
chkrootkit

Hi All-


I want to check my MacBook Pro (OS X) for rootkits, i.e. make sure SniperSpy or a similar keylogger is not running on my computer.


The problem is I am not a programmer, but it appears that chkrootkit has to be installed using code and terminal.


Would anyone be able to share step-by-step instruction on how to install chkrootkit? http://www.chkrootkit.org/download/


Thank you

MacBook Pro, Mac OS X (10.7.5)

Posted on Apr 8, 2014 12:42 PM

7 replies

Apr 8, 2014 1:06 PM in response to green apple 8

Unless you're willing to audit the source code — and while I have no reason to doubt the intent of the folks that created that tool, nor am I aware of any issues with that code — you probably don't generally want to download and run these sorts of tools. If you're not in a position to audit the code, then you'll want to get somebody that can audit it for you. (You're going to end up providing your administrative password to this tool, which means this tool can do anything to your system.)


You can very badly mess up your system with add-ons, performance- or security-enhancing tools, anti-virus and related packages. If the tool you've chosen and downloaded happens to be hostile (or has been compromised by somebody that's hostile), then you could well be loading malware.


If you really want an anti-malware tool beyond the built-in XProtect detection mechanisms, there are reputable commercial choices.


There are available choices for tools that are newer than 2009, as well. Malware has changed since then, as has OS X. Again without knowing details of that tool, I'd expect it might miss some stuff, and it might also need to be reworked to operate with more recent versions of OS X — you're likely going to need to support it, not just run it...


In general...


If you're a target of attack or your Mac has been accessed by an untrusted privileged user, then you'll want to offload your personal files to backup, wipe the disk, and reinstall OS X. Backups and particularly off-line backups are a fundamental part of security in general, and you'll want to have multiple copies of those available.


If your likely adversary here is somewhere between decently-skilled to advanced or better, or you're one of the proverbial "high-profile targets" for security and your Mac has been exposed, then you'll want to replace your Mac. Yes, your whole Mac. You'll also want to engage some of the security folks around to help you both harden your system and particularly to help you learn how not to become compromised, and how to avoid having your communications compromised.


Etrecheck is a tool that can audit the usual sorts of problems and extensions, and its output is intended for posting here in the forums for review.


If you'd rather review some guidelines for operating and maintaining your systems, please see the (slightly older) Apple security guides and see the NSA security guides.


Apr 9, 2014 11:03 AM in response to MrHoffman

chkrootkit actually has a good reputation among the security community. However:

a. It is designed to be used by security professionals who understand its output; and

b. It is a Linux utility that generates a lot of false positives and/or meaningless results unless configured by someone who understands both chkrootkit and OS X (e.g., OS X doesn't store ssh config files in the same locations as Linux).


All of which is to say, even if the tool is good, it's unlikely to be anything the OP is able to use effectively (otherwise he wouldn't need to be here asking about it).

Apr 13, 2014 5:38 PM in response to green apple 8

No, thanks. I last played with chkrootkit when I was a PG student in computer and network security. It was an academic exercise because I wanted to see what sort of tests would be done to reveal the presence of a rootkit. I have no desire to do it again.


Besides, it's really something that you have to run and adjust based on your (or someone's) knowledge of your system. The very high level instructions would go like this:


1. Run chkrootkit (preferably while booted from an external drive or partition where chkrootkit is installed);

2. See all the errors;

3. Research all the errors to determine which ones are false positives related to unique Apple issues. Modify the chkrootkit configuration file(s) so that those false positives won't be reported again. Note any errors that don't appear to be false positives and which you can't otherwise find solutions for in well-regarded security forums, etc;

4. Repeat steps 1-3 until you have no errors, or you find something unusual that you cannot eliminate;

5. Deal with the residual issue. If a rootkit, you will almost certainly be wiping your system and re-installing from scratch.
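An added example, not from this thread or from the chkrootkit project: a POSIX sh helper for the triage loop in steps 1-4 above, assuming chkrootkit is installed and the suspect volume is mounted rather than booted. The sample output lines and the allowlist are constructed placeholders, not real OS X false positives.

```shell
#!/bin/sh
# Added example (not the thread's or chkrootkit's own code): run chkrootkit
# against a mounted suspect volume, then drop output lines already reviewed
# and recorded as OS X false positives, leaving residual findings for step 5.

# Step 1. chkrootkit's own options: -q reports only suspicious results,
# -r treats the given directory as the root filesystem to inspect.
run_chkrootkit() {   # $1 = mount point of suspect volume, $2 = output file
    sudo chkrootkit -q -r "$1" > "$2" 2>&1
}

# Steps 2-4. Each allowlist line must match a whole output line exactly
# (grep -x -F), so a reviewed false positive cannot mask a different finding
# that merely shares a prefix. Exit status: 0 = nothing residual, 1 = residual.
triage_findings() {  # $1 = chkrootkit output file, $2 = allowlist file
    residual=$(grep -v -x -F -f "$2" "$1" || true)
    if [ -z "$residual" ]; then
        echo "all findings matched the reviewed allowlist"
        return 0
    fi
    echo "residual findings, investigate before trusting this system:"
    printf '%s\n' "$residual"
    return 1
}

# Constructed sample data (illustrative, not real chkrootkit output): two
# lines stand in for reviewed false positives, one for an unexplained hit.
write_samples() {    # $1 = directory to write into
    cat > "$1/out.txt" <<'EOF'
Checking `sniffer'... en0: PACKET SNIFFER(/placeholder/reviewed-daemon[1])
Searching for suspicious files and dirs... /placeholder/reviewed-file
Checking `lkm'... You have 1 process hidden for ps command
EOF
    cat > "$1/allowlist.txt" <<'EOF'
Checking `sniffer'... en0: PACKET SNIFFER(/placeholder/reviewed-daemon[1])
Searching for suspicious files and dirs... /placeholder/reviewed-file
EOF
}
```

Each repeat of the loop adds only lines you have actually researched to the allowlist; the third sample line stays residual until it is explained.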

