

Traveling Rootkit

I've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webhooks and additional packages in tow including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate and they didn't match.


Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone meaning I have to reinstall from scratch.


I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use internet recovery which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.


I had to start using terminal commands for everything because the GUI interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely including EFI partition and Recovery Drive but it still comes back even if I'm offline and unplugged. I've seen some rogue code, entitling handoff, and like I said before Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.


It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's Box. Not an option since I'm not fast enough to keep up with the mess of new code files spewed forth that results.


Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too along with several loop devices, vcsa, vhost-net, etc. Again, this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and ACPI still runs even using the acpi=off command in Grub. It then makes a copy of the CD somewhere so it can alter it, and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed, and it was not booted into RAM.


My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing... Even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one spurned to disk but by the second one I saw the same language encoding files and a css file with the same evil code getting burned to the disk.


I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point, my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed it finds a way. I'm about to turn my closet into a Faraday cage but then I can't download software from Apple's "Secure" Server.


One thing that would be useful... Oooooohhhhhh so useful... Is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developers site but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Question marked as Best reply

Posted on Jun 24, 2015 8:01 PM

First of all, I believe you! Do you have any idea how the Mac became infected? It sounds like you contracted one of the new extremely rare firmware attacks. That means it's re-written your firmware to inject the rootkit every time you boot. If that is what happened, unfortunately you cannot remove it. You cannot overwrite the firmware. You would have to ship it back to Apple and have the system board replaced. This isn't just an Apple problem, there are PC rootkits capable of similar attacks. Another possible item is the rootkit could be installed in the hard drive firmware. Attacks of this nature have been witnessed in the last 3-4 years and until recently there were likely state sponsored groups behind them. This is not a run of the mill infection, it's quite advanced.


Final option to truly confirm the rootkit is in the firmware would be to do the following:

1. Buy a new thumb drive 8gb+ (preferably one with a write protect hardware switch or external forensics write blocker device)

2. Plug it ONLY into a known clean Mac and download Yosemite and burn to the thumb drive

3. Replace the internal Mac hard disk

4. Boot only from the write protected thumb drive and install Yosemite

5. If the rootkit shows up then it has to be coming from the Mac firmware

6. Sorry... You have a brick...


There really is no way around this, the firmware is used to boot and will always re-install the rootkit as you have noticed. Apple may be able to overwrite the firmware or replace the chip at their factory.


You might try to find a security researcher who would be willing to buy the Mac purely for the forensics and reverse engineering of this attack.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/


At some point malicious software was run as root or admin privileges that allowed the firmware to be overwritten. As a precaution in future, set a firmware password and ensure root account remains disabled and that you do not run a primary account as admin. Be extremely careful installing software. Avoid pirated software as many contain malicious payloads. Avoid the dangerous underbelly of the Internet / darknet, etc.

60 replies

Jun 25, 2015 6:00 AM in response to scissortail76

Okay, I see why Apple's staff called you paranoid. There's just way too much crazy going on here to even attempt continuing to try and help. It's time to put the fishing gear away. You've already pulled in more red herrings than you could ever use in a lifetime.


And yes, I have read up on the things you mention. The odds of any of them ever happening are just short of zero. Thunderstrike requires physical access to your computer. The chances that someone would take your computer, just happen to have the means to infect it, and give it back to you are laughably slim. 99.99999999999999% of the people who would take someone else's Mac have no intention of ever giving it back.


And who's the only other person in this topic you'll listen to? Well, the person who agrees with you, of course! Even Apple's response that nothing was wrong didn't faze you. Please go away and bother someone else.

Jun 25, 2015 7:25 AM in response to Kurt Lang

Yes it's crazy. But it's possible. Not sure what purpose I'd have making this up, and I've got screenshots and logs and if you wanna come over for supper I'll give you a live demonstration. And you can also show me the credentials that make you all knowing. You don't know who I am or who I know or what I know, so until you have more to offer than "Nuh uhhh!" your comments are only making this thread more active and more likely to be seen. So thanks at least for that. But even if my posts are exaggerated, which they're not, then you still haven't offered any helpful suggestion for solving the rootkit issue itself. I don't deny that it could just be a really clever scripting job and I'm not versed in Python and Ruby and Mac kernel lingo to figure it out. Considering that 99.9999999...% of search results I've found didn't work, MAYBE it's possible that this is one of those freaky ones that you do admit exist.

Jun 25, 2015 7:53 AM in response to scissortail76

Then prove it by following the steps I outlined above, which will completely replace everything on your drive with a fresh install of the OS and nothing else. Then without connecting to the Internet or mounting any other drives, prove to me that any of these symptoms return. Until then, you're wasting your time, and everyone else's.


As I said, yes, I have read about these firmware threats before. But physical access is required by the very, VERY few people who even have a copy of Thunderstrike and have the knowledge to apply it. It also requires a Mac that was built before mid 2014. Any newer firmware cannot be infected. You haven't said how old your Mac is, so I will say there is an extremely thin possibility that what you say is true. But it would take an extraordinary set of circumstances to have been fulfilled.


Hold the shift key and click on the Apple at the upper left. Choose System Information. Post here what model Mac you have, which is the second line. It would be something like MacPro5,1. Also note the Boot ROM version here, which is your firmware release, which you say doesn't exist.

Jul 1, 2015 6:17 PM in response to Kurt Lang

Here's a screen shot of the Hardware Info. Maybe you can also tell me why the spacing is bugged out too?


User uploaded file


Another anomaly: the Automator scripts in my System Folder. I haven't touched Automator on this installation, and that's one of those fishy updates that happens at the tail end of every fresh Apple Recovery Drive reinstall. I can't open them to see what they do, but there are libraries installed in Script Editor that I know aren't standard.

User uploaded file

And an image from my root folder... I have added none of these files and have no access to /home or /net. And can't get rid of Remote Disc either.


User uploaded file


You'll notice some of the dates are 9/9/2014 which is the most frequently used date for things that are created. All I could find that seemed relevant-ish was that it's Talk Like A Pirate Day. Arrrrrr! And I noticed all of this began about the time that I had installed something involving the R programming language.


But back to the idea of removing the drive...


I completely removed the hard drive, reset NVRAM, and restarted. It still booted up. Somehow the logging disabler got zapped too, though, and I was able to figure out that my computer and all of its components are being used as part of a RAID server... I'm guessing across the local network here which I share with two other people, all Mac users, which would explain how it can keep itself alive if it's not a rootkit. Some sort of pass-the-hash scheme.


Using GParted on a DVD I was able to boot from, and with the drive back in, I could see an unallocated partition that I was unable to delete or reformat. And every time I tried to rewrite the partition table it was still there. But then I figured out that even though I booted from the DVD which I know is a clean image, Grub was ignoring my command to load the DVD image and was booting its own modified version. It seems like every time I insert a new DVD it catalogs it and sends it to its database to scrub and insert its own Linux kernel and apps.


So at this point, I can't even gain control of my own computer because the boot process directs it to the remote site. I have done a hard reset and factory reinstall on the modem and router a million times, but it's been added to a Class A subnet I don't recognize and reconnects every time. But even if I boot with no internet access, it boots from a preserved master image on that untouchable partition. Even in Single User Mode as root it gives me permissions errors if I try to edit system files, but even if I could it would just restore back to the master image every time I rebooted.


Is that enough proof? I'll concede that it might not be a rootkit, but semantics are not really helpful in solving the problem. What I need to figure out now is how to get rid of that secret partition. Any ideas?

Jul 1, 2015 6:42 PM in response to scissortail76

Besides the clipped text in System Information, all of those screen shots look like a completely normal system.


All of those Automator things are Actions. That's how Automator works, by implementing a sequence of Actions. You can't open them because there is nothing to open. They may launch Automator, but they are not documents. You'll find them in the Library in Automator.


That shot of SystemAdditions Library looks exactly like it has for all versions of OS X that I can remember, except for the recent addition of support for Open Scripting Architecture (OSA) languages. Hence the change from Applescript Editor to ScriptEditor.


You have all the hidden files showing, but other than that, those are all normal.

net and home are standard mount points, I think for net booting, but I'm not sure.

My dates are the same, because that's when they were created for the install image.

Jul 1, 2015 7:04 PM in response to scissortail76

There isn't a single thing you show that isn't a normal part of every installation of OS X. As far as the weird display of text in System Information's right hand pane, that's also nothing new. It's been like that since at least Mavericks. Pull the window out to the right and it will fix itself. Reduce the window size in to the left and text will go screwy again.


Basically, you're spending an awful lot of time looking for nothing out of the ordinary.

Jul 1, 2015 8:05 PM in response to scissortail76

Things look normal to me, even those Sept 9 2014 dates as they are the same on my system. Time to go to square one and start over again. This time, do ONLY WHAT YOU SEE BELOW and stop running down the rabbit hole reaching for Linux tools that are only going to confuse you. Do not use GParted or any other Linux tools; you don't need them. Besides, they won't recognize OS X Core Storage and will display weirdly as a result. Also stop messing with Single User Mode, etc.


1. Build a bootable Yosemite thumb drive using one of the other Macs you mentioned

http://www.macworld.com/article/2367748/how-to-make-a-bootable-os-x-10-10-yosemite-install-drive.html

2. Boot with it by holding OPT on your Mac

3. Go to Disk Utility on the menu

4. Re-partition to 1 partition GUID under options button and with Extended Journaled HFS+

5. Install Yosemite (it should be 10.10.4)

6. Do not connect to WiFi nor Ethernet. Everything you need is on that thumb drive (for now)

7. Do not encrypt with FileVault2


Do not make any other changes to the system, keep it entirely plain vanilla. Do not enable root, do not modify Preference files to display hidden files, etc.


At this point you will have a squeaky clean system as intended. When 10.11 is released all those system files you have been poking with a stick will likely be locked down using the new "rootless" security mode, so don't mess with that stuff. Touch NOTHING under root that is in system file locations. User data belongs in /Home/UserName and nowhere else. This is not FreeBSD nor Linux; you are not meant to monkey around in those system locations. OS X uses ACLs (Access Control Lists) on top of traditional Unix permissions and there are even some very special file flags, so that could explain why root wasn't able to modify protected system files. When rootless is turned on with 10.11 it will be even harder to mess with those files.


Now if you find you have Postfix installed or anything else weird we are going to need screen shots as proof. The evidence provided so far has been rather lacking and your illogical statements are peppered with incorrect or impossible scenarios. All your screenshots look perfectly normal, the files are in order and proper by all accounts. Those hidden files are hidden for a reason, you don't need to touch them at all.


Do these simple things and report back. Do not dig deeper do not make changes. Locate the problems you see and collect evidence, report back.

Jul 2, 2015 11:49 AM in response to scissortail76

An extra note. Apple released firmware updates for many Mac models that came with Mountain Lion (like yours). Your current firmware version is:


MBP102.0106.B07


The new firmware, released June 30, brings it to:


MBP102.0106.B08


Mac EFI Security Update 2015-001


It's specifically to block Thunderstrike. The above should be the correct firmware for your Mac since that's the entry in Apple's list that also has your SMC version. If not, it won't allow you to install it.


According to Apple's firmware update page:


Most firmware updates are automatically installed when you update or upgrade OS X. Some firmware updates are also available as downloads you can install manually. If your Mac needs a firmware update and it isn't installed automatically, check to see if a manual updater is listed below.


So if you've already updated to 10.10.4, then it may have already been applied. Check System Information again. If it hasn't, it should show in Software Update.
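The check described in this reply (compare the Boot ROM version in System Information against the version Apple's update should bring) can be scripted so it is repeatable rather than read off a screenshot. The script below is an added example and not code from the thread or from Apple; it assumes the firmware text comes from `system_profiler SPHardwareDataType`, whose "Model Identifier:" and "Boot ROM Version:" lines it parses, and its expected-version table holds only the one entry the thread gives (MacBookPro10,2 at MBP102.0106.B08). The profiler output embedded here is a constructed sample so the script runs offline; on a real Mac you would pipe the live command into it.

```shell
#!/bin/sh
# Added example (not from the thread): verify the Boot ROM version that
# system_profiler reports against the version expected for the model.
# Live use on a Mac (assumed invocation):
#   check_firmware "$(system_profiler SPHardwareDataType)"

# Expected Boot ROM per model identifier. The only entry is the one the
# thread states: Mac EFI Security Update 2015-001 takes MacBookPro10,2 to B08.
expected_boot_rom() {
    case "$1" in
        MacBookPro10,2) echo "MBP102.0106.B08" ;;
        *)              echo "" ;;   # unknown model: nothing to compare against
    esac
}

# Extract the first "Model Identifier:" / "Boot ROM Version:" value from
# system_profiler-style text on stdin (leading indentation is ignored).
parse_model_id() {
    sed -n 's/^[[:space:]]*Model Identifier:[[:space:]]*//p' | head -n 1
}
parse_boot_rom() {
    sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p' | head -n 1
}

# check_firmware TEXT -> prints one status line.
# Exit status: 0 = OK, 1 = MISMATCH (older or unexpected), 2 = UNKNOWN model.
check_firmware() {
    text="$1"
    model=$(printf '%s\n' "$text" | parse_model_id)
    found=$(printf '%s\n' "$text" | parse_boot_rom)
    want=$(expected_boot_rom "$model")
    if [ -z "$want" ]; then
        echo "UNKNOWN model=$model bootrom=$found"
        return 2
    elif [ "$found" = "$want" ]; then
        echo "OK model=$model bootrom=$found"
        return 0
    else
        echo "MISMATCH model=$model bootrom=$found expected=$want"
        return 1
    fi
}

# Constructed samples mimicking system_profiler SPHardwareDataType output:
# the pre-update version named in the thread, and the post-update one.
SAMPLE_OLD='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro10,2
      Boot ROM Version: MBP102.0106.B07'

SAMPLE_NEW='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro10,2
      Boot ROM Version: MBP102.0106.B08'

# Stand-alone run: report both samples (the first deliberately mismatches).
check_firmware "$SAMPLE_OLD" || true
check_firmware "$SAMPLE_NEW"
```

A version that reads as "higher than the latest Apple published" lands in the MISMATCH branch just like an older one, which matches how the thread treats it: anything other than the published version for that model is worth a second look, and a confirmed mismatch is a reason to apply the EFI update or involve Apple rather than to start editing files.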

Jul 7, 2015 2:03 AM in response to scissortail76

In fact, 'more than 400' is normal. Here's a clean install of OS X 10.10.3, set up and rebooted:


mac-98:~ admin$ ls -l /Volumes/Macintosh\ HD/System/Library/LaunchAgents | wc -l

213

mac-98:~ admin$ ls -l /Volumes/Macintosh\ HD/System/Library/LaunchDaemons/ | wc -l

264

Why does my hard drive have 447MB of data on it when I format it with Disk Utility?

Because the OS X Journal 'format' includes several hidden files and directory structure. The size of these scale with the disk capacity.


C.

Jul 7, 2015 3:15 AM in response to scissortail76

We are all just users like you, none of us work for Apple, our time on these forums is purely voluntary. We need you to provide us logical responses and not a flurry of findings after hours of work on your part where many things have been done. Keep it simple and go slow. Provide us the details before you start making many changes. One step at a time, slow and steady. So far we haven't seen anything suspicious in your postings. So starting over and going slow will help us confirm whether or not you actually have an infection.


I apologize for the tone...

Jul 7, 2015 5:02 AM in response to scissortail76

LoL ok that's fair. I apologize for the flurry. It's just that there are so many things that are wacko I don't even know where to start, so when asked to explain what's wrong I just pick random things based on what I've most recently seen. And I swear part of the strategy here is throwing a million wild goose chases into the mix to mask the real issue which may be very simple. So you're absolutely right to suggest a formulaic slow and steady procedure and to tell me to calm down and be a little less Chicken Little. Thank you.


USB Installer created and currently installing on wiped newly formatted drive. As Kurt pointed out, the new EFI update is out as of a few days ago. The previous version was 06. That's why I said my version 07 didn't exist. Thankfully they skipped their own 07 and I'm hoping this 08 version will solve part of the problem. And yes, I'm looking forward to 10.11 which would wipe out a huge portion of this mess.


I'll upload screenshots when the installer is finished. No settings changed, no network connection, no logins, and no updates. Just the latest Yosemite installer from the App Store created on a separate computer.

Jul 9, 2015 4:07 AM in response to scissortail76

Everything came back even with the clean reinstall... I've got screenshots if you want but not sure it's useful now. After all of the hullaballoo, I've figured out the whole thing seems to be just a boot loader and a bunch of firmware and kext patches. It all looks exactly like mods from InsanelyMac.com or TonyMacX86.com. Surprisingly simple but completely transparent. Fooled 4 AppleCare senior techs even! I'll follow up if I'm wrong... posting on InsanelyMac forums for guidance though but seems like a simple matter of installing a mod app like MacPois0n and flipping some switches there. Just can't believe no one in my months of troubleshooting pointed this out to me before.


Thanks for the help guys... I really do appreciate it in spite of my snarky attitude. You can imagine the frustration behind all of this though and how much it ***** when you know something is wrong but it's so subversive and subtle that no one believes you. And my own lack of knowledge about OS X underpinnings doesn't help my case at all when it comes to trying to describe the anomalies.
