scissortail76

Q: Traveling Rootkit

I've been dealing with a Rootkit issue for almost six months now. The Apple Store even said nothing was wrong but did a "clean install" just in case while I waited. I'm not sure they touched the EFI partition or Recovery Drive though. Booting from the Recovery Drive gives a very subtly altered version of the real thing and functions in a way that seems normal, but reading the install logs shows webhooks and additional packages in tow, including Asian Language Support and an update for Gatekeeper. I also called a friend on an uninfected Mac and compared fingerprints for Apple's root certificate, and they didn't match.

Reading dmesg shows ACPI turning over half of my processors to use elsewhere, Bluetooth daemons run even though Bluetooth is disabled, Postfix is always installed along with other components and config files that are clearly not from Apple, and if I poke around too much I suddenly get removed from the admin group and lose connection control of my system. Sometimes it just shuts down and the entire /sys folder is gone, meaning I have to reinstall from scratch.

I've got a MacBook Pro 10,2, but the firmware shown doesn't match the one Apple says is the most recent. It's a higher version that doesn't exist, and somewhere I found a config file or polish file that denies downgrading firmware. Same with the SMC file. Since there's no CD drive and no printed media for Yosemite or even Mavericks, I have to use Internet Recovery, which is worthless since my DNS is hijacked. And anything installed or downloaded is injected with self-protecting and/or self-perpetuating code. Image files and text files have executable tags on them. Even icons and color profiles. So just loading the desktop opens who knows what code just by displaying the background image, folder icons, and ColorSync settings.

I had to start using Terminal commands for everything because the GUI apps were altered to remove important settings, but then I realized aliases and symlinks were being used to alter everything I do. I even wiped the drive completely, including the EFI partition and Recovery Drive, but it still comes back even if I'm offline and unplugged. I've seen some rogue code entitling Handoff, and like I said before, Bluetooth is running without being activated. I have a screenshot of the setting saying my Bluetooth interface is active next to the window showing it being turned off. And only half of my processors are being used. The other half are remapped during the boot process. By the way, resetting NVRAM and SMC did nothing.

It uses Migration Assistant to prevent a clean install. I can see the packages listed in the list file, and they include EFI and SMC payloads. I just don't know how to edit the scripts without breaking the authentication. And installing Xcode or Homebrew or anything that installs compilers and Python is like opening Pandora's box. Not an option, since I'm not fast enough to keep up with the mess of new code files spewed forth as a result.

Booting a Linux install CD from a USB drive gets me to a whole separate mess, basically the same. I did manage to get into TAILS, which slowed things down, and downloaded SystemRescueCD and was able to zero out my drive. And Midnight Commander was able to parse some of the previously illegible code. But I still see a tftpboot folder that shows up on Mac or Linux even when the network is unplugged and offline. And no matter what, there are always at least 60 entries in the /dev folder for tty devices, from tty1 all the way to ttyz89. And sometimes a list of pty devices too, along with several loop devices, vcsa, vhost-net, etc. Again, this is on an offline computer. However, if I try to install Linux from the SystemRescueCD, the initrd and kernel instructions point the installer to corrupted versions, and ACPI still runs even using the acpi=off command in GRUB. It then makes a copy of the CD somewhere so it can alter it, and future boots are pointed there instead of to the actual disk. I verified this by unplugging the drive and it continued to function with new commands in directories I hadn't accessed, and it was not booted into RAM.

My favorite was when I tried to download Kali Linux and installed it. It had been modified to show every single app in every single category as ncat. Cheeky b@$t@rd$. I managed to download some files at the library, but as soon as I copy them over they get altered. Which reminds me... I need to try mounting as read-only and running from the drive directly. But another weird thing... even on other networks it will rear its ugly head if my phone is around. I downloaded apps at a friend's house and got one burned to disk, but by the second one I saw the same language encoding files and a CSS file with the same evil code getting burned to the disk.

I'm pretty sure Subversion is being used to keep the whole apparatus up and complete. Deleting files does nothing because on reboot everything is back in place. I just can't figure out where the source that's deploying these files is. Assuming there's an option ROM installed that is making it possible to repurpose my PCI devices to run the installers and other processes, could a host drive with the master disk image be hosted in a device too? Like someone else mentioned elsewhere, the Apple folks are useless. The "Genius Bar" guy cut me off when I tried to show him blatant entries in the logs and said they aren't trained to read code. Only engineers can do that. And I've been through three senior AppleCare techs. The first two basically laughed and called me paranoid, and the third keeps getting disconnected when I try to call. Which reminds me of another point: my phone data usage has more than doubled since this all started, and there are all sorts of scripts involving VT100 commands. But even with all phones off and batteries removed, it finds a way. I'm about to turn my closet into a Faraday cage, but then I can't download software from Apple's "Secure" server.

One thing that would be useful... Oooooohhhhhh so useful... is a repository of the files that make up the OS so I can see what is right and wrong. There's the open source stuff on the developer site, but it's not easy to figure out what's what and it's not the latest version. I've been trying to use the Linux From Scratch site for a Linux version, but since my certificates are forged I don't know if anything I read online is accurate. For all I know this post may never see the light of day. But the bottom line is this thing is big and sneaky, and if we don't figure out how to kill it easily it's going to bring this entire world to its knees. I know several people who have it and don't even realize it. It only gets nasty and fights back when you start poking it.

MacBook Pro with Retina display, OS X Yosemite (10.10.2)

Posted on Jun 23, 2015 5:27 PM

Previous Page 2 of 4 last Next
  • by cdhw, Level 4 (2,653 points), Servers Enterprise
    Jul 1, 2015 7:24 PM in response to scissortail76

    The remote site is provided by Apple to allow Macs that have no usable disk to boot. It's called 'Internet Recovery'.

    https://support.apple.com/en-gb/HT201314

    It's normal behaviour for a Mac.

    C.

  • by James Brickley, Level 2 (259 points)
    Jul 1, 2015 8:05 PM in response to scissortail76

    Things look normal to me, even those Sept 9 2014 dates, as they are the same on my system. Time to go to square one and start over again. This time, do ONLY WHAT YOU SEE BELOW and stop running down the rabbit hole reaching for Linux tools that are only going to confuse you. Do not use GParted or any other Linux tools; you don't need them. Besides, they won't recognize OS X Core Storage and will display weirdly as a result. Also stop messing with Single User Mode, etc.

     

    1. Build a bootable Yosemite thumb drive using one of the other Macs you mentioned

    2. Boot with it by holding OPT on your Mac

    3. Go to Disk Utility on the menu

    4. Re-partition to 1 partition, GUID under the Options button, with Extended Journaled HFS+

    5. Install Yosemite (it should be 10.10.4)

    6. Do not connect to WiFi nor Ethernet. Everything you need is on that thumb drive (for now)

    7. Do not encrypt with FileVault2

     

    Do not make any other changes to the system, keep it entirely plain vanilla. Do not enable root, do not modify Preference files to display hidden files, etc.

     

    At this point you will have a squeaky clean system as intended. When 10.11 is released, all those system files you have been poking with a stick will likely be locked down using the new "rootless" security mode, so don't mess with that stuff. Touch NOTHING under root that is in system file locations. User data belongs in /Home/UserName and nowhere else. This is not FreeBSD nor Linux; you are not meant to monkey around in those system locations. OS X uses ACLs (Access Control Lists) on top of traditional Unix permissions, and there are even some very special file flags, so that could explain why root wasn't able to modify protected system files. When rootless is turned on with 10.11 it will be even harder to mess with those files.

     

    Now if you find you have Postfix installed or anything else weird, we are going to need screenshots as proof. The evidence provided so far has been rather lacking, and your illogical statements are peppered with incorrect or impossible scenarios. All your screenshots look perfectly normal; the files are in order and proper by all accounts. Those hidden files are hidden for a reason; you don't need to touch them at all.

     

    Do these simple things and report back. Do not dig deeper, do not make changes. Locate the problems you see and collect evidence, report back.

  • by Kurt Lang, Level 8 (37,820 points), Mac OS X
    Jul 2, 2015 11:49 AM in response to scissortail76

    An extra note. Apple released firmware updates for many Mac models that came with Mountain Lion (like yours). Your current firmware version is:

    MBP102.0106.B07

    The new firmware, released June 30, brings it to:

    MBP102.0106.B08

    Mac EFI Security Update 2015-001

    It's specifically to block Thunderstrike. The above should be the correct firmware for your Mac since that's the entry in Apple's list that also has your SMC version. If not, it won't allow you to install it.

    According to Apple's firmware update page:

    Most firmware updates are automatically installed when you update or upgrade OS X. Some firmware updates are also available as downloads you can install manually. If your Mac needs a firmware update and it isn't installed automatically, check to see if a manual updater is listed below.

    So if you've already updated to 10.10.4, then it may have already been applied. Check System Information again. If it hasn't, it should show in Software Update.

  • by scissortail76, Level 1 (5 points)
    Jul 7, 2015 1:41 AM in response to scissortail76

    I don't recall there being hundreds of scripts preloaded in that folder. And please don't talk down to me like I have no idea what I'm doing. I've been using a Mac for 20 years and while I'm no hacker, I've spent over a decade using code to script Photoshop and Flash and whatever else I've needed to streamline. So when you tell me things like "stop using Linux" or "quit poking around" you make yourself sound condescending and close-minded. Admittedly I am running around throwing out random examples that may or may not be evident on their own, but look at the big picture. Little anomalies all over the place are exactly how you would design something to go unnoticed. You dismiss the bugged-out text as just a glitch... But it isn't a glitch. That's consistent behavior.

     

    Do me a favor and tell me how many files are in your /System/Library/LaunchAgents and LaunchDaemons folders. I have over 400 combined after a clean install. Why does my hard drive have 447MB of data on it when I format it with Disk Utility? Why does cloudd ask me for my password when I'm not logged in to anything and have Wifi off? Why does my router use a class A address for the gateway on a simple home network and why is the MAC address for the AP not one that exists for any device I can find in the house?

     

    And why does DarwinDumper show VooDooHD as the audio driver and Q77 as a driver for my processor? Why does an ICC color profile have a fake dmesg type bootup script in it?

     

    But you're right about the lack of evidence. For the sake of the Scientific Method I will start from baseline and follow your instructions exactly so that we are all on the same page. And I promise not to poke around or do bad things with Linux.

     

    Back in a few...

  • by cdhw, Level 4 (2,653 points), Servers Enterprise
    Jul 7, 2015 2:03 AM in response to scissortail76

    In fact, 'more than 400' is normal. Here's a clean install of OS X 10.10.3, set up and rebooted:

     

    mac-98:~ admin$ ls -l /Volumes/Macintosh\ HD/System/Library/LaunchAgents | wc -l

         213

    mac-98:~ admin$ ls -l /Volumes/Macintosh\ HD/System/Library/LaunchDaemons/ | wc -l

         264

         Why does my hard drive have 447MB of data on it when I format it with Disk Utility?

    Because the OS X Journal 'format' includes several hidden files and directory structure. The size of these scale with the disk capacity.

     

    C.

  • by James Brickley, Level 2 (259 points)
    Jul 7, 2015 3:15 AM in response to scissortail76

    We are all just users like you; none of us work for Apple, and our time on these forums is purely voluntary. We need you to provide us logical responses and not a flurry of findings after hours of work on your part where many things have been done. Keep it simple and go slow. Provide us the details before you start making many changes. One step at a time, slow and steady. So far we haven't seen anything suspicious in your postings. So starting over and going slow will help us confirm whether or not you actually have an infection.

     

    I apologize for the tone...

  • by James Brickley, Level 2 (259 points)
    Jul 7, 2015 3:34 AM in response to scissortail76

    These professional tools are extremely helpful in seeing what is really going on with OS X. 

    http://rixstep.com/4/0/buy/

     

    The author has blogged about using his tools to examine malware, unnecessary bloat, etc.

  • by scissortail76, Level 1 (5 points)
    Jul 7, 2015 5:02 AM in response to scissortail76

    LoL ok, that's fair. I apologize for the flurry. It's just that there are so many things that are wacko I don't even know where to start, so when asked to explain what's wrong I just pick random things based on what I've most recently seen. And I swear part of the strategy here is throwing a million wild goose chases into the mix to mask the real issue, which may be very simple. So you're absolutely right to suggest a formulaic slow and steady procedure and to tell me to calm down and be a little less Chicken Little. Thank you.

     

    USB Installer created and currently installing on wiped newly formatted drive. As Kurt pointed out, the new EFI update is out as of a few days ago. The previous version was 06. That's why I said my version 07 didn't exist. Thankfully they skipped their own 07 and I'm hoping this 08 version will solve part of the problem. And yes, I'm looking forward to 10.11 which would wipe out a huge portion of this mess.

     

    I'll upload screenshots when the installer is finished. No settings changed, no network connection, no logins, and no updates. Just the latest Yosemite installer from the App Store created on a separate computer. 

  • by scissortail76, Level 1 (5 points)
    Jul 9, 2015 4:07 AM in response to scissortail76

    Everything came back even with the clean reinstall... I've got screenshots if you want but not sure it's useful now. After all of the hullaballoo, I've figured out the whole thing seems to be just a boot loader and a bunch of firmware and kext patches. It all looks exactly like mods from InsanelyMac.com or TonyMacX86.com. Surprisingly simple but completely transparent. Fooled 4 AppleCare senior techs even! I'll follow up if I'm wrong... posting on InsanelyMac forums for guidance though but seems like a simple matter of installing a mod app like MacPois0n and flipping some switches there. Just can't believe no one in my months of troubleshooting pointed this out to me before.

     

    Thanks for the help guys... I really do appreciate it in spite of my snarky attitude. You can imagine the frustration behind all of this though and how much it ***** when you know something is wrong but it's so subversive and subtle that no one believes you. And my own lack of knowledge about OS X underpinnings doesn't help my case at all when it comes to trying to describe the anomalies.

  • by James Brickley, Level 2 (259 points)
    Jul 9, 2015 7:52 AM in response to scissortail76

    I would like to see your findings. It must have infected your Yosemite installer so it bootstrapped itself from the thumb drive. Since Hackintosh methods modify the thumb drive image to get around Mac restrictions that block an install on non-Mac hardware, it must have added a payload as well.

  • by Kurt Lang, Level 8 (37,820 points), Mac OS X
    Jul 9, 2015 8:31 AM in response to scissortail76

    I know you've stated that you're a long-time computer user, but I gotta ask just for clarification, since not everyone uses the term "clean install" to mean the same thing.

     

    So, by clean install, did you fully erase the drive and reinstall the OS, or did you only install the OS over what was already on the drive?

  • by bentleyonthego, Level 1 (0 points)
    Jul 24, 2015 8:30 AM in response to scissortail76

    Hey,

    First, I want to apologize for any typing issues, or pictures I may attach being in poor quality; I am using my iPad (and taking screenshots via camera since I am reinstalling OS X).

     

    I do believe you, and honestly am a bit hesitant to even think you really exist lol. That's how frustrating this has been for me also; I figure I have also had this for several months. I have been an IT person since 2000 and worked at an exclusively Mac studio for a few years. In addition, I am pretty observant but not always up to date on new things that get changed in new OS updates. That being said... The first thing I noticed was an EFI partition that seemed to appear out of nowhere. But at the same time I was updating to Yosemite, so I figured it was something new. The EFI partition though was MS-DOS format, which made me suspicious: why would Mac add a partition that is DOS based?

    2. My Mac would randomly start running the fan on high, and things would grind to a halt when I had nothing really powerful open (web browsing vs. Final Cut Pro or Photoshop). Activity Monitor would show WindowServer using all the processes, and if I force quit it, it would shut down and restart. I have force quit almost every item at one point in Activity Monitor and can't remember that happening; slowdowns, errors with opening apps, but nothing that completely restarts it. Leads me to...

    3. Console. I checked it but found no items on WindowServer, no mention at all, well, not at first; one time it was happening and I was in Console already, only to see it show up and disappear shortly after...

    4. So my console was being changed, but what was doing it? So I checked Info and User, and noticed wheel... Again, I had never seen wheel before, but it showed up everywhere all of a sudden. I looked it up, and online it said it's been standard for Macs since 2005. I worked with OS X Server and OS X and I never remember seeing wheel as a system user. But this wheel user would show up not on everything but on a lot of items... Things like iWork and GarageBand wouldn't have it, but Chrome, Safari, Skype, iTunes, iPhoto did; I installed Firefox and for a week it didn't, then bam, it showed up. Anything that I noticed started acting up would have wheel in it.

     

    So, sorry for being so verbose, but these are some of the things I noticed and checked... There are things I noticed that bother the program and things that hinder it but haven't yet stopped it. It connects to WiFi before you even know; that being said, it's tough to deactivate WiFi on your Mac without opening it and unplugging it from the logic board... but it only knows what you know, so if you delete a WiFi network from your list it doesn't have it either. I say this because booting your computer in an area where you don't have access to the Internet is gonna be key to getting rid of it. I shut my WiFi right off, then boot into Recovery; yeah, it's hacked, but it works enough. Run Disk Utility, do a PRAM reset, and boot into single user mode, which I haven't been able to get into for months. From here, if your issue is like mine, go into Directory Utility (may want to back up just in case) and remember the wheel user... I deleted it... And well... At that point, things started to make sense for me; Console blew up with issues happening, even though I had hidden files set to be shown, tons of files appeared: Automator, AppleScripts, extensions for Skype, Chrome, Safari that never showed up before.

    But that's where I am. I don't have a solution yet, but I do have a reason why it's an issue reinstalling. Attached picture: image.jpg

    This is a screenshot of a hard drive infected but completely wiped; I am booted to a USB Yosemite drive I made several months ago, which unfortunately is now compromised.

    disk2, eso is an additional group of files to install... It only shows when I boot to USB; otherwise those disks don't show up. The files they contain specifically set up certain keychain access, remote view, and control... I have an idea to beat it, but want to try it before I say anything...

     

    Finally, it seems to compromise applications, but maybe you might still have luck using things that worked at first, but after reinstalling OS X now find them compromised also.

     

    Little Snitch is super great against this, but lock it down; don't let access to anyone but you... What happened to me is the second time I downloaded it, it appended an install file, so any new rules I create had the option of being owned by "system", "myself" or "anyone"; the third option, anyone, is now greyed out... Key for preventing updates to your bin files, which it seems to do a lot, but by blocking its access to DNS and having the Mac default to a known DNS (I used Google), the web stopped sending me garbage and fake sites.

    Either way, find a firewall and keep it up; block all access if things go bad. The system firewall seems compromised.

     

    OnyX also seemed to work pretty well, but at one point something happened and admin access was deleted on my account, so I had no admin, which I eventually fixed.

    I could go on and on about things, but recently that seems to be helping; every time I seem to be regaining control and breaking free, something happens and I get knocked back. I do want to say it doesn't seem to be firmware based: if I remove all my hard drives and plug in an unaffected bootable USB, it doesn't get it. Stays clean... Also, until I got rid of that wheel user, that kept me in the dark with false info; you don't really have admin control, you just have the illusion of it.

  • by bentleyonthego, Level 1 (0 points)
    Jul 24, 2015 8:36 AM in response to bentleyonthego

    Oh, also it seems to have a screen logger and key logger, which I caught early on; I removed the key logger program by downloading it and running the uninstaller. The key logger will log every password you change, so when I changed one it would change it back. After removal, issues with passwords stopped... The keylogger program I can't recall the name of, but it was "key" something lol. Hope a portion of anything I said helps.

  • by James Brickley, Level 2 (259 points)
    Jul 24, 2015 8:54 AM in response to bentleyonthego

    Ok, clearly you got hacked. Don't play around: back up your data (target disk mode would be preferred), and start from scratch. Do not restore your Apps from backup, just your data, and then re-install everything. This isn't just malware, it's hacker tools, and there is a malicious someone fighting for control of your Mac. Unless you really want to honeypot him for security research, you should just start over and be done with it.

  • by Kurt Lang, Level 8 (37,820 points), Mac OS X
    Jul 24, 2015 9:04 AM in response to bentleyonthego

    Sorry, but there's a heaping pile of nonsense and misunderstanding of what is on your Mac. Actually, as an IT person for Macs since 2000, it's rather amazing you don't appear to know any of the following.

    The first thing I noticed was an EFI partition

    Every physical drive that has been partitioned as GUID for the Mac will have an EFI table at the top of the drive, such as below. I set up Disk Utility to show the developer menu, which enables you to show all partitions, including normally hidden ones, such as the EFI tables. They also have no format to speak of. I highlighted one of them so you can see what information is shown for an EFI partition. Anyway, it's completely normal.

     

    Screen Shot 1.png

     

    my Mac would randomly start running the fan on high, and things would grind to a halt,

    And why do you believe that automatically equates to malware? It could be a number of reasons, such as a corrupt OS installation, an issue with the logic board, bad RAM, etc. On our 2008 Mac Pro, we installed 8 extra GB of RAM from Other World Computing. Every time we used it for anything that taxed it even a little, the fans would ramp up to full blast until the process finished (like encoding a video). Finally, the Mac came on one day showing 4 GB less RAM than was installed. It turned out one of the 4 GB sticks we put in from OWC was bad from the day we got it and it finally croaked. They replaced it, and now the Mac is always quiet, no matter what it's doing. That bad stick was overheating every time it was being accessed.

    and noticed wheel

    The user wheel is completely normal. It belongs to the OS, as in "the big wheel". It's an account that allows the OS to do things that Unix permissions would otherwise stop a normal account from doing. It needs to be there so the OS can do its job.

    and remember the wheel user... I deleted it...

    Congratulations. You succeeded in completely destroying the OS by removing a required account. Now you get to erase the drive and start over. I wouldn't even attempt to just reinstall the OS over what exists given the sledge hammer approach you've taken to what are all normal processes.

     

    There isn't a point to continue examining the rest of your content. You've butchered your system beyond repair by looking for things you think are there, and then proceeding to entirely ruin the system.
