
Unknown 'back-door' or "root-kit" on both laptop and iPhone


12 replies to this topic

#1 Nmdtime (Members, 6 posts)

Posted 23 January 2014 - 08:04 AM

Due to several incidents, I am attempting to manually search for 'back-doors' and "rootkits", having little to no knowledge of "/" and "root" file hierarchies. For one, I do not have any recommendations for professional services as of yet. For two, I am figuratively crippled without a secure laptop and phone. Hence, I ask the experts here, what does a 'clean' Apple laptop (MBA mid-2013) running Mavericks look like? (My noob plan is to compare a clean example ("/var", "/usr", "/private", and so forth) with my folders. FYI, I have tried clean installs (online and offline), "blessing" new firmware, deleting "boot.efi", and all that is certain is that the culprit "file" cannot be deleted by installing a new OS and erasing drives.)

Also, feel free to ask for "Terminal outputs" or the like. Any advice will be much appreciated. Thank you!

Edited by Nmdtime, 23 January 2014 - 08:11 AM.



#2 smax013 (BC Advisor, 2,326 posts)

Posted 23 January 2014 - 08:10 AM

What makes you think you have some sort of root kit or similar on your Mac and/or iPhone?

I ask because there are very few confirmed "in the wild" malware, etc. situations for Macs and iPhones.

#3 tgdetjen (Members, 65 posts)

Posted 23 January 2014 - 08:25 AM

You can always call Apple Tech Support at 800-MYAPPLE. If you do not have AppleCare, a $19 incident resolution would be worthwhile. They will escalate the problem if necessary to a senior advisor and even system engineers. The problem support lasts up to 30 days and is worth it.



#4 Buddyme2 (Members, 689 posts)

Posted 24 January 2014 - 12:55 AM

What is this "culprit file" that keeps coming up even after an erase and install? 



#5 Nmdtime (Topic Starter, Members, 6 posts)

Posted 24 January 2014 - 08:26 AM

Thanks for replying.
Well, there were and are many seemingly 'paranoid' occurrences: self-opening apps, altered settings and preferences, typing as though someone else is adding text simultaneously; the "clincher" was when a distinct sentence was written in my journal: "my father is a bleep." Since then, I've reviewed many text files and have discovered missing "m's" or "t's" or other strange deletions.

#6 Nmdtime (Topic Starter, Members, 6 posts)

Posted 24 January 2014 - 08:32 AM

Hi.
The "culprit file" is the mystery; more like a culprit "kernel" or something similar. All that I can assume is that the file exists somewhere within the protected "zone" of the computer, that which is unaffected by clean installs. If you like, read this link: http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf

Edited by Nmdtime, 24 January 2014 - 08:34 AM.


#7 smax013 (BC Advisor, 2,326 posts)

Posted 24 January 2014 - 10:57 PM

Thanks for replying.
Well, there were and are many seemingly 'paranoid' occurrences: self-opening apps, altered settings and preferences, typing as though someone else is adding text simultaneously; the "clincher" was when a distinct sentence was written in my journal: "my father is a bleep." Since then, I've reviewed many text files and have discovered missing "m's" or "t's" or other strange deletions.


Just a dumb question…does anyone have physical access to the computer who might be messing with you?

Of the things that you list, the only thing that would seem to rule out my question would be "typing as though someone else is adding text simultaneously".

The other "not horribly nefarious" scenario is that you might have screensharing/remote login turned on and a friend knows your login password and again is messing with you.

The reason I mention these is that there is just not much evidence of things out in the wild that do what you describe. There have been like one or two Mac trojans. I am not aware of a rootkit in the wild that does the kind of things that you are describing (if they were out there, then there is a good chance the tech/computer/Mac press would likely be reporting on it). There are plenty of proof-of-concept type things and hacks demonstrated at hacking contests (such as Black Hat, etc.), but to my knowledge many of those exploits still require some sort of physical access to the computer and generally are not used for the types of things that you are describing. Keep in mind that most rootkits/backdoors are created for the purpose of getting access to your information, typically for financial gain. As a result, they don't want you to detect them, which would result in you trying to get rid of them and/or changing passwords, etc. on other presumably non-infected machines. The activities that you describe seem contrary to that goal (i.e. staying hidden) and seem more of the variety of someone messing with you, which seems more like something someone you know might be doing…but could still be a hacker of some sort, but much less likely.

You can do some reading of Mac malware news here:

http://www.intego.com/mac-security-blog/

My point is that we may want to rule out other, potentially, simpler explanations.

So, some questions…

Do you set the Mac to require a password to login?

Does anyone else have an account on the computer? If so, are those accounts admin accounts? Does anyone else have physical access to your computer?

How did you do the clean installs? Where did you get your Mavericks install file from? The Apple App Store (this is my assumption, but thought it wise to double check)? Or somewhere else?

You originally mentioned the iPhone as well, but since then have only talked about a Mac. Is there a problem with the iPhone as well? Did you "jailbreak" the iPhone?

You mentioned "blessed new firmware". What do you mean? Is this firmware for the Mac or the iPhone? Where did you get the firmware?
Do you have an Apple Store anywhere near you? If so, have you tried taking it to them (no cost)?

Have you tried any Mac anti-virus/malware software and/or firewall? Personally, I use Intego's VirusBarrier, but there are other options.

If you really think it is some sort of rootkit, then ESET does now have a beta of a Mac rootkit detector, but it apparently does not work with Mavericks…at least not yet:

http://kb.eset.com/esetkb/index?page=content&id=SOLN3432

But, it supposedly does run on Mountain Lion, which your Mac should be able to run.

#8 tgdetjen (Members, 65 posts)

Posted 25 January 2014 - 07:23 AM

There is another possibility. Do you know if you have WEP or WPA2 security on your network? If it is a Mac, it is easy to tell. Hold down the option key and click on the top menu icon of a "fan." It probably says WEP security, because that is the default by which most routers ship. WEP security is very poor and easily breached. Moving to WPA2 does two things: 1 - It makes your network much more difficult to hack and 2 - it increases your wifi speeds.

To change to WPA2, I suggest you call the tech support of your Internet Service Provider. You should also call Apple after that. 800-MYAPPLE.

I had WEP for years and did not realize how vulnerable I was. The hackers are very sophisticated now. They no longer have to cruise by your house to pick up your network broadcast. They have large antennae which can reach for miles into your network.



#9 Nmdtime (Topic Starter, Members, 6 posts)

Posted 25 January 2014 - 11:43 AM

smax013, thanks for the response:

No, no one has physical access to the computer.

Screen-sharing and remote-access are turned off.

I have a login password that was changed many times, and there is only one user-account (that is visible).

The OSX Mavericks is from the Apple App Store, and I've tried "Recovery Mode" and USB-Boot installs.

The iPhone wasn't jailbroken when the problems occurred, and I jailbroke it to look through the files with "iFile" as well as change the root password; it is not currently jailbroken.

"Bless" is a Terminal command for the MacBook Air firmware. I downloaded it from Apple updates.

I am in Korea for a couple more months and there are no Apple Stores here whatsoever. (I'm also afraid of further hacking.)

I've tried several anti-virus and root-kit software without results; the problem here is well hidden indeed.

All in all, I assume that this problem begins at the root-level before any software detection could discover the problem, and cannot be erased unless I or a technician could know what to look for.

My hope is that someone here is aware of a default set of (Unix) folders and files so that I can remove whatever is foreign. Again, the problem is at the "protected folder" level, implying that I wouldn't know how to delete without proper permissions; even the root user may have no privileges. In other words, I may have to use another computer (Windows/Unix) and target-disk the Mac for deleting privileges, I'm afraid.
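One way to act on the baseline-comparison idea raised in this thread (compare a known-clean install's folders with the suspect machine's), as an added example that is not from the thread, from Apple, or from any of the tools mentioned: snapshot a known-clean tree into a manifest of path-to-SHA-256, then diff a second tree against it and report files that were added, removed or modified. The sample trees below are constructed inline so the script runs offline; the paths "usr/bin/ls", "usr/bin/extra" and "etc/hosts" are made-up test data, not findings. The caveat a practitioner would want: this only covers the filesystem. Anything that survives a full erase-and-reinstall (firmware or other storage a reinstall does not touch, which is what the original poster suspects) would not show up in such a diff, and a hash baseline must come from media you trust, not from the machine under suspicion.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree is never followed;
    recording link targets separately would be a natural extension.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two manifests comparable by eye
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[str(full.relative_to(root))] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Persist the clean baseline as JSON; keep this file off the suspect machine."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, target):
    """Classify differences between a trusted baseline and a target tree."""
    added = sorted(set(target) - set(baseline))
    removed = sorted(set(baseline) - set(target))
    modified = sorted(p for p in baseline.keys() & target.keys()
                      if baseline[p] != target[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean tree and a suspect tree with three differences."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        for root in (clean, suspect):
            (root / "usr" / "bin").mkdir(parents=True)
            (root / "usr" / "bin" / "ls").write_bytes(b"original ls binary")
            (root / "etc").mkdir()
            (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        # Introduce one modified, one added and one removed file in the suspect tree.
        (suspect / "usr" / "bin" / "ls").write_bytes(b"tampered ls binary")
        (suspect / "usr" / "bin" / "extra").write_bytes(b"unexpected file")
        (suspect / "etc" / "hosts").unlink()

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(clean), baseline_path)  # taken from the clean tree
        return compare_manifests(load_manifest(baseline_path), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use the baseline is built from a tree you trust (for example a fresh install on a separate volume booted from known-good media), saved with `save_manifest`, and the suspect volume is scanned later, with the comparison run from the trusted system rather than from the machine under suspicion.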

#10 tgdetjen (Members, 65 posts)

Posted 25 January 2014 - 02:23 PM

Nmdtime -

You definitely need to contact Korean AppleCare Support. Click on this link: http://support.apple.com/kb/he57



#11 smax013 (BC Advisor, 2,326 posts)

Posted 25 January 2014 - 11:08 PM

Nmdtime -

You definitely need to contact Korean AppleCare Support. Click on this link: http://support.apple.com/kb/he57


I would tend to agree that this is a good thing to consider. Since the computer is supposedly a "mid 2013" MBA, it should still be under the original AppleCare warranty. You should still have to pay for software support/help as you only get 90 days of "complimentary" phone support (unless you bought an AppleCare Protection Plan, which you can do anytime up to 1 year to the day from your original purchase date). So, unless you bought it less than 90 days ago, you likely will have to pay for support (this assumes that Apple uses the same terms in Korea as it does in the US).

Beyond that, I am beyond what I can do to help. To be honest, while I don't want to doubt you, I am still skeptical that it is some sort of EFI firmware hack/rootkit (or something similar) since I have not heard any reports of such a thing existing in the wild on a Mac (as you pointed out, there are so-called "proof of concepts" that exist). But, I could be wrong…I have been in the past…and will certainly be wrong again on things in the future.

#12 tgdetjen (Members, 65 posts)

Posted 26 January 2014 - 05:52 AM

Nmdtime -

Even if you do not have AppleCare, Apple makes it easy for you to take out a one-time $19 support incident. They will spend up to 30 days for this price to attempt to solve your problem. I have done this before and it is worth it. They will probably escalate your problem to a senior advisor who will probably collect information remotely to send to Apple engineering. They are very good. The $19 has always been worth it for me.

Ted



#13 Vhs lady (Members, 1 post)

Posted 19 September 2014 - 03:18 PM

Hi there Nmdtime.

Did you resolve this problem?

There are actually tonnes of Mac and cross-platform malware; I have no idea why on every site we go to, someone tries to claim OS X doesn't "really" get infected.

I have had a multi-platform bug like what you are describing for ages, but not many so-called experts have any idea how to repair it.

Love to hear how you got on!



