System Integrity Protection

Months later and I'm still dealing with this. AppleCare, the Genius Bar, local service providers et al. have all worked on 3 of 4 machines (the 4th is under a month old).


Short story: MacBook Pro, two MacBook Airs and iMac all compromised. All have been clean installed, securely wiped and no data transferred.

The first "attack" I observed on December 10, 2015 as Bluetooth File Transfer opened and files from my library were moved. Next Automator opened and crashed my machine. I disconnected Wi-Fi the moment I realized what was happening.

After weeks of bad advice, no help and a small fortune I found a hidden partition on the startup disk containing the malicious files. They are similar to normal OS X recovery files.

I attempted a reset in Terminal but I am not the administrator of my machine. No Wi-Fi is turned on yet the machine is connected to a local network.

Is there any way to restore SIP and regain control of my system?

Most of the Disk Utility menu for the startup disk is greyed out. If I search for an image, there are several connected devices that appear.

Apple suggested the yellow pages. My area has one service provider who "fixed" the problem. They recommended selling them.

For Clarification:

YES, I tried a clean install via Apple's instructions: new USB, made from a different machine away from my network.

My network is currently secure with non-default passwords, new modem, access point, and an enterprise level external firewall.

I was originally using JavaScript / Chrome, a requirement for school.

No dark web, pornographic or shady websites were visited.

All software was purchased via the App Store, minus 3 professional programs that were installed via USB.


weeks of absolute ****!

MacBook Pro

Posted on Jan 29, 2016 8:28 PM


Jan 31, 2016 1:07 AM in response to MrHoffman

MrHoffman wrote:

it's possible to disable system integrity protection dynamically, if you have kernel access.

But again — if SIP has been disabled via the recovery boot or otherwise — none of what is installed can be trusted.

Which implies installation of something which changed the kernel (add-ons). That occurs when allowing installation from doubtful sources, which means changing the security preferences by the Admin or Remote Admin. But, I concur.


Leo
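Leo's point above is that once SIP has been turned off (from Recovery, or dynamically from kernel context) the installed system can no longer be trusted, so the first thing to establish on each machine is SIP's actual state. The script below is an added example, not code from this thread or from Apple: it classifies the text that `csrutil status` prints on OS X 10.11 into enabled / custom / disabled, using constructed sample outputs in the shape that command produces (the exact wording of the "Custom Configuration" form is assumed from the 10.11 tool; treat it as an assumption). On a Mac it runs the live check at the bottom; elsewhere only the classifier and samples are defined.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `csrutil status` output.
# Usage on a Mac: sip_state "$(csrutil status)"
# Prints one word: enabled | custom | disabled | unknown

sip_state() {
    # $1 is the full text printed by `csrutil status`.
    # The "custom" pattern must be tested first: it also contains "status: enabled".
    case "$1" in
        *"status: enabled (Custom Configuration)"*) echo custom ;;
        *"status: enabled"*)                        echo enabled ;;
        *"status: disabled"*)                       echo disabled ;;
        *)                                          echo unknown ;;
    esac
}

# Exit status 0 only when SIP is fully enabled (usable in a health check).
# A partially relaxed ("custom") configuration counts as not OK.
sip_ok() {
    [ "$(sip_state "$1")" = "enabled" ]
}

# Constructed sample outputs (assumed 10.11 wording), used for offline testing.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: enabled
	Debugging Restrictions: enabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled'

# Live check, only when the csrutil tool is present (i.e. on a Mac).
if command -v csrutil >/dev/null 2>&1; then
    live_out="$(csrutil status 2>/dev/null)"
    echo "SIP: $(sip_state "$live_out")"
    if ! sip_ok "$live_out"; then
        echo "WARNING: SIP is not fully enabled; reboot to Recovery and run 'csrutil enable'." >&2
    fi
fi
```

Run it from a Terminal on each machine after a clean install; any result other than "enabled" means the protection Leo describes is not in force, and re-enabling it from Recovery (and then re-checking) is the baseline before anything else on that system is trusted.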

Jan 31, 2016 6:09 AM in response to .ellelle

Hi Ellelle

Wow, what a nightmare! What I suspect may make it even worse, but there is absolutely no way for me to know for sure other than some high-level snooping.

First, "Who is the Administrator" on your computers? You have 4 computers; someone has to have admin privileges. Is it remotely done?


Given all you have tried, OS erase re-installs, Apple support etc., I fear your computers may be victims of a new breed of malware that is rare, but unfortunately now in the wild (since at least 2014). While it could be one of several, I suspect you may have been infected by "BadUSB", malware that rewrites the USB firmware. It is largely undetectable, survives OS wipes/reinstalls and almost everything. It can affect Macs, Linux, Windows, and any device that has USB controllers.

USB is ubiquitous. Most use Intel chips, and the chips contain enough space to allow malicious code to raise major Hxxx on your computers. This code can also be set to replicate itself to any USB device that comes installed in your computer or any device that attaches to your USB port.

You say you have found unknown "files for detachable drives" and this could also be an indicator.


About the only way to know for sure would be to compare the USB firmware code to known original code. This is something Apple could do, and it would be in their best interests to do so.

Not sure if there is any security software that will detect BADUSB, but there is some for other Malware.


There are now other versions of malware that are exploiting hardware/firmware. These are very vicious. They are "low level" exploits and SIP may not be able to protect you from them.


Sorry dear Mac users, the days of Macs not being vulnerable are unfortunately over. We just need to be glad they are still rare.


See these articles or search for "badusb+mac", "thunderstrike+mac", "mac+malware":

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/

http://www.imore.com/usb-c-and-badusb-attacks-what-you-need-know

http://www.wired.com/2014/07/usb-security/

https://tidbits.com/article/15505


Sorry,

Hope this helps, Greg
