Q: Mac boot ROM virus is real
WARNING:
If you are of the school that macs can't get viruses (despite Apple's security updates designed to protect against them) and do not wish to be disillusioned (yet...), please skip this post. For those of you on the frontlines: has ANYONE successfully overwritten the boot rom? Via a USB port, my computer was infected. A wipe with 7 pass zeroing and internet-only reinstall fails to erase virus, revealing that it is indeed at the boot rom level. Apple security updates and El Capitan securities, designed to protect EFI vulnerabilities, can supposedly close this barn door but, in my case, the horse has already escaped. My next step is trashing this now-bricked machine and repurchasing. I'd love to hear from anyone who has encountered this and has a boot rom fix or can do some brainstorming!
Recap: erased with 7-pass. Re-partitioned. Clean, internet-only install (no peripherals). Security updates, upgraded to El Capitan. Hijacks persist.
Posted on Nov 15, 2015 8:51 AM
lsof is a command that can list open files and open network channels, and is not particularly related to the non-volatile storage used for the system firmware, nor to the device firmware. When OS X or some other Unix system is running, there'll be more than a few channels open, too.
If you want to discuss those files you're seeing, then we'll need to know the specific commands used, and a brief sample of some of the files and particularly the directories that are visible. So long as OS X is booted, I'd expect those files and channels shown by lsof to be the booted operating system, too.
The following will list the devices present, and the second command will — when provided with the name of a disk device, with the complete name being /dev/disk0 or /dev/disk1, for instance — show the GPT partitioning structures for the device. This obviously assumes the disk is GPT partitioned. Most OS X boot disks are.
$ diskutil list
$ sudo gpt list /dev/disk{unit}
Depending on the exact commands used to erase the disks and the specific disk configuration — specific details matter here — you could well be looking at the UEFI partition or the recovery partition. That's not the system firmware.
The Internet recovery mechanisms do involve more than a few files, as does a local boot from an external bootable USB device — the latter is fairly common for erasing devices, but it's the other disks that get erased and not the local (usually external) boot device that's being used to perform the erasure.
Posted on Nov 17, 2015 6:08 AM
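The reply above says the partitions you see after an erase are the EFI partition or the recovery partition, not the system firmware. The script below is an added example (not from either poster) that classifies the rows of a GPT table so those two are recognised for what they are; it assumes the table layout that `gpt -r show /dev/diskN` prints ("GPT part - <type GUID>" per partition) and uses a constructed sample in that shape rather than live output.

```shell
#!/bin/sh
# Added example: label the partition types in a GPT table so the EFI System
# Partition and the Recovery HD are identified as on-disk partitions. The
# system firmware lives in SPI flash on the logic board, not in any of these
# rows, so erasing or re-partitioning the disk neither reads nor rewrites it.

# Constructed sample in the layout gpt(8) prints with `-r show` (an assumption
# about the format; on the Mac, run the real command with sudo for live data).
SAMPLE_GPT='      start       size  index  contents
          0          1         PMBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
     409640  975093952      2  GPT part - 48465300-0000-11AA-AA11-00306543ECAC
  975503592    1269536      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
  976774543         32         Sec GPT table
  976774575          1         Sec GPT header'

# Map a GPT partition-type GUID to a human name (case-insensitive compare).
gpt_type_name() {
    case "$(printf '%s' "$1" | tr 'a-f' 'A-F')" in
        C12A7328-F81F-11D2-BA4B-00A0C93EC93B) echo "EFI System Partition (boot loaders, not firmware)" ;;
        48465300-0000-11AA-AA11-00306543ECAC) echo "Apple HFS+ (OS X system volume)" ;;
        426F6F74-0000-11AA-AA11-00306543ECAC) echo "Apple Boot / Recovery HD" ;;
        53746F72-6167-652D-11AA-AA11-00306543ECAC) echo "Apple Core Storage (FileVault container)" ;;
        *) echo "unknown type $1" ;;
    esac
}

# Print "index GUID name" for every 'GPT part' row of a gpt show table on stdin.
# PMBR, header, table and free-space rows carry no partition type and are skipped.
classify_gpt_table() {
    while read -r start size index kind rest; do
        case "$kind $rest" in
            "GPT part - "*) ;;
            *) continue ;;
        esac
        guid="${rest##* }"                        # last whitespace-separated field
        printf '%s %s %s\n' "$index" "$guid" "$(gpt_type_name "$guid")"
    done
}

# Number of EFI System Partitions in the table; a normal OS X boot disk has one.
count_esp() {
    classify_gpt_table | grep -c 'EFI System Partition' || true
}

printf '%s\n' "$SAMPLE_GPT" | classify_gpt_table
```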