Why Mac Security Matters: OS X Rootkit Hunter
After blogging about the need to use and maintain an anti-virus solution for your OS X systems, an anonymous reply questioning the need to use security tools at all on OS X systems gave me pause. You do not need me to link to the numerous articles flying around the internets that report on how one reason switchers are flocking to OS X is the lack of prevalent malware. Folks are tired of viruses, worms, trojans, etc. hammering their systems. They are even more harried by having to maintain vigilance over their anti-virus programs, hoping they are not too far out of sync with the current “DAT”. However, switching to OS X in order to avoid running anti-virus programs may not be the wisest choice.
To answer the “do we really need security tools for OS X?” question in a slightly different way than you’ve seen from many technology pundits, I’d like to turn your attention to a utility called rkhunter or “rootkit hunter”. As most TAB readers should know by now, OS X has its origins in Unix (the “darwin” base comes from FreeBSD), and most folks believe *nix variants (Linux, FreeBSD, Solaris, etc.) to be extremely secure, free of the problems that plague those sad, sad Windows users. If you fall into that camp, please take a moment and browse the Secunia FreeBSD 5.x archives. Secunia reports show over 91 vulnerabilities, with critical ones impacting core services such as file sharing and remote access. This should not be surprising, since Unix systems have long been favorite targets for hackers: they provide such a powerful base from which to launch further exploits. One of the more gnarly hacks is the installation of a rootkit – a program that hides its own presence and gives an attacker surreptitious, persistent control of your system. And, guess what: your Mac OS X workstation/server is susceptible to rootkits just like any other Unix system, even with Leopard’s enhanced security features. How can you fight something you can’t even see? You need a tool to help. Modern anti-virus products can and usually do cover rootkits, but the rkhunter tool may cover additional rootkits and may update its rootkit signatures more frequently than a traditional vendor does.
I wouldn’t recommend trying to install the stock rkhunter on your Mac by hand, since that requires some enhanced Terminal-fu. Thankfully, Christian Hornung understood the need for such a tool and built a wrapper for it called (surprisingly enough) OS X Rootkit Hunter [dmg], complete with an installer. After installing the package, navigate to Applications->OSXrkhnter and run the “Rootkit Hunter” app.
It’s good practice to update the rootkit database (similar to a virus engine DAT update) before each scan, since there may be new signatures for new or altered rootkits. When you start the scan, you will see a password dialog – just as you would with any operation that requires additional privileges to run – since OS X Rootkit Hunter needs to look in places your normal user account cannot. You will also see Terminal windows displaying a running report of what rkhunter has or has not found (this front-end does not free you from all the gory details of what lies beneath Aqua).

While you can download and run OS X Rootkit Hunter, I would strongly suggest that less technical users obtain one of the commercially available malware scanners, since the output from OS X Rootkit Hunter can be a bit daunting. The presence and history of this tool should be justification enough for running security software on your systems.
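Since the scan’s running report is the daunting part, here is an added example (written for this page; it is not code from rkhunter, from OS X Rootkit Hunter, or from the original post) of how to boil that report down to what actually needs a look. It parses the per-check “[ Warning ]” / “[ OK ]” lines rkhunter prints, keeps the detail line(s) printed under each warning, picks out the listening TCP ports reported by the front-end’s extra connection check, and reads the summary counters. The SAMPLE_OUTPUT text is constructed to mirror that format and is not a real scan.

```python
"""
Triage helper for rkhunter-style scan output.

Added example for this page: not code from rkhunter, OS X Rootkit Hunter or
the original post. It parses the running report a scan prints to the Terminal
and pulls out what a user actually has to act on: every check that ended in
[ Warning ] together with the detail line(s) printed under it, listening TCP
ports reported by the front-end's extra connection check, and the summary
counts. SAMPLE_OUTPUT is constructed to mirror the real format.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample (not a real scan), shaped like what rkhunter prints.
SAMPLE_OUTPUT = """\
Running Rootkit Hunter version 1.3.0 on example-imac
Checking system commands...
Performing file properties checks
Checking for prerequisites [ Warning ]
The (command properties test) is not completely supported in this version of OSX rootkit hunter
/bin/bash [ OK ]
/bin/ls [ OK ]
Checking for rootkits...
Knark Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Performing malware checks
Checking for hidden processes [ Skipped ]
Performing check for backdoor ports
Checking for TCP port 2006 [ Not found ]
There is a LISTEN tcp Port localhost:ipp created by Process/Command: cupsd
Checking if syslog remote logging is allowed [ Warning ]
Syslog configuration file allows remote logging: install.* @127.0.0.1:32376
Checking for hidden files and directories [ Warning ]
Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, from Unix
System checks summary
=====================
Files checked: 80
Suspect files: 0
Rootkits checked : 77
Possible rootkits: 0
The system checks took: 35 seconds
"""

# "<check text> [ <status> ]": the one-line result rkhunter prints per check.
RESULT_RE = re.compile(r"^(?P<check>.*?)\s*\[\s*(?P<status>[^\]]+?)\s*\]\s*$")
# Listener lines added by the OS X front-end's connection check.
LISTEN_RE = re.compile(
    r"LISTEN tcp Port (?P<port>\S+) created by Process/Command: (?P<proc>\S+)")
# "Files checked: 80" style summary counters.
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)")
# A detail line belongs to the preceding warning until one of these starts.
SECTION_PREFIXES = ("Performing ", "Checking ", "System checks summary",
                    "There is a LISTEN", "Now we run")


def parse_scan(text: str) -> Dict[str, object]:
    """Return the check statuses, warnings, listeners and summary of a scan."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    statuses: Counter = Counter()
    warnings: List[Dict[str, object]] = []
    listeners: List[Dict[str, str]] = []
    summary: Dict[str, int] = {}

    for i, line in enumerate(lines):
        m = RESULT_RE.match(line)
        if m:
            check, status = m.group("check"), m.group("status")
            statuses[status] += 1
            if status == "Warning":
                # Collect the explanatory lines printed under the warning.
                details = []
                for follow in lines[i + 1:]:
                    if (not follow or RESULT_RE.match(follow)
                            or follow.startswith(SECTION_PREFIXES)):
                        break
                    details.append(follow.strip())
                warnings.append({"check": check, "details": details})
            continue
        m = LISTEN_RE.search(line)
        if m:
            listeners.append({"port": m.group("port"), "process": m.group("proc")})
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key").strip()] = int(m.group("value"))

    return {"statuses": dict(statuses), "warnings": warnings,
            "listeners": listeners, "summary": summary}


def needs_attention(parsed: Dict[str, object]) -> bool:
    """True when a human should read the log: a warning, suspect file or rootkit hit."""
    summary = parsed["summary"]
    return (bool(parsed["warnings"])
            or summary.get("Suspect files", 0) > 0
            or summary.get("Possible rootkits", 0) > 0)


def format_report(parsed: Dict[str, object]) -> str:
    """Short human-readable digest of the parsed scan."""
    out = ["Check results: " + ", ".join(
        f"{s}={n}" for s, n in sorted(parsed["statuses"].items()))]
    for w in parsed["warnings"]:
        out.append(f"WARNING: {w['check']}")
        out.extend("    " + d for d in w["details"])
    for lst in parsed["listeners"]:
        out.append(f"LISTENING: {lst['port']} ({lst['process']})")
    return "\n".join(out)


if __name__ == "__main__":
    report = parse_scan(SAMPLE_OUTPUT)
    print(format_report(report))
    print("Needs attention:", needs_attention(report))
```

Feed parse_scan the Terminal transcript of a real scan and act on the WARNING lines. A warning is a prompt to look, not a verdict: the prerequisites warning in the sample only says that check is unsupported on OS X, while a remote-logging entry or a hidden file under a system directory is worth understanding before you dismiss it. Listening ports are listed so you can match each one to a program you recognize.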
What about the free virus app, clamXav? What’s the difference? Is one better than the other? Should one run both?
@Steve: I was using OS X Rootkit Hunter primarily as an example of how there are valid historical and current security concerns on OS X. The developer did a great job and service porting it as well as he did to the Mac, but I would purport that it’s still something only more technical users of OS X go out and investigate.
ClamXav (http://www.clamxav.com/) is another great, free security tool with *nix origins and an even better OS X front-end. TAB did a mention (http://theappleblog.com/2007/01/30/5-tips-for-a-new-mac-user/) of them last year and it may be time for a detailed comprehensive review of commercial (and qualified open source) anti-virus solutions for OS X.
I would highly recommend using ClamXav over OS X Rootkit Hunter as a baseline layer of security.
Looks like RootKitHunter only works on Leopard. Any help for those still running Tiger?
Is there a Mac-like security program that works? Norton Internet Security is very clunky, not intuitive at all. Also it’s very heavy handed in its intrusiveness and its updating.
I use Macs to avoid such programs – and dealing with Unix.
Thanks for any suggestions.
I’m interested – has anyone run this on a Macintosh and found any rootkits installed on their system? I can understand somewhat the theory in the above blog article, but have there been any real-world rootkits?
I’m willing to run this Rootkit Hunter and ClamXav as it seems relatively painless, but I want to know if I’m defending against an existing problem or a potential problem.
Thanks!
Stop spreading FUD. There’s no reason to believe any of these rootkits will even run under OS X, let alone that any have ever been found in the wild on an OS X box.
If (and I say If, not When) the day comes that OS X starts getting some real malware (meaning not the occasional little proof of concept that doesn’t do anything), on that day you can start using antivirus/antirootkit software. But until that day comes, you’re just wasting resources, not only on your computer, but on the computers of everybody who follows your advice.
And I’m speaking as a Mac computer programmer, not as just another user.
I think it’s plausible. Take a look at these articles pertaining to Spore.
http://en.wikipedia.org/wiki/Spore_(2008_video_game)#Controversy
http://www.shacknews.com/onearticle.x/54887
A Rootkit gets surreptitiously installed via SecuROM without the user’s knowledge. Nice one EA! You’ve probably hosed my Macbook Pro.
Right now, Mac users need to keep their updates current (via Software Update in the Apple menu) and be careful about blindly accepting download of video codecs.
More general security tips:
Using a router between your Mac and the Internet is a good idea since it acts as a firewall.
Don’t open attachments unless you are absolutely sure they are from trusted sources. The general security motto is “Don’t open attachments. Period.”
Do we Mac users have to run security suites at this point? Debatable. If you depend on MS Office documents with macros, you probably should run one. Otherwise, it’s not as clear-cut as with a Windows machine.
Bot
I use ClamXav and sent in a donation. Seems about right to me. Read up a little on configuring it and setting Sentry to check particular folders (mail downloads etc.).
Kevin Ballard (#7): There is an old saying that an ounce of prevention is worth a pound of cure! Why be reactive and not proactive?
Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept. Any script kiddie can download a root-kit, gain access to a MacOS X system, and install a root-kit. The difference between installing a root-kit under Windows versus MacOS X is the access control mechanisms that make it more difficult to do so under MacOS X.
Those of us who are information security professionals know that it is a matter of time before issues occur. Apple has increased the risk by using an application level firewall and suppressing the built-in BSD firewall to be accessible by techies who are not afraid to use Terminal.app. Looking at the risk, we infosec professionals say “when” an exploit occurs.
Unfortunately, many of the risks we find are the result of programmers not understanding the side effects of their coding. From buffer overruns to hard-coding passwords, programming short-cuts are our biggest headache. Rather than attacking the writer, why not try to understand the risks so that we can all ensure elimination of all issues!
“Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept.”
Have you ever seen an OS X box with a root kit? Have you ever actually heard of this happening in the wild? I sure haven’t. In fact, the only malware I’ve ever actually seen was the Merry Xmas Hypercard virus which only affected Hypercard stacks under the classic Mac OS and was about as benign as a virus could possibly be.
The differences between installing a root-kit on Windows and one on OS X is people actually write root-kits for Windows. People don’t write them for OS X. Testing for existing root kits under OS X is quite pointless if they don’t actually affect the system, which is what the Rootkit Hunter seems to be doing.
People have been saying “when” an exploit occurs for years and years, and yet, OS X is still incredibly secure. I’m not saying don’t practice safe habits like being careful when opening attachments or downloads, or keeping the system up-to-date. I’m saying using tools like Rootkit Hunter is a complete waste of time, because I can guarantee it’ll never find anything. If you actually see confirmed reports of a rootkit being found in the wild on OS X systems, at that point it may make sense to start using a tool like this. However, even then you can avoid any trouble by simply being smart about what you launch. Unlike a virus, a rootkit still needs the user’s help to be installed.
In short, I guarantee this tool will never find anything on your system. Don’t bother.
ballard is right. Do an md5 checksum after each sw update. Keep records; if weird things happen, rechecksum. That’s how you would detect rootkits if there were any…
(neglected to turn subscriptions on for the thread, apologies folks)
If you’ve looked at some of my previous posts, you’ll see that I put security in the context of risk management. Clearly, Kevin’s risk analysis in his particular context gives him the conclusion that there is little-to-no risk for him. That doesn’t make my advice to use anti-malware software FUD. Furthermore, the existence of malware for any platform is not necessarily a factor in determining risk (I have supporting links if pressed for them…kinda tired tonight). When Windows security patches come out each month, many of them do not have public exploit code. Kevin’s argument can be extrapolated to mean the lack of such code is cause to not install those security patches (which would be insane, especially on that platform). [NOTE: @ex2bot is absolutely right when he encourages everyone to keep their Mac systems updated as well]
I reiterate that you may choose to accept the risk of running without anti-malware software if you are an experienced user who fully understands his/her computing environments, habits and exposure.
@Scott B is also right on target. Having been a programmer (Mac, Windows, Solaris, Linux, *BSD and *VMS*) and also now working as a security professional with developers, I can say with some authority that programmers in general care little about security and even less about thorough software life cycle development. In many shops, it’s “code fast or die” and for open source, the mantra is release often (some might call that iterative development, I call it rapid bug fixing). In either case, most software is rife with buffers waiting to be overflown (overflew?).
@march has a very good suggestion (anyone else on this thread remember tripwire?), but it’s not very practical for the average user.
@Graham: I’m pretty convinced to do a complete series on practical security solutions for OS X at this point. I’m as annoyed with the “OS X is a target” news in the feeds and in the press and one of the only ways to help make sense of it is to document what (good stuff) is available. Keep an eye out.
@Patrick, stick with ClamXav. @Mike, if you’re *really* interested, I can build a command-line only version for Tiger.
again, apologies for the subscription foible…I’ll try to remember to click the checkbox next time.
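The checksum-after-each-update idea from @march, and the tripwire comparison above, amount to a file-integrity baseline. Here is an added example of that approach written for this page (it is not code from the post, from any commenter, from tripwire or from rkhunter): hash every regular file under a directory right after a known-good install or update, keep the result, and on a later run report what was added, removed or changed. SHA-256 stands in for the MD5 the comment suggests, since MD5 collisions are cheap to produce. The demo() function builds a throwaway directory tree with constructed file names and contents so the block runs stand-alone.

```python
"""
Minimal file-integrity baseline, in the spirit of the checksum-after-update
suggestion and of tripwire, both mentioned in the comments.

Added example for this page: not code from the post, its commenters, tripwire
or rkhunter. It hashes every regular file under a directory, stores the result
as JSON, and on a later run reports what was added, removed or changed.
SHA-256 stands in for the MD5 the comment suggests. demo() builds a throwaway
directory tree with constructed file names and contents so the block runs
stand-alone.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries are not loaded whole


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist a baseline as sorted JSON (keep this copy off the machine)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        # Constructed stand-ins for system files; contents are placeholders.
        _write(os.path.join(root, "bin", "ls"), b"original ls binary\n")
        _write(os.path.join(root, "bin", "ps"), b"original ps binary\n")
        _write(os.path.join(root, "etc", "motd"), b"Welcome\n")
        baseline_path = os.path.join(store, "baseline.json")  # stored outside root
        save_baseline(build_baseline(root), baseline_path)

        # The kind of change a user-land rootkit leaves behind and a baseline
        # catches: a replaced system command, a dropped hidden file, a deletion.
        _write(os.path.join(root, "bin", "ps"), b"replaced ps binary\n")
        _write(os.path.join(root, "bin", ".hidden_helper"), b"dropped file\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical points follow from how this works. The baseline is only as trustworthy as where it is kept and what computed it: store the JSON off the machine, and for a system you suspect, run the comparison booted from trusted media, because a kernel-level rootkit can feed the checker the original file contents while serving a replacement to everything else. And legitimate updates change system files too, which is why the comment says to re-checksum after every software update rather than keep one baseline forever.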
Bob, please point to an article that indicates that OS X users are getting infected with rootkits. The only information I can find on any real-world rootkits for OS X is a specific one called Opener, which only ever affected one real user (it requires admin privileges to be installed anyhow), and requires admin privileges to even be installed in the first place anyhow. It also was nothing more than a bash script, put in the startup items folder, that attempted to gather password information and run John the Ripper on it. This was 3 years ago, and this is the only information I can find about real rootkits on OS X.
If you’re talking about a business-critical machine that handles sensitive data, sure, it’s better to be safe than sorry, as such a machine will be a juicy target for hackers or social engineers. On such a machine, it might make sense to run a rootkit scanner. But on any other machine, it’s a complete waste of resources. And it even might still be a waste of resources on such a sensitive, critical machine because I’m not convinced that any of the rootkits this software actually scans for even function on OS X.
Even if rootkits existed in the wild for OS X, and even if this software was proven to be able to detect rootkits on OS X, I still wouldn’t recommend that regular people use it. To have a rootkit installed on your system, you must a) run untrusted code, and b) provide your password. I would hope that people are smart enough to not type their password at a password prompt unless they know what the software is actually going to do with it. But even if they are not, the chances that a regular user would ever be exposed to a rootkit (assuming they exist and are infecting people in the wild) is so small that running this software is useless.
In short, I don’t have any reason to believe this software is actually capable of finding rootkits that even function on OS X, and running it is a complete waste of time.
HOWEVER, you should always keep your system up-to-date with the latest security releases, pay attention to news of any new potential exploits (such as the recent QuickTime holes), and simply exercise caution and proper judgement when running untrusted code or typing your password.
I installed this and after installation, during the first run, the system asked me to power off (in multiple languages). Does that mean my Mac was infected?
Vinod – You saw a Kernel Panic. If this software triggered a Kernel Panic, then this software is even worse than I thought. In any case, no, you are not infected. Kernel Panics are rare, but they do happen. If you see another Kernel Panic, you might want to consider having your hardware checked out at your local Apple Store, as it might indicate damaged or faulty hardware. It’s also possible that this software behaves much worse than I thought and is mucking around with your system. I certainly hope it’s not.
In any case, I recommend uninstalling this software, as it is completely useless.
Hello!
I know OS X is generally more secure than Windows, but hearing lately about Quicktime vulnerabilities where code can be executed and what not makes me a little worried.
Reading ClamXav website, it doesn’t look like it’s a security software for OS X. It looks like it’s basically security software for Windows PCs that runs on OS X to make sure you don’t spread Windows malware. Can it even detect OS X malware? I’m looking for something that can.
CJ: Yes, Quicktime vulnerabilities are not a good thing, but Apple is good about pushing out security updates, and I’ve never actually heard of an exploit in the wild for one of these vulnerabilities.
As for ClamAV, yes, that’s for detecting Windows malware. Don’t even bother looking for something to detect OS X malware, though, as that hinges upon the assumption that there is OS X malware, which is, for all practical purposes, untrue.
oh my first Kernel panic!.. Thanks for letting me know. I promptly uninstalled the beast.
Awesome. Just found RootKit Hunter on VersionTracker and wasn’t sure if I should trust it. Great write – appreciate the post.
New Rootkit – installs via updates: Reason to Scan for Rootkits
http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php
Joe,
You may have missed something in the article. The last sentence indicates that Apple has hardened their update mechanism against a man-in-the-middle attack such as this. Just because these fools (the people who created Evilgrade) SAY they can attack OS X’s Software Update doesn’t make it so.
From the article (http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php accessed on 8/4/08):
“Krebs also reports that, contrary to the claims of Evilgrade’s authors, Apple has strengthened their update mechanism to defeat this attack. ”
Bot
I tend to read security reports I find in the tech press with a large grain of Kosher Salt. The general security in OS X works well with a few notable items. Strangely, although these holes are widely known and perhaps even easily exploited they continue to NOT be exploited. Just like the Quicktime vulnerabilities that always seem to state ‘May cause unwanted code execution’ (The ever present buffer overflow issue everyone seems to get hit by)
I have my doubts as to how well, or even at all that they could actually be utilized.
Certainly we can look back on the past 3 or 4 years to stories surfacing in January that ‘THIS IS THE YEAR FOR THE MAC VIRUS” only to find exploits available, exploits ‘supposedly’ IN THE WILD that never amount to anything. If it genuinely, fully is as easy to pwn (Ghod I hate l33t, it’s so 1993) an OSX machine then there oughta be millions of zombied macs out there happily buzzing away.
As for Trojans, I can’t see how any real defense can be made against them other than understanding you can’t download whatever the devil you wish from the Internet. The OS is SUPPOSED to run applications for heavens sake. Now, one can make sure certain vital organs are not dangling out to get hit by the Trojan’s sword and I think OS X does a reasonably good job doing so.
So what am I saying with this rambling missive?
I’m saying this, have the tools at hand, but don’t be an idiot! I ran on Windows for years with nary a security app and the like and never got hit. Behind OS X I might as well be behind a wall of armor plate steel compared to my windows days.
Good comment, Matt. But to clarify something, when these vulnerabilities say “may cause unwanted code execution”, it doesn’t mean that it actually *can*. It just means that they haven’t ruled out the possibility. It’s generally very tricky to actually turn a buffer overflow into an exploit, and just as hard to prove that it can’t. So most of these vulnerabilities get patched without ever knowing if they were a real vector for attack, or just a simple crash.
So does anyone here have the actual knowledge to well say “Hack A Mac”. Has anyone ever tried to write specific malware or a rootkit pertaining to OS X. Did they succeed.
If it’s possible I’d like to see it happen. I want to know if it will work. I have a junk Mac running 10.4.11 and I want someone to put a rootkit on it and see if it actually can affect the system’s integrity. I want to post all observational data during this experiment, thus proving or disproving this entire article. Anyone interested?
notchris
KEVIN: Bob, please point to an article that indicates that OS X users are getting infected with rootkits.
ME: HAVE YOU SEARCHED GOOGLE DUMBASS???
http://lmgtfy.com/?q=mac+users+infected
http://macenstein.com/default/archives/2328
http://www.domain-b.com/infotech/itnews/20090124_iwork_copies.html
KEVIN: I’m not convinced that any of the rootkits this software actually scans for even function on OS X.
ME: AGAIN HAVE YOU SEARCHED GOOGLE DUMBASS??? Have you even checked how rkhunter works or at least GOOGLED for it? It actually does more than just check for ROOTKITS.
http://www.rootkit.nl/projects/rootkit_hunter.html
No need for the language. It makes people not want to take you seriously regardless of the point you’re trying to make.
Anyway, two points. 1) I personally believe we will be seeing more Mac malware. I think the recent exploits are just the start and Macs will continue to make up a still small but growing part of the large botnets that are out there.
2) The comments here were from a year and a half ago. 1.5 years ago any Mac user would be justified in saying 99% of Mac “security” software was utterly useless and not needed. You can’t point at events that transpired after the poster’s initial statement and then claim he should have known better.
I personally highly recommend Little Snitch for every Mac out there. http://www.obdev.at
How about my wife’s computer that when I open Activity Monitor, it … closes. All by itself. No… I am sure that is just Steve watching out for my wife who knows nothing about computer security… Magical…
I believe I have a rootkit in my Macbook which made it obsolete. First I was attacked by malware redirecting me to unwanted sites; however, I realized that the problem is much deeper when I tried to erase and re-install Leopard… I could not! The installer reported failures no matter which cd-drive I used or how many new hard-disks. I concluded that it must be something resident on the logicboard.
I took the Macbook to the authorized Apple dealer, who is now after 2 days as much puzzled as I am. He reports that he cannot find in tests anything wrong with the hardware but still cannot install the Leopard from my or his DVDs, also with his own HDDS, inserted in my Mac. We are now waiting for a replacement board to try with my original HDD and installer disks. If that solves the problem, we will be sure on a virus resident on the bios since hardware tests brought no failure results so far.
Not to mention that I tried nearly all antivirus software before going to the dealer. No sign of virus could be found except for Macscan, which reported something he could not describe.
To make a long story short, I would say that bios-viruses are not a myth, I personally believe that they do exist and we need a good protection, which in my experience isn’t currently available for the OSX in the market today.
Sounds very much like a possible virus, then a hardware problem having nothing to do with malware.
If you could find a virus that infected both your Mac and then its firmware you could definitely sell your computer for 6+ figures to security researchers and/or Apple. And I mean $100,000+ easy. That type of infection simply has not happened on a Mac that I know of.
btw with the possible malware that you thought was redirecting you, was it during a single browsing session or was it permanent even if you rebooted?
Hey, BIOS is for PC. Macs have no BIOS.
OS X Rootkit Hunter needs to be started with administrator privileges, please authenticate first.
[ Rootkit Hunter version 1.3.0 ]
Running Rootkit Hunter version 1.3.0 on roy-simss-imac
Checking system commands…
Performing ‘strings’ command checks
Checking ‘strings’ command [ OK ]
Performing ‘shared libraries’ checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Skipped ]
Performing file properties checks
Checking for prerequisites [ Warning ]
The (command properties test) is not completly supported in this version of OSX rootkit hunter
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/kill [ OK ]
/bin/ls [ OK ]
/bin/mv [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/sh [ OK ]
/bin/test [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/sbin/dmesg [ OK ]
/sbin/ifconfig [ OK ]
/sbin/md5 [ OK ]
/sbin/mount [ OK ]
/sbin/nologin [ OK ]
/usr/sbin/chown [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/netstat [ OK ]
/usr/sbin/newsyslog [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/syslogd [ OK ]
/usr/sbin/vipw [ OK ]
/usr/libexec/tcpd [ OK ]
Checking for rootkits…
Performing check of known rootkit files and directories
55808 Trojan – Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy’s Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe’s Rootkit [ Not found ]
RSHA’s Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
Performing additional rootkit checks
Checking for possible rootkit files and directories [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ Skipped ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Checking the network…
Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]
Now we run an additional connection check, to inform you about used and listen tcp-ports
and their appropriate process/commands. – This additional check was created by Christian Hornung
There is a LISTEN tcp Port *:64000 created by Process/Command: prl_disp_
There is a LISTEN tcp Port localhost:47807 created by Process/Command: IntegoiCa
There is a LISTEN tcp Port localhost:ipp created by Process/Command: cupsd
There is a LISTEN tcp Port localhost:ipp created by Process/Command: launchd
FYI, named services are described in the file /etc/services
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host…
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ None found ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ OK ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Warning ]
Syslog configuration file allows remote logging: install.* @127.0.0.1:32376
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, from Unix
Checking application versions…
Checking version of Apache [ OK ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks…
Required commands check failed
Files checked: 80
Suspect files: 0
Rootkit checks…
Rootkits checked : 77
Possible rootkits: 0
Applications checks…
Applications checked: 6
Suspect applications: 0
The system checks took: 35 seconds
All results have been written to the logfile (/tmp/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/tmp/rkhunter.log)
Many thanks to the founder and developer of the original rootkit hunter:
Michael Boelen from http://www.rootkit.nl
Any suggestions?
Also, before I put in Virus Barrier I was getting
en3: flags=8922 mtu 1500 -
I am new to this world, please help.
Hi,
text: OS X has it’s origins in
error: it’s
correct: its
Should be easy to fix. Thanks for the article.
–arden
Axel.. sorry dude, the boot ROM of a PC (Apples are PCs now) uses a Basic In Out System (BIOS) to tell the OS what motherboard it is sitting on, what CPU is in use, whether hard drives are present etc – otherwise the machine wouldn’t know whether it was a computer or a popup toaster.
You might want to take a look what PCTools are bringing out for the MAC as well!
BIOS is for PC. Macs have no BIOS.
My two Apples, a PowerBook Titanium and a MacBook, under Leopard and Snow Leopard, respectively, both have system-dominating rootkits. I’ve been slaving over them for six weeks. I’m sure. I can’t even erase and install. Won’t bore you with all the gruesome details, but be afraid. Be very afraid.
Do you plan to post details? I'd like more on your experience.
I don’t know where to begin. I know how crazy it sounds to start, but it is possible the Bluetooth features on my iPhone were used to transfer the malware through the Bluetooth on my MacBook. I think this because one of the first signs that something was wrong was that my Bluetooth kept turning itself on in my computer and I noticed data changing on my phone.
I also noticed iCal and Address Book apps running from the Console for no good reason in the beginning.
Now, I’ve uncovered a lot of evidence of a system that envelops mine. I can’t get rid of it yet.
My first kernel panic! Thanks for letting me know. I promptly uninstalled the beast.
Hey, BIOS is for PC. Macs have no BIOS.
But still, thank you for sharing it!
Thanks, nice posting, keep it coming!
Regardless of what operating system you use, your network needs to be monitored and locked down. No computer system is 100 percent safe, and waiting for infections to show up on forums is silly IMO.
Rootkits/trojans are just a small piece of the puzzle, when most attackers are now using web-based techniques to steal your information REGARDLESS of operating system.
It's been a while since this article was published, and since then the Russian internet mafia has put a "bounty" out for infected Macs.
This means that there is now a financial benefit to infecting a Mac, and money, my friends, is what drives hackers and script kiddies to do damage to your systems.
I don't trust a single machine to protect any of my networks. Using a good SPI firewall, monitoring your network activity, using whitelists and keeping software up to date should be common sense nowadays.
I was considering a Mac since I heard they don't have as many security issues as PCs. This thread sounds similar to the PC world. Any thoughts?
I'm a living, surviving witness of a firmware rootkit that probably came from an uncontrolled Linux device and propagated itself onto the HPA partitions of my Win/Mac (with Parallels stuff) hard disks and/or by hacking/flashing the low-level drivers of old ATI/NVIDIA chipsets/boards...
Apart from this, the last five years have brought to our attention a quite new phenomenon: the presence in our SOHO LANs of several (networked/NetBIOSed/UPnPed/trusted) operating systems... generally reliable and efficient in protecting themselves from attacks of any kind, but poorly configured and structured to avoid their use as possible platforms to attack/infect other OSs on a LAN.
After 3 months of intense use of my brand new Snow Leopard-engined MacBook Pro, I personally found traces in some hidden scripts/dirs of a sadly famous early Microsoft product for the Macintosh: the Microsoft Personal Web Server for Mac... happily co-operating with a hidden local DNS proxy and altered SMB/CUPS startup tricks.
Firewalls (Outpost and Little Snitch) have been precious in alerting me that something strange was going on...
How did I get it?
Don’t know….
Probably through an old Ubuntu machine, left unprotected with uncontrolled and activated network services…
It is not important.
What counts is that I have very little experience with Macs and that I approached Mac OS X as a super-safe system, not susceptible to malware like its Redmond competitor.
This probably remains true in a non-hybrid environment, but where multiple OSs co-house in an (at least) 53/137/445 communicating circuit (don't talk about UPnP, smartphones, NAS and other "exploit factories" if not accurately monitored...), some more attention and care should be paid...
Stefania
Now that all Macs have switched over to Intel and the number of Mac users is growing every day, there is bound to be an increase in malware. Regardless, I have still yet to come across a Mac infected with any kind of malware.
Agreed, as Mac users increase expect more malware.
OK... My wife uses a MacBook Pro, and it is now SLOW... I downloaded the Clam Mac version and opened Activity Monitor... then it closed. I opened it, and it closed...
There were some items that caught my eye...
pboard, something sync, and a few others under the user name. Is there a list of appropriate items on this list?
I noted her Yahoo mail account had a number of secondary emails that were not hers and that she did not add, you know, the lskdjflskdjfs@yahoo.com type.
Any suggestions on how to eliminate the problem would be appreciated. A full re-install?
That RKH still works on the latest Mac Mini Server with up-to-date Snow Leopard, as of 2011.
RKH is certainly useful when you use the server as a Samba/mail/web server for Windows clients. I already knew that the stock ClamAV is outdated but still useful with the latest definitions. RKH complains (warnings) about other outdated stock open-source software on the Mac Mini Server such as OpenSSH, OpenSSL and Apache. Jobs' stable is clearly behind with patching the OSS utilities.
Meaning a stock Mac OS X Server is more vulnerable than other up-to-date BSDs and Linuxes, and it is definitely not ready to be deployed as a professional server with the necessary security compliance – period.
However, it might be OK as a graphics workstation behind a proper up-to-date (BSD/Linux) firewall/internet security gateway.