How to remove rootkits and malware?

I have downloaded and run the programme Rootkit Hunter and the results are worrying.

I don't know much about malware other than a malicious individual has persistently been installing it onto my machines via malicious emails - this time targeting my iPhone 4 (which I promptly got rid of upon discovering this individual's presence and replaced with a new Samsung S4, which is probably infected as well now) first; and from there using my house Wifi network to get onto my Macbook Pro 10.8.3 (which is the machine I am on now, and the machine the results refer to); and also my Samsung Galaxy Tab 10.1; and most likely the phones and computers belonging to other members of my family are compromised as well.

The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 is allowed: The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed: Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types: Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories: Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text".

I do not know how to interpret these results other than of course realising they are alerting me to the fact that something is wrong and needs fixing.

I do not know exactly what Rootkit Hunter is telling me is wrong, and I do not know how to fix the problems it has identified.

I would greatly appreciate it if anybody could perhaps tell me how I can do these things. And any advice on which programmes to use for my Samsung machines and the best way to protect my devices in the future would also be greatly appreciated.

Posted on Aug 23, 2013 11:05 AM

68 replies

Sep 5, 2013 5:28 PM in response to Minty18522

Minty18522 wrote:


The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 is allowed: The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed: Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types: Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories: Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text".

Skipped items are not applicable to Macs.


The SSH protocol not being set is the default with OS X.

The hidden file is the actual name of a Unix man file that has been on every Mac since the original OS X.

I have always seen both of these for many years. I used to know how to correct the first one by hacking the default, but I've never heard of anybody ever taking advantage of it.


The MS Windows icon resource would seem to indicate that you have Windows installed in a virtual environment.


So the only thing that's a bit suspicious to me is the syslog remote logging.
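The three findings the reply above walks through can be re-checked by hand rather than taken on trust from the scanner's one-line summary. The script below is an added example from the editor, not rkhunter's code and not something anyone in the thread posted. Each check takes a file or directory path, so it runs here on constructed sample files and can then be pointed at the real /etc/sshd_config, /etc/syslog.conf and /usr/share/man on the machine in question. The sample syslog line that forwards to 127.0.0.1 is an assumption about what a benign loopback rule looks like, not a transcription of the fragment quoted in the thread; compare it with the full line in your own file. The /dev/fd/6 hit is not covered, because entries under /dev/fd are the scanning process's own open file descriptors, so that line describes a file the scanner (or the shell that launched it) had open at scan time rather than a file stored in /dev.

```shell
#!/bin/sh
# Added example (editor's own, not rkhunter's code): re-check three rkhunter
# findings from the thread by hand. Every check takes a path argument so it
# can run against the constructed copies built below or against the real
# /etc/sshd_config, /etc/syslog.conf and /usr/share/man on a Mac.

# 1. SSH protocol setting. Prints the value of the "Protocol" option, or
#    "unset" when no such line exists. With the option unset, OpenSSH of the
#    OS X 10.8 era defaults to protocol 2 only, so "unset" matches rkhunter's
#    warning but does not mean protocol 1 is enabled.
ssh_protocol_setting() {
    awk 'tolower($1) == "protocol" { print $2; found = 1 }
         END { if (!found) print "unset" }' "$1"
}

# 2. syslog forwarding rules. Prints "selector host[:port]" for every
#    non-comment line whose action starts with "@" (network forwarding).
syslog_remote_targets() {
    awk '$0 !~ /^[[:space:]]*#/ && $2 ~ /^@/ { print $1, substr($2, 2) }' "$1"
}

# Exit 0 when at least one forwarding target is NOT the local host, i.e. when
# log lines actually leave the machine; exit 1 when every target is loopback.
syslog_has_nonlocal_target() {
    syslog_remote_targets "$1" | awk '
        { split($2, a, ":"); h = a[1]
          if (h != "127.0.0.1" && h != "localhost" && h != "::1") bad = 1 }
        END { exit bad ? 0 : 1 }'
}

# 3. Hidden entries (names beginning with ".") anywhere under a directory.
hidden_files_under() {
    find "$1" -name '.*' ! -name '.' ! -name '..' -print 2>/dev/null
}

# Constructed sample inputs (not copied from any real machine).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sshd_config with no Protocol line
PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$demo_dir/syslog.conf" <<'EOF'
# constructed syslog.conf: one loopback forward (assumed benign shape),
# one forward to a remote host that should be explained
*.notice;authpriv,remoteauth,ftp,install.none      /var/log/system.log
install.*                                          @127.0.0.1:32376
auth.*                                             @192.0.2.10:514
EOF

mkdir -p "$demo_dir/man5"
: > "$demo_dir/man5/.rhosts.5"        # constructed stand-in for the man page hit
: > "$demo_dir/man5/hosts.equiv.5"

echo "SSH Protocol option: $(ssh_protocol_setting "$demo_dir/sshd_config")"
echo "syslog forwarding rules (selector target):"
syslog_remote_targets "$demo_dir/syslog.conf"
if syslog_has_nonlocal_target "$demo_dir/syslog.conf"; then
    echo "=> at least one rule sends logs off this machine; identify that host"
else
    echo "=> every forwarding target is loopback"
fi
echo "hidden entries under $demo_dir/man5:"
hidden_files_under "$demo_dir/man5"
```

The useful distinction is the one the scanner does not make: a forwarding rule whose target is 127.0.0.1 keeps logs on the machine, while one whose target is any other address sends them somewhere and needs an explanation. Once a hit has been checked and found benign, rkhunter's own rkhunter.conf accepts whitelist entries (for instance ALLOWHIDDENFILE=/path for a known hidden file) so the next run stays quiet about it.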

Sep 5, 2013 5:31 PM in response to Minty18522

I second everything that Thomas has said. The type of scenario you are describing cannot be the result of the remote exploitation of all your computers and devices by one person. Even if this person was theoretically a member of a national intelligence agency, there's no way they would have the ability to do this (one person might have expertise related to one OS or device, not four or five).


If some kind of remote desktop software were installed on your system, that might permit some of the things you describe (primarily on the computers).


But I have to wonder, if this person has, as you claim, bragged to you about how they are able to access, observe and control your system...why don't you simply file a criminal complaint with the police? Unauthorized access to computer systems is a crime in most of the Western world. And a crime that tends to have disproportionately harsh punishments associated with it...why not make use of that? In my experience, being arrested does tend to be a deterrent...

Sep 5, 2013 5:37 PM in response to Minty18522

Minty18522 wrote:


And most anti-virus programmes are just a waste of space on your computer or phone when it comes to malware of this level of insidiousness.

That's correct in that all currently known spyware requires physical access to your Mac or you would have to approve shared access over the network. Since A-V software is designed to catch malware and spyware does have legitimate use, it won't find them.


The only software that specializes in this sort of thing is MacScan from SecureMac. It is known for producing false alarms, so make certain that it is properly identified before deleting any files. It also does a poor job of regular malware detection, so don't use it for that. Thomas is particularly critical of it in Macscan disappoints.

Sep 5, 2013 5:40 PM in response to Minty18522

I can't comment on that, not having seen (or heard of) Sourcefire's report.


However, one observation: note that number of CVEs does not necessarily equate to insecurity. In the case of iOS, I would bet that the CVEs in question have been fixed, and most people using iOS are using the latest version, which would include those fixes. In contrast, Android has been demonstrated to have a far higher rate of malware infections (i.e., active exploitation) than any other system, including the previously-undisputed winner in this category: Windows. This is primarily because of fragmentation of the Android system, with different wireless carriers creating their own customized versions of Android that don't get patched as often as they should, and that usually contain old vulnerabilities that Google has actually fixed in the latest version of the official Android.


So, it really doesn't matter how many CVEs might have appeared for iOS in a given amount of time, since there's still no malware out there capable of infecting iOS. (Unless the device has been jailbroken.)


Further, that article is way off base by saying that Apple had no security in early versions of iOS. The security, in fact, has been present since day one, and has been the source of one of the most significant criticisms of the platform... namely, its lack of openness, and the requirement to download all apps from the App Store.

Sep 5, 2013 5:51 PM in response to Minty18522

I can see how synced contacts could be easily accessible - but what about my phone browser activity?


That's easy too. If they have access to iCloud, and if you are syncing Safari to iCloud, they can see what tabs are open on each of your devices (Mac or iOS). See:


http://www.macgasm.net/2013/04/02/syncing-safari-tabs-between-macs-ios-devices/


It really sounds like this person has access to your iCloud account. You need to change that password, and should also be sure to lock it down a little tighter with two-factor authentication:


Apple introduces two-factor authentication


Also, g_wolfman makes an excellent point... if you can collect evidence showing that this individual is harassing you and spying on you online, you can report this to the authorities and get that person prosecuted. If the action is taking place across state lines in the US, it would (I would guess) be a federal crime, justifying FBI involvement.

Sep 5, 2013 5:54 PM in response to g_wolfman

Thanks everybody for your advice.


@Wolfman - I would be reluctant to go complaining to the police for a number of reasons; most notably:


a) I know it is malicious, but I know the girl in question, and she is not actually doing anything other than snooping on me, which she seems to view as just a bit cheeky and a bit of harmless fun. She isn't trying to steal money from my bank account or anything and would think I was wildly overreacting if I took such action - although it is hard to get her to understand how much of a nightmare it is for me.


b) I would not want to cause either my parents or her parents any distress or embarrassment by involving the police.


c) I doubt the police would be able to do much anyway, as she is not sending me threatening emails or anything like that - the emails she is sending which I believed contained the malware are pump and dump-style ones about stocks and have been generated somehow. They are not directly from her. So even if I did try and complain, I would most likely have insufficient evidence, and the police would most likely struggle with dealing with such a complaint.

Sep 5, 2013 6:09 PM in response to Minty18522

I know the girl in question, and she is not actually doing anything other than snooping on me, which she seems to view as just a bit cheeky and a bit of harmless fun.


Well, keep in mind that if she has actually done what you have said - getting malware installed on all of your devices - that is very, very far from harmless fun. That would be serious hacking of a magnitude that would make her instantly world famous in the underworld, the top dog in the "black hat" hacker community, and would be of great interest to law enforcement agencies like the FBI.


On the other hand, if she's just gaining access to some of your online accounts by being able to guess the password, or something similar, that's fairly minor... the sort of thing that matches the motivations you describe.

Sep 5, 2013 6:50 PM in response to thomas_r.

Well I know she reads the likes of "Hack in the Box".


You say remotely installing malware, like keyloggers and rootkits is difficult.


But I have actually had another girl who did this as well in the past, this time some nutter who I didn't know in person, but whom I was unfortunately briefly and tenuously acquainted with online - and she was much less intelligent than the current girl who is doing it (who is Cambridge educated and both her parents are doctors) - and she was able to do it just by sending emails, which I stupidly clicked on sometimes before I was aware of this stuff. These were on old Windows machines. She has no access to any of my machines now - so I got rid of one cyberstalker and acquired another after the briefest of respites - but she would still send me dubious emails from time to time in the hope I will click on her dodgy links.


Are you totally sure that just opening the emails won't give any malware access to my machines? Because I have seen forums where wannabe hackers have requested advice on how to remotely put spyware on people's machines via just emails without links and attachments, by just opening them, and plenty of people responded positively I noticed.


But in my experience, it is silly little girls who sit doing this kind of thing - perhaps not on multiple devices like you say, but certainly on just one at a time; and that it doesn't seem particularly difficult.


"Remotely install a keylogger in just a few seconds" - these are the kinds of statements I am reading aimed at people who would be interested in dabbling in this kind of stuff.

Sep 5, 2013 7:12 PM in response to thomas_r.

Well if she didn't do what I believed, then the only way she could have accessed all the machines was via my hotmail account.


So if I open a dodgy email (and none of the emails had links or attachments, but it must have been them, as there is no other way I can think of she could have remotely accessed the machines - unless she used my IP address somehow) on one device and do not delete it from the hotmail account, it will obviously still be there when I use my hotmail account on other devices. Is this a risk?


Also, on my Android devices I also use a Gmail account for Google Play. I have not changed the password in a while. Could this be the reason why she is still able to snoop on my android devices, even after restoring them to the factory settings?

Sep 5, 2013 7:19 PM in response to Minty18522

a) I don't consider compromising someone's system(s) and then spying on them, and then harassing them about it to be "cheeky fun".


b) So what? Is there a threshold beyond which not embarrassing your parents' friends becomes irrelevant? Or am I being insensitive to some cultural phenomenon involving saving face?


c) If nothing else, the police can give her a stern talking-to, make reference to the fact that even if she is managing to skirt cyber-crime laws she's well into cyber-stalking and/or harassment territory, and impress upon her the fact that if they have to come back a second time then it could be more than merely embarrassing.


Quite frankly, "but I know her and our families know each other and I don't want to rock the boat because people will blame me for over-reacting" just sounds like you're being a sucker. If she is cyber-stalking, it will eventually escalate...best to nip it in the bud now.


But on the other hand, I also can't believe that you still keep insisting that "silly little girls" with no knowledge of computer engineering routinely have access to world-class hacking tools that operate at levels of sophistication only reachable by national intelligence agencies...whatever she's doing is either far less sophisticated (eg, guessing a password for one account that you have foolishly re-used in many places), or you have installed the software that she is using to access your system. Which still wouldn't explain the devices.

Sep 5, 2013 7:26 PM in response to victoryhat

I know what a State Actor is; I prefer the term Advanced Persistent Threat, personally.


And while the "Intelligence Community", or an "Intelligent Service", might be able to perform the kinds of attacks the OP alludes to...a single "Intelligence Operative" could not. There would be too much expertise in too many disparate systems for one person to do this. Compromising OS X, iOS, Windows and Android devices would require a team.


APTs compile teams of people with extensive depth knowledge in specific areas. They don't look for people with breadth knowledge (at least not for technical disciplines). And the kind of depth required for what's described here doesn't get acquired in breadth anyway.

Sep 5, 2013 7:26 PM in response to Minty18522

I was replying to g_wolfman about the initial comment made by you describing how your entire network along with all of your devices have been compromised (in your opinion).


I find it highly unlikely that 'some girl' did a 'little research' on google and was able to 'enlist the help' of third party actors in order to gain physical access to your premises, in order to launch a coordinated attack on you.


But that is just my opinion.

Sep 5, 2013 7:31 PM in response to victoryhat

I never said she enlisted the help of third party actors - just that she hacked my iPhone; switched Wifi on on it; got onto my house Wifi network from there; and then onto my other machines/devices.


I'm not a tech expert, but to me it didn't look like a particularly difficult thing to do if someone really wanted to do it - especially with a weak Wifi network password.
