User profile for user: scissortail76
scissortail76 Author
User level: Level 1
20 points

Traveling Rootkit

II've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtley altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webooks and additional packages in tow including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninflected Mac and compared fingerprints for Apples root certificate and they didn't match.


Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone meaning I have to reinstall from scratch.


iI've got a MacBook Pro 10,2 but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist and I somewhere found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Maverick, I have to use internet recovery which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and colorsync settings.


I had to start using terminal commands for everything because the gui interface apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely including EFI partition and Recovery Drive but it still comes back even if I'm offline and unplugged. I've seen some rogue code ,entitling handoff and like I said before Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.


It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing XCode or Homebrew or anything that installs compilers and Python is like opening Pandoras Box. Not an option Since I'm not fast enough to keep up with the mess of new code files spewed forth that results.


Booting a Linux install CD from a USB drive will get me to a whole separate mess basically the same. i did manage to get into TAILS which slowed things down and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what there are always at least 60 entries in the /den folder for tty devices from tty1 all the way to ttyz89. And sometimes a list of pty devices too along with several loop devices, vcsa, vhost-net, etc. again this is on an offline computer. However, if I try to install Linux from the SystemRescueCD the initrd and kernel instructions point the installer to corrupted versions and APCI still runs even using the apci=off command in Grub. It then makes a copy of the CD somewhere so it can alter it and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed..and it was not booted into RAM.


My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library but as soon as I copy them over they get altered.. Which reminds me... I need to try mounting as read only and run from the drive directly. But another weird thing.... Even on other networks it will rear its ugly head if my phone is around. I downloaded. Apps at a friends house and got one spurned to disk but by the second one I saw the same language encoding files and a css file with the same evil code getting burned to the disk.


IM pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source is that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point, my phone data usage has more than doubled since this all started and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed It finds a way. I'm about to turn my closet into a Faraday cage but then I can't download software from Apples "Secure" Server.


ONe thing that would be useful... Oooooohhhhhh so useful... Is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developers site but it's not easy to figure out what's what and it's not the latest version. ive been trying to use the Linux From Scratch site for a Linux version but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Reply
60 replies
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
68,502 points

Nov 16, 2015 6:57 AM in response to Kurt Lang

And of course, if you bothered to read down far enough, the answer is right in the same article:


A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it.


So at some point, the researcher put a USB drive into a computer, where it picked up a rootkit virus from an already infected machine, and that rootkit was then able to somehow transfer over to any computer when that USB drive was plugged in. Nothing mysterious here. Such viruses that transfer from media to a computer, and then from an infected computer back to clean removable media go all the way back to DOS.

Reply
User profile for user: GTBoss10
GTBoss10
User level: Level 1
4 points

Jun 19, 2017 9:24 PM in response to scissortail76

Newly leaked documents 3/23/17, Networkworld.com, Wikileaks confirms low-level intelligence hacks on iphone and Macbookpro using Sonic Screwdriver and Der Starke rootkit,malware. Using Extensible Firmware Interface-EFI and will infect firmware to the the kernel and beyond. Many don't understand what and why this affects their iPhones and MacBooks at the same time! Look on Networkworkworld.com/Newly leaked documents show low level, etc.Definitely a firmware install in most cases as the article states. Sorry for your trouble,maybe this is it.. It may work with thunderbolt 2 as well.

Reply
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
68,502 points

Jun 20, 2017 6:26 AM in response to GTBoss10

Sonic Screwdriver

An interesting find, but old news. Apple has a patch that's been in effect for that for quite a while. Macs built after 2013 cannot be affected. Der Starke is also from about 2013. As one of the few the articles that even came up in a Google search that discusses it, they're not sure it even works anymore. This PDF talks about it at a bit more length. Once again, affected Macs (that they know of) are those built before 2013. So, it would appear this is also a dead threat already patched against.

Reply
User profile for user: bbcash
bbcash
User level: Level 1
8 points

Dec 24, 2017 7:03 AM in response to scissortail76

I’m not quite certain where to begin. It took me at least 10 minutes trying to log in to the board in order to post this.


Scissor, how unbeliably relieving it was to read your post. People have been asking about my “foil hat” for some time - I’ve finally gotten to the point where I just don’t talk about all the “anomalies” I’ve experienced.


I’m posting this (or attempting to) from my phone that obviously has some issues. In just logging in with my two factor authentication, no text received...at least no pop-up. My secondary line which I have never connected to WiFi, did receive it. Clicking the 6 digit empty boxes to input that code, the bottom of my screen created a white area about 1/3 of an inch wide - where the keyboard should have been.


I took a video from another device as screen shots from this one didn’t seem to work. Where the keyboard should have been, pressing the area would actually input numbers - and then after about 15 seconds...black screen with the white scrolling circle. Likely some very odd glitch or “anomaly”, which I’ve just come accustomed to at this point. Finally a hard reset I was able to see the keypad and login.


That being said - I completely believe everything you’re saying. I’d love to actually reach out to someone who has experience in dealing with this sort of thing - I’m at my wits end.


My “issues” started about 4 years ago. I won’t bother getting into what those issues are- I will say that perhaps much of them are simply just bugs and glitches that are expected in devices and such.


I’ll just say that I can more or less pinpoint when and how these almost exact anomalies you experience started for me.


I have one of the last MacBook Pro 17” models made. I have 3 or 4 Mini DisplayPort adapters, as they would malfunction and I’d buy another - using that laptop on an external monitor. I can even pinpoint where and when I bought those adapters.


I could write a novel, I won’t. I’m hoping an expert here might put my mind at ease on this one issue (with this laptop).


Fast forward 3.5 years of these “issues” I’ve gotten to the point where I do my best to ignore them.


So, this computer I wouldn’t dare power on. Until recently. I found the original box, and Snow Leopard install disk, along with the hardware disk that came with the laptop. (Countless internet recoveries and also bringing into the Apple store for the same - well...I’ll say I’ve had the same issues as you).


I had found the disk I suppose well over two years ago, and this particular laptop obviously has a built in drive. In recovering from this disk, the computer scratched it up badly. I’m sure the drive just had some debris or something that causes it, who’s to say. (Sorry if I jump all over the place...trying to get this posted before my “battery goes dead”).


There has always been an HP printer broadcasting WiFi where I ended up leaving the laptop (family home). It’s a rural area and on the property a $300+ router, you’re lucky if you get 1 bar sitting outside. Yet always that HP printer was here, full bars just about anywhere you’d go. Must have been a neighbor with an amplified WiFi antenna on their roof. Ha.


I cut the power to the entire home at one point, the only signal was yep, an HP printer. I let it go and left the laptop in a drawer (thinking I had disconnected the battery).


6 months ago, that computer had been in the drawer for a year+. I turned it on and it booted right up, I had forgotten to disconnect the battery. I pulled it out because these anomalies seemed to have subside and I just thought well - maybe they were indeed just glitches and bugs that were worked through (and I’m just paranoid). The HP printer broadcast had disappeared. And granted I have been through 3-4 routers (all of which when I connect them to the network, the manual reset / factory reset button(s) cease to function. (Perhaps my paperclips are faulty). I wanted to try fixing that laptop anyway.


I bought a device that removes scratches from CD’s, a high end one. Polished it right up. Popped that puppy in the laptop (I disconnected the WiFi and Bluetooth from the board...the antennas anyway)...and started the recovery mode.


I’m hoping this screenshot posts...someone tell me this is completely normal so I can relax. “Error downloading photo from iCloud library”...another glitch and normal - im sure. Tried duplicating it “an error occurred while trying to duplicate this photo”. Thought that might work. It will not let me post a screenshot of this log file. Once I post this I’ll call do my best to figure a workaround.


The first thing the log says is...well, I can’t get this photo attached, and now have posted by mistake.

Anyone on why I can’t attach a photo? It will take me some type to type it all as it is. I’d never have transferred it to a USB (this was six months ago anyway).

The first thing the log file more or less does in the OSX installation is to install printer drivers, nearby printers, and it would hang first thing on an HP printer driver installation.

It halted at NSCocoaDomain Code=642 UserInfo=0x120411680 “You can’t save the file “Autosave information” because the volume “Mac OS Install DVD is read-only.” (Underlying error=.....etc it goes on and on.

I’m willing do donate this along with so many other devices for no other reason that someone telling me I’m not completely crazy.

Oh, and I might mention I had the same error trying to upload images to apples engineering department (over a different device and different situation all together - and also from a different computer) - and the images wouldn’t upload. The senior advisor couldn’t figure it our. I ended up having to email them, and he relayed them - but initially had told me uploading through the website was the only way.

This issue is but about 5% of all the anomalies I’ve run into. I’m surprised I finally was able to post anything here.

Just hoping someone has some feedback and info on how to get a screenshot on here so you guys Sam see this log file.

And one more thing on that laptop, I had tried years ago installing the EFI update, it always failed upon restart. At the time I never thought anything if it.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Traveling Rootkit

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up