
Hack Attack a Mac Book Air


11 replies to this topic

#1 socraticraft

socraticraft

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 07 May 2014 - 03:08 AM

I wanted to propose a question or an idea:

 

I have a MacBook Air 11" (mid-2013), and the laptop has been torn asunder, hijacked remotely, backdoored or rootkitted, or something hideous that cannot be found. (Is writing software within hidden sectors of the SSD hard-drive possible?)

 

The idea/question is: 

 

How would one wipe the protected GPT, firmware, or whatever so that a new custom firmware could be installed? In other words, how do you create a new computer from a 'bricked' MacBook Air?

 

Consider this a creative challenge. Thanks.




#2 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 07 May 2014 - 08:47 AM

What are the symptoms of this hijack/backdoor? It might be a failing ssd rather than any sort of virus. Also please define or give more information about the bricked macbook air...

 

If the virus is on the SSD, simply replacing the SSD and reloading the operating system on the new SSD would remedy any problem related to the old SSD.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:24 PM

Posted 07 May 2014 - 09:42 PM

Hey zingo, on the subject...

 

Do you have conclusive information on zero-writing or random-sequence writing (bootable applications) for SSDs for malware/rootkit removal purposes?

 

I know some solutions for standard HDDs, but am unable to find a documented solution that works for SSDs.

 

Maybe this could be a solution for the OP also...



#4 socraticraft

socraticraft
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 07 May 2014 - 11:40 PM

Guys,

 

Thanks for replying.

 

The hijack-symptoms are off-line for starters -- removed the wifi/blue-tooth card. And the symptoms include changing folder names, deleted files, desktop snapshots, and so forth. Also, I've tried working off of a thumb-drive with live distros (Ubuntu, Mint) with no change in symptoms.

 

I'm not sure where the virus, back-door, rootkit or whatever resides. I've erased the hard-drive several times, and used only the thumb-drive in this state as well. I thought of many possible scenarios, yet I have a limited understanding about computers. (Protected sectors on the drive, hidden in RAM or memory, altered firmware, or who knows what; my computer was out of my possession for several days, and they had access to the hash number for the firmware password -- a long story.)

 

At this point, the laptop is just a keyboard and a screen for watching movies and reading PDFs. I'm terrified to work on anything worth saving because the files change -- additional text when writing, missing images with graphic files, and so on. My thinking is as follows: 1) wipe the firmware somehow, 2) replace the hard-drive, 3) try OSX again.

 

Incidentally, the architecture of the hard-drive went from 250 GB to 251 GB somehow. Anyone know how to repair this anomaly?

 

Thanks...



#5 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:10:24 PM

Posted 08 May 2014 - 12:03 AM

So, you are still seeing these anomalies whilst using a live distro? With a blank hard drive? (one that you have used a several-pass erasure tool on) With no network possible? (these 3 factors at the same time?)



#6 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 08 May 2014 - 08:10 AM

> Hey zingo, on the subject...
>
> Do you have conclusive information on zero-writing or random-sequence writing (bootable applications) for SSDs for malware/rootkit removal purposes?
>
> I know some solutions for standard HDDs, but am unable to find a documented solution that works for SSDs.
>
> Maybe this could be a solution for the OP also...

I have no information on bootable removal tools specifically for SSDs. My recommendation would always be to re-partition and do a full format if in doubt. I have never seen any virus affect modern firmware on SSDs; maybe others have? Potentially booting to Parted Magic (Linux distro) would show a hidden partition. Parted Magic is a great tool for hard drives or SSDs.

 

The only thing I have seen people do with flash memory is change the read-out of the size of the disk (such as in flash drives, to make the storage size appear larger than it actually is). From what I understand, they are not changing the firmware but rather changing a log file (I do not know for certain, I have not tried this).

 

> Guys,
>
> Thanks for replying.
>
> The hijack-symptoms are off-line for starters -- removed the wifi/blue-tooth card. And the symptoms include changing folder names, deleted files, desktop snapshots, and so forth. Also, I've tried working off of a thumb-drive with live distros (Ubuntu, Mint) with no change in symptoms.
>
> I'm not sure where the virus, back-door, rootkit or whatever resides. I've erased the hard-drive several times, and used only the thumb-drive in this state as well. I thought of many possible scenarios, yet I have a limited understanding about computers. (Protected sectors on the drive, hidden in RAM or memory, altered firmware, or who knows what; my computer was out of my possession for several days, and they had access to the hash number for the firmware password -- a long story.)
>
> At this point, the laptop is just a keyboard and a screen for watching movies and reading PDFs. I'm terrified to work on anything worth saving because the files change -- additional text when writing, missing images with graphic files, and so on. My thinking is as follows: 1) wipe the firmware somehow, 2) replace the hard-drive, 3) try OSX again.
>
> Incidentally, the architecture of the hard-drive went from 250 GB to 251 GB somehow. Anyone know how to repair this anomaly?
>
> Thanks...

On your mac, you might try:

Resetting NVRAM / PRAM

  1. Shut down your Mac.
  2. Locate the following keys on the keyboard: Command (⌘), Option, P, and R. You will need to hold these keys down simultaneously in step 4.
  3. Turn on the computer.
  4. Press and hold the Command-Option-P-R keys before the gray screen appears.
  5. Hold the keys down until the computer restarts and you hear the startup sound for the second time.
  6. Release the keys.

After resetting NVRAM or PRAM, you may need to reconfigure your settings for speaker volume, screen resolution, startup disk selection, and time zone information. If issues persist, your Mac's logic board battery (not a portable Mac's rechargeable battery) may need to be replaced. The logic board battery helps retain NVRAM/PRAM settings when your computer is shut down. You can take your Mac to a Mac Genius or Apple Authorized Service Provider to replace the battery on the logic board.

Resetting NVRAM in Open Firmware

If your computer is Open Firmware-based and you are unable to reset NVRAM as described above, you may alternatively reset the NVRAM and Open Firmware settings using the steps in the Solution section of Message “To continue booting, type 'mac-boot' and press return”.

In some cases, an Open Firmware-based computer may not respond to the keyboard commands noted above, and may not allow starting up into Open Firmware by pressing and holding the Command, Option, O, and F keys during startup.  If you are unable to get to an Open Firmware prompt (and your Mac supports doing so), try holding the power button held down continuously during start up.

 

 

 

Can you go into more detail about this: "I'm terrified to work on anything worth saving because the files change -- additional text when writing"

 

As strange as this might sound, you might have a stuck key on the keyboard or a couple of keys that sometimes stick. Maybe one of the cmd buttons which I could see causing some strange issues.


Edited by zingo156, 08 May 2014 - 08:50 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.
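Two of the checks suggested in this thread (look for a hidden partition, and explain a disk whose reported size no longer matches) can be done by reading the GPT directly rather than trusting a partitioning tool's summary. The example below is added here and is not code from the thread, from Apple or from Parted Magic. It constructs a small GPT image in memory (constructed sample data, 512-byte sectors assumed, all names and GUIDs made up), parses the primary header and partition array while verifying both CRC32 fields, lists the unallocated gaps inside the usable area where an undeclared partition would live, and checks that the backup header really sits on the last sector of the medium, which it will not if the partition table was written for a disk of a different size. Run it against a raw disk image by replacing the constructed image with the file's bytes.

```python
import struct
import uuid
import zlib

SECTOR = 512                       # assumed sector size
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header (UEFI spec layout)
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
N_ENTRIES, ENTRY_SIZE = 128, 128
ARRAY_LBAS = N_ENTRIES * ENTRY_SIZE // SECTOR  # 32 sectors for one entry array


def build_gpt_image(total_lbas, partitions):
    """Construct a small GPT disk image in memory (constructed sample data, not a
    real disk). partitions: list of (name, first_lba, last_lba)."""
    first_usable = 2 + ARRAY_LBAS
    last_usable = total_lbas - 2 - ARRAY_LBAS  # room for backup array + header
    image = bytearray(total_lbas * SECTOR)
    image[510:512] = b"\x55\xAA"  # protective MBR boot signature
    entries = bytearray()
    for name, first, last in partitions:
        entries += struct.pack(ENTRY_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                               first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    entries = bytes(entries).ljust(N_ENTRIES * ENTRY_SIZE, b"\0")
    array_crc = zlib.crc32(entries) & 0xFFFFFFFF
    disk_guid = uuid.uuid4().bytes_le

    def header(current_lba, backup_lba, array_lba):
        raw = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0, current_lba,
                          backup_lba, first_usable, last_usable, disk_guid, array_lba,
                          N_ENTRIES, ENTRY_SIZE, array_crc)
        crc = zlib.crc32(raw) & 0xFFFFFFFF  # header CRC is taken with its own field zeroed
        return raw[:16] + struct.pack("<I", crc) + raw[20:]

    backup_lba = total_lbas - 1
    backup_array_lba = backup_lba - ARRAY_LBAS
    image[1 * SECTOR:1 * SECTOR + 92] = header(1, backup_lba, 2)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    image[backup_array_lba * SECTOR:backup_array_lba * SECTOR + len(entries)] = entries
    image[backup_lba * SECTOR:backup_lba * SECTOR + 92] = header(backup_lba, 1, backup_array_lba)
    return bytes(image)


def parse_gpt(image):
    """Parse the primary GPT header and partition array, verifying both CRC32s.
    Raises ValueError on a corrupt or non-GPT image."""
    hdr = image[SECTOR:SECTOR + 92]
    (sig, _rev, _size, hdr_crc, _res, _cur, backup_lba, first_usable, last_usable,
     _guid, array_lba, n_entries, entry_size, array_crc) = struct.unpack(HEADER_FMT, hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    array = image[array_lba * SECTOR:array_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(array) & 0xFFFFFFFF != array_crc:
        raise ValueError("partition array CRC mismatch")
    partitions = []
    for i in range(n_entries):
        entry = array[i * entry_size:i * entry_size + 128]
        type_guid, _uid, first, last, _attrs, name = struct.unpack(ENTRY_FMT, entry)
        if type_guid == b"\0" * 16:
            continue  # unused slot
        partitions.append({"index": i + 1, "first_lba": first, "last_lba": last,
                           "name": name.decode("utf-16-le").rstrip("\0")})
    return {"first_usable": first_usable, "last_usable": last_usable,
            "backup_lba": backup_lba, "partitions": partitions}


def unallocated_ranges(info):
    """(first_lba, last_lba) ranges inside the usable area that no entry claims.
    Space here is where an undeclared partition or stashed data would sit."""
    gaps, cursor = [], info["first_usable"]
    for p in sorted(info["partitions"], key=lambda p: p["first_lba"]):
        if p["first_lba"] > cursor:
            gaps.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if cursor <= info["last_usable"]:
        gaps.append((cursor, info["last_usable"]))
    return gaps


def backup_header_matches_size(image, info):
    """The backup header must be on the last sector; otherwise the table was
    written for a medium of a different size than the one being read."""
    return info["backup_lba"] == len(image) // SECTOR - 1


if __name__ == "__main__":
    # Constructed 1 MiB disk with a 166-sector gap between its two partitions.
    img = build_gpt_image(2048, [("EFI System", 34, 1033), ("Data", 1200, 2014)])
    info = parse_gpt(img)
    for p in info["partitions"]:
        print(p)
    print("unallocated:", unallocated_ranges(info))
    print("backup header on last sector:", backup_header_matches_size(img, info))
```

The CRC checks matter: a table that parses but fails its CRC is either damaged or was edited by something that did not bother to fix the checksums, and either way the tool-reported layout should not be trusted until a disk-repair pass has been run.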

#7 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 08 May 2014 - 08:20 AM

You might also look into this: http://support.apple.com/kb/dl1690


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#8 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 08 May 2014 - 08:59 AM

I have been doing a little research, this might be worth a read: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#9 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 08 May 2014 - 10:57 AM

Have you tried booting to a CD/DVD version of linux rather than the USB flash drive? I have seen some rootkits reside on flash drives. This would be worth a shot.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#10 socraticraft

socraticraft
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 09 May 2014 - 11:23 PM

> So, you are still seeing these anomalies whilst using a live distro? With a blank hard drive? (one that you have used a several-pass erasure tool on) With no network possible? (these 3 factors at the same time?)

Hey TsVk!,

 

Yes, I do. Mission Impossible, right?



#11 socraticraft

socraticraft
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 09 May 2014 - 11:41 PM

Thanks for the response and research, Zingo 156.

 

Regarding resetting NVRAM / PRAM:

I did several times. No effects other than what is expected.

 

Regarding, "Can you go into more detail about this: 'I'm terrified to work on anything worth saving because the files change -- additional text when writing'":

I'm not a writer, yet I know that 'editing is writing', and I write to sketch ideas. Additional words, altered spelling, and other odd occurrences appear when I review my writing after saving. It's as if someone has access to my files and edits my words for me to discover later -- like a prank.

 

Regarding firmware updates:

The laptop was updated to 1.7. I called Apple Support, and they informed me that the firmware cannot be reverted once it is updated. I thought about the 'Firmware Restoration CD', however the laptop will not boot from the USB in this instance. Furthermore, I cannot find any information about 'flashing' the firmware, especially on a Mac; I hope that an Apple Genius can restore the firmware from scratch.

 

Regarding 'badBIOS':

I've also read about that 'rootkit' or whatever it is. There are many mixed opinions about its validity or accuracy.

 

Regarding a CD version of 'Linux-Live':

It's a Macbook Air -- no DVD/CD/Optical drive.

 

Does anyone have ideas about using what exists on an 11" MacBook Air to create a new or custom 'firmware', UEFI code, or whatever? Any hackers who have some experience hacking MacBooks beyond root-level?

 

Thanks.


Edited by socraticraft, 09 May 2014 - 11:42 PM.


#12 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:24 AM

Posted 12 May 2014 - 07:21 AM

> Regarding a CD version of 'Linux-Live':
>
> It's a Macbook Air -- no DVD/CD/Optical drive.

 

You can use an external dvd/cd drive to boot to a live version of linux.

 

I have a feeling this is related to bad flash memory. Where are you saving the files? Are you saving them to the flash drive or the SSD? To me it seems unlikely that it is a bios virus, I have seen only 1 possible bios virus in my many years of I.T. It was on a windows machine with a bios that could be flashed from windows, they had no password to prevent flashing and somehow it had a problem. The potential virus did not do anything to the operating system, it disabled all sata devices. I am not certain this was a virus, it could have simply been a flash that failed to some extent. A failed flash seems more likely than a virus. Anyway the remedy in that situation was to use a usb device and reflash the bios. The sata devices worked fine after that. 

 

If it were my macbook I would try removing the ssd, booting from a live linux disc and saving data to a new unused flash drive. See if anything changes.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.
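The experiment proposed above (boot a live system, save work to fresh media, "see if anything changes") only produces evidence if the comparison is done with hashes rather than by re-reading the text, because the changes described are small insertions and spelling changes. The example below is added here and is not code from the thread. It builds a SHA-256 manifest of a folder, stores the manifest somewhere else (the intent is separate media, simulated here with a second temporary directory), and later reports exactly which files were modified, added or removed. All file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real file contents only, not link targets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write 'hash<TAB>path' lines; keep this file on media other than root."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}\t{rel}\n")


def load_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("\t", 1)
                manifest[rel] = digest
    return manifest


def compare_manifests(old, new):
    """Classify every path as modified, added or removed between two snapshots."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo():
    """Constructed walk-through: snapshot a folder, then simulate the symptoms
    from the thread (text appended, a file gone, a file appearing) and report
    what the comparison finds."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("first draft of the idea\n")
        with open(os.path.join(root, "draft.md"), "w") as fh:
            fh.write("# outline\n")
        manifest_path = os.path.join(store, "manifest.txt")  # stands in for the other drive
        save_manifest(build_manifest(root), manifest_path)

        # Simulated changes between snapshots (constructed for the demo).
        with open(os.path.join(root, "notes.txt"), "a") as fh:
            fh.write("extra words nobody typed\n")
        os.remove(os.path.join(root, "draft.md"))
        with open(os.path.join(root, "new.txt"), "w") as fh:
            fh.write("unexpected file\n")

        return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Run the manifest step from the live system right after saving, store the manifest on a different device than the files, and re-run the comparison after the next boot; a non-empty "modified" list for files that were never reopened is the first hard evidence this thread has been missing, and a consistently empty one points back at the keyboard or the application rather than at storage or firmware.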



