

After blogging about the need to use and maintain an anti-virus solution for your OS X systems, an anonymous reply questioning the need to use security tools at all on OS X systems gave me pause. You do not need me to link to the numerous articles flying around the internets that report on how one reason switchers are flocking to OS X is because of the lack of prevalence of malware. Folks are tired of viruses, worms, trojans, etc. hammering their systems. They are even more harrowed by having to maintain vigilance over their anti-virus programs, hoping they are not too far out of sync with the current “DAT”. However, switching to run OS X to avoid running anti-virus programs may not be the wisest choice.

To answer the “do we really need security tools for OS X?” question in a slightly different way than you’ve seen from many technology pundits, I’d like to turn your attention to a utility called rkhunter or “rootkit hunter”. As most TAB readers should know by now, OS X has its origins in Unix (the “darwin” base comes from FreeBSD), and most folks believe *nix variants (Linux, FreeBSD, Solaris, etc.) to be extremely secure, free of the problems that plague those sad, sad Windows users. If you fall into that camp, please take a moment and browse the Secunia FreeBSD 5.x archives. Secunia reports show over 91 vulnerabilities, with critical ones impacting core services such as file sharing and remote access. This should not be surprising since Unix systems have been favorite targets for hackers, as they provide such a powerful base from which to launch further exploits. One of the more gnarly hacks is the installation of a rootkit – a program that can take surreptitious control of your system. And, guess what: your Mac OS X workstation/server is susceptible to rootkits just like any other Unix system, even with Leopard’s enhanced security features. How can you fight something you can’t even see? You need a tool to help. Modern anti-virus products can and usually do cover rootkits, but the rkhunter tool may cover additional rootkits and may update rootkit signatures more frequently than a traditional vendor.

I wouldn’t recommend trying to get rkhunter installed on your Mac by hand, since it will require some enhanced Terminal-fu. Thankfully, Christian Hornung understood the need for such a tool and built a wrapper for it called (surprisingly enough) OS X Rootkit Hunter [dmg], complete with installer. After installing the package, navigate to Applications->OSXrkhnter and run the “Rootkit Hunter” app.

It’s good practice to update the rootkit database (similar to a virus engine DAT update) before each scan, since there may be new rootkit signatures from new or altered exploits. When you start the scan, you will see a password dialog – just as you would with any operation that requires additional privileges to run – since OS X Rootkit Hunter needs to look in places your normal user account cannot. You will also see Terminal windows displaying a running report of what rkhunter has or has not found (since this front-end does not free you from all the gory details of what lies beneath Aqua).
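The update-then-scan flow described above, as an added example that is not part of the post or of the OS X Rootkit Hunter package: a shell wrapper around the underlying rkhunter command line (assuming rkhunter is on the PATH and sudo is available), plus a small filter that pulls the warning lines out of the report, since the full output is hard to read. The sample report is constructed, not the output of a real scan.

```shell
#!/bin/sh
# Added example, not code from the post or from the OS X Rootkit Hunter
# package: a thin wrapper around the rkhunter command line that mirrors the
# GUI's "update signatures, then scan" flow, plus a triage filter that
# reduces the verbose report to the lines a reader actually has to act on.
# Assumes rkhunter is on the PATH and sudo is available.

# Update the rootkit database, then run the checks.
#   --sk   skip the "press enter to continue" prompts (unattended run)
#   --rwo  report warnings only, hiding the long stream of [ OK ] lines
# rkhunter needs elevated privileges because it reads locations that a
# normal user account cannot.
rkhunter_update_and_scan() {
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    sudo rkhunter --update || echo "signature update failed, scanning with the current database" >&2
    sudo rkhunter --check --sk --rwo
}

# Count the lines that need review. Both report styles are matched: the
# "[ Warning ]" column of a full --check run and the "Warning: ..." lines
# of a --rwo run. "[ Not found ]" means a rootkit signature did NOT match
# and is deliberately not counted. Reads the report on stdin.
count_warnings() {
    grep -cE '\[ Warning \]|^Warning:' || true
}

# One-word verdict for a report passed as the first argument.
scan_verdict() {
    n=$(printf '%s\n' "$1" | count_warnings)
    if [ "$n" -eq 0 ]; then echo "clean"; else echo "review:$n"; fi
}

# Constructed sample in the shape of rkhunter check output (not a real scan).
SAMPLE_REPORT='Checking system commands...
  /usr/bin/ls                                   [ OK ]
  /usr/bin/ssh                                  [ Warning ]
Checking for rootkits...
  Knark Rootkit                                 [ Not found ]
Warning: Hidden file found: /tmp/.example_hidden
Checking for hidden ports                       [ Skipped ]'

# Usage in Terminal:
#   rkhunter_update_and_scan > report.txt; scan_verdict "$(cat report.txt)"
# After a verified-clean install, `sudo rkhunter --propupd` records file
# hashes so later scans also compare against that baseline, not only
# against the downloaded signatures.
```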


While you can download and run OS X Rootkit Hunter, I would strongly suggest that less technical users obtain one of the commercially available malware scanners since the output from OS X Rootkit Hunter can be a bit daunting. The presence and history of this tool should be enough justification for the need to run security software on your systems.


  1. RootKit Hunter, la seguridad en OSX ante todo : planetamac Wednesday, January 23, 2008


  2. What about the free virus app, clamXav? What’s the difference? Is one better than the other? Should one run both?

  3. @Steve: I was using OS X Rootkit Hunter primarily as an example of how there are valid historical and current security concerns on OS X. The developer did a great job and service porting it as well as he did to the Mac, but I would purport that it’s still something only more technical users of OS X go out and investigate.

    ClamXav (http://www.clamxav.com/) is another great, free security tool with *nix origins and an even better OS X front-end. TAB did a mention (http://theappleblog.com/2007/01/30/5-tips-for-a-new-mac-user/) of them last year and it may be time for a detailed comprehensive review of commercial (and qualified open source) anti-virus solutions for OS X.

    I would highly recommend using ClamXav over OS X Rootkit Hunter as a baseline layer of security.

  4. Looks like RootKitHunter only works on Leopard. Any help for those still running Tiger?

  5. Is there a Mac-like security program that works? Norton Internet Security is very clunky, not intuitive at all. Also it’s very heavy-handed in its intrusiveness and its updating.
    I use Macs to avoid such programs – and dealing with Unix.
    Thanks for any suggestions.

  6. I’m interested – has anyone run this on a Macintosh and found any rootkits installed on their system? I can understand somewhat the theory in the above blog article, but have there been any real-world rootkits?

    I’m willing to run this Rootkit Hunter and ClamXav as it seems relatively painless, but I want to know if I’m defending against an existing problem or a potential problem.

    Thanks!

  7. Stop spreading FUD. There’s no reason to believe any of these rootkits will even run under OS X, let alone that any have ever been found in the wild on an OS X box.

    If (and I say If, not When) the day comes that OS X starts getting some real malware (meaning not the occasional little proof of concept that doesn’t do anything), on that day you can start using antivirus/antirootkit software. But until that day comes, you’re just wasting resources, not only on your computer, but on the computers of everybody who follows your advice.

    And I’m speaking as a Mac computer programmer, not as just another user.

    1. I think it’s plausible. Take a look at these articles pertaining to Spore.
      http://en.wikipedia.org/wiki/Spore_(2008_video_game)#Controversy
      http://www.shacknews.com/onearticle.x/54887
      A Rootkit gets surreptitiously installed via SecuROM without the user’s knowledge. Nice one EA! You’ve probably hosed my Macbook Pro.

  8. Right now, Mac users need to keep their updates current (via Software Update in the Apple menu) and be careful about blindly accepting download of video codecs.

    More general security tips:

    Using a router between your Mac and the Internet is a good idea since it acts as a firewall.

    Don’t open attachments unless you are absolutely sure they are from trusted sources. The general security motto is “Don’t open attachments. Period.”

    Do we Mac users have to run security suites at this point? Debatable. If you depend on MS Office documents with macros, you probably should run one. Otherwise, it’s not as clear-cut as with a Windows machine.

    Bot

  9. I use ClamXav and sent in a donation. Seems about right to me. Read up a little on configuring it and setting Sentry to check particular folders (mail downloads, etc.)

  10. Kevin Ballard (#7): There is an old saying that an ounce of prevention is worth a pound of cure! Why be reactive and not proactive?

    Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept. Any script kiddie can download a root-kit, gain access to a MacOS X system, and install a root-kit. The difference between installing a root-kit under Windows versus MacOS X is the access control mechanisms that make it more difficult to do so under MacOS X.

    Those of us who are information security professionals know that it is a matter of time before issues occur. Apple has increased the risk by using an application level firewall and suppressing the built-in BSD firewall to be accessible by techies who are not afraid to use Terminal.app. Looking at the risk, we infosec professionals say “when” an exploit occurs.

    Unfortunately, many of the risks we find are the result of programmers not understanding the side effects of their coding. From buffer overruns to hard-coding passwords, programming short-cuts are our biggest headache. Rather than attacking the writer, why not try to understand the risks so that we can all ensure elimination of all issues!
