
Traveling Rootkit

I've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webooks and additional packages in tow including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate and they didn't match.


Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone meaning I have to reinstall from scratch.


I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use internet recovery which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.


I had to start using terminal commands for everything because the GUI interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely including EFI partition and Recovery Drive but it still comes back even if I'm offline and unplugged. I've seen some rogue code entitling handoff and, like I said before, Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.


It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's Box. Not an option since I'm not fast enough to keep up with the mess of new code files spewed forth that results.


Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too along with several loop devices, vcsa, vhost-net, etc. Again this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and ACPI still runs even using the acpi=off command in Grub. It then makes a copy of the CD somewhere so it can alter it and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed, and it was not booted into RAM.


My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing... Even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one spurned to disk but by the second one I saw the same language encoding files and a css file with the same evil code getting burned to the disk.


I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point: my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed it finds a way. I'm about to turn my closet into a Faraday cage but then I can't download software from Apple's "Secure" Server.


One thing that would be useful... Oooooohhhhhh so useful... is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developer site but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Question marked as Best reply

Posted on Jun 24, 2015 8:01 PM

First of all, I believe you! Do you have any idea how the Mac became infected? It sounds like you contracted one of the new extremely rare firmware attacks. That means it's re-written your firmware to inject the rootkit every time you boot. If that is what happened, unfortunately you cannot remove it. You cannot overwrite the firmware. You would have to ship it back to Apple and have the system board replaced. This isn't just an Apple problem, there are PC rootkits capable of similar attacks. Another possible item is the root kit could be installed in the hard drive firmware. Attacks of this nature have been witnessed in the last 3-4 years and until recently were likely state sponsored groups behind them. This is not a run of the mill infection, it's quite advanced.


Final option to truly confirm the rootkit is in the firmware would be to do the following:

1. Buy a new thumb drive 8gb+ (preferably one with a write protect hardware switch or external forensics write blocker device)

2. Plug it ONLY into a known clean Mac and download Yosemite and burn to the thumb drive

3. Replace the internal Mac hard disk

4. Boot only from the write protected thumb drive and install Yosemite

5. If the rootkit shows up then it has to be coming from the Mac firmware

6. Sorry... You have a brick...


There really is no way around this, the firmware is used to boot and will always re-install the rootkit as you have noticed. Apple may be able to overwrite the firmware or replace the chip at their factory.


You might try to find a security researcher who would be willing to buy the Mac purely for the forensics and reverse engineering of this attack.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/


At some point malicious software was run as root or admin privileges that allowed the firmware to be overwritten. As a precaution in future, set a firmware password and ensure root account remains disabled and that you do not run a primary account as admin. Be extremely careful installing software. Avoid pirated software as many contain malicious payloads. Avoid the dangerous underbelly of the Internet / darknet, etc.

60 replies

Jul 24, 2015 8:30 AM in response to scissortail76

hey,


First, I want to apologize for any typing issues, or pictures I may attach being in poor quality. I am using my iPad (and taking screenshots via camera since I am reinstalling OS X).


I do believe you, and honestly am a bit hesitant to even think you really exist lol. That's how frustrating this has been for me also; I figure I have also had this for several months. I have been an IT person since 2000 and worked at an exclusively Mac studio for a few years. In addition I am pretty observant but not always up to date on new things that get changed in new OS updates. That being said... 1. The first thing I noticed was an EFI partition that seemed to appear out of nowhere. But at the same time I was updating to Yosemite, so I figured it was something new. The EFI partition though was msdos format, which made me suspicious: why would Mac add a partition that is DOS based?

2. My Mac would randomly start running the fan on high, and things would grind to a halt, when I had nothing really powerful open (web browsing vs Final Cut Pro or Photoshop). Activity Monitor would show WindowServer is using all the processes... and if I force quit it, it would shut down and restart... I have force quit almost every item at one point in Activity Monitor and can't remember that happening: slowdowns, errors with opening apps, but nothing that completely restarts it. Leads me to...

3. Console: I checked it but found no items on WindowServer, no mention at all, well not at first; one time it was happening and I was in Console already, only to see it show up and disappear shortly after....

4. So my console was being changed, but what was doing it? So I checked info and User, and noticed wheel... Again I had never seen wheel before but it showed up everywhere all of a sudden. I looked it up and online said it's been standard for Macs since 2005. I worked with OS X Server and OS X and I never remember seeing wheel as a system user. But this wheel user would show up not on everything but a lot of items... Things like iWork and GarageBand wouldn't have it, but Chrome, Safari, Skype, iTunes, iPhoto; I installed Firefox and for a week it didn't, then bam it showed up. Anything that I noticed started acting up would have wheel in it.


So, sorry for being so verbose but it's some of the things I noticed and checked.... There are things I noticed that bother the program and things that hinder it but haven't yet stopped it... it connects to wifi before you even know. That being said, it's tough to deactivate wifi on your Mac without opening it and unplugging it from the logic board... but it only knows what you know, so if you delete a wifi from your list it doesn't have it either. I say this because booting your computer in an area where you don't have access to the Internet is gonna be key to getting rid of it. I shut my wifi right off, then boot into recovery; yeah it's hacked but it works enough. Run Disk Utility, do a PRAM reset, and boot into single user mode, which I haven't been able to get into for months. From here, if your issue is like mine, go into Directory Utility (may want to backup just in case) and remember the wheel user... I deleted it... And well... At that point, things started to make sense for me: Console blew up with issues happening, and even though I had hidden files set to be shown, tons of files appeared: Automator, AppleScripts, extensions for Skype, Chrome, Safari that never showed up before.

But that's where I am. I don't have a solution yet, but I do have a reason why it's an issue reinstalling. Attached picture:

This is a screenshot of a hard drive infected but completely wiped; I am booted to a USB Yosemite drive I made several months ago, which unfortunately is now compromised.

disk2, eso is an additional group of files to install... It only shows when I boot to USB; otherwise those disks don't show up. The files they contain specifically set up certain keychain access, remote view, and control.... I have an idea to beat it, but want to try it before I say anything....


Finally, it seems to compromise applications, but maybe you might still have luck at using things that worked at first, but after reinstalling OS X I now find them compromised also.


Little Snitch: super great against this, but lock it down, don't let access to anyone but you.... What happened to me is the second time I downloaded it, it appended an install file, so any new rules I create had the option of being owned by "system", "myself" or "anyone"; the third option, anyone, is now greyed out... Key for preventing updates to your bin files, which it seems to do a lot, but by blocking its access to DNS, and having the Mac default to a known DNS (I used Google), the web stopped sending me garbage and fake sites.

Either way, find a firewall and keep it up; block all access if things go bad. The system firewall seems compromised.


OnyX also seemed to work pretty well, but at one point something happened and admin access was deleted on my account, so I had no admin, which I eventually fixed.

I could go on and on about things, but recently that seems to be helping; every time I seem to regain control and break free something happens and I get knocked back. I do want to say it doesn't seem to be firmware based: if I remove all my hard drives and plug in an unaffected bootable USB it doesn't get it. Stays clean.... Also, until I got rid of that wheel user, that kept me in the dark with false info, you don't really have admin control, you just have the illusion of it.

Jul 24, 2015 8:36 AM in response to bentleyonthego

Oh, also it seems to have a screen logger and key logger, which I caught early on. I removed the key logger program by downloading it and running the uninstaller. The key logger will log every password you change, so when I changed one it would change it back. After removal, issues with passwords stopped... The keylogger program I can't recall the name of but it was "key" something lol. Hope a portion of anything I said helps.

Jul 24, 2015 8:54 AM in response to bentleyonthego

Ok, clearly you got hacked. Don't play around, backup your data (target disk mode would be preferred), and start from scratch. Do not restore your Apps from backup, just your data and then re-install everything. This isn't just malware it's hacker tools and there is a malicious someone fighting for control of your Mac. Unless you really want to honeypot him for security research you should just start over and be done with it.

Jul 24, 2015 9:04 AM in response to bentleyonthego

Sorry, but there's a heaping pile of nonsense and misunderstanding of what is on your Mac. Actually, as an IT person for Macs since 2000, it's rather amazing you don't appear to know any of the following.

The first thing I noticed was an EFI partition

Every physical drive that has been partitioned as GUID for the Mac will have an EFI table at the top of the drive, such as below. I set up Disk Utility to show the developer menu, which enables you to show all partitions, including normally hidden ones, such as the EFI tables. They also have no format to speak of. I highlighted one of them so you can see what information is shown for an EFI partition. Anyway, it's completely normal.




my mac would randomly start rubbing the fan on high, and things would grind to a halt,

And why do you believe that automatically equates to malware? It could be a number of reasons, such as a corrupt OS installation, an issue with the logic board, bad RAM, etc. On our 2008 Mac Pro, we installed 8 extra GB of RAM from Other World Computing. Every time we used it for anything that taxed it even a little, the fans would ramp up to full blast until the process finished (like encoding a video). Finally, the Mac came on one day showing 4 GB less RAM than was installed. It turned out one of the 4 GB sticks we put in from OWC was bad from the day we got it and it finally croaked. They replaced it, and now the Mac is always quiet, no matter what it's doing. That bad stick was overheating every time it was being accessed.

and noticed wheel

The user wheel is completely normal. It belongs to the OS, as in "the big wheel". It's an account that allows the OS to do things that Unix permissions would otherwise stop a normal account from doing. It needs to be there so the OS can do its job.

and remember the wheel user... I deleted it...

Congratulations. You succeeded in completely destroying the OS by removing a required account. Now you get to erase the drive and start over. I wouldn't even attempt to just reinstall the OS over what exists given the sledge hammer approach you've taken to what are all normal processes.


There isn't a point to continue examining the rest of your content. You've butchered your system beyond repair by looking for things you think are there, and then proceeding to entirely ruin the system.

Aug 2, 2015 10:39 AM in response to bentleyonthego

Yes yes yes yes. All of that. Also found that certain services became unavailable if I turned music on. In other words, if it was using audio for music it couldn't use it for hidden processes. Thanks for your info though. I was wrong about Chameleon... The drivers are all part of the Chameleon install but removing it doesn't fix anything. It's reviving itself some other way, either in the hardware or something even more bizarre.


Lately I've unearthed a ".MobileBackups" folder that seems to be created as a mtmfs disk by Time Machine. Every day something new shows up. Please keep me posted on your progress and I'll do the same.

Aug 2, 2015 11:02 AM in response to scissortail76

scissortail76 wrote:


Lately I've unearthed a ".MobileBackups" folder that seems to be created as a mtmfs disk by Time Machine. Every day something new shows up. Please keep me posted on your progress and I'll do the same.

The .MobileBackups folder is also normal, it is used on laptops to allow backups to happen when a Time Machine disk is unavailable. It is automatically emptied as free space becomes an issue.


You can read the manual and disable the local backups if you don't want them…

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/tmutil.8.html

sudo tmutil disablelocal


Those backups will be removed whenever Time Machine decides to clear them out.

As ever Pondini explains how Time Machine works…

http://www.pondini.org/OSX/DiskSpace.html



Frankly you appear to be digging for a problem where none exists, or you are failing to explain the problem succinctly enough to get real help. The major problem here is that there are parts of the OS you do not understand & you assume they are attacks, hacks, spies or evidence of something equally malicious. If you want help here explain the actual problem, not what you think might cause it.



Dust off & nuke your computer(s) from orbit if you want to rid yourself of the problem, it is the only way to be sure…

Aug 6, 2015 11:21 AM in response to Drew Reece

Thank you Drew for clearing that up. Now please explain everything else I already mentioned as well before telling me I don't know what I'm talking about.


The saddest thing to me in every single post like this is all the responses like yours telling people that there are parts of the OS they have no business messing with. Telling people to just shut up and keep it hidden and don't question it. I'm not running a nuclear power plant here... It's a personal computer. I can break it if I want to and then learn how it works by fixing it. You basically tell me not to mess with technology I don't understand, but that's exactly what I'm doing by using a computer that hides everything from me.


My AppleID stopped working... can't reset the password, AppleCare initially told me to contact law enforcement after they couldn't fix it, and now they won't answer my emails. So yeah, you're probably right. It's all in my head. Silly me.

Aug 6, 2015 1:07 PM in response to scissortail76b

The saddest thing to me in every single post like this is all the responses like yours telling people that there are parts of the OS they have no business messing with.

That's because, so far, that has been the correct answer. Drew's response was about as non-confrontational as a person can be. He did no more than describe that the folder in question was normal, and direct you to a supporting document. If his last paragraph was what you have a bit of umbrage with, he isn't the first person to suggest the same thoughts.

I can break it if I want to and then learn how it works by fixing it. You basically tell me not to mess with technology I don't understand, but that's exactly what I'm doing by using a computer that hides everything from me.

So you at least admit (in a sense) that the problems you're having are of your own doing. I'd love to help, but these continual trips down the rabbit hole of self-inflicted damage are getting old. Windows hides thousands of files, too. But I don't go rooting into the system folders and start deleting .dll and other files that sound "suspicious" to me.

AppleCare initially told me to contact law enforcement after they couldn't fix it, and now they won't answer my emails.

So did you contact law enforcement? Apple can only do so much to try and fix a user account. If the account was hacked and the password changed, privacy rules don't allow Apple to see what your original password was, or what it was changed to. Even if they look with your permission, it's encrypted. It's all for the user's safety that a company cannot enter anyone's account at will. Apple is far from the only company that does this. It's up to you to a) remember what your password is, and b) use a password that can't be easily guessed or cracked.

Aug 6, 2015 4:10 PM in response to scissortail76b

Did you contact law enforcement as advised by Apple?

If an iCloud account is compromised it can lead to the Mac being controlled, but it only has the same features as are available in the Find My Mac service. Back To My Mac can allow remote access if it was enabled (erasing the OS should stop that).

The Mac may contain evidence if it is actually compromised. Reinstalling OS's will obliterate that if it is stored on the disk, think about how you want to proceed.


scissortail76b wrote:

Thank you Drew for clearing that up. Now please explain everything else I already mentioned as well before telling me I don't know what I'm talking about.


Many of the points you raise can be explained by means that do not need you to be hacked. Here are just a few responses to your posts, I've tried to keep it in order…


Gatekeeper is part of OS X. Asian language support is too, having them listed in install logs is normal. Webooks is unusual but it could be from a third party app, I really don't know at what state the OS was when that appeared.

The packages contained in the OS X installer can show the files to be installed if you really want to see how much is installed by default. I have a clean 10.10 install with over 350,000 files, it's more than I could keep track of.


Here is how OS X tells you what package installed one of those Automator actions, in Terminal…

pkgutil --file-info /System/Library/Automator/Activate\ Fonts.action/
volume: /
path: /System/Library/Automator/Activate Fonts.action/
pkgid: com.apple.pkg.Essentials
pkg-version: 10.9.0.1.1.1306847324
install-time: 1399430468
uid: 0
gid: 0
mode: 755
pkgid: com.apple.pkg.update.os.10.9.3.13D65.delta
pkg-version: 1.0.0.0.1.1306847324
install-time: 1400212681
uid: 0
gid: 0
mode: 755


It is installed via the 'Essentials' package & updated via the 10.9.3 delta update (yes this is a 10.9 Mac). It is part of a legitimate installer, you can go back & verify the install package certificate too if you still have the OS installer, it should be signed by Apple nowadays.


Certificates can vary across Macs if they are not using the same OS X version (& minor updates). It is also likely that a migrated Mac will have some legacy certificates in addition to the default ones. Apple have this list for verification…

List of available trusted root certificates in OS X Yosemite - Apple Support


The OS X installer includes Python by default, so avoiding Xcode does nothing to protect you from that or many of the other scripting environments, finding it is not a bad sign in itself.


Linux (and OS X) creates many devices, character devices & tty's in /dev. That is just how it operates. Have you ever heard the saying 'everything is a file in Linux or Unix'?

/dev is where hardware devices are turned into 'files' that can include files just for the status LED's of attached hardware etc, it is normal to see many entries, unless you have built the OS yourself & know how it all operates it can be difficult to unpick.


You found TAILS OS was slow. That is what happens when you run an OS that avoids writing to permanent storage. Also running from an external disk is slower than internal disks - did you full install it or USB boot it? TAILS tries to use TOR for all internet traffic, so it makes the internet many times slower, but you view it as a sign that the Mac is hacked.


You found a tftpboot folder in OS X, I assume you mean /private/tftpboot ?

That is normal even when networking is off. It is for OS X to host a server with a tftp share for other devices - it is nothing to do with how the OS is booting. OS X has many servers built in, most are disabled by default. Config files are installed for non-Apple services (such as the Apache web server), supporting files & folders are also created.


You installed Kali & then found the "Cheeky b@$t@rd$" had hacked your machine again & 'revealed' all the 'hacker tools' like netcat. Unfortunately Kali Linux is a 'penetration testing & security' distribution. That is how it is designed. It is normal for those tools to appear in menus - it is a selling point of that OS. It is intended for security professionals.

Sorry but this isn't a sign of an elaborate EFI hack - it is a user jumping to conclusions because they don't understand the OS.


You tell us your DNS is hacked. If that is the case you can try to work out where the hack is & avoid it (it is either on your network or external to it). Start by using another network. Reset your router if you think it is compromised (or replace it). There is some good starting info at …

http://www.thesafemac.com/how-to-manage-a-hacked-wireless-router/

Have you contacted your ISP? They may explain why you are assigned the IP. A 'class A' range does not have to be a public address, the 10.x.x.x range is a class A, but is only available as a private network. If you don't trust the ISP change the supplier.


Get the OS X installer via a connection that you do not think is 'hacked' & it should create a clean, secure installation. Ask at an Apple Store if they will download it for you if you trust them.


Reduced numbers of processors may show up if you have failing hardware. Have you run Apple hardware test?

Using Apple Hardware Test - Apple Support


Your 500GB hard disk showing around 450G is normal if it is using Gibibytes instead of Gigabytes - it really depends on the method used to view it, linux distros show it using different units, 465GiB seems about right …

http://www.wolframalpha.com/input/?i=500+gigabytes+in+gibibytes


You found EFI & SMC payloads in the OS X installer - once again normal. OS X can require firmware updates so it bundles them to make the upgrade process easier.

netstat shows many internal connections - even when the Mac is not networking. OS X opens sockets to itself, again I see this on a clean Mac with no networking enabled.


/home & /net are normal hidden folders on OS X, those Automator actions are also in a standard install.


On a clean 10.10.3 here is a count of the System launchd jobs…

ls -l /System/Library/LaunchAgents | wc -l
211
ls -l /System/Library/LaunchDaemons | wc -l
261



I do think that tearing into a system is a good way to learn, but you are not tweaking & learning, you are hunting for things that look scary & assuming they are bad. Many many of the things you find look scary to untrained eyes, which is why Apple told you to seek help from law enforcement. They are trained to forensically break down compromised machines whilst preserving evidence. Dig into the OS, break it, reinstall it, break it again, it is a fun way to learn, but that is different to hunting for signs of a compromise.



I don't doubt that it is possible for Thunderstrike or any of the other historically known 'DMA attacks' to cause some of what you claim (the potential has been known since before Firewire was invented). It just seems unlikely, I haven't seen reports of these attacks used 'in the wild' & these complex persistent attacks seem to have been the reserve of nation states who don't generally target just anyone. You don't say if you work for a government or related agency so I doubt you are a target and if you are their target they have failed since you have discovered so much!


Many of your claims here are not signs of an attack, they are just mistakes you made. It makes it practically impossible to distinguish what is fact & what is you misunderstanding the internals of these OS's. Your descriptions of 'it' jumping around from Mac to Mac & to iOS devices also make it sound beyond what we have seen, not impossible, but very implausible. You haven't defined what 'it' is either beyond a fuzzy feeling that something is wrong.


It sounds drastic, but if you have the rootkit that you think you have then it would be a permanent fixture of these devices - unremovable. Apple patched Thunderstrike in newer OS's so your only option would be to stop using the devices (hand them all to the police) & acquire new ones. If you have any Apple warranty, return them.


P.S.

I'm not trying to discredit everything you said, I'm just suggesting that you are missing many nuances & features of several complex systems.
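The `pkgutil --file-info` receipt check above is the one verifiable step in this thread: a file under /System that no Apple receipt claims is worth a second look, while one claimed by com.apple.* receipts is accounted for. As an added example (not code from the thread or from Apple), here is a small Python parser for that output format and a classifier built on it; the two sample outputs are constructed to match the shape quoted above, and treating output with no `pkgid:` block as "unowned" is an assumption about pkgutil's behaviour.

```python
from typing import Dict, List

# Constructed sample in the exact shape of `pkgutil --file-info` output quoted
# in the thread: a volume/path header, then one block per receipt that claims
# the file (a file touched by a delta update has more than one receipt).
SAMPLE_OUTPUT = """volume: /
path: /System/Library/Automator/Activate Fonts.action/

pkgid: com.apple.pkg.Essentials
pkg-version: 10.9.0.1.1.1306847324
install-time: 1399430468
uid: 0
gid: 0
mode: 755

pkgid: com.apple.pkg.update.os.10.9.3.13D65.delta
pkg-version: 1.0.0.0.1.1306847324
install-time: 1400212681
uid: 0
gid: 0
mode: 755
"""

# Second constructed sample: a file claimed by a non-Apple receipt whose
# recorded group is not root (gid 80 is the admin group on OS X).
THIRD_PARTY_OUTPUT = """volume: /
path: /Library/Application Support/ExampleTool/helper

pkgid: com.example.tool
pkg-version: 2.1
install-time: 1420000000
uid: 0
gid: 80
mode: 755
"""


def parse_file_info(text: str) -> Dict[str, object]:
    """Turn pkgutil --file-info text into {'volume', 'path', 'receipts': [...]}.

    Each 'pkgid:' line starts a new receipt; key/value lines that follow it
    belong to that receipt until the next 'pkgid:'. Blank lines are ignored
    and values may themselves contain ':' (split only on the first one).
    """
    receipts: List[Dict[str, str]] = []
    info: Dict[str, object] = {"volume": None, "path": None, "receipts": receipts}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ("volume", "path"):
            info[key] = value
        elif key == "pkgid":
            current = {"pkgid": value}
            receipts.append(current)
        elif current:
            current[key] = value
    return info


def owner_class(info: Dict[str, object], trusted_prefix: str = "com.apple.") -> str:
    """'apple' if every receipt is an Apple package, 'third-party' if any is
    not, 'unowned' if no receipt claims the file at all (assumed to mean the
    output carries no pkgid block). Unowned files under /System are the case
    that merits a closer look; Apple-owned ones are accounted for.
    """
    receipts = info["receipts"]
    if not receipts:
        return "unowned"
    if all(r["pkgid"].startswith(trusted_prefix) for r in receipts):
        return "apple"
    return "third-party"


def ownership_warnings(info: Dict[str, object]) -> List[str]:
    """Flag receipts that record a non-root owner or group for the file."""
    warnings: List[str] = []
    for r in info["receipts"]:
        if r.get("uid") != "0" or r.get("gid") != "0":
            warnings.append(f"{r['pkgid']}: recorded as uid={r.get('uid')} gid={r.get('gid')}")
    return warnings
```

On a real machine the text would come from running `pkgutil --file-info <path>` and piping its stdout into `parse_file_info`.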

Aug 12, 2015 8:09 AM in response to Drew Reece

Thank you for taking the time to read and reply so thoroughly but most of your assumptions are incorrect. Unfortunately you see the world differently than I do. I see an overall system that is not as it should be and is not running as efficiently as I know it should. I have a very keen impression of how a system feels and makes me feel when I interact with it, and this does not feel even close to right. That is what it means to get the many nuances of several complex systems. You have described everything in terms and definitions that are all separate from each other but you have not stepped back to see it all together as the unit it is or explained what it means that all these anomalies have happened at the same time and in symbiosis with each other. So sure I may miss a few definitions here and there and assume a few things are bad that are harmless but I know there is something very very sinister behind what is going on. So now take this paragraph and split it up into individual comments and respond with your jabs and self righteous rhetoric but when you're done all you will have done is taken a complex and organic concept and chopped it up into parking lots and coffee shops. And if that makes no sense to you then good.


End of discussion.

Aug 12, 2015 10:46 AM in response to scissortail76

You asked for a breakdown that explained why you are misunderstanding these OSes, I did that but you still choose to ignore it. Apple told you to seek legal help, yet you keep ignoring our requests for the status of your legal assistance. There is no point in trying to help you.


Good luck explaining your feelings to the Police or to Apple. Your devices need forensic investigation to prove or remove any of the spurious things you claim to have found.

Feelings have no place in technical examinations of electronics.

I have no need to 'step back' for an overview, I have looked at all your posts here already, there is only evidence of your repeated mistakes & assumptions related to how all of these OSes work. The one constant factor here is you are making assumptions that are provably wrong.

I wish you luck, I hoped you would see sense, but you are clearly being deluded by your feelings.

Aug 13, 2015 8:49 AM in response to scissortail76

Scissortail76, I believe you. I sincerely apologize for the conduct of some of the members of this community. I gather from your original comments that you have been struggling with this issue for over half a year now and have made numerous attempts seeking assistance to no avail. I'm going to go out on a limb here and also assume you've suffered the same sort of undue slights and dismissive skepticism on display in this thread at every turn for help, right?


The good news is you're (probably) not crazy. At the very least I believe you deserve the benefit of the doubt until all the facts are on the table. Good for you for respecting your own intuition and not being swayed by those unqualified to render an accurate verdict on your situation short of all the necessary facts. I admire your perseverance.


Unfortunately, this thread went down a predictable, almost formulaic path which has not only done you a disservice but the Mac and security minded community as a whole. The brightest, most active members of a forum community such as this occasionally succumb to their own knee-jerk biases and institutional fatigue with answering the same monotonous questions from the same drive by users who, most of the time, fail to grasp the nuance and complexities of their systems. An echo chamber of conventional wisdom combined with an almost impenetrable wall of skepticism and disinterest results in situations like yours having a high chance of getting shouted down. Then, trolls like Kurt forget they are responding to another human being that deserves respect and common decency, and inevitably they pile on.


The same thing happens when a user spots a legitimate, undocumented bug in a product or service for the first time. If you've ever tried to route a real bug up the chain as a normal consumer you'll know what I mean. If I was a betting man, I would admittedly place my bet against you being right about this improbable scenario of yours.


As a thought experiment, let's say you're wrong but your initial premise (that you've been using Macs for years and know enough to know when one of your systems is behaving in an extreme fashion, out of the ordinary) is true. Judged on how you've been treated, I don't see much incentive on your part to persist this long if you were making it all up. I think the experts on this forum would likely have been more attentive and inevitably flushed out whatever was actually going on if everyone had kept an open mind and remained civil. The worst-case scenario is you're wrong, you finally get resolution to your issue and a healthy learning opportunity is shared by all. Instead, the onus was placed on you to demonstrate overwhelming proof, as well as demonstrate a flawless understanding of the inner workings of your operating system, networking technologies, programming, security etc. I must point out that this is not a prerequisite for you being right or wrong.


If I wasn't going through the same exact thing myself I might have been quick to judge as well. You aren't alone, however. What you are describing is rare, but real. I encourage you to reach out to me directly and I will do my best to put you in touch with those that can hopefully help. At the very least we can share notes.
