
How to remove rootkits and malware?

I have downloaded and run the programme Rootkit Hunter and the results are worrying.

I don't know much about malware other than a malicious individual has persistently been installing it onto my machines via malicious emails - this time targeting my iPhone 4 (which I promptly got rid of upon discovering this individual's presence and replaced with a new Samsung S4, which is probably infected as well now) first; and from there using my house Wifi network to get onto my Macbook Pro 10.8.3 (which is the machine I am on now, and the machine the results refer to); and also my Samsung Galaxy Tab 10.1; and most likely the phones and computers belonging to other members of my family are compromised as well.

The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 in allowed The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories Hidden file found: /usr/share/man/man5/. rhosts.5: troff or preprocessor input text".

I do not know how to interpret these results other than of course realising they are alerting me to the fact that something is wrong and needs fixing.

I do not know exactly what Rootkit Hunter is telling me is wrong, and I do not know how to fix the problems it has identified.

I would greatly appreciate it if anybody could perhaps tell me how I can do these things. And any advice on which programmes to use for my Samsung machines and the best way to protect my devices in the future would also be greatly appreciated.

Posted on Aug 23, 2013 11:05 AM

Question marked as Top-ranking reply

Posted on Nov 13, 2017 6:00 AM

Hi mate, I know it’s been a few years since you posted about this issue and at the time I would not have believed that what you were experiencing was anything like what you were describing. I understand how frustrating it is to have people tell you that something isn’t possible, when it’s obvious to you that it is. I found your post because a similar Trojan has infected nearly all of the devices on my network also. It has similar functionalities to what you have described and I’m about ready to give up and just deal with it.

I have five Macs, an iPad, two iPhones, an Apple TV and a Technicolor gateway/router which are all infected. Two of the Macs had Boot Camp installs of Windows which were also infected and all the devices are compromised at the NVRAM / SMC / EFI and system partition levels. On the Macs it works by changing the boot order of the drivers in the NVRAM parameters so that the Bluetooth driver loads first; it loads an infected blued.plist file which launches all the processes required to take control of your system before it even gets to load the USB drivers required to accept any input from your keyboard. So, no key combinations for SMC reset or NVRAM reset, or alternate boot device menu, or single user mode boot can intervene. Remove all the drives from the machine and make the blued.plist file inaccessible and instead it will attempt to NetBoot the infection from any attached devices, including a Time Capsule and even a Thunderbolt adapter if it contains an option ROM; failing that it will go for a remote server and if there’s no internet connection it displays the ‘Internet Recovery’ screen and asks you to connect to a wifi network. Internet Recovery appears to be running as normal, but actually the boot loader just redownloaded the infection from a remote server, created a RAM drive with some bootable Linux based UEFI parent/controller and then runs the recovery mode below that, infecting the OS installer as it downloads from the secure Apple server.


Back to square one.


I haven’t even begun to figure out how it works on iOS yet but I assure you it has infected those devices in a similar way.


I believe I was infected because of a JavaScript/sandbox vulnerability. I think I entered my Apple ID info into a malicious password prompt pop up which looked identical to what a real one did at the time (iOS 10.2). Now iOS and OS X both operate as if they have been sandboxed, with processes invisible to Activity Monitor but not to a root level terminal shell. It creates TCP connections to the remote control centre which aren’t easily detected because it compromises existing system processes like AirPlay, screen sharing, Spotlight etc. It intercepts the DNS requests of all the antivirus software updaters that I’ve tried so far, and either downloads fake definitions files or modifies the applications to skip the infected files like you mentioned. Malwarebytes, Little Snitch, BlockBlock, Kaspersky, Norton, Sophos, Intego, the App Store updates and iTunes all get intercepted and redirected to alternate download servers. NetBarrier by Intego is the only software that seems to actually still operate correctly and prompt when a connection attempt is made; it shows the address of the server that the app attempted to contact and they’re usually Amazon hosted cloud storage or some real looking address like updserv.live.norton.com but with a .aksdns.net at the end of it. None of the addresses ever resolve to a server in Safari because if you attempt to connect without presenting the software’s built in encryption key then it just silently drops your request and resolves to a 404 error.


I could give you another 2000 words on other behaviours I have discovered but I think you get the point. Basically the main ones are; keys are logged, passwords are captured, time machine backups are infected, any and all drives that are connected to an infected system are immediately repartitioned with a hidden 60mb EFI boot volume so as to infect any other devices it may be connected to during a reboot, RPCs for hidden screen sharing connections appear in Console and most deceiving and destructive of all, wifi and Bluetooth are both active even when OS X shows them as disabled and even when the network device is completely removed from the network pane of system config.


My next option is to attempt a physical hardware flash of the NVRAM to a clean factory state followed by an Internet Recovery from an alternate internet connection or with a new modem (the Technicolor gateway is a SoC device running FreeBSD so it was infected also).


Anyways, my point is, I believe you, it’s possible now and the Vault 7 leaks show that it was possible in 2013 as well. I’m sorry that you had to go through it, I feel your pain and I hope you’ve upgraded devices since then and managed to keep them from becoming infected also. Apple says that it’s beyond the scope of their engineering department and that I would need to consult a cyber security specialist in order to remove it. If I don’t figure it out soon I will be returning my six week old iMac and asking for a new one.


Wish me luck!

68 replies

Sep 5, 2013 5:37 PM in response to Minty18522

Minty18522 wrote:


And most anti-virus programmes are just a waste of space on your computer or phone when it comes to malware of this level of insidiousness.

That's correct in that all currently known spyware requires physical access to your Mac or you would have to approve shared access over the network. Since A-V software is designed to catch malware and spyware does have legitimate use, it won't find them.


The only software that specializes in this sort of thing is MacScan from SecureMac. It is known for producing false alarms, so make certain that it is properly identified before deleting any files. It also does a poor job of regular malware detection, so don't use it for that. Thomas is particularly critical of it in "MacScan disappoints".

Sep 5, 2013 5:40 PM in response to Minty18522

I can't comment on that, not having seen (or heard of) Sourcefire's report.


However, one observation: note that number of CVEs does not necessarily equate to insecurity. In the case of iOS, I would bet that the CVEs in question have been fixed, and most people using iOS are using the latest version, which would include those fixes. In contrast, Android has been demonstrated to have a far higher rate of malware infections (ie, active exploitation) than any other system, including the previously-undisputed winner in this category: Windows. This is primarily because of fragmentation of the Android system, with different wireless carriers creating their own customized versions of Android that don't get patched as often as they should, and that usually contain old vulnerabilities that Google has actually fixed in the latest version of the official Android.


So, it really doesn't matter how many CVEs might have appeared for iOS in a given amount of time, since there's still no malware out there capable of infecting iOS. (Unless the device has been jailbroken.)


Further, that article is way off base by saying that Apple had no security in early versions of iOS. The security, in fact, has been present since day one, and has been the source of one of the most significant criticisms of the platform... namely, its lack of openness, and the requirement to download all apps from the App Store.

Sep 5, 2013 5:51 PM in response to Minty18522

I can see how synced contacts could be easily accessible - but what about my phone browser activity?


That's easy too. If they have access to iCloud, and if you are syncing Safari to iCloud, they can see what tabs are open on each of your devices (Mac or iOS). See:


http://www.macgasm.net/2013/04/02/syncing-safari-tabs-between-macs-ios-devices/


It really sounds like this person has access to your iCloud account. You need to change that password, and should also be sure to lock it down a little tighter with two-factor authentication:


Apple introduces two-factor authentication


Also, g_wolfman makes an excellent point... if you can collect evidence showing that this individual is harassing you and spying on you online, you can report this to the authorities and get that person prosecuted. If the action is taking place across state lines in the US, it would (I would guess) be a federal crime, justifying FBI involvement.

Sep 5, 2013 5:54 PM in response to g_wolfman

Thanks everybody for your advice.


@Wolfman - I would be reluctant to go complaining to the police for a number of reasons; most notably:


a) I know it is malicious, but I know the girl in question, and she is not actually doing anything other than snooping on me, which she seems to view as just a bit cheeky and a bit of harmless fun. She isn't trying to steal money from my bank account or anything and would think I was wildly overreacting if I took such action - although it is hard to get her to understand how much of a nightmare it is for me.


b) I would not want to cause either my parents or her parents any distress or embarrassment by involving the police.


c) I doubt the police would be able to do much anyway, as she is not sending me threatening emails or anything like that - the emails she is sending which I believed contained the malware are pump and dump-style ones about stocks and have been generated somehow. They are not directly from her. So even if I did try and complain, I would most likely have insufficient evidence, and the police would most likely struggle with dealing with such a complaint.

Sep 5, 2013 6:09 PM in response to Minty18522

I know the girl in question, and she is not actually doing anything other than snooping on me, which she seems to view as just a bit cheeky and a bit of harmless fun.


Well, keep in mind that if she has actually done what you have said - getting malware installed on all of your devices - that is very, very far from harmless fun. That would be serious hacking of a magnitude that would make her instantly world famous in the underworld, the top dog in the "black hat" hacker community, and would be of great interest to law enforcement agencies like the FBI.


On the other hand, if she's just gaining access to some of your online accounts by being able to guess the password, or something similar, that's fairly minor... the sort of thing that matches the motivations you describe.

Sep 5, 2013 6:50 PM in response to thomas_r.

Well I know she reads the likes of "Hack in the Box".


You say remotely installing malware, like keyloggers and rootkits is difficult.


But I have actually had another girl who did this as well in the past, this time some nutter who I didn't know in person, but whom I was unfortunately briefly and tenuously acquainted with online - and she was much less intelligent than the current girl who is doing it (who is Cambridge educated and both her parents are doctors) - and she was able to do it just by sending emails, which I stupidly clicked on sometimes before I was aware of this stuff. These were on old Windows machines. She has no access to any of my machines now - so I got rid of one cyberstalker and acquired another after the briefest of respites - but she would still send me dubious emails from time to time in the hope I will click on her dodgy links.


Are you totally sure that just opening the emails won't give any malware access to my machines? Because I have seen forums where wannabe hackers have requested advice on how to remotely put spyware on people's machines via just emails without links and attachments, by just opening them, and plenty of people responded positively I noticed.


But in my experience, it is silly little girls who sit doing this kind of thing - perhaps not on multiple devices like you say, but certainly on just one at a time; and that it doesn't seem particularly difficult.


"Remotely install a keylogger in just a few seconds" - these are the kinds of statements I am reading aimed at people who would be interested in dabbling in this kind of stuff.

Sep 5, 2013 7:12 PM in response to thomas_r.

Well if she didn't do what I believed, then the only way she could have accessed all the machines was via my hotmail account.


So if I open a dodgy email (and none of the emails had links or attachments, but it must have been them, as there is no other way I can think of she could have remotely accessed the machines - unless she used my IP address somehow) on one device and do not delete it from the hotmail account, it will obviously still be there when I use my hotmail account on other devices. Is this a risk?


Also, on my Android devices I also use a Gmail account for Google Play. I have not changed the password in a while. Could this be the reason why she is still able to snoop on my android devices, even after restoring them to the factory settings?

Sep 5, 2013 7:19 PM in response to Minty18522

a) I don't consider compromising someone's system(s) and then spying on them, and then harassing them about it to be "cheeky fun".


b) So what? Is there a threshold beyond which not embarrassing your parents' friends becomes irrelevant? Or am I being insensitive to some cultural phenomenon involving saving face?


c) If nothing else, the police can give her a stern talking-to, make reference to the fact that even if she is managing to skirt cyber-crime laws she's well into cyber-stalking and/or harassment territory, and impress upon her the fact that if they have to come back a second time then it could be more than merely embarrassing.


Quite frankly, "but I know her and our families know each other and I don't want to rock the boat because people will blame me for over-reacting" just sounds like you're being a sucker. If she is cyber-stalking, it will eventually escalate...best to nip it in the bud now.


But on the other hand, I also can't believe that you still keep insisting that "silly little girls" with no knowledge of computer engineering routinely have access to world-class hacking tools that operate at levels of sophistication only reachable by national intelligence agencies...whatever she's doing is either far less sophisticated (eg, guessing a password for one account that you have foolishly re-used in many places), or you have installed the software that she is using to access your system. Which still wouldn't explain the devices.

Sep 5, 2013 7:26 PM in response to victoryhat

I know what a State Actor is; I prefer the term Advanced Persistent Threat, personally.


And while the "Intelligence Community", or an "Intelligent Service", might be able to perform the kinds of attacks the OP alludes to...a single "Intelligence Operative" could not. There would be too much expertise in too many disparate systems for one person to do this. Compromising OS X, iOS, Windows and Android devices would require a team.


APTs compile teams of people with extensive depth knowledge in specific areas. They don't look for people with breadth knowledge (at least not for technical disciplines). And the kind of depth required for what's described here doesn't get acquired in breadth anyway.

Sep 5, 2013 7:26 PM in response to Minty18522

I was replying to g_wolfman about the initial comment made by you describing how your entire network along with all of your devices have been compromised (in your opinion).


I find it highly unlikely that 'some girl' did a 'little research' on google and was able to 'enlist the help' of third party actors in order to gain physical access to your premises, in order to launch a coordinated attack on you.


But that is just my opinion.

Sep 5, 2013 7:31 PM in response to victoryhat

I never said she enlisted the help of third party actors - just that she hacked my iPhone; switched Wifi on on it; got onto my house Wifi network from there; and then onto my other machines/devices.


I'm not a tech expert, but to me it didn't look like a particularly difficult thing to do if someone really wanted to do it - especially with a weak Wifi network password.

Sep 5, 2013 7:48 PM in response to g_wolfman

I never said that our parents knew each other. I just went to university with the girl. I know what you mean about nipping it in the bud and have thought about that.


But her parents are respectable people, both doctors as I said, and bringing the police to their door would cause them immense embarrassment, as it would for the girl - who, apart from annoying me by doing this, I otherwise quite like, and who I know likes me similarly.


Maybe I have just met the wrong ones, but I am starting to think that females are just inclined to do this kind of thing.


And I am shocked myself that you use phrases like "world-class hacking", when literally anybody can download software which enables them to install keyloggers and remotely spy on people.


Anyway, thanks to yourself, and everybody else who has responded, for all the helpful advice.
