Traveling Rootkit

I've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webhooks and additional packages in tow, including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate, and they didn't match.


Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone, meaning I have to reinstall from scratch.


I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist, and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use internet recovery, which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.


I had to start using terminal commands for everything because the GUI interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely, including the EFI partition and Recovery Drive, but it still comes back even if I'm offline and unplugged. I've seen some rogue code entitling handoff, and like I said before, Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.


It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's Box. Not an option, since I'm not fast enough to keep up with the mess of new code files spewed forth that results.


Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what, there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too, along with several loop devices, vcsa, vhost-net, etc. Again, this is on an offline computer. However, if I try to install Linux from the SystemRescueCD, the initrd and kernel instructions point the installer to corrupted versions, and ACPI still runs even using the acpi=off command in Grub. It then makes a copy of the CD somewhere so it can alter it, and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed, and it was not booted into RAM.


My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library, but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing... Even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one burned to disk, but by the second one I saw the same language encoding files and a CSS file with the same evil code getting burned to the disk.


I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point: my phone data usage has more than doubled since this all started, and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed it finds a way. I'm about to turn my closet into a Faraday cage, but then I can't download software from Apple's "Secure" Server.


One thing that would be useful... Oooooohhhhhh so useful... Is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developers site, but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version, but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky, and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM


Aug 6, 2015 1:07 PM in response to scissortail76b

The saddest thing to me in every single post like this is all the responses like yours telling people that there are parts of the OS they have no business messing with.

That's because, so far, that has been the correct answer. Drew's response was about as non-confrontational as a person can be. He did no more than describe that the folder in question was normal, and direct you to a supporting document. If his last paragraph was what you have a bit of umbrage with, he isn't the first person to suggest the same thoughts.

I can break it if I want to and then learn how it works by fixing it. You basically tell me not to mess with technology I don't understand, but that's exactly what I'm doing by using a computer that hides everything from me.

So you at least admit (in a sense) that the problems you're having are of your own doing. I'd love to help, but these continual trips down the rabbit hole of self-inflicted damage are getting old. Windows hides thousands of files, too. But I don't go rooting into the system folders and start deleting .dll and other files that sound "suspicious" to me.

AppleCare initially told me to contact law enforcement after they couldn't fix it, and now they won't answer my emails.

So did you contact law enforcement? Apple can only do so much to try and fix a user account. If the account was hacked and the password changed, privacy rules don't allow Apple to see what your original password was, or what it was changed to. Even if they look with your permission, it's encrypted. It's all for the user's safety that a company cannot enter anyone's account at will. Apple is far from the only company that does this. It's up to you to a) remember what your password is, and b) use a password that can't be easily guessed or cracked.

Aug 12, 2015 8:09 AM in response to Drew Reece

Thank you for taking the time to read and reply so thoroughly but most of your assumptions are incorrect. Unfortunately you see the world differently than I do. I see an overall system that is not as it should be and is not running as efficiently as I know it should. I have a very keen impression of how a system feels and makes me feel when I interact with it, and this does not feel even close to right. That is what it means to get the many nuances of several complex systems. You have described everything in terms and definitions that are all separate from each other but you have not stepped back to see it all together as the unit it is or explained what it means that all these anomalies have happened at the same time and in symbiosis with each other. So sure I may miss a few definitions here and there and assume a few things are bad that are harmless but I know there is something very very sinister behind what is going on. So now take this paragraph and split it up into individual comments and respond with your jabs and self righteous rhetoric but when you're done all you will have done is taken a complex and organic concept and chopped it up into parking lots and coffee shops. And if that makes no sense to you then good.


End of discussion.

Aug 12, 2015 10:46 AM in response to scissortail76

You asked for a breakdown that explained why you are misunderstanding these OS's, I did that but you still choose to ignore it. Apple told you to seek legal help, yet you keep ignoring our requests for the status of your legal assistance. There is no point in trying to help you.


Good luck explaining your feelings to the Police or to Apple. Your devices need forensic investigation to prove or remove any of the spurious things you claim to have found.

Feelings have no place in technical examinations of electronics.

I have no need to 'step back' for an overview, I have looked at all your posts here already, there is only evidence of your repeated mistakes & assumptions related to how all of these OS's work. The one constant factor here is you are making assumptions that are provably wrong.

I wish you luck, I hoped you would see sense, but you are clearly being deluded by your feelings.

Aug 13, 2015 8:49 AM in response to scissortail76

Scissortail76, I believe you. I sincerely apologize for the conduct of some of the members of this community. I gather from your original comments that you have been struggling with this issue for over half a year now and have made numerous attempts seeking assistance to no avail. I'm going to go out on a limb here and also assume you've suffered the same sort of undue slights and dismissive skepticism on display in this thread at every turn for help, right?


The good news is you're (probably) not crazy. At the very least I believe you deserve the benefit of the doubt until all the facts are on the table. Good for you for respecting your own intuition and not being swayed by those unqualified to render an accurate verdict on your situation short of all the necessary facts. I admire your perseverance.


Unfortunately, this thread went down a predictable, almost formulaic path which has not only done you a disservice but the Mac and security-minded community as a whole. The brightest, most active members of a forum community such as this occasionally succumb to their own knee-jerk biases and institutional fatigue with answering the same monotonous questions from the same drive-by users who, most of the time, fail to grasp the nuance and complexities of their systems. An echo chamber of conventional wisdom combined with an almost impenetrable wall of skepticism and disinterest results in situations like yours having a high chance of getting shouted down. Then, trolls like Kurt forget they are responding to another human being that deserves respect and common decency, and inevitably they pile on.


The same thing happens when a user spots a legitimate, undocumented bug in a product or service for the first time. If you've ever tried to route a real bug up the chain as a normal consumer you'll know what I mean. If I was a betting man, I would admittedly place my bet against you being right about this improbable scenario of yours.


As a thought experiment, let's say you're wrong but your initial premise (that you've been using Macs for years and know enough to know when one of your systems is behaving in an extreme fashion, out of the ordinary) is true. Judged on how you've been treated, I don't see much incentive on your part to persist this long if you were making it all up. I think the experts on this forum would likely have been more attentive and inevitably flushed out whatever was actually going on if everyone had kept an open mind and remained civil. Worst case scenario is you're wrong, you finally get resolution to your issue and a healthy learning opportunity is shared by all. Instead, the onus was placed on you to demonstrate overwhelming proof, as well as demonstrate a flawless understanding of the inner workings of your operating system, networking technologies, programming, security etc. I must point out that this is not a prerequisite for you being right or wrong.


If I wasn't going through the same exact thing myself I might have been quick to judge as well. You aren't alone, however. What you are describing is rare, but real. I encourage you to reach out to me directly and I will do my best to put you in touch with those that can hopefully help. At the very least we can share notes.

Aug 13, 2015 3:50 PM in response to nerdynick

For what it is worth, I don't disagree with most of what you have posted, nerdynick. My problem is the same as Kurt Lang's (and others here) – very little evidence of anything has been posted here…


scissortail76, if you think it is a custom boot loader try booting whilst holding alt & photograph the things you see. Boot from each of the possible options & photograph any screens that have text or appear unusual. Please post the images here. If the screens flash up too fast try video recording & use Dropbox or some other online video hosting to upload the files.


I have used many different boot loaders, perhaps if one is evident it will give you a real place to start looking.

Nov 4, 2015 6:30 PM in response to scissortail76

I have the exact same problem. I just can't prove it to Apple. But just about every symptom you have described is happening to both of my Macs, and it's possible my iPhone has been cursed with this also. I don't have time at the moment, but I will write a full description of exactly what's been happening to me. It's been ruining my life, soaking up every bit of free time I have, and disabling me from getting anything done as I am afraid I will wake up with every account that I ever accessed from my computer completely gone one day. So I can't check emails, bank accounts, software I own (for updates), or even log into the App Store to get my purchases as that account has all of my info on it. I am using a new Apple ID right now just in case it gets compromised. But yes, I will write more on this. The Apple Store has reformatted my drive 8 times now, and that's all they do. Then they just tell me that it's a "logic board problem". Well, guess what, it's not. They already replaced every chip in my MacBook Pro except the hard drive after the technician told me "I've NEVER seen anything like this before". Then he went into the back room, talked to the manager, and came back telling me they are going to replace everything for free even though I don't have AppleCare. That was at the end of July 2015. The computer worked for a week before it went nuts again, and then it infected my iMac, router, and possibly iPhone. I don't know what to do anymore, but it's pretty obvious that Apple is being very quiet about this unreported "rootkit" vulnerability, as if anyone had real evidence of it, I'm sure it would be grounds for one of the biggest class actions Apple has ever seen. I will report more soon and give you the full story. Maybe you can help me identify the problem or find evidence of this the way you did, and we can compare our results? One thing is for certain though, about 90% of the things you listed are happening to me, and more!
It's a scary time, and my life seems to be getting worse every day as I spend all of my time on blogs, forums, and in the Apple Store begging them to look deeper into the problem. Talk soon!

Nov 5, 2015 7:01 AM in response to italwaysbreaks

I don't know what you're doing to totally screw up each computer in your possession, but the problem would have to be you.


Do you have and routinely install illegally obtained software?


Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com ?


After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.


A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.


More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).


Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com .

Nov 6, 2015 5:58 AM in response to nerdynick

Please oh please let me know who I can contact about this. I have the same problem. Have you found any solution? Apple blows me off every time. It's been 4 months of trying to clean install the **** out of my computer, and my life feels like it's going down the tubes as both my Macs are infected. I have to use a public computer for anything private. It's awful. I have tons of screenshots, and a decent amount of videos of this abnormally odd behavior. It has been so difficult to "catch this rootkit in action" so to speak, but I do have some video evidence. It is such an unpredictable virus, it's almost impossible to catch or prove. Please please help me. Contact info, or some direction as to who may be interested in looking into the depths of my Macs, would be greatly appreciated.

Nov 6, 2015 7:10 AM in response to Kurt Lang

Hey Kurt, I do appreciate the answer and time you took to respond. I know you don't have to help me.

However, this sounds like a very typical Apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago. You sound like you do know Macs, but I think I'm looking more for a cyber-security or computer forensics expert, expert software engineer, or all of the above at this point. Anyway, here are the answers to your questions...


"Do you have and routinely install illegally obtained software?"

---No, all legal from trusted developers.


"Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com ?"


— That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.


“After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.”

---No, Time Machine is garbage with very limited functionality, and I NEVER use it. If I wanted to back up I would use SuperDuper or Carbon Copy Cloner.

“A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.”



—A rootkit infection can happen to anyone. I'm learning the hard way that Macs aren't as obscure as they once were, and since they compute things with other things that compute things, they can be hacked just as easily as anything else that computes things. Here are some links:


http://securityaffairs.co/wordpress/37394/hacking/mac-zero-day-rootkit-infection.html

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher

http://www.intego.com/mac-security-blog/rootkit-sleep/

http://www.washingtonexaminer.com/fbi-reminds-us-that-everything-can-be-hacked/article/2572021

http://www.newsweek.com/china-hackers-fbi-346667?piano_d=1

http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/

http://www.theguardian.com/commentisfree/2014/oct/29/fbi-hacking-press-internet-users

And for our supposedly unhackable iPhone…….

http://www.intego.com/mac-security-blog/ingenious-attack-shows-how-siri-could-be-hijacked-silently-from-16-feet-away-but-dont-lose-any-sleep/


“More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).”



—I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store. And at that, the problem still arises before I even do that. Fresh after a clean install. I NEVER post on forums, as I'm stubborn and usually can figure everything out myself. But the fact that I'm here kind of says something to me. I've got something serious enough to actually reach out for non-Apple Store help.


“Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com.”


—Once again, been there, done all of these things. Nothing an Apple Genius wouldn't have told me in their primitive tongue after my 7th store visit. A firmware virus manages to infect and control the first instruction possible in your computer, so yeah, check and check. Problems still come back. I suspect when I boot to recovery mode, I am somehow being redirected to download a modified clone coming from China or something.


Sorry for the mild attitude. I've been up all night trying to reinstall everything again (such has been my daily routine for four months now), so naturally I'm a little ******, and pretty tired of hearing n00bsauce Apple fanboys (even though I used to be one) or techs tell me the same typical and standard Apple solutions, while completely ignoring the reality that the problem needs to be looked at thoroughly by a top notch expert. Software engineers, programmers, cybersecurity experts would be ideal at the moment. This kind of stuff isn't a typical fix. Also, apologies for grouping all Geniuses together in a category. I suppose there was one Apple Genius who I have respect for, as his words to me after doing 45 minutes of diagnostics and tests were "Officially, I have to tell you that a clean wipe will make it work just fine. But unofficially, I will say, I have NEVER seen anything like this before. I would throw that thing away if I were you." Thanks, anonymous Apple Genius who actually is capable of thinking for himself.


Anyway, if you have any more advice or any resources that may be a bit more knowledgeable in dealing with this monster, it would be greatly appreciated.

Nov 6, 2015 8:10 AM in response to italwaysbreaks

However, this sounds like a very typical apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago.

Just typical troubleshooting steps. Not knowing what you have and haven't tried, it's the easiest place to start.

That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.


I wouldn't call it that. Folks anywhere between novice and experienced use such sites to download software. It's kind of the same thing as very intelligent and high up business people admitting that they still managed to fall for the Nigerian type scams. You have to wonder what in the world they're thinking. But anyway, such sites don't normally host illegal software, but are known to be loaded with adware.

A rootkit infection can happen to anyone.

Never said it couldn't. I noted it can't possibly move from the Mac Apple took from you to the new one they gave you in return. Not possible. As far as the two known firmware infections, that also cannot happen on the 2015 Mac you now have, or most 2014 models that Apple updated with new firmware that came along with software updates. The new firmware specifically was updated to block such hardware infections.


So, the only way a rootkit can keep recurring on your Mac is either you keep reinstalling it somehow, or someone else is. But the main point is, it can't keep reinstalling itself from a deep-rooted firmware infection since that avenue has been blocked.

I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store.

Excellent. I wish more people would be that careful. Sites like Softonic should be shut down. However, it's also how they make money to stay in business. The advertisers pay them quite a bit of money to include those adware installers with the downloads. At least adware (so far) is only greatly annoying. Not dangerous.

Once again, been there, done all of these things. … Sorry for the mild attitude.

No problem. I can't be anything but frustrating.


Sounds like you've already looked into most possibilities, but here are a few more anyway:


1) Make sure your router has a secure password. Both the admin login for the router itself, and the wireless access password. The first is much more important than most people seem to realize. Older routers (like three or more years old in particular) still come with moronic setups like the admin name being "admin", and a blank password field. That means literally anyone can drive through a neighborhood with a laptop and look for an open network. They just type 192.168.0.1 into their browser and see what router with its wireless signal enabled responds. Then they try the most common default admin/password settings and see if they can get in to your network.


2) Does anyone else, at any time, have access to your Mac when you aren't around? If so, put a firmware password on it to keep them out. Make sure you remember the password so you don't lock yourself out. It would require proof of ownership and a trip to an Apple Store to get the firmware password removed.


3) A simple one, but should still be checked. Make sure all Sharing items are off in the System Preferences.

Nov 6, 2015 2:08 PM in response to italwaysbreaks

You have arrived at this forum with your own 'diagnosis' that you appear to be unwilling to alter or even discuss could be incorrect; it is not how you should try to use this forum. If you want to use the regular process here you really need to explain the issue(s) & set aside your own diagnosis for now. You may be right in your diagnosis, but it can alter the process of troubleshooting if too much is assumed from the get-go.

The first steps are to describe what your issue actually is - what exact issues have you seen for this problem. We know you have done multiple wipes & reinstalls, but what exactly gives this 'rootkit' away? Images & videos may help. Also how do you know that other devices are being affected, could they all simply be suffering from the same issue (like an unreliable/ hacked/ malicious internet connection).


You could be better off creating your own topic to avoid contaminating the issue you see with the ideas & 'speculation' posted in this thread. Link to it if you want others to follow along from here. Good documentation will help if this does become a widespread occurrence on OS X.


I understand that rootkits do exist & some of them may actually work on OS X, but I am unable to believe that you & scissortail76 have the same one simply from what you have both posted. We haven't heard of their widespread use on OS X yet, which is part of why you both face the scepticism.


italwaysbreaks, you have posted so little evidence - the list of links is worthless, we all know that vulnerabilities exist, big deal. Vulnerabilities have always existed in all software, simply reading about them does not mean you have them on your system. I'm reminded of 'Medical students disease' https://en.wikipedia.org/wiki/Medical_students%27_disease in this regard, reading about a possible attack can help you convince yourself you have it installed. Bugs have existed in all software, how are you sure that part of your issues are not just a bug (or several)?


Neither of you have posted any conclusive evidence & frankly it may be impossible for you to convince us here via this discussion board. To see a rootkit in action requires access to a system beyond what can be done easily via this forum, but known attacks or modifications may be detectable. Many hardware issues can manifest themselves as strange behaviours that can easily be misread too; add to that the potential for modification of local network traffic or even ISPs to be part of the issue and it gets complex, fast.


If you are so certain that you have this rootkit or persistent hack you should follow your own common sense & that of the Genius Bar technician – return it, sell it, throw it away, pass it on to security researchers (for a large fee) or consult your local law enforcement. Consider all the other devices on the network too & consider switching your ISP if it seems network related (or use another network when testing). If the Mac was repaired & is still 'not functioning' you should contact Apple again - they may be required to replace it or offer some recompense if it is unable to work as designed and it failed under the additional warranty that a repair may have given you (consult the terms & conditions of the repair); it really depends on the case history & your local consumer laws. Legal advice may be a reasonable course of action, but just be aware that Apple cannot be held to the words of one Genius Bar staff member who appears to have offered their opinion on your Mac.


To remove such a persistent piece of software that you seem to describe could take thousands of dollars & years of experience to unpick.

Nov 16, 2015 2:29 AM in response to scissortail76

Scissortail76, this has happened to me as well. It boggles my mind that serious Mac users could remain in denial. All anyone has to do is read current journals. And yes, the "geniuses" told me they are not trained to read system messages. No solution for you (or me), I'm afraid... but some quasi-comfort in knowing others not only believe you, but are in your boat.

Nov 16, 2015 6:36 AM in response to Res_Q

Ah, yes. The ol', "I have absolutely no proof of anything, but I'm right and everyone else is wrong."


What a load of crock in that link. The first two paragraphs only prove that someone had remote access to his Mac. It didn't say anything to you that wiping the drive fixed the problem? So what did this researcher install that allowed the open door? As a security researcher, they intentionally load rogue software daily to see how it works and then how to defend against it. This person either didn't then restore a clean backup before the next day's work, or they didn't completely uninstall malware they were working with.


Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.


Absolutely, 100% impossible! No means to transmit anything, not even any power. Try explaining that. I suppose you also believe that if you disconnect the antenna or cable from your TV and unplug it, you'll somehow still be able to watch your shows.
