Blog Post

Why Mac Security Matters: OS X Rootkit Hunter

OS X Rootkit Hunter LogoAfter blogging about the need to use and maintain an anti-virus solution for your OS X systems, an anonymous reply questioning the need to use security tools at all on OS X systems gave me pause. You do not need me to link to the numerous articles flying around the internets that report on how one reason switchers are flocking to OS X is because of the lack of prevalence of malware. Folks are tired of viruses, worms, trojans, etc. hammering their systems. They are even more harrowed by having to maintain vigilance over their anti-virus programs, hoping they are not too far out of sync with the current “DAT”. However, switching to run OS X to avoid running anti-virus programs may not be the wisest choice.

To answer the “do we really need security tools for OS X?” question in a slightly different way than you’ve seen from many technology pundits, I’d like to turn your attention to utility called rkhunter or “rootkit hunter”. As most TAB readers should know by now, OS X has it’s origins in Unix (the “darwin” base comes from FreeBSD), and most folks believe *nix variants (linux, FreeBSD, Solaris, etc) to be extremely secure, free of the problems that plague those sad, sad Windows users. If you fall into that camp, please take a moment and browse the Secunia FreeBSD 5.x artchives. Secunia reports show over 91 vulnerabilities, with critical ones impacting core services such as file sharing and remote access. This should not be surprising since Unix systems have been favorite targets for hackers as they provide such a powerful base to launch further exploits. One of the more gnarly hacks is the installation of a rootkit – a program that can take surreptitious control of your system. And, guess what: your Mac OS X workstation/server is susceptible to rootkits just like any other Unix system, even with Leopeard’s enhanced security features. How can you fight something you can’t even see? You need a tool to help. Modern anti-virus products can and usually do cover rootkits, but the rkhunter tool may cover additional rootkits and may update rootkit signatures more frequently than a traditional vendor.

I wouldn’t recommend trying to get rkhunter installed on your Mac since it will require some enhanced Terminal-fu. Thankfully, Christian Hornung understood the need for such a tool and built a wrapper for it called (surprisingly enough), OS X Rootkit Hunter [dmg], complete with installer. After installing the package, navigate to Applications->OSXrkhnter and run the “Rootkit Hunter” app.

It’s good practice to update the rootkit database (similar to a virus engine DAT update) before each scan since there may be new rootkit signatures from new or altered exploits. When you start the scan, you will see a password dialog – just as you would with any operation that requires additional privileges to run – since OS X Rootkit Hunter needs to look in places your normal account user account cannot. You will also see Terminal windows displaying a running report of what rkhunter has or has not found (since this front-end does not free you from all the gory details of what lies beneath Aqua).

OS X Rootkit Hunter (large)

While you can download and run OS X Rootkit Hunter, I would strongly suggest that less technical users obtain one of the commercially available malware scanners since the output from OS X Rootkit Hunter can be a bit daunting. The presence and history of this tool should be enough justification for the need to run security software on your systems.

58 Responses to “Why Mac Security Matters: OS X Rootkit Hunter”

  1. Axel.. sorry dude, the boot rom of a PC (apples are PCs now) use a Basic In Out System (BIOS) to tell the OS what motherboard it is sitting on, what CPU is use, whether hard drives are present etc – otherwise the machine wouldn’t know whether it was a computer or a popup toaster

  2. sycosiis

    OS X Rootkit Hunter needs to be started with administrator privileges, please authenticate first.
    [ Rootkit Hunter version 1.3.0 ]
    Running Rootkit Hunter version 1.3.0 on roy-simss-imac

    Checking system commands…

    Performing ‘strings’ command checks
    Checking ‘strings’ command [ OK ]

    Performing ‘shared libraries’ checks
    Checking for preloading variables [ None found ]
    Checking for preload file [ Not found ]
    Checking LD_LIBRARY_PATH variable [ Skipped ]

    Performing file properties checks
    Checking for prerequisites [ Warning ]
    The (command properties test) is not completly supported in this version of OSX rootkit hunter
    /bin/bash [ OK ]
    /bin/cat [ OK ]
    /bin/chmod [ OK ]
    /bin/cp [ OK ]
    /bin/csh [ OK ]
    /bin/date [ OK ]
    /bin/df [ OK ]
    /bin/echo [ OK ]
    /bin/ed [ OK ]
    /bin/kill [ OK ]
    /bin/ls [ OK ]
    /bin/mv [ OK ]
    /bin/ps [ OK ]
    /bin/pwd [ OK ]
    /bin/sh [ OK ]
    /bin/test [ OK ]
    /usr/bin/awk [ OK ]
    /usr/bin/basename [ OK ]
    /usr/bin/curl [ OK ]
    /usr/bin/cut [ OK ]
    /usr/bin/diff [ OK ]
    /usr/bin/dirname [ OK ]
    /usr/bin/du [ OK ]
    /usr/bin/egrep [ OK ]
    /usr/bin/env [ OK ]
    /usr/bin/fgrep [ OK ]
    /usr/bin/file [ OK ]
    /usr/bin/find [ OK ]
    /usr/bin/grep [ OK ]
    /usr/bin/groups [ OK ]
    /usr/bin/head [ OK ]
    /usr/bin/id [ OK ]
    /usr/bin/killall [ OK ]
    /usr/bin/last [ OK ]
    /usr/bin/less [ OK ]
    /usr/bin/locate [ OK ]
    /usr/bin/logger [ OK ]
    /usr/bin/login [ OK ]
    /usr/bin/mail [ OK ]
    /usr/bin/mktemp [ OK ]
    /usr/bin/more [ OK ]
    /usr/bin/newgrp [ OK ]
    /usr/bin/passwd [ OK ]
    /usr/bin/perl [ OK ]
    /usr/bin/readlink [ OK ]
    /usr/bin/sed [ OK ]
    /usr/bin/sort [ OK ]
    /usr/bin/stat [ OK ]
    /usr/bin/strings [ OK ]
    /usr/bin/su [ OK ]
    /usr/bin/sudo [ OK ]
    /usr/bin/tail [ OK ]
    /usr/bin/top [ OK ]
    /usr/bin/touch [ OK ]
    /usr/bin/tr [ OK ]
    /usr/bin/uname [ OK ]
    /usr/bin/uniq [ OK ]
    /usr/bin/users [ OK ]
    /usr/bin/w [ OK ]
    /usr/bin/wc [ OK ]
    /usr/bin/whatis [ OK ]
    /usr/bin/whereis [ OK ]
    /usr/bin/which [ OK ]
    /usr/bin/who [ OK ]
    /usr/bin/whoami [ OK ]
    /sbin/dmesg [ OK ]
    /sbin/ifconfig [ OK ]
    /sbin/md5 [ OK ]
    /sbin/mount [ OK ]
    /sbin/nologin [ OK ]
    /usr/sbin/chown [ OK ]
    /usr/sbin/chroot [ OK ]
    /usr/sbin/cron [ OK ]
    /usr/sbin/lsof [ OK ]
    /usr/sbin/netstat [ OK ]
    /usr/sbin/newsyslog [ OK ]
    /usr/sbin/sysctl [ OK ]
    /usr/sbin/syslogd [ OK ]
    /usr/sbin/vipw [ OK ]
    /usr/libexec/tcpd [ OK ]

    Checking for rootkits…

    Performing check of known rootkit files and directories
    55808 Trojan – Variant A [ Not found ]
    ADM Worm [ Not found ]
    AjaKit Rootkit [ Not found ]
    aPa Kit [ Not found ]
    Apache Worm [ Not found ]
    Ambient (ark) Rootkit [ Not found ]
    Balaur Rootkit [ Not found ]
    BeastKit Rootkit [ Not found ]
    beX2 Rootkit [ Not found ]
    BOBKit Rootkit [ Not found ]
    CiNIK Worm (Slapper.B variant) [ Not found ]
    Danny-Boy’s Abuse Kit [ Not found ]
    Devil RootKit [ Not found ]
    Dica-Kit Rootkit [ Not found ]
    Dreams Rootkit [ Not found ]
    Duarawkz Rootkit [ Not found ]
    Enye LKM [ Not found ]
    Flea Linux Rootkit [ Not found ]
    FreeBSD Rootkit [ Not found ]
    Fuck`it Rootkit [ Not found ]
    GasKit Rootkit [ Not found ]
    Heroin LKM [ Not found ]
    HjC Kit [ Not found ]
    ignoKit Rootkit [ Not found ]
    ImperalsS-FBRK Rootkit [ Not found ]
    Irix Rootkit [ Not found ]
    Kitko Rootkit [ Not found ]
    Knark Rootkit [ Not found ]
    Li0n Worm [ Not found ]
    Lockit / LJK2 Rootkit [ Not found ]
    Mood-NT Rootkit [ Not found ]
    MRK Rootkit [ Not found ]
    Ni0 Rootkit [ Not found ]
    Ohhara Rootkit [ Not found ]
    Optic Kit (Tux) Worm [ Not found ]
    Oz Rootkit [ Not found ]
    Phalanx Rootkit [ Not found ]
    Portacelo Rootkit [ Not found ]
    R3dstorm Toolkit [ Not found ]
    RH-Sharpe’s Rootkit [ Not found ]
    RSHA’s Rootkit [ Not found ]
    Scalper Worm [ Not found ]
    Sebek LKM [ Not found ]
    Shutdown Rootkit [ Not found ]
    SHV4 Rootkit [ Not found ]
    SHV5 Rootkit [ Not found ]
    Sin Rootkit [ Not found ]
    Slapper Worm [ Not found ]
    Sneakin Rootkit [ Not found ]
    Suckit Rootkit [ Not found ]
    SunOS Rootkit [ Not found ]
    SunOS / NSDAP Rootkit [ Not found ]
    Superkit Rootkit [ Not found ]
    TBD (Telnet BackDoor) [ Not found ]
    TeLeKiT Rootkit [ Not found ]
    T0rn Rootkit [ Not found ]
    Trojanit Kit [ Not found ]
    Tuxtendo Rootkit [ Not found ]
    URK Rootkit [ Not found ]
    VcKit Rootkit [ Not found ]
    Volc Rootkit [ Not found ]
    X-Org SunOS Rootkit [ Not found ]
    zaRwT.KiT Rootkit [ Not found ]

    Performing additional rootkit checks
    Checking for possible rootkit files and directories [ None found ]

    Performing malware checks
    Checking running processes for suspicious files [ None found ]
    Checking for hidden processes [ Skipped ]
    Checking for login backdoors [ None found ]
    Checking for suspicious directories [ None found ]
    Checking for sniffer log files [ None found ]

    Checking the network…

    Performing check for backdoor ports
    Checking for UDP port 2001 [ Not found ]
    Checking for TCP port 2006 [ Not found ]
    Checking for TCP port 2128 [ Not found ]
    Checking for TCP port 14856 [ Not found ]
    Checking for TCP port 47107 [ Not found ]
    Checking for TCP port 60922 [ Not found ]

    Now we run an additional connection check, to inform you about used and listen tcp-ports
    and their appropriate process/commands. – This additional check was created by Christian Hornung

    There is a LISTEN tcp Port *:64000 created by Process/Command: prl_disp_
    There is a LISTEN tcp Port localhost:47807 created by Process/Command: IntegoiCa
    There is a LISTEN tcp Port localhost:ipp created by Process/Command: cupsd
    There is a LISTEN tcp Port localhost:ipp created by Process/Command: launchd

    FYI, named services are described in the file /etc/services

    Performing checks on the network interfaces
    Checking for promiscuous interfaces [ None found ]

    Checking the local host…

    Performing group and account checks
    Checking for passwd file [ Found ]
    Checking for root equivalent (UID 0) accounts [ None found ]
    Checking for passwordless accounts [ None found ]
    Checking for passwd file changes [ None found ]
    Checking for group file changes [ None found ]
    Checking root account shell history files [ None found ]

    Performing system configuration file checks
    Checking for SSH configuration file [ Found ]
    Checking if SSH root access is allowed [ OK ]
    Checking if SSH protocol v1 is allowed [ Not allowed ]
    Checking for running syslog daemon [ Found ]
    Checking for syslog configuration file [ Found ]
    Checking if syslog remote logging is allowed [ Warning ]
    Syslog configuration file allows remote logging: install.* @

    Performing filesystem checks
    Checking /dev for suspicious file types [ None found ]
    Checking for hidden files and directories [ Warning ]
    Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, from Unix

    Checking application versions…

    Checking version of Apache [ OK ]
    Checking version of Bind DNS [ OK ]
    Checking version of OpenSSL [ OK ]
    Checking version of PHP [ OK ]
    Checking version of Procmail MTA [ OK ]
    Checking version of OpenSSH [ OK ]

    System checks summary

    File properties checks…
    Required commands check failed
    Files checked: 80
    Suspect files: 0

    Rootkit checks…
    Rootkits checked : 77
    Possible rootkits: 0

    Applications checks…
    Applications checked: 6
    Suspect applications: 0

    The system checks took: 35 seconds

    All results have been written to the logfile (/tmp/rkhunter.log)

    One or more warnings have been found while checking the system.
    Please check the log file (/tmp/rkhunter.log)

    Many thanks to the founder and developer of the original rootkit hunter:
    Michael Boelen from

    any suggestions
    also before i put in virus barrier i was getting
    en3: flags=8922 mtu 1500 –
    i am new to this world please help

  3. I believe I have a rootkit in my Macbook which made it obsolete. First I was attacked by a malware redirecting me unwanted sites, however i realized that the problem is much deeper when i tried to erase and re-install the Leopard… I could not! The installer reported failures no matter which cd-drive I used or how many new hard-disks. I concluded that it must me something resident on the logicboard.

    I took the Macbook to the authorized Apple dealer, who is now after 2 days as much puzzled as I am. He reports that he cannot find in tests anything wrong with the hardware but still cannot install the Leopard from my or his DVDs, also with his own HDDS, inserted in my Mac. We are now waiting for a replacement board to try with my original HDD and installer disks. If that solves the problem, we will be sure on a virus resident on the bios since hardware tests brought no failure results so far.

    Not to mention that I tried nearly all antivirus software before going to the dealer. No sign of virus could be found except for Macscan, which reported something he could not describe.

    To make a long story short, I would say that bios-viruses are not a myth, I personally believe that they do exist and we need a good protection, which in my experience isn’t currently available for the OSX in the market today.

    • Sound very much like a possible virus then hardware problem having nothing to do with malware.

      If you could find a virus that infected both your Mac then it’s firmware you could definitely sell your computer for 6+ figures to security researchers and/or Apple. And I mean $100,000+ easy. That type of infection simple has not happened on a Mac that I know of.

      btw with the possible malware that you thought was redirecting you, was it during a single browsing session or was it permanent even if you rebooted?

  4. Briana

    Clear your computer of all the same bugs.
    When you are searching for antispyware there is one that you can always depend on, it’s called Orbasoft Antispyware. The antispyware solution from Orbasoft can provide you with a scan that can find and clear your computer of all the same bugs that the more expensive scans can a much lower price. You can’t beat that, keep your computer running great for less. Visit their site at to download this scan and get all the benefits it has to offer. If you’re like me, it will be the best decision you made in a long time.

  5. KEVIN: Bob, please point to an article that indicates that OS X users are getting infected with rootkits.


    KEVIN: I’m not convinced that any of the rootkits this software actually scans for even function on OS X.

    ME: AGAIN HAVE YOU SEARCHED GOOGLE DUMBASS??? Have you even checked how rkhunter works or at least GOOGLED for it? It actually does more than just check for ROOTKITS.

    • No need for the language. It makes people not want to take you seriously regardless of the point your trying to make.

      Anyway two points. 1) I personally believe we will be seeing more mac malware. I think the resent exploits are just the start and Macs will continue make up a still small but growing part of the large botnets that are out there.
      2) The comments here were from a year and a half ago. 1.5 years ago any Mac would be justified in saying 99% of Mac “security” software was utterly useless and not needed. You can’t point at events that transpired after the poster’s initial statement and then claim he should have know better.

      I personally highly recommend Little Snitch for every Mac out there.

    • How about my wife’s computer that when I open Activity Monitor, it … closes. All by itself. No… I am sure that is just Steve watching out for my wife who knows nothing about computer security… Magical…

  6. notchirs

    So does anyone here have the actual knowledge to well say “Hack A Mac”. Has anyone ever tried to write specific malware or a rootkit pertaining to OS X. Did they succeed.
    If its possible I’d like to see it happen. I want to know if it will work I have a junk MAc running 10.4.11 and I want someone to put a rootkit on it and see if it actually can affect the systems integrity. I want to post all observational data during this experiment thus proving or disproving this entire article . Anyone interested?


  7. Good comment, Matt. But to clarify something, when these vulnerabilities say “may cause unwanted code execution”, it doesn’t mean that it actually *can*. It just means that they haven’t ruled out the possibility. It’s generally very tricky to actually turn a buffer overflow into an exploit, and just as hard to prove that it can’t. So most of these vulnerabilities get patched without ever knowing if they were a real vector for attack, or just a simple crash.

  8. I tend to read security reports I find in the tech press with a large grain of Kosher Salt. The general security in OS X works well with a few notable items. Strangely, although these holes are widely known and perhaps even easily exploited they continue to NOT be exploited. Just like the Quicktime vulnerabilities that always seem to state ‘May cause unwanted code execution’ (The ever present buffer overflow issue everyone seems to get hit by)

    I have my doubts as to how well, or even at all that they could actually be utilized.

    Certainly we can look back on the past 3 or 4 years to stories surfacing in January that ‘THIS IS THE YEAR FOR THE MAC VIRUS” only to find exploits available, exploits ‘supposedly’ IN THE WILD that never amount to anything. If it genuinely, fully is as easy to pwn (Ghod I hate l33t, it’s so 1993) an OSX machine then there oughta be millions of zombied macs out there happily buzzing away.

    As for Trojans, I can’t see how any real defense can be made against them other than understanding you can’t download whatever the devil you wish from the Internet. The OS is SUPPOSED to run applications for heavens sake. Now, one can make sure certain vital organs are not dangling out to get hit by the Trojan’s sword and I think OS X does a reasonably good job doing so.

    So what am I saying with this rambling missive?

    I’m saying this, have the tools at hand, but don’t be an idiot! I ran on Windows for years with nary a security app and the like and never got hit. Behind OS X I might as well be behind a wall of armor plate steel compared to my windows days.

  9. Joe,

    You may have missed something in the article. The last sentence indicates that Apple has hardened their update mechanism against a man-in-the-middle attack such as this. Just because these fools (the people who created Evilgrade) SAY they can attack OS X’s Software Update doesn’t make it so.

    From the article ( accessed on 8/4/08):

    “Krebs also reports that, contrary to the claims of Evilgrade’s authors, Apple has strengthened their update mechanism to defeat this attack. ”


  10. CJ: Yes, Quicktime vulnerabilities are not a good thing, but Apple is good about pushing out security updates, and I’ve never actually heard of an exploit in the wild for one of these vulnerabilities.

    As for ClamAV, yes, that’s for detecting Windows malware. Don’t even bother looking for something to detect OS X malware, though, as that hinges upon the assumption that there is OS X malware, which is, for all practical purposes, untrue.

  11. Hello!

    I know OS X is generally more secure than Windows, but hearing lately about Quicktime vulnerabilities where code can be executed and what not makes me a little worried.

    Reading ClamXav website, it doesn’t look like it’s a security software for OS X. It looks like it’s basically security software for Windows PCs that runs on OS X to make sure you don’t spread Windows malware. Can it even detect OS X malware? I’m looking for something that can.

  12. Vinod – You saw a Kernel Panic. If this software triggered a Kernel Panic, then this software is even worse than I thought. In any case, no, you are not infected. Kernel Panics are rare, but they do happen. If you see another Kernel Panic, you might want to consider having your hardware checked out at your local Apple Store, as it might indicate damaged or faulty hardware. It’s also possible that this software behaves much worse than I thought and is mucking around with your system. I certainly hope it’s not.

    In any case, I recommend uninstalling this software, as it is completely useless.

  13. Bob, please point to an article that indicates that OS X users are getting infected with rootkits. The only information I can find on any real-world rootkits for OS X is a specific one called Opener, which only ever affected one real user (it requires admin privileges to be installed anyhow), and requires admin privileges to even be installed in the first place anyhow. It also was nothing more than a bash script, put in the startup items folder, that attempted to gather password information and run John the Ripper on it. This was 3 years ago, and this is the only information I can find about real rootkits on OS X.

    If you’re talking about a business-critical machine that handles sensitive data, sure, it’s better to be safe than sorry, as such a machine will be a juicy target for hackers or social engineers. On such a machine, it might make sense to run a rootkit scanner. But on any other machine, it’s a complete waste of resources. And it even might still be a waste of resources on such a sensitive, critical machine because I’m not convinced that any of the rootkits this software actually scans for even function on OS X.

    Even if rootkits existed in the wild for OS X, and even if this software was proven to be able to detect rootkits on OS X, I still wouldn’t recommend that regular people use it. To have a rootkit installed on your system, you must a) run untrusted code, and b) provide your password. I would hope that people are smart enough to not type their password at a password prompt unless they know what the software is actually going to do with it. But even if they are not, the chances that a regular user would ever be exposed to a rootkit (assuming they exist and are infecting people in the wild) is so small that running this software is useless.

    In short, I don’t have any reason to believe this software is actually capable of finding rootkits that even function on OS X, and running it is a complete waste of time.

    HOWEVER, you should always keep your system up-to-date with the latest security releases, pay attention to news of any new potential exploits (such as the recent QuickTime holes), and simply exercise caution and proper judgement when running untrusted code or typing your password.

  14. (neglected to turn subscriptions on for the thread, apologies folks)

    If you’ve looked at my some of my previous posts, you’ll see that I put security in the context of risk management. Clearly, Kevin’s risk analysis in his particular context gives him the conclusion that there is little-to-no risk for him. That doesn’t make my advice to use anti-malware software FUD. Furthermore, the existence of malware for any platform is not necessarily a factor in determining risk (I have supporting links if pressed for them…kinda tired tonight). When Windows security patches come out each month, many of them do not have public exploit code. Kevin’s argument can be extrapolated to mean the lack of such code is cause to not install those security patches (which would be insane, especially on that platform). [NOTE: @ex2bot is absolutely right when he encourages everyone to keep their Mac systems updated as well]

    I reiterate that you may choose to accept the risk of running without anti-malware software if you are an experienced user who fully understands his/her computing environments, habits and exposure.

    @Scott B is also right on target. Having been a programmer (Mac, Windows, Solaris, Linux, *BSD and *VMS*) and also now working as a security professional with developers I can say with some authority that programmers in general care little about security and even less about thorough software life cycle development. In many shops, it’s “code fast or die” and for open source, the mantra is release often (some might call that iterative development, I call it rapid bug fixing). In either case. Most software is rife with buffers waiting to be overflown (overflew?).

    @march has a very good suggestion (anyone else on this thread remember tripwire?), but it’s not very practical for the average user.

    @Graham: I’m pretty convinced to do a complete series on practical security solutions for OS X at this point. I’m as annoyed with the “OS X is a target” news in the feeds and in the press and one of the only ways to help make sense of it is to document what (good stuff) is available. Keep an eye out.

    @Patrick, stick with ClamXav. @Mike, if you’re *really* interested, I can build a command-line only version for Tiger.

    again, apologies for the subscription foible…I’ll try to remember to click the checkbox next time.

  15. ballard is right. Do an md5 checksum after each sw update. Keep records, if weird things happen, rechecksum. Thats how you would detect rootkits iv there were any…

  16. “Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept.”

    Have you ever seen an OS X box with a root kit? Have you ever actually heard of this happening in the wild? I sure haven’t. In fact, the only malware I’ve ever actually seen was the Merry Xmas Hypercard virus which only affected Hypercard stacks under the classic Mac OS and was about as benign as a virus could possibly be.

    The differences between installing a root-kit on Windows and one on OS X is people actually write root-kits for Windows. People don’t write them for OS X. Testing for existing root kits under OS X is quite pointless if they don’t actually affect the system, which is what the Rootkit Hunter seems to be doing.

    People have been saying “when” an exploit occurs for years and years, and yet, OS X is still incredibly secure. I’m not saying don’t practice safe habits like being careful when opening attachments or downloads, or keeping the system up-to-date. I’m saying using tools like Rootkit Hunter is a complete waste of time, because I can guarantee it’ll never find anything. If you actually see confirmed reports of a rootkit being found in the wild on OS X systems, at that point it may make sense to start using a tool like this. However, even then you can avoid any trouble by simply being smart about what you launch. Unlike a virus, a rootkit still needs the user’s help to be installed.

    In short, I guarantee this tool will never find anything on your system. Don’t bother.

  17. Kevin Ballard (#7): There is an old saying that an ounce of prevention is worth a pound of cure! Why be reactive and not proactive?

    Why do you think this is FUD? It is possible to root-kit MacOS X. It is not a proof of concept. Any script kiddie can download a root-kit, gain access to a MacOS X system, and install a root-kit. The difference between installing root-kit under Windows versus MacOS X are the access control mechanisms that make it more difficult to do so under MacOS X.

    Those of us who are information security professionals know that it is a matter of time before issues occur. Apple has increased the risk by using an application level firewall and suppressing the built-in BSD firewall to be accessible by techies who are not afraid to use Looking at the risk, we infosec professionals say “when” an exploit occurs.

    Unfortunately, many of the risks we find are the result of programmers not understanding the side effects of their coding. From buffer overruns to hard-coding passwords, programming short-cuts are our biggest headache. Rather than attacking the writer, why not try to understand the risks so that we can all ensure elimination of all issues!

  18. I use ClamXav and sent in a donation. Seem about right to me. Read up a little on configuring it and setting sentry to check particular folder (mail downloads etc.)

  19. Right now, Mac users need to keep their updates current (via Software Update in the Apple menu) and be careful about blindly accepting download of video codecs.

    More general security tips:

    Using a router between your Mac and the Internet is a good idea since it acts as a firewall.

    Don’t open attachments unless you are absolutely sure they are from trusted sources. The general security motto is “Don’t open attachments. Period.”

    Do we Mac users have to run security suites at this point? Debatable. If you depend on MS Office documents with macros, you probably should run one. Otherwise, it’s not as clear-cut as with a Windows machine.


  20. Stop spreading FUD. There’s no reason to believe any of these rootkits will even run under OS X, let alone that any have ever been found in the wild on an OS X box.

    If (and I say If, not When) the day comes that OS X starts getting some real malware (meaning not the occasional little proof of concept that doesn’t do anything), on that day you can start using antivirus/antirootkit software. But until that day comes, you’re just wasting resources, not only on your computer, but on the computers of everybody who follows your advice.

    And I’m speaking as a Mac computer programmer, not as just another user.

  21. Patrick Weigel

    I’m interested – has anyone run this on a Macintosh and found any rootkits installed on their system? I can understand somewhat the theory in the above blog article, but have there been any real-world rootkits?

    I’m willing to run this Rootkit Hunter and ClamXav as it seems relatively painless, but I want to know if I’m defending against an existing problem or a potential problem.


  22. Is there a MAC-like security program that works? Norton Internet Security is very clunky, not intuitive at all. Also it’s very heavy handed in its intrusiveness and its updating.
    I use Macs to avoid such programs – and dealing with Unix.
    Thanks for any suggestions.

  23. @Steve: I was using OS X Rootkit Hunter primarily as an example of how there are valid historical and current security concerns on OS X. The developer did a great job and service porting it as well as he did to the Mac, but I would purport that it’s still something only more technical users of OS X go out and investigate.

    ClamXav ( is another great, free security tool with *nix origins and an even better OS X front-end. TAB did a mention ( of them last year and it may be time for a detailed comprehensive review of commercial (and qualified open source) anti-virus solutions for OS X.

    I would highly recommend using ClamXav over OS X Rootkit Hunter as a baseline layer of security.