arrividerci

Q: Recovery from unknown hack

Let me confess that while I've been dealing with PCs since their inception, the Mac is something new.

The time has come to restore a MacBook to a state which can be trusted to be free from any possible unwanted software contamination.  My initial investigation reveals that Apple, like Windows, is using an approach where a recovery system, which I presume to be a separate partition, is provided for the purpose of dealing with certain problems where system restoration is desired.  While this might be effective in certain scenarios, the situation confronting me is that I have good reason to believe that my system has been compromised.  This means it has been altered in a manner that is unknown.  This is presumed to have been done with malicious intention, which certainly includes circumventing efforts to undo the alteration.  Therefore, the use of a recovery mechanism which depends on anything present on the computer at the time of contamination is unworthy of trust.  To do such must be considered bad practice.  Furthermore, if I understand things correctly, the recovery system present on this computer actually wants to use the inherently untrustworthy Internet to effect a recovery.

Good practice requires the use of software that could not have been tampered with, which is a basic characteristic of optical media (e.g., DVD).  Is it possible to use a bootable DVD to effect the restoration?  If so, how is such a DVD obtained?  If not, how can trustworthy media of some kind be obtained?  An important consideration should be that it is necessary to restore a reliable operating system without ever connecting the computer to any kind of network.

MacBook Air, OS X Mavericks (10.9)

Posted on Aug 24, 2015 1:46 PM


  • by Kappy, Aug 24, 2015 1:54 PM in response to arrividerci
    Level 10 (270,295 points), Desktops

    If your MBA is from 2011 or later then do this:

    Install OS X Using Internet Recovery

    Be sure you back up your files to an external drive or second internal drive because the following procedure will remove everything from the hard drive.

    Boot to the Internet Recovery HD:

    Restart the computer and after the chime press and hold down the COMMAND-OPTION-R keys until a globe appears on the screen. Wait patiently - 15-20 minutes - until the Recovery main menu appears.

    Partition and Format the hard drive:

    1. Select Disk Utility from the main menu and click on the Continue button.
    2. After DU loads select your newly installed hard drive (this is the out-dented entry with the mfgr.'s ID and size) from the left side list. Click on the Partition tab in the DU main window.
    3. Under the Volume Scheme heading set the number of partitions from the drop down menu to one. Click on the Options button, set the partition scheme to GUID then click on the OK button. Set the format type to Mac OS Extended (Journaled). Click on the Partition button and wait until the process has completed. Quit DU and return to the main menu.

    Reinstall OS X: Select Reinstall OS X and click on the Install button. Be sure to select the correct drive to use if you have more than one.

    Note: You will need an active Internet connection. I suggest using Ethernet if possible because it is three times faster than wireless.

    This should restore the version of OS X originally pre-installed on the computer.

    If the MBA is pre-2011 it came with installation DVDs, so do this:

    Clean Install of Snow Leopard

    Be sure to make a backup first because the following procedure will erase the drive and everything on it.

    1. Boot the computer using the Snow Leopard Installer Disc or the Disc 1 that came with your computer.  Insert the disc into the optical drive and restart the computer.  After the chime press and hold down the "C" key.  Release the key when you see a small spinning gear appear below the dark gray Apple logo.
    2. After the installer loads select your language and click on the Continue button. When the menu bar appears select Disk Utility from the Utilities menu.  After DU loads select the hard drive entry from the left side list (mfgr.'s ID and drive size).  Click on the Partition tab in the DU main window.  Set the number of partitions to one (1) from the Partitions drop down menu, click on the Options button and select GUID, click on OK, then set the format type to MacOS Extended (Journaled, if supported), then click on the Apply button.
    3. When the formatting has completed quit DU and return to the installer.  Proceed with the OS X installation and follow the directions included with the installer.
    4. When the installation has completed your computer will restart into the Setup Assistant. After you finish, Setup Assistant will complete the installation, after which you will be running a fresh install of OS X.  You can now begin the update process by opening Software Update and installing all recommended updates to bring your installation current.

    Download and install Mac OS X 10.6.8 Update Combo v1.1.

  • by arrividerci, Aug 24, 2015 2:06 PM in response to Kappy
    Level 1 (0 points)

    It is post 2011!

    Are you really saying there is no way to recover other than relying on the potentially contaminated software?  In that, there is no way to obtain reliable media?  What am I supposed to do when the SSD fails?

  • by Kurt Lang, Aug 24, 2015 2:07 PM in response to arrividerci
    Level 8 (37,696 points)

    The only OS it will install is directly from Apple's servers. If the drive fails, you replace it and follow the same procedure Kappy outlined above to install the OS the Mac came with.

  • by Kappy, Aug 24, 2015 2:32 PM in response to arrividerci
    Level 10 (270,295 points), Desktops

    Why is the software potentially contaminated? You obtain it by download from Apple's servers. If you prefer, thereafter, you can put the installation software on a bootable USB flash drive:

    Make Your Own Mavericks, Mountain/Lion Installer

    1. After downloading the installer you must first save the Install Mac OS X application. After the installer downloads DO NOT click on the Install button. Go to your Applications folder and make a copy of the installer. Move the copy into your Downloads folder. Now you can click on the Install button. You must do this because the installer deletes itself automatically when it finishes installing.
    2. Get a USB flash drive that is at least 8 GB. Prep this flash drive as follows:
       a. Open Disk Utility in your Utilities folder.
       b. After DU loads select your flash drive (this is the entry with the mfgr.'s ID and size) from the left side list. Under the Volume Scheme heading set the number of partitions from the drop down menu to one. Set the format type to Mac OS Extended (Journaled). Click on the Options button, set the partition scheme to GUID then click on the OK button. Click on the Partition button and wait until the process has completed.
       c. Select the volume you just created (this is the sub-entry under the drive entry) from the left side list.
       d. Click on the Erase tab in the DU main window.
       e. Set the format type to Mac OS Extended (Journaled). Click on the Options button, check the button for Zero Data and click on OK to return to the Erase window.
       f. Click on the Erase button. The format process can take up to an hour depending upon the flash drive size.

    Use DiskMaker X beta 5 to put your installer clone onto the USB flash drive.

    Alternatively, make your own flash drive installer using the Yosemite tool:

    You can create a Yosemite flash drive installer via the Terminal. Yosemite has its own built-in installer maker you use via the Terminal:

    You will need a freshly partitioned and formatted USB flash drive with at least 8 GB. Leave the name of the flash drive at the system default, "Untitled." Do not change this name. Wait for the process to complete, which will take quite some time.

    Open the Terminal in the Utilities folder. Copy and paste the following command line in its entirety into the Terminal window.

        sudo /Applications/Install\ OS\ X\ Yosemite.app/Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ Yosemite.app

    Press RETURN, enter the admin password (it will not echo to the window), then press RETURN again.

    You need to have the installer in your Applications folder or change the paths in the above command line.

  • by arrividerci, Aug 24, 2015 7:53 PM in response to Kappy
    Level 1 (0 points)

    To reliably download the proper software you have to be able to trust the software that is doing the download.  That isn't possible in the given scenario.

  • by Kappy, Aug 24, 2015 10:14 PM in response to arrividerci
    Level 10 (270,295 points), Desktops

    That isn't an answer, it simply repeats the question. Why is a download from Apple's servers potentially contaminated? In this and any other scenario?

  • by MrHoffman, Aug 25, 2015 5:19 AM in response to arrividerci
    Level 6 (15,612 points), Mac OS X

    "Good Practice" varies widely by your budget, and by your value as a target of security attacks.

    If you're a high-value target, then you'll want to shred the Mac per local hardware destruction policies, anonymously source a replacement Mac, and move on.  Yes, seriously.  If you're unable or unwilling to trust a cryptographically checked download, then you've been hacked at the BIOS or lower level, the attack will be exceedingly persistent, and you should not reuse the configuration.

    If you do not have the budget to shred and replace (and particularly if you're not a high-value target), then you're going to have to trust that the BIOS and the increasingly large multitude of other device firmware present in your configuration is intact and unaltered, and that the cryptographic verifications of the Apple downloads are sufficient, and that the cryptographic checks are correctly implemented.

    You can download an installation kit from Apple via another Mac and generate an installer there, if you're inclined.   If you really want to go DVD or other write-locked media, you'll need a DL-capable configuration as AFAIK the installation is bigger than a single-layer DVD can provide.   See the createinstallmedia command, and there are purported DVD-creation sequences posted.   Boot from that and erase the disk, then reinstall.

    Then re-install your add-on software from known-good sources.  Whether you can or should recover data files from backup varies — some tools have macro languages, meaning — if you're worth the effort to specifically attack — a backdoor might be present in any post-breach backups.

    All that aside, most folks get corrupted by installing software and add-ons that they probably should not have (torrented software or adware-infested software from some of the "repository" web sites, for instance), by choosing bad passwords or having their passwords exposed, by having Adobe Flash installed or having Oracle Java installed and web-accessible, or via insecure connections, or by somebody with direct hardware access.   Not by the sorts of attacks that modify hardware or disk or peripheral device firmware; those are more advanced and more persistent.   More than a few cases of "virus" reports around the forums are simply innocent software or hardware issues, too.

    Now if you're a target, you'll want to enlist rather more direct assistance than can be provided via forum postings.

    FWIW, if you're actually a target — and not to increase any paranoia — I would not expect you to see any particular symptoms.  If you're seeing problems, then it's probably either a software or configuration failure or corruption, some garden-variety adware, or failing hardware.

    In short... In the most likely case... Troubleshoot the problem — hardware and software — where Etrecheck and some other tools can spot the usual sorts of dreck that gets installed — and then repair or replace the hardware, or clean up the OS X environment manually or via what Kappy and Kurt Lang have provided and described, and get on with your computing.   Adware and other dreck is fairly common of late, unfortunately.  Hardware errors have been confused for infections and breaches since at least the 1970s with the then-common floppy disk read errors.
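    Tying Kappy's createinstallmedia command to MrHoffman's point that the whole plan rests on trusting Apple's cryptographically checked download: the script below is an added example (not code from any reply here, nor from Apple) that checks the downloaded installer app's code signature with codesign before handing it to createinstallmedia. It assumes the "Install OS X Yosemite.app" path and "Untitled" volume name from Kappy's reply, and the two codesign output samples it tests itself against are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: check the downloaded
# installer app's code signature on the trusted Mac that builds the media,
# then hand it to createinstallmedia. The volume name follows Kappy's reply;
# override it with VOLUME=/Volumes/Other if the flash drive is named differently.

VOLUME="${VOLUME:-/Volumes/Untitled}"

# Certificate chain `codesign -dvv` prints for software signed by Apple itself
# (leaf first). A re-signed bundle shows a different chain, e.g. Developer ID.
EXPECTED_CHAIN="Software Signing
Apple Code Signing Certification Authority
Apple Root CA"

# chain_ok TEXT: succeed only if the Authority= lines in TEXT equal
# EXPECTED_CHAIN, same names and same order, with nothing extra or missing.
chain_ok() {
    got=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p')
    [ "$got" = "$EXPECTED_CHAIN" ]
}

# identifier_ok TEXT: the Identifier= line must be an Apple bundle id.
identifier_ok() {
    printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | grep -q '^com\.apple\.'
}

# verify_installer APP: structural check first (every file in the bundle must
# match its sealed hash; --strict rejects unsealed extras), then the chain and
# the identifier. Both codesign invocations are real Apple tool options.
verify_installer() {
    app="$1"
    codesign --verify --deep --strict "$app" || return 1
    info=$(codesign -dvv "$app" 2>&1) || return 1
    chain_ok "$info" && identifier_ok "$info"
}

# build_media APP VOLUME: refuse to write media from an installer that fails
# verification; otherwise run the same createinstallmedia command Kappy posted.
build_media() {
    app="$1"; vol="$2"
    if ! verify_installer "$app"; then
        echo "refusing to build media: $app failed code signature checks" >&2
        return 1
    fi
    sudo "$app/Contents/Resources/createinstallmedia" \
        --volume "$vol" --applicationpath "$app"
}

# Constructed sample of codesign -dvv output for a genuine Apple installer.
# The real output also carries Executable=, Format=, CodeDirectory= and other
# lines, which the checks above ignore.
SAMPLE_GOOD="Identifier=com.apple.InstallAssistant.Yosemite
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA"

# Constructed sample of a bundle someone re-signed with their own certificate:
# the Identifier still looks right, so the chain check is what catches it.
SAMPLE_RESIGNED="Identifier=com.apple.InstallAssistant.Yosemite
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA"

main() {
    case "${1:-}" in
        "")         echo "usage: $0 --selftest | '/Applications/Install OS X Yosemite.app' [volume]" >&2 ;;
        --selftest) chain_ok "$SAMPLE_GOOD" && ! chain_ok "$SAMPLE_RESIGNED" \
                      && identifier_ok "$SAMPLE_GOOD" && echo "selftest ok" ;;
        *)          build_media "$1" "${2:-$VOLUME}" ;;
    esac
}
main "$@"
```

    Run it on the separate, trusted Mac used for the download: codesign's verdict is only as good as the trust roots and tools of the machine running it, which is exactly why the compromised MacBook itself cannot be the one doing the checking.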

  • by arrividerci, Aug 25, 2015 8:46 AM in response to Kurt Lang
    Level 1 (0 points)

    Kurt Lang says "The only OS it will install ...".  May I assume that "it" refers to what Apple is calling the Recovery System?  While an uncontaminated Recovery System will only download proper files from the proper Apple server, I'm thinking that the Recovery System itself is installed and operated from revisable storage that is vulnerable to being hacked.  Possibly it is installed into a secondary partition on the same storage device as the main OSX used to operate the computer.  Under this scenario the Recovery System is also vulnerable to being maliciously contaminated with software that will do what it wants, which could include downloading files from anywhere it wants.

    My thinking is that a proper restoration of a maliciously contaminated system ought to include everything that could have been contaminated.  In this case, that at least includes a built-in Recovery System.  My own policy has been to use offline media to maintain the files needed to recover a contaminated computer.  The idea is that hackers, at least via the Internet, cannot infect that media.

    It seems to me that wanting to do a complete recovery, meaning to recover all of the software used to operate the computer, is a pretty normal approach to dealing with the kind of problem presented here.  This would mean that any online and operational Recovery System also needs to be restored.

  • by Kurt Lang, Aug 25, 2015 9:09 AM in response to arrividerci
    Level 8 (37,696 points)

    You're letting your experience with the Swiss Cheese OS that is Windows affect how you look at OS X.

    The Recovery partition is hidden and highly unlikely to be affected by any malware since it's not a normally mounted partition.

    By "The only OS it will install is directly from Apple's servers.", I mean if you boot from the hidden Recovery partition and erase the normal visible partition OS X is currently on, it will start the installation of OS X from the hidden partition. There isn't much on that partition, so it's only a starting point. The rest gets installed from Apple's servers.

    If you want to clear the deck, restart and boot to Internet Recovery by holding down Command+Option+R. This boots to the Mac's firmware rather than the hidden partition on the hard drive, though the interface looks the same. Use Disk Utility to completely repartition the drive so it also wipes out the hidden Recovery partition. Do that by changing the default of Current to something else - anything else.

    [Screen Shot.png: image not included]

    If you don't, reinstalling OS X will install the same version of OS X as what the hidden partition is. With the drive fully repartitioned, Internet Recovery will be forced to install the version of OS X the Mac came with. It will also create a new hidden Recovery partition at the same OS level.

    Once you've reinstalled the original OS for your Mac, you can upgrade it to the level you want from your App Store purchases. Those are also directly from Apple's servers.

    As for any worry about recently covered firmware attacks, that is extremely unlikely. The original Thunderstrike requires direct access to your Mac by someone who both has a copy of the malware, and has the knowledge to apply it. It cannot be installed remotely or passively. Thunderstrike 2 only requires that an infected Thunderbolt device be connected to the Mac to infect it. However, the lab that developed the malware is the only place it exists and has reported it to Apple so they can devise a fix to block it. In other words, it's not in the wild.

    So the chances of Thunderstrike 2 being an issue are pretty much zero. The original Thunderstrike is almost nonexistent, unless you've let unknown people have direct access to your Mac? Also, if it's a 2014 model or newer, the original Thunderstrike can't be installed. If it's older, Apple has released firmware updates for a number of Macs that block Thunderstrike.

  • by arrividerci, Aug 25, 2015 9:25 AM in response to MrHoffman
    Level 1 (0 points)

    Thanks!  This looks like the kind of response I was hoping for.

    The idea of using another computer that is trusted to download the files used for restoration fits within the budget contemplated for this job.  You refer to an Installation Kit as something that must be downloaded using another Mac.  It sounds like you are saying that the actual files that will be used to perform the installation, which includes being able to boot from the media, can be created by any (?) Mac.  I suspect the requirement for the Mac has to do with ensuring the media is formatted with a suitable file system that is bootable.

    Can you provide a reference to the source for downloading the Installation Kit?

    Something I would contemplate doing after a successful recovery has been completed, which will include restoring the user-selected applications, is to create the necessary media for reacting more expeditiously to the need to make a restoration.  Is there a way to create some kind of system image once a reliable and trusted system is operational that can be used to make a complete restoration?

    With respect to DVD, I only meant that as an example.  The unalterable property of certain DVD formats is desirable for such files.  Also, it tends to be an inexpensive way to store things you put in a drawer with the hope that you will never need to use them.  However, being able to store the media offline, as with any removable media, provides the kind of protection that I'm seeking.  The reference to the "createinstallmedia" command reads like part of the function performed by this software is to download the necessary files.  Might that be correct?  If so this is worth pursuing.

  • by arrividerci, Aug 25, 2015 9:53 AM in response to Kurt Lang
    Level 1 (0 points)

    Kurt, you are quite correct about my experience being heavily weighted toward Windows, with a little bit on Unix (as in AIX) and Linux (as in Debian/Ubuntu) but just starting on OSX.

    The big problem we're dealing with here is that we don't know what we don't know.  Therefore, my thinking is that we must assume that whatever is possible might have been done to us.  The idea of recovery is to say with a very high level of confidence that the system has been restored to a state that existed prior to any contamination.  I understand your point regarding the unlikelihood of hacking into a hidden partition, but I have a hard time understanding why it should be hard to replace it.  Windows now uses the concept of a Recovery System that is always online, and while you don't have to, it is real easy to rebuild the entire storage device when you get in the situation presented here.  The basic Windows Installer will do it.  Once you get to the point of doing what we're talking about here, I'm of the mind "why not?".

    If Internet Recovery is something that is done exclusively by the BIOS, which I'd accept is something hackers cannot change without my noticing, then that would be different from the way Windows works (at least the versions I'm familiar with).  It is also a concept worthy of consideration, which is something I'll plan to do.

    Thanks for the lesson.

  • by Kurt Lang, Aug 25, 2015 10:55 AM in response to arrividerci
    Level 8 (37,696 points)

    Depending on how sensitive your data may be, I do understand your side of caution.

    Yes, an Internet Recovery startup is the way to fully wipe a drive, including the current hidden recovery partition. As with MS, the OS is also always online via Apple's servers and accessed by the recovery process, whether you're doing it from the hidden partition, or from the firmware.

    The OS that gets installed on a fully wiped, or new blank drive is the machine-specific version of OS X that Mac came with. For instance, if your Mac came with Mountain Lion, you can only use the version of ML recovery will download and install. The App Store version of Mountain Lion will not install on that Mac because it doesn't include the hardware drivers for that model.

    Just to be technical, there is no BIOS on any Mac. Any Intel Mac, like newer PCs, uses EFI. Older Macs used Open Firmware. The concept of course is mostly the same. The firmware starts the boot process and holds certain hardware configuration data.

    As mentioned above, the chances that anyone managed to install Thunderstrike on the Mac's firmware are extremely thin. Only thing is, I don't know how you'd check for it. But if you simply search for something like "how to tell if Thunderstrike has been installed", you'll find on any site discussing it that the odds are ridiculously low.

  • by Drew Reece, Aug 25, 2015 11:16 AM in response to arrividerci
    Level 5 (7,490 points), Notebooks

    Just download the OS from the App Store. Quit the automatic 'Install helper' that opens. Use the createinstallmedia command that MrHoffman posted…

    Create a bootable installer for OS X Mavericks or Yosemite - Apple Support

    Or use diskmakerx.com if you want another way to make a bootable USB installer.

    Any OS from the store will install on any compatible Mac.

    For system imaging use Disk Utility or third-party apps like Carbon Copy Cloner, SuperDuper! etc. You can save backups to a partition or to a disk image if you do not need it to be a bootable clone.

  • by MrHoffman, Aug 25, 2015 2:15 PM in response to arrividerci
    Level 6 (15,612 points), Mac OS X

    arrividerci wrote:

        You refer to an Installation Kit as something that must be downloaded using another Mac.  It sounds like you are saying that the actual files that will be used to perform the installation, which includes being able to boot from the media, can be created by any (?) Mac.  I suspect the requirement for the Mac has to do with ensuring the media is formatted with a suitable file system that is bootable.

    Please do not carry across your assumptions of Windows, nor (most of) your experiences managing and maintaining Windows.

    That path quite often leads to confusion and frustration, as OS X is very different than Windows.

    As for the ability to swap disks around with OS X...   That works.   While there were some old installer DVDs that were tied to specific systems and some retail DVDs that could be installed on any Mac, bootable disks and bootable USB flash disks will work across all Mac systems that are supported by the OS X version that's present on the disk you're booting.

    Contrast this with what you're likely familiar with from Windows: Microsoft ties a specific Windows installation to a specific x86, Alpha, PowerPC, MIPS R4000, or whatever other box was booting Windows.  Apple does not tie an OS X installation to a specific Mac, and the OS X software installations all contain all of the necessary drivers needed to boot and run, for any Mac supported by the specific version of OS X.

    You do need to watch your App Store purchases and limits and the Apple Terms and Conditions, but that's pretty much the limit here.

    arrividerci wrote:

        Can you provide a reference to the source for downloading the Installation Kit?

    That's in the linked articles, and it's been discussed in various other replies here — launch the App Store.app and download the Yosemite installer.  This is the same kit that was referenced earlier as one of the paths to "nuke and pave" this system.

    arrividerci wrote:

        Something I would contemplate doing after a successful recovery has been completed, which will include restoring the user-selected applications, is to create the necessary media for reacting more expeditiously to the need to make a restoration.  Is there a way to create some kind of system image once a reliable and trusted system is operational that can be used to make a complete restoration?

    Backups via Time Machine or other tools.  Again, you are carrying over Windows.  Time Machine is built in, multiple targets are supported, and operations are transparent.   Could you spend your time creating a disk image and storing it somewhere else, and manually maintaining the sequencing and the rest of an "enterprise" backup — "enterprise" meaning awkward, expensive, buggy and problematic — sure.  But it'll be easier to do what was suggested — use createinstallmedia to generate bootable media — which creates what you are asking for, with the most current bits available from Apple.

    arrividerci wrote:

        With respect to DVD, I only meant that as an example.  The unalterable property of certain DVD formats is desirable for such files.  Also, it tends to be an inexpensive way to store things you put in a drawer with the hope that you will never need to use them.  However, being able to store the media offline, as with any removable media, provides the kind of protection that I'm seeking.  The reference to the "createinstallmedia" command reads like part of the function performed by this software is to download the necessary files.  Might that be correct?  If so this is worth pursuing.

    My experience with DVD media and DVD drives is apparently far less rosy than yours.  I store a couple of bootable USB disks offline — created with createinstallmedia — and try to remember to update those as the new OS X versions and new releases are shipped.

    All that written, OS X is itself largely uninteresting here.  The Mac itself is also uninteresting here, too.   Why uninteresting?  Because it is your data and your local applications that are paramount.  You can download a new copy of Yosemite or of the upcoming El Capitan and install it using the sequences cited here.  Your data is far more difficult to replace and far more precious — which gets into off-line and off-site backups, device encryption, and related discussions.  Malware is secondary, and is far less of an issue than on Windows.  Absent the traditionally security-problematic Adobe Flash and Oracle Java tools and weak or exposed passwords, the "easiest" way for folks to get malware onto your system is to trick you into installing it.

    For more information...  I've written up the sequence used to recover a server from a breach, assuming that rolling in a pre-breach backup is not feasible.  US NSA and Apple have some guidelines, as well; when last I checked, the Apple guides were dated, and do not reflect newer changes to OS X, including Xprotect, file quarantines, and Gatekeeper, as well as the upcoming system integrity protection changes with El Capitan.