Hi mate, I know it’s been a few years since you posted about this issue and at the time I would not have believed that what you were experiencing was anything like what you were describing. I understand how frustrating it is to have people tell you that something isn’t possible, when it’s obvious to you that it is. I found your post because a similar Trojan has infected nearly all of the devices on my network also. It has similar functionalities to what you have described and I’m about ready to give up and just deal with it.
I have five macs, an iPad, two iPhones, an Apple TV and a technicolor gateway/router which are all infected. Two of the macs had boot camp installs of windows which were also infected and all the devices are compromised at the NVRAM / SMC / EFI and system partition levels. On the macs it works by changing the boot order of the drivers in the NVRAM parameters so that the Bluetooth driver loads first, it loads an infected blued.plist file which launches all the processes required to take control of your system before it even gets to load the USB drivers required to accept any input from your keyboard. So, no key combinations for SMC reset or NVRAM reset, or alternate boot device menu, or single user mode boot can intervene. Remove all the drives from the machine and make the blued.plist file inaccessible and instead it will attempt to NetBoot the infection from any attached devices, including a time capsule and even a thunderbolt adapter if it contains an option ROM, failing that it will got for a remote server and if there’s no internet connection it displays the ‘Internet Recovery’ screen and asks you to connect to a wifi network. Internet recovery appears to be running as normal, but actually the boot loader just redownloaded the infection from a remote server, created a ram drive with some bootable Linux based UEFI parent/controller and then runs the recovery mode below that, infecting the OS installer as it downloads from the secure apple server.
Back to square one.
I haven’t even begun to figure out how it works on iOS yet but I assure you it has infected those devices in a similar way.
I believe i was infected because of a JavaScript/sandbox vulnerability. I think I entered my Apple ID info into a malicious password prompt pop up which looked identical to what a real one did at the time (iOS 10.2). Now iOS and OS X both operate as if they have been sandboxed, with processes invisible to activity monitor but not to a root level terminal shell. It creates TCP connections to the remote control centre which aren’t easily detected because it compromises existing system processes like airplay, screen sharing, spotlight etc. It intercepts the dns requestes of all the antivirus software updaters that I’ve tried so far, and either downloads fake definitions files or modifies the applications to skip the infected files like you mentioned. Malware bytes, little snitch, blockblock, kaspersky, norton, Sophos, intego, the App Store updates and iTunes all get intercepted and redirected to alternate download servers. NetBarrier by intego is the only software that seems to actually still operate correctly and prompt when a connection attempt is made, it shows the address of the server that the app attempted to contact and they’re usually amazon hosted cloud storage or some real looking address like updserv.live.norton.com but with a .aksdns.net at the end of it. None of the addresses ever resolve to a server in safari because if you attempt to connect without presenting the software’s built in encryption key then it just silently drops your request and resolves to a 404 error.
I could give you another 2000 words on other behaviours I have discovered but I think you get the point. Basically the main ones are; keys are logged, passwords are captured, time machine backups are infected, any and all drives that are connected to an infected system are immediately repartitioned with a hidden 60mb EFI boot volume so as to infect any other devices it may be connected to during a reboot, RPCs for hidden screen sharing connections appear in Console and most deceiving and destructive of all, wifi and Bluetooth are both active even when OS X shows them as disabled and even when the network device is completely removed from the network pane of system config.
My next option is to attempt a physical hardware flash of the NVRAM to a clean factory state followed by an internet recovery from an alternate internet connection or with a new modem (the technicolor gateway is a SOC device running FreeBSD so it was infected also).
Anyways, my point is, I believe you, it’s possible now and the vault 7 leaks show that it was possible in 2013 as well. I’m sorry that you had to go through it, I feel your pain and I hope you’ve upgraded devices since then and managed to keep them from becoming infected also. Apple says that it’s beyond the scope of their engineering department and that I would need to consult a cyber security specialist in order to remove it. If I don’t figure it out soon I will be returning my six week old iMac and asking for a new one.
Wish me luck!
