How to remove rootkits and malware?

I have downloaded and run the programme Rootkit Hunter and the results are worrying.

I don't know much about malware other than a malicious individual has persistently been installing it onto my machines via malicious emails - this time targeting my iPhone 4 (which I promptly got rid of upon discovering this individual's presence and replaced with a new Samsung S4, which is probably infected as well now) first; and from there using my house Wifi network to get onto my Macbook Pro 10.8.3 (which is the machine I am on now, and the machine the results refer to); and also my Samsung Galaxy Tab 10.1; and most likely the phones and computers belonging to other members of my family are compromised as well.

The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 in allowed The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories Hidden file found: /usr/share/man/man5/. rhosts.5: troff or preprocessor input text".

I do not know how to interpret these results other than of course realising they are alerting me to the fact that something is wrong and needs fixing.

I do not know exactly what Rootkit Hunter is telling me is wrong, and I do not know how to fix the problems it has identified.

I would greatly appreciate it if anybody could perhaps tell me how I can do these things. And any advice on which programmes to use for my Samsung machines and the best way to protect my devices in the future would also be greatly appreciated.

Posted on Aug 23, 2013 11:05 AM

68 replies

Sep 7, 2013 5:13 AM in response to Minty18522

And would it be worth it abandoning compromised email accounts altogether and opening new ones or would just changing the passwords suffice?


I created a whole new Google Play account for my Android devices - as I know for sure she had pretty much unfettered access to my Galaxy Tab - but I am starting to think that was a little extreme and a mere password change on my Play account would have done the job.


Although if she had already infected apps which I am currently using then surely a mere password change would not correct that.

Sep 7, 2013 5:28 AM in response to Minty18522

And could anybody please recommend the most effective software programme I can download onto my Macbook Pro (and Android devices too if anybody knows) which will detect and remove this kind of malware, and which will keep my machine fortified from attacks?


I have just installed Little Snitch as a poster here recommended, but I am reluctant to clutter up my machine with any more programmes if they aren't even going to do anything. I want the best one there is.

Sep 7, 2013 4:49 PM in response to Minty18522

Minty18522 wrote:


If the person is/was not accessing my machines via these email accounts, then could someone who knows what they are talking about please confirm to me that if they can't access my machines through these email accounts, then they can't access my computers and phones at all?

The usual way of using e-mail to access a PC is to include an attachment, usually disguised as something else such as an MS Word document, PDF, image or USPS/UPS/FEDEX delivery receipt, which either takes advantage of a vulnerability or tricks you into allowing it to install something capable of communicating over the Internet (a bot). That process would contact a command and control server which would tell it what to do, which could be the installation of additional malware (e.g. Flashback) or simply pass on userid/password credentials. Little Snitch would then alert you to the fact that a new process was trying to open an outbound connection from your computer. Again, there have been no instances of being able to do any of this by simply reading an e-mail.


At the present time, all such currently known attachment malware has had the vulnerabilities patched and/or the fully up-to-date OS X 1.6.8 and above Quarantine and XProtect system will warn you when you attempt to open them.

And I own an external hard drive with a lot of valuable stuff on it. Should I be worried that anything nasty could have wormed its way onto that? I had plugged it into my infected machine before I took it to the store.

There are no currently known "Worms" that could have worked their way to an external hard drive. It would have had to have been something you copied to it. As long as it's not a backup drive, you should scan it should you decide you need additional security software.

Sep 7, 2013 4:48 PM in response to Minty18522

Minty18522 wrote:


And would it be worth it abandoning compromised email accounts altogether and opening new ones or would just changing the passwords suffice?

That's normally appropriate when someone is using your e-mail address to send a lot of Spam. If you have changed your strong password and verified that your e-mail ISP doesn't allow proxy users to send mail from it (businesses do this so a Secretary can send e-mail in the name of their boss) then that should be sufficient. Of course if there is a communicating keylogger on your computer then it doesn't matter what you change, as all your new account names and passwords will still be sent out.

Sep 19, 2013 10:00 AM in response to thomas_r.

But with a virtual keylogger it doesn't capture the actual characters - in the password fields there are just a series of dots typed in with an on-screen keyboard.


The only way the person operating the keylogger can find out what the dots are/were is if they were able to take control of and manipulate the Kaspersky anti-keylogger virtual keyboard with their malware.


Or else if their malware can successfully guess - along with themselves watching the characters being typed via screenshots (I type rather slowly, speeding my typing up and appearing to type erratically could perhaps work and leave them in confusion) - which keys are being typed; and thus the passwords.


If it was totally useless why would Kaspersky's much-vaunted anti-keylogger virtual keyboard be even marketed at a high price and be seemingly held in high regard?


Apparently though with a keyboard with jumbled letters, numbers, and characters, the chances of evading the keylogger is much higher.


That is why I am asking about one of these for the Mac and/or Android.


And again, any other advice about evading keyloggers would be much appreciated - I have given up trying to get rid of the Rootkit for now, as even a clean reinstall made by the clueless (as to what to do) staff at the Apple "Genius Bar" didn't work (the Samsung staff were even more clueless and devoid of any helpful suggestions).

I've resigned myself to just putting up with this parasite until I have changed my machines and have new clean ones, and can finally shake them off once and for all.


I really want to protect my most important passwords now however.


Once again, thanks to anyone who can offer helpful advice in advance.

Sep 19, 2013 10:41 AM in response to Minty18522

Minty18522 wrote:


if their malware can successfully guess - along with themselves watching the characters being typed via screenshots (I type rather slowly, speeding my typing up and appearing to type erratically could perhaps work and leave them in confusion) - which keys are being typed; and thus the passwords.

There are no currently known malware keyloggers that can impact OS X. Of course there are quite a few commercial or hack keyloggers, but they have legitimate uses and are thus not found by any Mac A-V software, unless identified as PUA (Potentially Unwanted Applications). They require physical access to your computer or local network (if you have sharing enabled) in order to install them.


Android is another story. There is all kinds of malware of every type and it continues to increase at an alarming rate, see: “More trouble” brewing as mobile threats multiply “exponentially”, ex-ISACA chief warns.


Did you ever run MacScan on your Mac to see if anything showed up?

Sep 19, 2013 11:26 AM in response to MadMacs0

Not recently have I used MacScan - I tried it out before one of the countless wiping of the drive & reinstallation of the operating system combos I have gone through and it took ages and didn't reveal anything remarkable. To be honest, at one point I had so many programmes like it all doing the same thing, nothing, that I was glad to get rid of them all after one of my regular formats.


At the minute I have Sophos, Little Snitch, Rootkithunter (which I don't have activated - it is known for its false positives I understand, so it just confuses the issues further for me); and Kaspersky - specifically for its anti-keylogging virtual keyboard feature.


The person definitely didn't have physical access to any of my devices, so they definitely infected me remotely via my network.


As for the plethora of legitimate keyloggers which are used for illegitimate and illegal purposes, how does one set about identifying them as "Potentially Unwanted Applications"?


I am most worried about my bank details: but if there was any dodgy activity going on with my online bank account the fraud department and police would be on top of the person like a ton of bricks; so they would be behaving seriously recklessly if they even thought about going near my online banking and would almost certainly land themselves in very very serious trouble.


Thanks Again!

Sep 19, 2013 12:09 PM in response to Minty18522

Minty18522 wrote:


As for the plethora of legitimate keyloggers which are used for illegitimate and illegal purposes, how does one set about identifying them as "Potentially Unwanted Applications"?

That's up to the individual A-V signature folks to classify them that way.


With ClamXav the default is to not scan for them, but I won't bother to explain how to turn that feature on since none of the 5278 PUA definitions are also OSX. At least 3936 are Windows, only one is identified as Android but there are 147 RATs.

Rootkithunter (which I don't have activated - it is known for its false positives I understand

Not exactly false positive, IMHO, just that it's really designed to be a Unix tool to warn IT administrators that something has changed or is out of the norm with their setup. Since Apple makes a few changes to the way its Darwin Unix code is configured, RKHunter will give warnings about such things. I have whitelisted several of those items, but I've also found minor changes with many new major OS X versions.


They currently have specific checks of four OSX Rootkits (Boonana-A Trojan (aka Koobface.A), Inqtana w/3-variants, OSX Rootkit 0.2.1 (OSXRK) and Togroot Rootkit). None of these are considered to be "Darwin" rootkits as they don't reside in any of the Unix directories, only the System, Library and User directories (folders).


I used to be somewhat concerned that SSH root access was allowed by default, but that appears to have changed at some point and is no longer the case with Mountain Lion.

Sep 19, 2013 12:34 PM in response to Minty18522

Minty18522 wrote:


What are "147 Rats" by the way? I have Android devices.

Hard to say:


Sep 20, 2013 9:02 PM in response to g_wolfman

g_wolfman wrote:


RAT stands for Remote Access Tool.

Among other things.


It can also mean Remote Access Trojan, which is definitely malware or Remote Administration Tool which is commonly used by cell phone access providers, businesses, etc. that need to administer a "fleet" of cell phones, tablets or computers.


They all provide a means of remotely accessing a computer or device either with or without the user's knowledge. Legitimate usage includes updating firmware. You can probably imagine what could be done for the purposes of spying on your device.

Sep 21, 2013 2:08 PM in response to g_wolfman

g_wolfman wrote:


I doubt Remote Admin Tools used for fleet management are included in malware definition databases, for example.

Actually, that's exactly the type of RAT that qualifies as PUA. They are software that have legitimate uses but can be applied surreptitiously for other uses that the user isn't aware of. I could only locate two definitions for RATs that were classified as true malware.

May 7, 2016 9:47 AM in response to thomas_r.

I would disagree that they could both become infected. Safari is one of the major problems - and they are always connected, no matter what. It is coming out that there are so many vulnerabilities - many which they - Apple - have long known about. If you have a pre-2014 MacBookPro and let it go to sleep - root kit and bios overwritten - you have lost control. I have been telling them this - though didn't know reason just tons of proof - since 2011. They act like I'm crazy yet they can't fix any of the odd things that occur. I have had control taken from me while using! AT&T recently agreed - and opened a case on this. So unless you are sure of your facts, please don't talk down to someone experiencing problems. 🙂
