data, locate all your devices and even potentially get access to your Mac via Back to My Mac.


If you use other remote access software, such as LogMeIn, that would explain the issue on all the machines. The LogMeIn account (or whatever other remote access account you have) has been compromised.


It's also possible that your hacker has somehow gotten access to your network such that he/she can see all the network traffic being sent and received. This could expose passwords and other sensitive information that could lead to gaining access to cloud-based data or accessing your computer via some remote access software that you have already installed.


Another possibility is that this person has a local accomplice who is able to get physical access to your machines, and who has installed remote access software of some kind. With physical access, a knowledgeable person can do a lot!


What is really not a likely possibility is for all these machines to be simultaneously and transparently infected with malware remotely. Each device would have to be infected with something completely different, through different means, and each of these pieces of malware would have to get past the protections running on each system. (To see more about what protection is built in on Mac OS X, see How does Mac OS X protect me?.)


I hear what you say about the iPhone, but I have been reading news articles online recently which actually claim it is the least secure phone.


I'm not sure what news site you were looking at... probably not a reputable one! Android has gotten a reputation for being the most insecure system on the planet, while iOS is known to all but a few biased detractors as being quite secure. Take a look here, for example:


http://thenextweb.com/google/2013/08/26/internal-us-government-memo-warns-authorities-about-android-malware-threats/


Fixing it so my devices aren't recognisable to snoopers on a network is also something which I am interested in knowing how to do.


Well, the first order of business is to find out if this is all just a bunch of smoke-and-mirrors on the part of the person harassing you, or if they have actually gained access to something. If they have access, you need to find out what and how.


I'd advise changing passwords on ALL online accounts, resetting the wifi router to factory defaults and setting it up securely, and installing Little Snitch on your Mac. (Little Snitch is difficult to configure correctly, and will warn you about all kinds of normal processes. You will learn a lot about what your Mac connects to on a daily basis, and if there's actually any hacking going on, Little Snitch should catch it and prevent it.)


I'd also advise you to take a look at my Mac Malware Guide for more information on what kind of malware threats are out there, how your Mac protects you and what you need to do to stay safe.

Sep 5, 2013 3:08 PM in response to thomas_r.

Okay, thanks for taking the time to write such a thorough reply and for the link to your Mac Guide.


However I am still certain that my iPhone was remotely hacked, and then my Galaxy Tab and MacBook.


Even on YouTube I watched an ABC news story of all the frightening things that a hacker can do with an iPhone - pretty much anything they want remotely. And it actually warned to check for Wifi being secretly on like mine was.


And then, as I said, the fact is that I am absolutely certain that person can see everything I do on all the aforementioned devices - another one I forgot to mention is that they know all the contacts on my phone.


And they are a few hundred miles away and have nobody local who is assisting them.


Anyway, once again, thanks for your help.

Sep 5, 2013 3:41 PM in response to thomas_r.

"There are a few possible explanations for that. One is that this person has gotten access to some online account of yours that gives them access to your machines".


This is interesting in relation to my Android devices, because I have not changed my Gmail password for Google Play and I know my hacker knows it - didn't feel it was worth bothering to change as all I use it for is downloading a few apps.


I think I will change that now!

Sep 5, 2013 4:42 PM in response to Minty18522

Even on YouTube I watched an ABC news story of all the frightening things that a hacker can do with an iPhone - pretty much anything they want remotely.


To be brutally direct, that news story was crap. It's always possible that there could be iPhone exploits out there, but if there are, the security community is unaware of them, which means there's no way an ABC news reporter would know about them. Believe me, if anyone knew anything about this stuff, it would be Charlie Miller, and he isn't known for keeping his mouth shut about that kind of thing. He's fond of poking Apple in the eye whenever he discovers a vulnerability.


Perhaps you misunderstood the report, though? There was recently a proof of concept iOS trojan developed at Georgia Tech. The trojan was an app that did nothing suspicious on review, but when a signal was sent, the app changed its behavior and did things that would not have passed Apple's review process. It's theoretically possible for a trojan to be developed in this manner that could do a variety of things, but there are none currently known, and if one was developed it would still be limited by what it was allowed to do by the iOS sandbox.


And then, as I said, the fact is that I am absolutely certain that person can see everything I do on all the aforementioned devices - another one I forgot to mention is that they know all the contacts on my phone.


Yes, but, keep in mind that your contacts are probably synced to iCloud. (If not iCloud, somewhere else, like Google.) If your attacker has access to your iCloud account, he/she would be able to see such data easily. Access to your iPhone would not be necessary.


And they are a few hundred miles away and have nobody local who is assisting them.


Then that rules out having malicious software installed on all your devices. There's just no way that that happened remotely on all of them.

Sep 5, 2013 4:59 PM in response to Minty18522

Minty18522 wrote:


Even on YouTube I watched an ABC news story of all the frightening things that a hacker can do with an iPhone - pretty much anything they want remotely. And it actually warned to check for Wifi being secretly on like mine was.

Do you have a link? The only thing I could locate was a very old (2007) story on celebrity phone hacking and this article Security Firm: iPhone Gets Hacked which must have been dealt with by now. Both indicated that information could be downloaded but nothing about being able to do anything to the phone itself.

Sep 5, 2013 5:13 PM in response to MadMacs0

Yeah I found the article. It wasn't ABC, but something similar - looked like some news story. I am from the UK so am not familiar with US TV:


http://www.youtube.com/watch?v=w3PKKxsuDk0



And here is the article claiming that the iPhone is the most vulnerable smartphone:


http://www.emirates247.com/business/technology/iphone-is-most-vulnerable-least-secure-smartphone-in-the-market-security-firm-finds-2013-03-28-1.500445

Sep 5, 2013 5:20 PM in response to thomas_r.

@ Thomas A Reed: thanks for your information and advice. It has put me at ease a little - a few days ago I was nearly losing my mind over all this.


I can see how synced contacts could be easily accessible - but what about my phone browser activity?


I know for a fact that they can see that as well. They see what I am browsing on my phone.

Sep 5, 2013 5:28 PM in response to Minty18522

Minty18522 wrote:


The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 in allowed The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text".

Skipped items are not applicable to Macs.


The SSH protocol not being set is the default with OS X.

The hidden file is the actual name of a Unix man file that has been on every mac since the original OS X.

I have always seen both of these for many years. I used to know how to correct the first one by hacking the default, but I've never heard of anybody ever taking advantage of it.


The MS Windows icon resource would seem to indicate that you have Windows installed in a virtual environment.


So the only thing that's a bit suspicious to me is the syslog remote logging.
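The two configuration-file findings discussed in this reply (the syslog "remote logging" line and the unset SSH 'Protocol' option) can be triaged directly from the config files rather than from Rootkit Hunter's one-line verdict. The script below is an added example, not code from the thread or from Rootkit Hunter; the config snippets in it are constructed, and the 127.0.0.1 target is an assumption standing in for the truncated ".0.1:32376" quoted above.

```python
"""Triage two rkhunter-style findings from the raw config text.

Added example: the syslog.conf and sshd_config samples below are constructed
for illustration and are not the poster's real files.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed syslog.conf. The 'install.*' line is an ASSUMED loopback target
# resembling the truncated ".0.1:32376" finding; the 'auth.*' line is a
# constructed genuinely remote destination that a defender should review.
SAMPLE_SYSLOG_CONF = """\
*.notice;authpriv,remoteauth,ftp,install.none   /var/log/system.log
install.*                                       @127.0.0.1:32376
auth.*                                          @logs.example.net:514
kern.*                                          /var/log/kernel.log
"""

# Constructed sshd_config with 'Protocol' only present as a comment, i.e. unset.
SAMPLE_SSHD_CONF_UNSET = """\
# constructed sshd_config
#Protocol 2
PermitRootLogin no
"""
# Constructed sshd_config that really does allow protocol 1.
SAMPLE_SSHD_CONF_V1 = "Protocol 2,1\nPermitRootLogin no\n"

# BSD syslog.conf forwarding syntax: <selector> <whitespace> @host[:port]
_FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+@(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)


@dataclass
class SyslogTarget:
    selector: str
    host: str
    port: Optional[int]
    loopback: bool


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback IP; other hostnames count as remote."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def remote_syslog_targets(conf_text: str) -> List[SyslogTarget]:
    """Return every '@host' forwarding target in a BSD-style syslog.conf."""
    targets = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _FORWARD_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            targets.append(SyslogTarget(m["selector"], m["host"], port,
                                        _is_loopback(m["host"])))
    return targets


def triage_syslog(conf_text: str) -> List[str]:
    """Loopback forwarding is local delivery; anything else needs review."""
    notes = []
    for t in remote_syslog_targets(conf_text):
        dest = f"{t.host}:{t.port}" if t.port else t.host
        if t.loopback:
            notes.append(f"OK: '{t.selector}' forwards to loopback {dest} "
                         "(local delivery, not remote logging)")
        else:
            notes.append(f"REVIEW: '{t.selector}' forwards to remote host {dest}; "
                         "confirm this destination is intended")
    return notes


def ssh_protocol_setting(conf_text: str) -> Optional[str]:
    """Effective 'Protocol' value from sshd_config, or None if not set."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return parts[1].strip()
    return None


def triage_ssh(conf_text: str) -> str:
    """An unset 'Protocol' is the default; only an explicit '1' allows SSH v1."""
    value = ssh_protocol_setting(conf_text)
    if value is None:
        return ("INFO: 'Protocol' not set; sshd uses its compiled-in default "
                "(protocol 2 only in OpenSSH 5.4 and later)")
    if "1" in {v.strip() for v in value.split(",")}:
        return f"REVIEW: 'Protocol {value}' allows SSH protocol 1"
    return f"OK: 'Protocol {value}'"


if __name__ == "__main__":
    for note in triage_syslog(SAMPLE_SYSLOG_CONF):
        print(note)
    print(triage_ssh(SAMPLE_SSHD_CONF_UNSET))
    print(triage_ssh(SAMPLE_SSHD_CONF_V1))
```

On a real machine, feed it the contents of /etc/syslog.conf and /etc/ssh/sshd_config; IPv6 bracketed targets are not parsed by the forwarding regex.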

Sep 5, 2013 5:31 PM in response to Minty18522

I second everything that Thomas has said. The type of scenario you are describing cannot be the result of the remote exploitation of all your computers and devices by one person. Even if this person was theoretically a member of a national intelligence agency, there's no way they would have the ability to do this (one person might have expertise related to one OS or device, not four or five).


If some kind of remote desktop software were installed on your system, that might permit some of the things you describe (primarily on the computers).


But I have to wonder, if this person has, as you claim, bragged to you about how they are able to access, observe and control your system...why don't you simply file a criminal complaint with the police? Unauthorized access to computer systems is a crime in most of the Western world. And a crime that tends to have disproportionately harsh punishments associated with it...why not make use of that? In my experience, being arrested does tend to be a deterrent...
