
How to remove rootkits and malware?

I have downloaded and run the programme Rootkit Hunter and the results are worrying.

I don't know much about malware other than a malicious individual has persistently been installing it onto my machines via malicious emails - this time targeting my iPhone 4 (which I promptly got rid of upon discovering this individual's presence and replaced with a new Samsung S4, which is probably infected as well now) first; and from there using my house Wi-Fi network to get onto my MacBook Pro 10.8.3 (which is the machine I am on now, and the machine the results refer to); and also my Samsung Galaxy Tab 10.1; and most likely the phones and computers belonging to other members of my family are compromised as well.

The following are the worrying results identified by Rootkit Hunter:

For "Checking LD_LIBRARY_PATH variable", it says in yellow "skipped".

For "Checking for hidden processes", it also says in yellow "skipped".

I also have red warning notices in relation to system configuration file checks and filesystem checks alerting me to the following:

"Checking if SSH protocol v1 is allowed The SSH configuration option 'Protocol' has not been set";

"Checking if syslog remote logging is allowed Syslog configuration file allows remote logging: install.* .0.1:32376"

"Checking /dev for suspicious file types Suspicious file types found in /dev: /dev/fd/6: MS Windows icon resource"

"Checking for hidden files and directories Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text".

I do not know how to interpret these results other than of course realising they are alerting me to the fact that something is wrong and needs fixing.

I do not know exactly what Rootkit Hunter is telling me is wrong, and I do not know how to fix the problems it has identified.

I would greatly appreciate it if anybody could perhaps tell me how I can do these things. And any advice on which programmes to use for my Samsung machines and the best way to protect my devices in the future would also be greatly appreciated.

Posted on Aug 23, 2013 11:05 AM
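Two of the four red warnings above are things a practitioner can re-check by hand from the configuration files rkhunter read. The "Protocol has not been set" warning only means sshd_config carries no uncommented Protocol line; rkhunter reports that because, without the directive, older OpenSSH builds could still negotiate protocol 1. The syslog warning fires on any action that begins with "@", which is a forward to another syslogd, without asking where it goes; the install.* line in the output above targets a loopback address and port, which is how OS X of that era shipped its syslog.conf, so the log never leaves the machine. The other two are classic scanner artifacts: /dev/fd/N are the scanning process's own open file descriptors, so `file` reports whatever the scanner happened to have open, and .rhosts.5 is the manual page for the .rhosts file and is a dotfile by nature. The script below is an added example, not part of the original post or of rkhunter; it reproduces the SSH and syslog checks on constructed configuration text (the addresses and selectors are made up for the example) and separates loopback forwards from genuinely remote ones.

```shell
#!/bin/sh
# Added example (not from the original post): re-derive two of the rkhunter
# warnings by hand, on constructed config text, to see what each one keys on.

# Constructed sshd_config: the Protocol line is commented out, which is the
# "has not been set" condition rkhunter reports. Not copied from any real machine.
SAMPLE_SSHD_CONFIG='# constructed sample
#Protocol 2
Port 22
PermitRootLogin no'

# Constructed syslog.conf in the classic BSD selector/action format. The
# install.* line forwards to a loopback port; the auth.* line is a constructed
# example of a forward to another host (192.0.2.10 is a documentation address).
SAMPLE_SYSLOG_CONF='*.notice;authpriv,remoteauth,ftp,install.none   /var/log/system.log
install.*                                       @127.0.0.1:32376
kern.*                                          /var/log/kernel.log
auth.*                                          @192.0.2.10:514'

# Effective Protocol directive. sshd honours the first occurrence of a keyword,
# so the first uncommented match wins. Prints: unset | v1-allowed | v2-only
ssh_protocol_status() {
    proto=$(printf '%s\n' "$1" | sed 's/#.*//' \
        | awk 'tolower($1)=="protocol" {print $2; exit}')
    if [ -z "$proto" ]; then
        echo unset
    elif printf '%s' "$proto" | grep -q 1; then
        echo v1-allowed
    else
        echo v2-only
    fi
}

# syslog actions beginning with "@" are forwards to another syslogd. rkhunter
# flags every one of them; this splits loopback targets (the log stays on the
# box) from remote ones. Output: "selector target local|remote", one per forward.
# Bracketed IPv6 targets are not handled in this example.
syslog_forwards() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | awk '$2 ~ /^@/ {
              host = substr($2, 2); sub(/:.*/, "", host)
              kind = (host == "127.0.0.1" || host == "localhost") ? "local" : "remote"
              print $1, $2, kind
          }'
}

# Number of forwards that actually leave the machine: the figure that matters.
syslog_remote_count() {
    syslog_forwards "$1" | awk '$3=="remote"' | wc -l | tr -d ' '
}

ssh_protocol_status "$SAMPLE_SSHD_CONFIG"
syslog_forwards "$SAMPLE_SYSLOG_CONF"
syslog_remote_count "$SAMPLE_SYSLOG_CONF"
```

To run the same checks against a real machine, feed the functions the contents of /etc/sshd_config and /etc/syslog.conf (for example `syslog_forwards "$(cat /etc/syslog.conf)"`); a forward to anything other than loopback is the case that deserves a closer look.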

Question marked as Top-ranking reply

Posted on Nov 13, 2017 6:00 AM

Hi mate, I know it’s been a few years since you posted about this issue and at the time I would not have believed that what you were experiencing was anything like what you were describing. I understand how frustrating it is to have people tell you that something isn’t possible, when it’s obvious to you that it is. I found your post because a similar Trojan has infected nearly all of the devices on my network also. It has similar functionalities to what you have described and I’m about ready to give up and just deal with it.

I have five Macs, an iPad, two iPhones, an Apple TV and a Technicolor gateway/router which are all infected. Two of the Macs had Boot Camp installs of Windows which were also infected and all the devices are compromised at the NVRAM / SMC / EFI and system partition levels. On the Macs it works by changing the boot order of the drivers in the NVRAM parameters so that the Bluetooth driver loads first; it loads an infected blued.plist file which launches all the processes required to take control of your system before it even gets to load the USB drivers required to accept any input from your keyboard. So, no key combinations for SMC reset or NVRAM reset, or alternate boot device menu, or single user mode boot can intervene. Remove all the drives from the machine and make the blued.plist file inaccessible and instead it will attempt to NetBoot the infection from any attached devices, including a Time Capsule and even a Thunderbolt adapter if it contains an option ROM; failing that it will go for a remote server and if there's no internet connection it displays the 'Internet Recovery' screen and asks you to connect to a Wi-Fi network. Internet Recovery appears to be running as normal, but actually the boot loader just redownloaded the infection from a remote server, created a RAM drive with some bootable Linux-based UEFI parent/controller and then runs the recovery mode below that, infecting the OS installer as it downloads from the secure Apple server.


Back to square one.


I haven’t even begun to figure out how it works on iOS yet but I assure you it has infected those devices in a similar way.


I believe I was infected because of a JavaScript/sandbox vulnerability. I think I entered my Apple ID info into a malicious password prompt pop-up which looked identical to what a real one did at the time (iOS 10.2). Now iOS and OS X both operate as if they have been sandboxed, with processes invisible to Activity Monitor but not to a root-level terminal shell. It creates TCP connections to the remote control centre which aren't easily detected because it compromises existing system processes like AirPlay, screen sharing, Spotlight etc. It intercepts the DNS requests of all the antivirus software updaters that I've tried so far, and either downloads fake definitions files or modifies the applications to skip the infected files like you mentioned. Malwarebytes, Little Snitch, BlockBlock, Kaspersky, Norton, Sophos, Intego, the App Store updates and iTunes all get intercepted and redirected to alternate download servers. NetBarrier by Intego is the only software that seems to actually still operate correctly and prompt when a connection attempt is made; it shows the address of the server that the app attempted to contact and they're usually Amazon-hosted cloud storage or some real-looking address like updserv.live.norton.com but with a .aksdns.net at the end of it. None of the addresses ever resolve to a server in Safari because if you attempt to connect without presenting the software's built-in encryption key then it just silently drops your request and resolves to a 404 error.


I could give you another 2000 words on other behaviours I have discovered but I think you get the point. Basically the main ones are: keys are logged, passwords are captured, Time Machine backups are infected, any and all drives that are connected to an infected system are immediately repartitioned with a hidden 60 MB EFI boot volume so as to infect any other devices it may be connected to during a reboot, RPCs for hidden screen sharing connections appear in Console and, most deceiving and destructive of all, Wi-Fi and Bluetooth are both active even when OS X shows them as disabled and even when the network device is completely removed from the Network pane of System Preferences.


My next option is to attempt a physical hardware flash of the NVRAM to a clean factory state followed by an Internet Recovery from an alternate internet connection or with a new modem (the Technicolor gateway is an SoC device running FreeBSD so it was infected also).


Anyways, my point is, I believe you; it's possible now and the Vault 7 leaks show that it was possible in 2013 as well. I'm sorry that you had to go through it, I feel your pain and I hope you've upgraded devices since then and managed to keep them from becoming infected also. Apple says that it's beyond the scope of their engineering department and that I would need to consult a cyber security specialist in order to remove it. If I don't figure it out soon I will be returning my six-week-old iMac and asking for a new one.


Wish me luck!

68 replies

Sep 19, 2013 12:34 PM in response to Minty18522

Minty18522 wrote:


What are "147 Rats" by the way? I have Android devices.

Hard to say:


8dd7d6fbd1c09c2caaacdb3590a325dc:1511664:PUA.RAT.Radmin-30

daily.cvd e2f2e16671eb5d8900339f41741f598a:231085:PUA.RAT.VNC-43

daily.cvd 407449f2a326a81163b76b7354cae031:1382683:PUA.RAT.Radmin-31

daily.cvd 004daa3e66f51e6252713b7abf271493:1943133:PUA.RAT.Radmin-32

daily.cvd 4fc34aa688701e0149f318316f984e81:1863767:PUA.RAT.Radmin-33

daily.cvd 98ee2c22c45bbe3f250b73226d357845:743469:PUA.RAT.VNC-44

daily.cvd 3538936fabb7dd3ca6d7b4e373497d8b:724960:PUA.RAT.VNC-45

daily.cvd 1b3e7a853727724bfb1ce6ad71df35f8:739240:PUA.RAT.VNC-46

daily.cvd 0b390b76e2cd84b5a060656e94171991:1382519:PUA.RAT.Radmin-34

daily.cvd 7599ef23caae767c15eba88570e6899b:1684394:PUA.RAT.ChrisControl

daily.cvd d22cf28dda2896149e57542f8b7f015b:1758856:PUA.RAT.VNC-47

daily.cvd 55242f2aa0da7f45fdd101265f950e5d:1452014:PUA.RAT.eSurveiller

daily.cvd PUA.RAT.Radmin-3

daily.cvd PUA.RAT.Radmin-4

daily.cvd PUA.RAT.VNC-7

daily.cvd PUA.RAT.VNC-8

daily.cvd PUA.RAT.VNC-9

daily.cvd PUA.RAT.VNC-10

daily.cvd PUA.RAT.VNC-11

daily.cvd PUA.RAT.VNC-12

daily.cvd PUA.RAT.VNC-13

daily.cvd PUA.RAT.VNC-14

daily.cvd PUA.RAT.VNC-15

daily.cvd PUA.RAT.VNC-16

daily.cvd PUA.RAT.VNC-17

daily.cvd PUA.RAT.VNC-18

daily.cvd PUA.RAT.VNC-19

daily.cvd PUA.RAT.VNC-20

daily.cvd PUA.RAT.VNC-21

daily.cvd PUA.RAT.VNC-22

daily.cvd PUA.RAT.VNC-23

daily.cvd PUA.RAT.VNC-24

daily.cvd PUA.RAT.VNC-25

daily.cvd PUA.RAT.VNC-26

daily.cvd PUA.RAT.VNC-27

daily.cvd PUA.RAT.VNC-28

daily.cvd PUA.RAT.VNC-29

daily.cvd PUA.RAT.VNC-30

daily.cvd PUA.RAT.VNC-31

daily.cvd PUA.RAT.VNC-32

daily.cvd PUA.RAT.VNC-33

daily.cvd PUA.RAT.VNC-34

daily.cvd PUA.RAT.VNC-35

daily.cvd PUA.RAT.VNC-36

daily.cvd PUA.RAT.VNC-37

daily.cvd PUA.RAT.VNC-38

daily.cvd PUA.RAT.VNC-39

daily.cvd PUA.RAT.VNC-40

daily.cvd PUA.RAT.RAdmin-5

daily.cvd PUA.RAT.VNC-41

daily.cvd PUA.RAT.VNC-42

daily.cvd PUA.RAT.RAdmin-6

daily.cvd PUA.RAT.RAdmin-7

daily.cvd PUA.RAT.Radmin-8

daily.cvd PUA.RAT.RAdmin-9

daily.cvd PUA.RAT.Radmin-10

daily.cvd PUA.RAT.RAdmin-11

daily.cvd PUA.RAT.RAdmin-12

daily.cvd PUA.RAT.RAdmin-13

daily.cvd PUA.RAT.RAdmin-14

daily.cvd PUA.RAT.RAdmin-15

daily.cvd PUA.RAT.RAdmin-16

daily.cvd PUA.RAT.RAdmin-17

daily.cvd PUA.RAT.RAdmin-18

daily.cvd PUA.RAT.RAdmin-19

daily.cvd PUA.RAT.RAdmin-20

daily.cvd PUA.RAT.RAdmin-21

daily.cvd PUA.RAT.RAdmin-22

daily.cvd PUA.RAT.RAdmin-23

daily.cvd PUA.RAT.RAdmin-24

daily.cvd PUA.RAT.RAdmin-25

daily.cvd PUA.RAT.RAdmin-26

daily.cvd PUA.RAT.RAdmin-27

daily.cvd PUA.RAT.RAdmin-28

daily.cvd PUA.RAT.RAdmin-29

daily.cvd PUA.RAT.RAdmin-35

daily.cvd PUA.RAT.SystemsInternals.pkill

daily.cvd PUA.RAT.Proxy

daily.cvd PUA.RAT.RacServer

daily.cvd PUA.RAT.RemoteABC

daily.cvd PUA.RAT.CoolCat

daily.cvd PUA.RAT.Slave

daily.cvd PUA.RAT.Radmin-36

daily.cvd PUA.RAT.Transmit

daily.cvd PUA.RAT.OCXDLLRegister

daily.cvd PUA.RAT.RACs

daily.cvd PUA.RAT.RAdmin-37

daily.cvd PUA.RAT.ProxyCrack.SP5

daily.cvd PUA.RAT.Pciext-1

daily.cvd PUA.RAT.Polip-1

daily.cvd PUA.RAT.GhostRadmin-1

daily.cvd PUA.RAT.Netcat-1

daily.cvd PUA.RAT.Netheif

daily.cvd PUA.RAT.Hackarmy

daily.cvd PUA.RAT.Azrael

daily.cvd PUA.RAT.BDHA

daily.cvd PUA.RAT.YahooBoot

daily.cvd PUA.RAT.VNC-48

daily.cvd PUA.RAT.RemoteWMI.Recton

daily.cvd PUA.RAT.VisiBrokerSmartAgt

daily.cvd PUA.RAT.NetManager

daily.cvd PUA.RAT.PortChanger

daily.cvd PUA.RAT.PsExec

daily.cvd PUA.RAT.Ycrack

daily.cvd PUA.RAT.RemoteAnything-11

daily.cvd PUA.RAT.GhostRadmin-2

daily.cvd PUA.RAT.Pipe

daily.cvd PUA.RAT.RAServer

daily.cvd PUA.RAT.VNC

daily.cvd PUA.RAT.VNC-1

daily.cvd PUA.RAT.VNC-2

daily.cvd PUA.RAT.RAdmin

daily.cvd PUA.RAT.RAdmin-1

daily.cvd PUA.RAT.RAdmin-2

daily.cvd PUA.RAT.VNC-3

daily.cvd PUA.RAT.VNC-4

daily.cvd PUA.RAT.VNC-5

daily.cvd PUA.RAT.VNC-6

daily.cvd PUA.RAT.HiddenAdmin

daily.cvd PUA.RAT.HiddenAdmin-1

daily.cvd PUA.RAT.HiddenAdmin-2

daily.cvd PUA.RAT.HiddenAdmin-3

daily.cvd PUA.RAT.HiddenAdmin-4

daily.cvd PUA.RAT.HiddenAdmin-5

daily.cvd PUA.RAT.HiddenAdmin-6

daily.cvd PUA.RAT.HiddenAdmin-7

daily.cvd PUA.RAT.HiddenAdmin-8

daily.cvd PUA.RAT.TFAK

daily.cvd PUA.RAT.RemoteAnything

daily.cvd PUA.RAT.RemoteAnything-1

daily.cvd PUA.RAT.RemoteAnything-2

daily.cvd PUA.RAT.RemoteAnything-3

daily.cvd PUA.RAT.RemoteAnything-4

daily.cvd PUA.RAT.RemoteAnything-5

daily.cvd PUA.RAT.RemoteAnything-6

daily.cvd PUA.RAT.RemoteAnything-7

daily.cvd PUA.RAT.RemoteAnything-8

daily.cvd PUA.RAT.RemoteAnything-9

daily.cvd PUA.RAT.RemoteAnything-10

daily.cvd PUA.RAT.PsExec-1

daily.cvd PUA.RAT.Sysinternals.PsExec

daily.cvd PUA.RAT.TFTPServer

daily.cvd PUA.RAT.RAdmin-38

daily.cvd PUA.RAT.Perl

daily.cvd PUA.RAT.Perl.CGItelnet

daily.cvd PUA.RAT.Neteye

daily.cvd PUA.RAT.eSurveiller-1

Sep 20, 2013 9:02 PM in response to g_wolfman

g_wolfman wrote:


RAT stands for Remote Access Tool.

Among other things.


It can also mean Remote Access Trojan, which is definitely malware or Remote Administration Tool which is commonly used by cell phone access providers, businesses, etc. that need to administer a "fleet" of cell phones, tablets or computers.


They all provide a means of remotely accessing a computer or device either with or without the user's knowledge. Legitimate usage includes updating firmware. You can probably imagine what could be done for the purposes of spying on your device.

Sep 21, 2013 2:08 PM in response to g_wolfman

g_wolfman wrote:


I doubt Remote Admin Tools used for fleet management are included in malware definition databases, for example.

Actually, that's exactly the type of RAT that qualifies as PUA. They are software that have legitimate uses but can be applied surreptitiously for other uses that the user isn't aware of. I could only locate two definitions for RATs that were classified as true malware.
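The distinction drawn in this exchange is visible in the signature names themselves: ClamAV prefixes a name with "PUA." when the signature is for a potentially unwanted application that clamscan only reports with PUA detection switched on, while signatures for outright malware carry a platform prefix such as "Win." or "Osx." instead. The script below is an added example, not part of the thread or of ClamAV; it takes lines in the two shapes pasted above (a bare "database name" pair, or the "md5:size:name" form), splits them into PUA and non-PUA counts, and tallies the PUA.RAT families with the trailing "-N" variant numbers stripped. The input lines are constructed to resemble the pasted list and are not copied from a live database.

```shell
#!/bin/sh
# Added example (not from the thread): triage a pasted list of ClamAV signature
# names of the kind shown above. Names are constructed for the example.
SAMPLE_SIGS='daily.cvd PUA.RAT.Radmin-31
daily.cvd PUA.RAT.VNC-44
daily.cvd PUA.RAT.PsExec
daily.cvd PUA.RAT.Sysinternals.PsExec
daily.cvd 8dd7d6fbd1c09c2caaacdb3590a325dc:1511664:PUA.RAT.Radmin-30
daily.cvd Win.Trojan.Example-1
daily.cvd Osx.Trojan.Example-2'

# Bare signature name: the last colon-separated field of the last whitespace
# field, so both "db NAME" and "db MD5:SIZE:NAME" lines yield NAME.
sig_names() {
    printf '%s\n' "$1" | awk '{n = split($NF, p, ":"); print p[n]}'
}

# Signatures ClamAV classes as potentially unwanted (need --detect-pua to fire).
pua_count() {
    sig_names "$1" | grep -c '^PUA\.'
}

# Everything else: signatures for material ClamAV treats as malware outright.
malware_count() {
    sig_names "$1" | grep -vc '^PUA\.'
}

# Tally PUA.RAT entries by family (third dotted component), merging numbered
# variants such as Radmin-30 and Radmin-31 into one row. Output: "count family".
rat_families() {
    sig_names "$1" | awk -F. '$1 == "PUA" && $2 == "RAT" {
            f = $3; sub(/-[0-9]+$/, "", f); c[f]++
        }
        END { for (f in c) print c[f], f }' | sort -rn
}

echo "PUA signatures:     $(pua_count "$SAMPLE_SIGS")"
echo "malware signatures: $(malware_count "$SAMPLE_SIGS")"
rat_families "$SAMPLE_SIGS"
```

Run against a real list (for example the output of `sigtool --find-sigs RAT` saved to a file, passed as `"$(cat sigs.txt)"`), the family tally shows at a glance how much of a large "RAT" hit count is Radmin, VNC and PsExec-style administration tooling rather than trojans.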

May 7, 2016 9:47 AM in response to thomas_r.

I would disagree that they could both become infected. Safari is one of the major problems - and they are always connected, no matter what. It is coming out that there are so many vulnerabilities - many which they - Apple - have long known about. If you have a pre-2014 MacBook Pro and let it go to sleep - rootkit and BIOS overwritten - you have lost control. I have been telling them this - though I didn't know the reason, just tons of proof - since 2011. They act like I'm crazy yet they can't fix any of the odd things that occur. I have had control taken from me while using it! AT&T recently agreed - and opened a case on this. So unless you are sure of your facts, please don't talk down to someone experiencing problems. 🙂

May 21, 2016 8:53 AM in response to Minty18522

Hi Minty18522, I didn't find any of your contacts so I'm writing here. I've got pretty much the same story of a boy spying on me. I'm sick of people telling me that this kind of hack is impossible. I've counted 9 or 10 hacked devices in my environment including my iPhone 4s, 5s and my mom's 6 and sister's 6s as well as many of my friends' Androids and my own tablet. Thank God there's one thing he didn't hack - my PC running Windows 7 😀 The boy threw hints at me in an associative, indirect way that he knows what I'm up to in my life, pretty much something in the same way as your girls, as I imagine. He blackmailed me with hints and threatened and let me know that he wants me. I didn't obey his demands as I've got a boyfriend so he started to send all those pictures of me naked, conversations and sounds to well-known people of my country, so-called stars. It's a huge scandal now and everybody thinks that I'm doing all this myself and no one wants to talk about this with me so I have no proof, only clues about what was sent to them. It was all real and my personal life that no one could access except by hacking devices. He couldn't do this physically because he had no access. Me and my bf bought non-smart simple phones and pretty much threw all the smart ones away as nothing helped them (tried factory reset many times, changed passwords, changed devices and so on..) so no one listens nor hacks us at the moment. But he threatens me into spying on and sending stuff of my whole family and I cannot prove anything to them; every time I try to tell them about this spying horror they think I'm paranoid and delusional as I have no proof (as I mentioned). I wanted to ask if you knew and learned anything from your own story that would help me; how did it end up for you?
