
Mac OS X Kernel Connecting to Internet, backdoor/trojan/malware?

Hello, I have noticed that Mac OS X Kernel (mach_kernel) is connecting to the Internet. I have little snitch and I saw it reported there. It connected to sites I visited in my browser.


I've googled it, and other users have reported the same thing since 2009. But there's never been any explanation.


Some people say it's connections from torrenting, but I'm not using any torrents.


Could it be a backdoor or mitm thing? Mac kernel rootkits exist don't they? And couldn't the rootkit communicate through another app?


Any information would be appreciated.


macbook pro v.10.9.5

MacBook Pro, OS X Mavericks (10.9.5)

Posted on Apr 14, 2016 5:10 AM

11 replies

Apr 14, 2016 6:10 AM in response to snuffy10

snuffy10 wrote:


Hello, I have noticed that Mac OS X Kernel (mach_kernel) is connecting to the Internet. I have little snitch and I saw it reported there. It connected to sites I visited in my browser.


I've googled it, and other users have reported the same thing since 2009. But there's never been any explanation.


Some people say it's connections from torrenting, but I'm not using any torrents.


Could it be a backdoor or mitm thing? Mac kernel rootkits exist don't they? And couldn't the rootkit communicate through another app?


Any information would be appreciated.


macbook pro v.10.9.5


I found the Apple support option by just entering mach_kernel in ASK.COM -- first reply - so it's okay -- supposed to be invisible and you can change it back to hidden


OS X: mach_kernel visible in the Finder - Apple Support

Apr 15, 2016 5:53 AM in response to snuffy10

snuffy10 wrote:


Thank you for the reply!


I wasn't clear in the first post.


I installed Little Snitch. LS reports that mach_kernel is connecting to websites I visited in my browser. I'm pretty sure this shouldn't happen.

If you are using Safari - top sites refresh themselves - and for an added bonus if you visit a site regularly at least in snow leopard it gets added.

At some point in Snow - a Fix? was put in to do the refresh and the add (as I had cleaned out top sites) - amazingly when I realized that's what was making a mess - I had over 30 sites added by Apple including an RSS page I visited.


RSS pages may also be a problem - as you can have them load through safari or email.


When you delete a top site - it goes into a list of sites to not add to top sites -- if you just use the safari option to clear it it adds some defaults and starts all over again adding top sites.

Apr 16, 2016 10:24 AM in response to notcloudy

Thank you for replying!


Now I understand why Safari makes so many connections when I start it up.


But I think you're responding to a different problem I had a month ago. I had noticed that firefox was making hundreds of connections to cloudfront.net, an amazon service. I think I found the firefox addon that was causing the problem. Now, no more connections to cloudfront. It only connects when I'm using specific sites that I think legitimately use that service.


But, the problem now isn't the number of connections. And I mainly use Firefox. The problem is that if I connect to www.google.com on Firefox, Little Snitch shows that mach_kernel connects to the same site.


That doesn't make sense. Mac OS X kernel shouldn't be connecting to the internet or random ip addresses.


I've asked the LS developers, sent information about the connections/memory/etc, and the only thing we've concluded is that LS is working just fine. mach_kernel is making connections, but we don't know why.


And finally, I've found discussion topics (on here and other places) where users have seen the same thing: mach_kernel making network connections. Sometimes it's dismissed as the result of a p2p client. But most of the users aren't downloading torrents. Most of the time this issue just goes unsolved.


I know that there are kernel rootkits, but I don't know how a rootkit could be detected by something like Little Snitch.


I don't really know what's up with this computer.

May 1, 2016 3:23 PM in response to snuffy10

snuffy10 wrote:


Thank you for replying!


Now I understand why Safari makes so many connections when I start it up.


But I think you're responding to a different problem I had a month ago. I had noticed that firefox was making hundreds of connections to cloudfront.net, an amazon service. I think I found the firefox addon that was causing the problem. Now, no more connections to cloudfront. It only connects when I'm using specific sites that I think legitimately use that service.


But, the problem now isn't the number of connections. And I mainly use Firefox. The problem is that if I connect to www.google.com on Firefox, Little Snitch shows that mach_kernel connects to the same site.


That doesn't make sense. Mac OS X kernel shouldn't be connecting to the internet or random ip addresses.


I've asked the LS developers, sent information about the connections/memory/etc, and the only thing we've concluded is that LS is working just fine. mach_kernel is making connections, but we don't know why.


And finally, I've found discussion topics (on here and other places) where users have seen the same thing: mach_kernel making network connections. Sometimes it's dismissed as the result of a p2p client. But most of the users aren't downloading torrents. Most of the time this issue just goes unsolved.


I know that there are kernel rootkits, but I don't know how a rootkit could be detected by something like Little Snitch.


I don't really know what's up with this computer.


Wikipedia has a bunch of articles on this being used on various operating systems.

As the Apple support article says it's supposed to be hidden in Finder -- and never delete it - it is probably normal.


Keep in mind when you open Apple applications - if you are on the internet - the application does connect to the mother ship for extended help. Also, if you have automatic software update checking that will happen in background - so you may not know it's running or downloading.

Apr 19, 2016 7:42 AM in response to notcloudy

Thank you for all your help notcloudy! I think it's all probably just normal stuff, and this is what I get for being bad with computers and then peering too closely at a network monitor. But I do still have some questions about it.


Ok: I was thinking that the kernel doesn't have any role in networking, and so this behavior was abnormal. But I'm not quite sure yet why mach_kernel for this OS would need to make its own, separate connection to a website I'm visiting.


I looked up kernels in general and saw that they act as an in-between for applications and memory/cpu/etc. I also saw that kernels handle the network stacks and that applications 'call' to 'use the library' and send/receive packets. So I guess it's just a normal thing: kernel is where the source port/destination is processed and where address resolution takes place. But a network monitor would just report the application, since it's the one making the request. Have I got that right?


The thing I still don't understand is that in Apple's overview of mach_kernel https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Mach/Mach.html#//apple_ref/doc… I don't see any information about networking, and I think that there's a different kernel that handles all of the above stuff.

Apr 19, 2016 1:02 PM in response to snuffy10

snuffy10 wrote:


Thank you for all your help notcloudy! I think it's all probably just normal stuff, and this is what I get for being bad with computers and then peering too closely at a network monitor. But I do still have some questions about it.


Ok: I was thinking that the kernel doesn't have any role in networking, and so this behavior was abnormal. But I'm not quite sure yet why mach_kernel for this OS would need to make its own, separate connection to a website I'm visiting.


I looked up kernels in general and saw that they act as an in-between for applications and memory/cpu/etc. I also saw that kernels handle the network stacks and that applications 'call' to 'use the library' and send/receive packets. So I guess it's just a normal thing: kernel is where the source port/destination is processed and where address resolution takes place. But a network monitor would just report the application, since it's the one making the request. Have I got that right?


The thing I still don't understand is that in Apple's overview of mach_kernel https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/KernelProgramming/Mach/Mach.html#//apple_ref/doc… I don't see any information about networking, and I think that there's a different kernel that handles all of the above stuff.


It possibly is the program that actually does the connection -- and is called by another program in a call stack.


As it's a hidden file - based on Apple documentation - it means they don't want you deleting it - and it's not to worry about it.

Apr 20, 2016 8:56 AM in response to snuffy10

Sounds suspicious. I have Little Snitch and I have never seen mach_kernel making outbound connections. I would register here, where you may get a more informed answer.


Also try


https://forums.malwarebytes.org/forum/165-malware-removal-help-for-mac/



EDIT: I'm also seeing it was asked already, with no definitive answer, at Stack Exchange. I'd try again.


http://apple.stackexchange.com/questions/167411/little-snitch-reports-outgoing-connections-from-mach-kernel-am-i-infecte…


Another place to ask here at ASC is Mac OS X Technologies and see if you can make this to the attention of MrHoffman who is pretty good on OS X security.


I would also recommend running all the open port checks in https://www.grc.com/x/ne.dll?bh0bkyd2

May 1, 2016 3:27 PM in response to snuffy10

Okay... I don't know what's causing these connections.


The mach kernel is a central part of the core of the XNU, the operating system kernel of OS X. Mach is entirely built on communications, too. If you want to see how XNU is structured including the mach bits, Apple has provided the Darwin open source package — that's the XNU kernel, packaged as open source.


OS X 10.9 is comparatively old, and I'd encourage a move forward from there. If you're particularly concerned about security, please don't stay on older versions, and particularly on versions that have largely or entirely fallen off support.


As for root kits and UEFI malware and firmware hacks, sure, but are you really worth using the top-shelf stuff? No offense intended here, but — if you're asking this sort of question here in these forums — you're probably not worth using those sorts of tools. (And I'd tend to expect the better stuff around would either detect and unhook Little Snitch, or would otherwise bury its traffic.)


As for connections to the Internet, all sorts of stuff does that — legitimately or otherwise — and mach is at the core of the entire operating system. Which ports are the network connections going to? TCP 80 and/or 443, as I'd expect? If you're particularly interested, use some of the available tcpdump or TLS MITM tools to dump out the network traffic. But here, I'd suspect that this is either checking for web data or generating a Safari thumbnail or related, or there's something local running that's checking (RSS, etc).


If you suspect the operating system has been compromised, wipe the disk and reinstall. Based on what you're describing here — if this network access is secondary to a breach (and which I'd tend to doubt, at least for now) — then wipe-and-reload-from-distro is the recovery path. Don't load anything from the old system, other than (maybe) documents. Now if you're a bona fide target for somebody with a budget to be interested in you and thus for root kits and the worst of the rest of the dreck, then physically destroy the system hardware and buy a new computer, preferably from a random Apple store or Apple vendor. Then get help from folks that specialize in higher-level security. (Not kidding here, either.)


As for Little Snitch and the rest (and not intending to disparage — they do have their uses), I'd usually just remove those tools for most folks — they're often effectively providing the same Paranoia as a Service (PaaS) as implemented via antivirus with popups, and — when certain connections are incorrectly blocked — both sorts of tools can provide flaky app or system behavior.
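The check MrHoffman suggests above (which ports are the connections going to, and which process owns them) can be scripted against `lsof` output. This is an added example, not code from the thread or from Little Snitch; the `lsof` lines it parses are a constructed sample in the format `lsof -nP -iTCP -sTCP:ESTABLISHED` prints, and the process names, addresses and the odd port 8080 in it are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise established TCP connections per process and flag any
# remote port other than the web ports (80/443) the thread expects to see.
# On a live Mac, replace SAMPLE_LSOF with: lsof -nP -iTCP -sTCP:ESTABLISHED
# Constructed sample (not real output). The kernel shows up under whatever name
# the tool uses (Little Snitch said mach_kernel; ps reports kernel_task, PID 0).
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox     412 snuffy   55u  IPv4 0x1a2b      0t0  TCP 192.168.1.5:52311->172.217.0.46:443 (ESTABLISHED)
firefox     412 snuffy   61u  IPv4 0x1a2c      0t0  TCP 192.168.1.5:52318->172.217.0.46:80 (ESTABLISHED)
kernel_task   0 root     17u  IPv4 0x1a2d      0t0  TCP 192.168.1.5:52320->203.0.113.9:8080 (ESTABLISHED)'

# Print "process remote_host remote_port" for every ESTABLISHED line.
# The NAME column is local->remote; the remote port is the text after the last
# colon, which also works for bracketed IPv6 addresses such as [::1]:443.
connections() {
    printf '%s\n' "$1" | awk '$NF == "(ESTABLISHED)" {
        split($(NF-1), ep, "->")
        n = split(ep[2], rp, ":")
        print $1, rp[1], rp[n]
    }'
}

# Report every connection whose remote port is not 80 or 443.
unexpected_ports() {
    connections "$1" | awk '$3 != 80 && $3 != 443 { print $1 " -> " $2 ":" $3 }'
}

# Count established connections per process name, sorted by name.
per_process() {
    connections "$1" | awk '{ c[$1]++ } END { for (p in c) print p, c[p] }' | sort
}

echo "Connections per process:"
per_process "$SAMPLE_LSOF"
echo "Remote ports outside 80/443:"
unexpected_ports "$SAMPLE_LSOF"
```

Anything listed under the second heading is what to look at next with tcpdump, as the reply above suggests; a kernel-attributed connection that only ever goes to 80/443 on hosts you just browsed is consistent with the benign explanations given in this thread.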

May 1, 2016 4:06 PM in response to MrHoffman

Thank you for your replies WZZZ and Mr. Hoffman! Those were both very helpful steps to move forward with, and also learn more about what's going on. It's probably something normal, but I'll keep trying to learn more about it.


I tried to mark your post as helpful WZZZ, but I can't seem to. But thanks for the other forums and information.
