
Traveling Rootkit

I've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webhooks and additional packages in tow including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate and they didn't match.


Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone meaning I have to reinstall from scratch.


I've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use internet recovery which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.


I had to start using terminal commands for everything because the GUI interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely including EFI partition and Recovery Drive but it still comes back even if I'm offline and unplugged. I've seen some rogue code, entitling Handoff, and like I said before Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.


It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's Box. Not an option, since I'm not fast enough to keep up with the mess of new code files spewed forth that results.


Booting a Linux install CD from a USB drive will get me to a whole separate mess, basically the same. I did manage to get into TAILS which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /dev folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too along with several loop devices, vcsa, vhost-net, etc. Again this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and ACPI still runs even using the acpi=off command in GRUB. It then makes a copy of the CD somewhere so it can alter it and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed... and it was not booted into RAM.


My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing... Even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one spurned to disk but by the second one I saw the same language encoding files and a CSS file with the same evil code getting burned to the disk.


I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point, my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed it finds a way. I'm about to turn my closet into a Faraday cage but then I can't download software from Apple's "Secure" Server.


One thing that would be useful... Oooooohhhhhh so useful... is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developers site but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Question marked as Best reply

Posted on Jun 24, 2015 8:01 PM

First of all, I believe you! Do you have any idea how the Mac became infected? It sounds like you contracted one of the new, extremely rare firmware attacks. That means it's re-written your firmware to inject the rootkit every time you boot. If that is what happened, unfortunately you cannot remove it. You cannot overwrite the firmware. You would have to ship it back to Apple and have the system board replaced. This isn't just an Apple problem; there are PC rootkits capable of similar attacks. Another possibility is the rootkit could be installed in the hard drive firmware. Attacks of this nature have been witnessed in the last 3-4 years and until recently were likely state-sponsored groups behind them. This is not a run-of-the-mill infection; it's quite advanced.


Final option to truly confirm the rootkit is in the firmware would be to do the following:

1. Buy a new thumb drive, 8 GB+ (preferably one with a write-protect hardware switch, or use an external forensic write-blocker device)

2. Plug it ONLY into a known clean Mac and download Yosemite and burn to the thumb drive

3. Replace the internal Mac hard disk

4. Boot only from the write protected thumb drive and install Yosemite

5. If the rootkit shows up then it has to be coming from the Mac firmware

6. Sorry... You have a brick...


There really is no way around this, the firmware is used to boot and will always re-install the rootkit as you have noticed. Apple may be able to overwrite the firmware or replace the chip at their factory.


You might try to find a security researcher who would be willing to buy the Mac purely for the forensics and reverse engineering of this attack.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/


At some point malicious software was run with root or admin privileges that allowed the firmware to be overwritten. As a precaution in future, set a firmware password and ensure the root account remains disabled and that you do not run your primary account as admin. Be extremely careful installing software. Avoid pirated software as much of it contains malicious payloads. Avoid the dangerous underbelly of the Internet / darknet, etc.

60 replies

Aug 13, 2015 3:50 PM in response to nerdynick

For what it is worth I don't disagree with most of what you have posted, nerdynick. My problem is the same as Kurt Lang's (and others here) – very little evidence of anything has been posted here…


scissortail76, if you think it is a custom boot loader try booting whilst holding alt & photograph the things you see. Boot from each of the possible options & photograph any screens that have text or appear unusual. Please post the images here. If the screens flash up too fast try video recording & use Dropbox or some other online video hosting to upload the files.


I have used many different boot loaders, perhaps if one is evident it will give you a real place to start looking.

Nov 4, 2015 6:30 PM in response to scissortail76

I have the exact same problem. I just can't prove it to Apple. But just about every symptom you have described is happening to both of my Macs, and it's possible my iPhone has been cursed with this also. I don't have time at the moment, but I will write a full description of exactly what's been happening to me. It's been ruining my life, soaking up every bit of free time I have, and disabling me from getting anything done as I am afraid I will wake up with every account that I ever accessed from my computer completely gone one day. So I can't check emails, bank accounts, software I own (for updates), or even log into the App Store to get my purchases as that account has all of my info on it. I am using a new Apple ID right now just in case it gets compromised. But yes, I will write more on this. The Apple Store has reformatted my drive 8 times now, and that's all they do. Then they just tell me that it's a "logic board problem". Well, guess what, it's not. They already replaced every chip in my MacBook Pro except the hard drive after the technician told me "I've NEVER seen anything like this before". Then he went into the back room, talked to the manager, and came back telling me they are going to replace everything for free even though I don't have AppleCare. That was at the end of July 2015. The computer worked for a week before it went nuts again, and then it infected my iMac, router, and possibly iPhone. I don't know what to do anymore, but it's pretty obvious that Apple is being very quiet about this unreported "rootkit" vulnerability, as if anyone had real evidence of it, I'm sure it would be grounds for one of the biggest class actions Apple has ever seen. I will report more soon and give you the full story. Maybe you can help me identify the problem or find evidence of this the way you did, and we can compare our results? One thing is for certain though, about 90% of the things you listed are happening to me, and more!
It's a scary time, and my life seems to be getting worse every day as I spend all of my time on blogs, forums, and in the Apple Store begging them to look deeper into the problem. Talk soon!

Nov 5, 2015 7:01 AM in response to italwaysbreaks

I don't know what you're doing to totally screw up each computer in your possession, but the problem would have to be you.


Do you have and routinely install illegally obtained software?


Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com ?


After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.


A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.


More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).


Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com .

Nov 6, 2015 5:58 AM in response to nerdynick

Please oh please let me know who I can contact about this. I have the same problem. Have you found any solution? Apple blows me off every time. It's been 4 months of trying to clean install the **** out of my computer and my life feels like it's going down the tubes as both my Macs are infected. I have to use a public computer for anything private. It's awful. I have tons of screenshots, and a decent amount of videos of this abnormally odd behavior. It has been so difficult to "catch this rootkit in action" so to speak, but I do have some video evidence. It is such an unpredictable virus, it's almost impossible to catch or prove. Please please help me. Contact info, or some direction as to who may be interested in looking into the depths of my Macs would be greatly appreciated.

Nov 6, 2015 7:10 AM in response to Kurt Lang

Hey Kurt, I do appreciate the answer and time you took to respond. I know you don't have to help me.

However,

this sounds like a very typical Apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago. You sound like you do know Macs, but I think I'm looking more for a cyber-security or computer forensics expert, expert software engineer, or all of the above at this point. Anyway, here are the answers to your questions...


"Do you have and routinely install illegally obtained software?"

---No, all legal from trusted developers.


"Do you have and routinely install software that isn't illegal, but is obtained from garbage sites like C|NET's www.downloads.com, or www.softonic.com ?"


— That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.


“After each instance of having the drive erased, and now with a completely new Mac, are you restoring old data each time from a Time Machine backup? If so, you're just dragging the problem back in every time you do that.”

---No, Time Machine is garbage with very limited functionality, and I NEVER use it. If I wanted to back up I would use SuperDuper! or Carbon Copy Cloner.

“A rootkit cannot appear out of nowhere. It absolutely can't "jump" from the Mac the Apple Store took from you to the new device. Like anything else, a rootkit is software. You have to install it in some way. It also absolutely cannot infect your iPhone. Completely different and 100% incompatible CPU and OS. iOS and OS X have not one thing in common code wise, other than Apple wrote both of them.”



—A rootkit infection can happen to anyone. I'm learning the hard way that Macs aren't as obscure as they once were, and since they compute things with other things that compute things, they can be hacked just as easily as anything else that computes things. Here are some links:


http://securityaffairs.co/wordpress/37394/hacking/mac-zero-day-rootkit-infection.html

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

http://www.securityweek.com/efi-zero-day-exposes-macs-rootkit-attacks-researcher

http://www.intego.com/mac-security-blog/rootkit-sleep/

http://www.washingtonexaminer.com/fbi-reminds-us-that-everything-can-be-hacked/article/2572021

http://www.newsweek.com/china-hackers-fbi-346667?piano_d=1

http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/

http://www.theguardian.com/commentisfree/2014/oct/29/fbi-hacking-press-internet-users

and for our supposedly unhackable iPhone...

http://www.intego.com/mac-security-blog/ingenious-attack-shows-how-siri-could-be-hijacked-silently-from-16-feet-away-but-dont-lose-any-sleep/


“More than anything, it sounds like you keep installing, or dragging malware from a backup back onto your Mac. Such as a keylogger (a great way for a crook to watch every single change you try to make).”



—I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store. And at that, the problem still arises before I even do that. Fresh after a clean install. I NEVER post on forums, as I'm stubborn and usually can figure everything out myself. But the fact that I'm here kind of says something to me. I've got something serious enough to actually reach out for non-Apple Store help.


“Boot to Internet Recovery Mode - Command+Option+R. Use Disk Utility to completely repartition and reformat the drive, then reinstall OS X. DO NOT for any reason, restore a Time Machine backup. Reinstall LEGAL third party software ONLY obtained from the vendor. Meaning, if you picked up software from Softonic, do not reinstall that copy. Go to the web site of the vendor who actually writes the software and get it from them. While even that is not a 100% guarantee of clean software, it's a billion times better than anything obtained from Softonic or www.downloads.com.”


—Once again, been there, done all of these things. Nothing an Apple genius wouldn't have told me in their primitive tongue after my 7th store visit. A firmware virus manages to infect and control the 1st instruction possible in your computer, so yeah, check and check. Problems still come back. I suspect when I boot to recovery mode, I am somehow being redirected to download a modified clone coming from China or something.


Sorry for the mild attitude. I've been up all night trying to reinstall everything again (such has been my daily routine for four months now) so naturally, I'm a little ******, and pretty tired of hearing n00bsauce Apple fanboys (even though I used to be one) or techs tell me the same typical and standard Apple solutions, while completely ignoring the reality that the problem needs to be looked at thoroughly by a top-notch expert. Software engineers, programmers, cybersecurity experts would be ideal at the moment. This kind of stuff isn't a typical fix. Also, apologies for grouping all geniuses together in a category. I suppose there was one Apple genius who I have respect for as his words to me after doing 45 minutes of diagnostics and tests were "Officially, I have to tell you that a clean wipe will make it work just fine. But unofficially, I will say, I have NEVER seen anything like this before. I would throw that thing away if I were you." Thanks, anonymous Apple genius who actually is capable of thinking for himself.


Anyway, if you have any more advice or any resources that may be a bit more knowledgeable in dealing with this monster, it would be greatly appreciated.

Nov 6, 2015 8:10 AM in response to italwaysbreaks

However, this sounds like a very typical Apple technician answer and series of questions. I appreciate your response, but it's not getting me anywhere, as all of these things have been considered long ago.

Just typical troubleshooting steps. Not knowing what you have and haven't tried, it's the easiest place to start.

That's n00b talk. I wouldn't touch those sites with a ten foot pole for a million bucks. Once again, no illegal software.


I wouldn't call it that. Folks anywhere between novice and experienced use such sites to download software. It's kind of the same thing as very intelligent and high up business people admitting that they still managed to fall for the Nigerian type scams. You have to wonder what in the world they're thinking. But anyway, such sites don't normally host illegal software, but are known to be loaded with adware.

A rootkit infection can happen to anyone.

Never said it couldn't. I noted it can't possibly move from the Mac Apple took from you to the new one they gave you in return. Not possible. As far as the two known firmware infections, that also cannot happen on the 2015 Mac you now have, or most 2014 models that Apple updated with new firmware that came along with software updates. The new firmware specifically was updated to block such hardware infections.


So, the only way a rootkit can keep recurring on your Mac is either you keep reinstalling it somehow, or someone else is. But the main point is, it can't keep reinstalling itself from a deep-rooted firmware infection since that avenue has been blocked.

I re-download all of my owned and licensed software without connecting any backup or peripherals, directly from the developer's page or the App Store.

Excellent. I wish more people would be that careful. Sites like Softonic should be shut down. However, it's also how they make money to stay in business. The advertisers pay them quite a bit of money to include those adware installers with the downloads. At least adware (so far) is only greatly annoying. Not dangerous.

Once again, been there, done all of these things. … Sorry for the mild attitude.

No problem. It can't be anything but frustrating.


Sounds like you've already looked into most possibilities, but here are a few more anyway:


1) Make sure your router has a secure password. Both the admin login for the router itself, and the wireless access password. The first is much more important than most people seem to realize. Older routers (like three or more years old in particular) still come with moronic setups like the admin name being "admin", and a blank password field. That means literally anyone can drive through a neighborhood with a laptop and look for an open network. They just type 192.168.0.1 into their browser and see what router with its wireless signal enabled responds. Then they try the most common default admin/password settings and see if they can get in to your network.


2) Does anyone else, at any time, have access to your Mac when you aren't around? If so, put a firmware password on it to keep them out. Make sure you remember the password so you don't lock yourself out. It would require proof of ownership and a trip to an Apple Store to get the firmware password removed.


3) A simple one, but should still be checked. Make sure all Sharing items are off in the System Preferences.

Nov 6, 2015 2:08 PM in response to italwaysbreaks

You have arrived at this forum with your own 'diagnosis' that you appear to be unwilling to alter or even discuss that it could be incorrect; that is not how you should try to use this forum. If you want to use the regular process here you really need to explain the issue(s) & set aside your own diagnosis for now. You may be right in your diagnosis, but it can alter the process of troubleshooting if too much is assumed from the get-go.

The first steps are to describe what your issue actually is - what exact issues have you seen for this problem. We know you have done multiple wipes & reinstalls, but what exactly gives this 'rootkit' away? Images & videos may help. Also how do you know that other devices are being affected, could they all simply be suffering from the same issue (like an unreliable/ hacked/ malicious internet connection).


You could be better off creating your own topic to avoid contaminating your issue you see with the ideas & 'speculation' posted in this thread. Link to it if you want others to follow along from here. Good documentation will help if this does become a widespread occurrence on OS X.


I understand that rootkits do exist & some of them may actually work on OS X, but I am unable to believe that you & scissortail76 have the same one simply from what you have both posted. We haven't heard of their widespread use on OS X yet, which is part of why you both face the scepticism.


italwaysbreaks, you have posted so little evidence - the list of links is worthless, we all know that vulnerabilities exist, big deal. Vulnerabilities have always existed in all software, simply reading about them does not mean you have them on your system. I'm reminded of 'Medical students disease' https://en.wikipedia.org/wiki/Medical_students%27_disease in this regard, reading about a possible attack can help you convince yourself you have it installed. Bugs have existed in all software, how are you sure that part of your issues are not just a bug (or several)?


Neither of you have posted any conclusive evidence & frankly it may be impossible for you to convince us here via this discussion board. To see a rootkit in action requires access to a system beyond what can be done easily via this forum, but known attacks or modifications may be detectable. Many hardware issues can manifest themselves as strange behaviours that can easily be misread too; add to that the potential for modification of local network traffic or even ISPs to be part of the issue and it gets complex, fast.


If you are so certain that you have this rootkit or persistent hack you should follow your own common sense & that of the Genius Bar technician – return it, sell it, throw it away, pass it on to security researchers (for a large fee) or consult your local law enforcement. Consider all the other devices on the network too & consider switching your ISP if it seems network related (or use another network when testing). If the Mac was repaired & is still 'not functioning' you should contact Apple again - they may be required to replace it or offer some recompense if it is unable to work as designed and it failed under the additional warranty that a repair may have given you (consult the terms & conditions of the repair); it really depends on the case history & your local consumer laws. Legal advice may be a reasonable course of action, but just be aware that Apple cannot be held to the words of one Genius Bar staff member who appears to have offered their opinion on your Mac.


To remove such a persistent piece of software that you seem to describe could take thousands of dollars & years of experience to unpick.

Nov 16, 2015 2:29 AM in response to scissortail76

scissortail76, this has happened to me as well. It boggles my mind that serious Mac users could remain in denial. All anyone has to do is read current journals. And yes, the "geniuses" told me they are not trained to read system messages. No solution for you (or me), I'm afraid... but take quasi-comfort in knowing others not only believe you, but are in your boat. 😕

Nov 16, 2015 6:36 AM in response to Res_Q

Ah, yes. The ol', "I have absolutely no proof of anything, but I'm right and everyone else is wrong."


What a load of crock in that link. The first two paragraphs only prove that someone had remote access to his Mac. It didn't say anything to you that wiping the drive fixed the problem? So what did this researcher install that allowed the open door? As a security researcher, they intentionally load rogue software daily to see how it works and then how to defend against it. This person either didn't then restore a clean backup before the next day's work, or they didn't completely uninstall malware they were working with.


Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed.


Absolutely, 100% impossible! No means to transmit anything, not even any power. Try explaining that. I suppose you also believe that if you disconnect the antenna or cable from your TV and unplug it, you'll somehow still be able to watch your shows.

Nov 16, 2015 6:57 AM in response to Kurt Lang

And of course, if you bothered to read down far enough, the answer is right in the same article:


A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.


So at some point, the researcher put a USB drive into a computer, where it picked up a rootkit virus from an already infected machine, and that rootkit was then able to somehow transfer over to any computer when that USB drive was plugged in. Nothing mysterious here. Such viruses that transfer from media to a computer, and then from an infected computer back to clean removable media go all the way back to DOS.
