Traveling Rootkit

Question

Traveling Rootkit

II've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtley altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webooks and additional packages in tow including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninflected Mac and compared fingerprints for Apples root certificate and they didn't match.

Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone meaning I have to reinstall from scratch.

iI've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Maverick, I have to use internet recovery which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and colorsync settings.

I had to start using terminal commands for everything because the gui interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely including EFI partition and Recovery Drive but it still comes back even if I'm offline and unplugged. I've seen some rogue code ,entitling handoff and like I said before Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.

It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing XCode or Homebrew or anything that installs compilers and Python is like opening Pandoras Box. Not an option Since I'm not fast enough to keep up with the mess of new code files spewed forth that results.

Booting a Linux install CD from a USB drive will get me to a whole separate mess basically the same. i did manage to get into TAILS which slowed things down and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /den folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too along with several loop devices, vcsa, vhost-net, etc. again this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and APCI still runs even using the apci=off command in Grub. It then makes a copy of the CD somewhere so it can alter it and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed..and it was not booted into RAM.

My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered.. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing.... Even on other networks it will rear its ugly head if my phone is around. I downloaded. Apps at a friends house and got one spurned to disk but by the second one I saw the same language encoding files and a css file with the same evil code getting burned to the disk.

IM pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source is that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point, my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed It finds a way. I'm about to turn my closet into a Faraday cage but then I can't download software from Apples "Secure" Server.

ONe thing that would be useful... Oooooohhhhhh so useful... Is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developers site but it's not easy to figure out what's what and it's not the latest version. ive been trying to use the Linux From Scratch site for a Linux version but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Reply

Answer 1

Jun 24, 2015 10:33 PM in response to James Brickley

Kurt, you have no idea what you're talking about and your solution sounds like a stock tech support answer. I didnt say the phones continued to work after removing the battery... I said it uses my phone to connect but still functions when the phones are off. So there is some other means besides phone or ethernet or wifi that it can use to transmit. Yeah, it still sounds like fiction, but you're in for a rude awakening if you think I'm making this all up. Anyone who doubts me feel free to send me your email abd I'll gladly pass along some files for you to test that squeaky clean method.

James, thank you for your helpful response. I thought it might be Thunderstrike and I know of several times someone would have had the opportunity to execute something like that. However, the same code is on another Macbook Pro 1,1 that I have which I thought was immune for some reason. It's also a 32 bit machine so I was hoping that might be a limitation too. It has also infected my mother's Macbook which I only plugged my iPhone into once. I read a proof of concept, I think written by the same guy that exposed Thunderstrike, explaining how it would be possible for malware to spread through trust settings, and it seems that that's what's happening here.

I hadn't thought about swapping out the hard drive altogether though. I don't have access to a clean Mac but I've got plenty of Linux distros I know are clean. I'll give that a try.

Incidentally, the senior AppleCare tech had never heard of Thunderstrike. Or even the possibility of rooting a Mac like that. And another side note... My mom ordered a Macbook from an organization that sells donated computers to non-profits. It showed up and had the same issue without ever being connected to their network. Someone else must have decided a tax write-off was easier than fighting this thing.

Reply

Answer 2

Jul 24, 2015 8:30 AM in response to scissortail76

hey,

first i want to apologize for any typing issues, or pictures I may attach being in poor quality I am using my iPad (and taking screenshots via camera since I am reinstalling osx).

I Do believe you, and honestly am a but hesitant to even think you really exist lol. That's how frustrating this has been for me also, I figure I have also had this for several months. I have been an IT person since 2000 and worked at an exclusively mac studio for a few years. in addition I am pretty observant but not always up to date on new things that get changed on new OS updates. That being said... The first thing I noticed was an EFI partition, that seemed to appear out of no where. But at the same time I was updating to Yosemite, so I figure it was something new. The EFI partition tho was msdos format, which made me suspicious, why would mac add a partition that I dos based

2. my mac would randomly start rubbing the fan on high, and things would grind to a halt, when I had nothing really powerful open (web browsing vs Final Cut Pro or photoshop). The activity monitor would show windows server is using all the processes...and if I force quit it it would shut down and restart... I have force quit almost every item at one point in activity monitor and can't remember that happening slowdowns, errors with opening apps but nothing that completely restarts it. Leads me to...

3. Console, I checked it but found no items on windows server no mention at all, well not at first, one time it was happening and I was in console already, only to see it show up and disappear shortly after....

4. So my console was being changed but what was doing it, so I checked info and User, and noticed wheel... Again I never seen wheel before but it showed up everywhere all of a sudden. I looked it up and online said its been standard for macs since 2005. I worked with OS X server and OS X and I never remember seeing wheel as a ssystem user. But this wheel user would show up not on everything but alot of items... Things like iWork garage band wouldn't have it, but chrome, Safari, skype iTunes iPhoto, I installed Firefox and for a week it didn't then bam it showed up. Anything that I noticed started acting up, would have wheel in it.

SO, sorry for being so verbose but it's some of the things I noticed and checked.... there a things I noticed that bother the program and things that hinder it but haven't yet stopped it... it connects to wifi before u even know that being said it's tough to deactivate wifi on ur mac without opening it and unplugging it from logic board...but it only knows what you know, so if you delete a wifi from ur list it doesn't have it either. i say this cause booting ur computer in an area you don't have access to Internet is gonna be key to getting rid of it. I shut my wifi right off, then boot into recovery, ya its hacked but it works enough. Run disk util, do a pram reset, and boot into single user mode, which I haven't been able to get into for months. From here, if ur issue is like mine, go into directory utility, (may want to backup just in case) and remember the wheel user... I deleted it... And well... At that point, things started to make sense for me, console blew up with issues happening, even tho I had hidden files to be shown, tons of files appeared, Automator, apple scripts, extensions for skype chrome safari that never showed up before.

but that's where I am I don't have a solution yet I do have a reason why it's an issue reinstalling. Attached picture

tthis is a screen shot of a harddrive infected but completely wiped, i am booted to a USB Yosemite drive I made sevral months ago, which unfortunatly is now compromised.

disk2, eso is a additional group of files to install... It only shows when I boot to USB otherwise those disk don't show up. The files they contain specifically set up certain keychain access, remote view, and control.... I have an idea to beat it, but want to try it before I say anything....

FInally, it seems to comprimise applications but maybe you might still have luck at using things that worked at first, but after reinstalling osx now find them compromised also,

little snitch, super great against this, but lock it down dont let access to anyone but you.... What happened to me is second time I downloaded, it appended a ibstall file, so any new rules I create had the option of being owned by "system" "myself" or "anyone" the third option anyone now greyed out... Key for preventing updates to ur bin files it seems to do a lot, but by blocking its access to DNS, and having mac default to a known DNS I used google, the web stopped sending me garbage and fake sites.

either way find a firewall and keep it up block all access if things go bad the system firewall seems compromised

onyx also seemed to work pretty well but at one point something happened and admin access was deleted on my account, so I had no admin which I eventualily fixed.

I Could go on and on about things but recently that seems to be helping, every time I seem to be regain control and breaking free something happens and get knocked back. I do want to say it doesn't seem to be firmware based if I remove all my hard drives and plug in a bootable USB unaffected it doesn't get it. Stays clean.... Also, until I got ride of that wheel user, that kept me in the dark with false info, you don't really have admin control, you just have the illusion of it.

Reply

Answer 3

Jul 1, 2015 6:17 PM in response to Kurt Lang

Here's a screen shot of the Hardware Info. Maybe you can also tell me why the spacing is bugged out too?

Another anomaly: the Automator scripts in my System Folder. I haven't touched Automator on this installation, and that's one of those fishy updates that happens at the tail end of every fresh Apple Recovery Drive reinstalls. I can't open them to see what they do, but there are libraries installed in Script Editor that I know aren't standard.

And an image from my root folder... I have added none of these files and have no access to /home or /net. And can't get rid of Remote Disc either.

You'll notice some of the dates are 9/9/2014 which is the most frequently used date for things that are created. All I could find that seemed relevant-ish was that it's Talk Like A Pirate Day. Arrrrrr! And I noticed all of this began about the time that I had installed something involving the R programming language.

But back to the idea of removing the drive...

I completely removed the hard drive, reset NVRAM, and restarted. It still booted up. Somehow the logging disabler got zapped too, though, and I was able to figure out that my computer and all of its components are being used as part of a RAID server... I'm guessing across the local network here which I share with two other people, all Mac users, which would explain how it can keep itself alive if it's not a rootkit. Some sort of pass-the-hash scheme.

Using GParted on a DVD I was able to boot from, and with the drive back in, I could see an unallocated partition that I was unable to delete or reformat. And every time I tried to rewrite the partition table it was still there. But then I figured out that even though I booted from the DVD which I know is a clean image, Grub was ignoring my command to load the DVD image and was booting it's own modified version. It seems like every time I insert a new DVD it catalogs it and sends it to its database to scrub and insert its own Linux kernel and apps.

So at this point, I can't even gain control of my own computer because the boot process directs it to the remote site. I have done a hard reset and factory reinstall on the modem and router a million times, but it's been added to a Class A subnet I don't recognize and reconnects every time. But even if I boot with no internet access, it boots from a preserved master image on that untouchable partition. Even in Single User Mode as root it gives me permissions errors if I try to edit system files, but even if I could it would just restore back to the master image every time I rebooted.

Is that enough proof? I'll concede that it might not be a rootkit, but semantics are not really helpful in solving the problem. What I need to figure out now is how to get rid of that secret partition. Any ideas?

Reply

Answer 4

Jun 24, 2015 8:01 PM in response to scissortail76

First of all, I believe you! Do you have any idea how the Mac became infected? It sounds like you contracted one of the new extremely rare firmware attacks. That means it's re-written your firmware to inject the rootkit every time you boot. If that is what happened, unfortunately you cannot remove it. You cannot overwrite the firmware. You would have to ship it back to Apple and have the system board replaced. This isn't just an Apple problem, there are PC rootkits capable of similar attacks. Another possible item is the root kit could be installed in the hard drive firmware. Attacks of this nature have been witnessed in the last 3-4 years and until recently were likely state sponsored groups behind them. This is not a run of the mill infection, it's quite advanced.

Final option to truly confirm the rootkit is in the firmware would be to do the following:

1. Buy a new thumb drive 8gb+ (preferably one with a write protect hardware switch or external forensics write blocker device)

2. Plug it ONLY into a known clean Mac and download Yosemite and burn to the thumb drive

3. Replace the internal Mac hard disk

4. Boot only from the write protected thumb drive and install Yosemite

5. If the rootkit shows up then it has to be coming from the Mac firmware

6. Sorry... You have a brick...

There really is no way around this, the firmware is used to boot and will always re-install the rootkit as you have noticed. Apple may be able to overwrite the firmware or replace the chip at their factory.

You might try to find a security researcher who would be willing to buy the Mac purely for the forensics and reverse engineering of this attack.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-m alware-that-jumps-airgaps/

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vuln erable-to-permanent-backdooring/

At some point malicious software was run as root or admin privileges that allowed the firmware to be overwritten. As a precaution in future, set a firmware password and ensure root account remains disabled and that you do not run a primary account as admin. Be extremely careful installing software. Avoid pirated software as many contain malicious payloads. Avoid the dangerous underbelly of the Internet / darknet, etc.

Reply

Answer 5

Jul 7, 2015 1:41 AM in response to scissortail76

i don't recall there being hundreds of scripts preloaded in that folder. And please don't talk down to me like I have no idea what I'm doing. I've been using a Mac for 20 years and while I'm no hacker, I've spent over a decade using code to script Photoshop and Flash and whatever else I've needed to streamline. So when you tell me things like "stop using Linux" or "quit poking around" you make yourself sound condescending and close minded. Admittedly I am running around throwing out random examples that may or may not be evident on their own, but look at the big picture. Little anomalies all over the place are exactly how you would design something to go unnoticed. You dismiss the bugged out text as just a glitch... But it isn't a glitch. That's consistent behavior.

Do me a favor and tell me how many files are in your /System/Library/LaunchAgents and LaunchDaemons folders. I have over 400 combined after a clean install. Why does my hard drive have 447MB of data on it when I format it with Disk Utility? Why does cloudd ask me for my password when I'm not logged in to anything and have Wifi off? Why does my router use a class A address for the gateway on a simple home network and why is the MAC address for the AP not one that exists for any device I can find in the house?

And why does DarwinDumper show VooDooHD as the audio driver and Q77 as a driver for my processor? Why does an ICC color profile have a fake dmesg type bootup script in it?

BUt you're right about the lack of evidence. for the sake of the Scientific Method I will start from baseline and follow your instructions exactly so that we are all on the same page. And I promise not to poke around or do bad things with Linux.

Back in a few...

Reply

Answer 6

Drew Reece

Level 6

10,684 points

Dec 24, 2017 9:11 PM in response to bbcash

Underlying errors reported (indicates the disk media may be faulty)

The screenshot has "Disk IO errors" (potential disk issues)

Looks like your internal disk is damaged/ failed/ unreliable. Disks do not last forever, has it ever been replaced, I assume it is for the 17" Macbook Pro (from around 2012)?

Take it to an Apple store ask for a test or a quote to replace it. Or find someone to do it for you. ifixit.com will have a guide for a HD replacement. Apple hardware test will do some basic tests & may verify if the disk is having issues…

How to use Apple Hardware Test on your Mac - Apple Support

I think some models also had bad SATA drive cables that can fail, so a store may advise you on that.

As for the rest of your issues – sorry life is too short to try to parse and process everything you wrote.

TLDR: Almost 1000 words…

Wi-Fi issue
2 factor issue
Screenshot issue
Display port issue
Black screen issue
'Magical' HP printer issue
3-4 routers
Installer issue
EFI issue
Autosave cannot save (seems OK as the disk appears to be an installer DVD, no idea how that situation arose)
Whatever else I missed… and this is about 5% of your issues

You will probably get better answers if you explain each issue concisely in your own topic without the references to other devices. There is little point hijacking this old thread, nothing appears to have fixed the OP's issue. This thread also assumes an unlikely & rare occurrence is the answer to all the issues (a rootkit) - how about ruling out all of the simpler explanations first.

All of these issues in one device could indicate you have a 'lemon', a device that is plagued by issues & needs an expert to diagnose and/or repair, with all respect, you don't seem to talk like a computer expert, seek help from someone else.

Also perhaps you are just bad with technology, nothing is wrong with that but you should seek help from a third party. There are many things I cannot do (plumbing, brain surgery…) so paying someone else is the only option I have, otherwise I cause bigger problems.

[P.S. above is 370 words & is probably considered to long by some, I shall not be adding more to this thread]

Reply

Answer 7

Kurt Lang

Level 9

68,262 points

Jul 24, 2015 9:04 AM in response to bentleyonthego

Sorry, but there's a heaping pile of nonsense and misunderstanding of what is on your Mac. Actually, as an IT person for Macs since 2000, it's rather amazing you don't appear to know any of the following.

The first thing I noticed was an EFI partition

Every physical drive that has been partitioned as GUID for the Mac will have an EFI table at the top of the drive, such as below. I set up Disk Utility to show the developer menu, which enables you to show all partitions, including normally hidden ones, such as the EFI tables. They also have no format to speak of. I highlighted one of them so you can see what information is shown for an EFI partition. Anyway, it's completely normal.

my mac would randomly start rubbing the fan on high, and things would grind to a halt,

And why do you believe that automatically equates to malware? It could be a number of reasons, such as a corrupt OS installation, an issue with the logic board, bad RAM, etc. On our 2008 Mac Pro, we installed 8 extra GB of RAM from Other World Computing. Every time we used it for anything that taxed it even a little, the fans would ramp up to full blast until the process finished (like encoding a video). Finally, the Mac came on one day showing 4 GB less RAM than was installed. It turned out one of the 4 GB sticks we put in from OWC was bad from the day we got it and it finally croaked. They replaced it, and now the Mac is always quiet, no matter what it's doing. That bad stick was overheating every time it was being accessed.

and noticed wheel

The user wheel is completely normal. It belongs to the OS, as in "the big wheel". It's an account that allows the OS to do things that Unix permissions would otherwise stop a normal account from doing. It needs to be there so the OS can do its job.

and remember the wheel user... I deleted it...

Congratulations. You succeeded in completely destroying the OS by removing a required account. Now you get to erase the drive and start over. I wouldn't even attempt to just reinstall the OS over what exists given the sledge hammer approach you've taken to what are all normal processes.

There isn't a point to continue examining the rest of your content. You've butchered your system beyond repair by looking for things you think are there, and then proceeding to entirely ruin the system.

Reply

Answer 8

Kurt Lang

Level 9

68,262 points

Jul 2, 2015 11:49 AM in response to scissortail76

An extra note. Apple released firmware updates for many Mac models that came with Mountain Lion (like yours). Your current firmware version is:

MBP102.0106.B07

The new firmware, released June 30, brings it to:

MBP102.0106.B08

Mac EFI Security Update 2015-001

It's specifically to block Thunderstrike. The above should be the correct firmware for your Mac since that's the entry in Apple's list that also has your SMC version. If not, it won't allow you to install it.

According to Apple's firmware update page:

Most firmware updates are automatically installed when you update or upgrade OS X. Some firmware updates are also available as downloads you can install manually. If your Mac needs a firmware update and it isn't installed automatically, check to see if a manual updater is listed below.

So if you've already updated to 10.10.4, then it may have already been applied. Check System Information again. If it hasn't, it should show in Software Update.

Reply

Answer 9

Drew Reece

Level 6

10,684 points

Aug 2, 2015 11:02 AM in response to scissortail76

scissortail76 wrote:

Lately I've unearthed a ".MobileBackups" folder that seems to be created as a mtmfs disk by Time Machine. Every day something new shows up. Please keep me posted on your progress and I'll do the same.

The .MobileBackups folder is also normal, it is used on laptops to allow backups to happen when a Time Machine disk is unavailable. It is automatically emptied as free space becomes an issue.

You can read the manual and disable the local backups if you don't want them…

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/ man8/tmutil.8.html

sudo tmutil disablelocal

Those backups will be removed whenever Time Machine decides to clear them out.

As ever Pondini explains how Time Machine works…

http://www.pondini.org/OSX/DiskSpace.html

Frankly you appear to be digging for a problem where non exist or you are failing to explain the problem succinctly enough to get real help. The major problem here is that there are parts of the OS you do not understand & you assume they are attacks, hacks, spies or evidence of something equally malicious. If you want help here explain the actual problem, not what you think might cause it.

Dust off & nuke your computer(s) from orbit if you want to rid yourself of the problem, it is the only way to be sure…

Reply

Answer 10

Drew Reece

Level 6

10,684 points

Aug 6, 2015 4:10 PM in response to scissortail76b

Did you contact law enforcement as advised by Apple?

If an iCloud account compromised it can lead to the Mac been controlled but it only has the same features as are available in the Find my Mac service. Back To my Mac can allow remote access if it was enabled (erasing the OS should stop that).

The Mac may contain evidence if it is actually compromised. Reinstalling OS's will obliterate that if it is stored on the disk, think about how you want to proceed.

scissortail76b wrote:

Thank you Drew for clearing that up. Now please explain everything else I already mentioned as well before telling me I don't know what I'm talking about.

Many of the points you raise can be explained by means that do not need you to be hacked. Here are just a few reposts to your posts, I've tried to keep it in order…

Gatekeeper is part of OS X. Asian language support is too, having them listed in install logs is normal. Webooks is unusual but it could be from a third party app, I really don't know at what state the OS was when that appeared.

The packages contained in the OS X installer can show the files to be installed if you really want to see how much is installed by default. I have a clean 10.10 install with over 350,000 files, it's more than I could keep track of.

Here is how OS X tells you what package installed one of those Automator actions, in Terminal…

pkgutil --file-info /System/Library/Automator/Activate\ Fonts.action/

volume: /

path: /System/Library/Automator/Activate Fonts.action/

pkgid: com.apple.pkg.Essentials

pkg-version: 10.9.0.1.1.1306847324

install-time: 1399430468

uid: 0

gid: 0

mode: 755

pkgid: com.apple.pkg.update.os.10.9.3.13D65.delta

pkg-version: 1.0.0.0.1.1306847324

install-time: 1400212681

uid: 0

gid: 0

mode: 755

It is installed via the 'Essentials' package & updated via the 10.9.3 delta update (yes this is a 10.9 Mac). It is part of a legitimate installer, you can go back & verify the install package certificate too if you still have the OS installer, it should be signed by Apple nowadays.

Certificates can vary across Macs if they are not using the same OS X version (& minor updates). It is also likely that a migrated Mac will have some legacy certificates in addition to the default ones. Apple have this list for verification…

List of available trusted root certificates in OS X Yosemite - Apple Support

The OS X installer includes Python by default, so avoiding Xcode does nothing to protect you from that or many of the other scripting environments, finding it is not a bad sign in itself.

Linux (and OS X) creates many devices, character devices & tty's in /dev. That is just how it operates. Have you ever heard the saying 'everything is a file in Linux or Unix'?

/dev is where hardware devices are turned into 'files' that can include files just for the status LED's of attached hardware etc, it is normal to see many entries, unless you have built the OS yourself & know how it all operates it can be difficult to unpick.

You found TAILS OS was slow. That is what happens when you run an OS that avoids writing to permanent storage. Also running from an external disk is slower than internal disks - did you full install it or USB boot it? TAILS tries to use TOR for all internet traffic, so it makes the internet many times slower, but you view it as a sign that the Mac is hacked.

You found a tftpboot folder in OS X, I assume you mean /private/tftpboot ?

That is normal even when networking is off. It is for OS X to host a server with a tftp share for other devices - it is nothing to do with how the OS is booting. OS X has many servers built in, most are disabled by default. Config files are installed for non-Apple services (such as the Apache web server), supporting files & folders are also created.

You installed Kali & then found the "Cheeky b@$t@rd$" had hacked your machine again & 'revealed' all the 'hacker tools' like netcat. Unfortunately Kali linux is a 'penetration testing & security' distribution. That is how it is designed. It is normal for those tools to appear in menus - it is a selling point of that OS. It is intended for security professionals.

Sorry but this isn't a sign of an elaborate EFI hack - it is a user jumping to conclusions because they don't understand the OS.

You tell us your DNS is hacked. If that is the case you can try to work out where the hack is & avoid it (it is either on your network or external to it). Start by using another network. Reset your router if you think it is compromised (or replace it). There is some good starting info at …

http://www.thesafemac.com/how-to-manage-a-hacked-wireless-router/

Have you contacted your ISP? They may explain why you are assigned the IP. A 'class A' range does not have to be a public address, the 10.x.x.x range is a class A, but is only available as a private network. If you don't trust the ISP change the supplier.

Get the OS X installer via a connection that you do not think is 'hacked' & it should create a clean, secure installation. Ask at an Applestore if they will download it for you if you trust them.

Reduced numbers of processors may show up if you have failing hardware. Have you run Apple hardware test?

Using Apple Hardware Test - Apple Support

Your 500GB hard disk showing around 450G is normal if it is using Gibibytes instead of Gigabytes - it really depends on the method used to view it, linux distros show it using different units, 465GiB seems about right …

http://www.wolframalpha.com/input/?i=500+gigabytes+in+gibibytes

You found EFI & SMC payloads in the OS X installer - once again normal. OS X can require firmware updates so it bundles them to make the upgrade process easier.

netstat shows many internal connections - even when the Mac is not networking. OS X opens sockets to itself, again I see this on a clean Mac with no networking enabled.

/home & /net are normal hidden folders on OS X, those Automator actions are also in a standard install.

On a clean 10.10.3 here is a count of the System launchd jobs…

ls -l /System Library/LaunchAgents | wc -l

211

ls -l /System Library/LaunchDaemons | wc -l

261

I do think that tearing into a system is a good way to learn, but you are not tweaking & learning, you are hunting for things that look scary & assuming they are bad. Many many of the things you find look scary to untrained eyes, which is why Apple told you to seek help from law enforcement. They are trained to forensically break down compromised machines whilst preserving evidence. Dig into the OS, break it, reinstall it, break it again, it is a fun way to learn, but that is different to hunting for signs of a compromise.

I don't doubt that it is possible for Thunderstrike or any of the other historically known 'DMA attacks' to cause some of what you claim (the potential has been known since before Firewire was invented). It just seems unlikely, I haven't seen reports of these attacks used 'in the wild' & these complex persistent attacks seem to have been the reserve of nation states who don't generally target just anyone. You don't say if you work for a government or related agency so I doubt you are a target and if you are their target they have failed since you have discovered so much!

Many of your claims here are not signs of an attack, they are just mistakes you made. It makes it practically impossible to distinguish what is fact & what is you misunderstanding the internals of these OS's. Your descriptions of 'it' jumping around from Mac to Mac & to iOS devices also make it sound beyond what we have seen, not impossible, but very implausible. You haven't defined what 'it' is either beyond a fuzzy feeling that something is wrong.

It sounds drastic, but if you have the rootkit that you think you have then it would be a permanent fixture of these devices - unremovable. Apple patched Thunderstrike in newer OS's so your only option would be to stop using the devices (hand them all to the police) & acquire new ones. If you have any Apple warranty, return them.

P.S.

I'm not trying to discredit everything you said, I'm just suggesting that you are missing many nuances & features of several complex systems.

Reply

Answer 11

Jun 24, 2015 6:03 PM in response to Allan Eckert

My answer was not sarcastic. There is indeed a question complete with a question mark. And many implied questions including the obvious "What the **** do I do???" that should go without saying. But here are some bullet points since I'd rather have a productive discussion than fill up a thread with unhelpful ctiricism of forum etiquette.

Rootkit on a Macbook Pro 13" Retina Early 2013.
Persists through complete wipe of drive including EFI and Recovery Partition.
Uses version control to keep config files in place and invilves a tftpboot device.
Only 2 processors show up as online and running.
Booting from Internet Recovery is rerouted to spoofed recovery system
Downloads and file transfers are altered to include malicious code.
Apps include EFI Payload and SMC Payload installers.
Serial devices are in use even though I have none.
Bluetooth is active even though it's turned off.
PCI devices all have option ROMs installed and I didnt install them.
Keychain adds countless permissions for things I never authorized.
Netstat shows active connections when the modem and router are turned off and unplugged.
My 500GB hard drive has been wiped of all partitions and partition maps and verified with fsck, fdisk, and gparted using an external DVD boot of Linux and shows about 450GB free.
However, even booting from external sources routes through Grub and launches altered versions of the Linux kernel, apps, and bin/sbin commands.

Questions:

How do I boot without the option ROMs or disable them?
Is it possible to create network connections theough other protocols such as Handoff or AirPlay?
How do you reveal and access hidden areas of the hard drive?
How do I download files securely without the system altering them intransit or while being copied from a disk?

Reply

Answer 12

Kurt Lang

Level 9

68,262 points

Jun 24, 2015 6:20 PM in response to scissortail76

I see nothing here but a work of fiction. Especially phones with no power source of any kind (you removed the batteries) still magically continuing to be infected with - something.

Restart the Mac and hold down the Command+Option+R keys to boot into Internet Recovery Mode. The Mac boots to its firmware this way, bypassing anything on the drive completely. Launch Disk Utility and click on the physical drive name at the far left. Choose the Partition tab. Change the default of "Current" to something else. If the drive is one partition now, and that's all you want, choose 1 Partition. Click Apply.

This will entirely wipe out the drive, including the current hidden Recovery partition. When it's done, exit Disk Utility and choose to install OS X. The version your Mac shipped with will be installed and all will be squeaky clean.

Reply

Answer 13

Jun 24, 2015 10:45 PM in response to James Brickley

I just read the second link you listed... That sounds right on and also explains why my computers go to sleep randomly when I'm using then and a lot of unintelligible code involving sleep commands. I hadn't heard about that one... Thanks again for the info. And a huge thank you for including a link with a way to test for it. That's something I never could find for Thunderstrike.

Reply

Answer 14

Kurt Lang

Level 9

68,262 points

Jun 25, 2015 6:00 AM in response to scissortail76

Okay, I see why Apple's staff called you paranoid. There's just way too much crazy going on here to even attempt continuing to try and help. It's time to put the fishing gear away. You've already pulled in more red herrings than you could ever use in a lifetime.

And yes, I have read up on the things you mention. The odds of any of them ever happening is just short of zero. Thunderstrike requires physical access to your computer. The chances that someone would take your computer, just happen to have the means to infect it, and give it back to you is laughably slim. 99.99999999999999% of the people who would takes someone else's Mac have no intention of ever giving it back.

And who's the only other person in this topic you'll listen to? Well, the person who agrees with you, of course! Even Apple's response that nothing was wrong didn't phase you. Please go away and bother someone else.

Reply

Answer 15

Jun 25, 2015 7:25 AM in response to Kurt Lang

Yes it's crazy. But it's possible. Not sure what purpose I'd have making this up, and I've got screenshots and logs and if you wanna come iver for supper I'll give you a live demonstration. And you can also show me the credentials that make you all knowing. You dont know who I am or who I know or what I know so until you have more to offer than "Nuh uhhh!" your comments are only making this thread more active and more likely to be seen. So thanks at least for that. But even if my posts are exaggerated, which they're not, then you still haven't offered any helpful suggestion for solving the rootkit issue itself. I dont deny that it could just be a really clever scripting job and I'm not versed in Python and Ruby and Mac kernel lingo to figure it out. Considering that 99.9999999...% of search results I've found didnt work, MAYBE it's possible that this is one if those freaky ones that you do admit exist.

Reply