Rootkit For Mac Os X

Can my laptop run any slower? How did my background image change? Blue screen of death again?! Ugh! If any of these sound familiar, there’s a chance your computer has a very bad rootkit.

What is a Rootkit?

Sep 23, 2013  The tool aims to detect modifications in the OS X kernel memory that might indicate the presence of a rootkit. Its usage is very simple, a user only needs to download and run the application. Mac OS X Rootkit Tools Released. Posted on August 13th, 2009 by Peter James. Security researcher Dino Dai Zovi has released a set of advanced rootkit tools for Mac OS X. This follows his recent presentation at Black Hat, which, “covered a number of Mach-based rootkit tools and techniques including user-mode Mach-O bundle injection, Mach RPC. For rootkits, you can download and compile the Rootkit Hunter project (though it is a command-line based tool and is not a quick all-in-one scanner like you're looking for. ESET Rootkit Detector is another free program which is much easier to use, but the main downside is that it only works on OS X 10.6, 10.7 and 10.8. Considering OS X is almost to 10.13 right now, this program won’t be helpful for most people.

A rootkit is an application (or set of applications) that coneals its presence, or the presence of another application, such as adware or spyware, on a device. Rootkits hide by using some of the lower layers of the operating system, including API function redirection or undocumented OS functions, which makes them almost undetectable by common anti-malware software.

Jan 23, 2008  58 Responses to “Why Mac Security Matters: OS X Rootkit Hunter” karlos September 8, 2009 Axel. Sorry dude, the boot rom of a PC (apples are PCs now) use a Basic In Out System (BIOS) to tell the OS what motherboard it is sitting on, what CPU is use, whether hard drives are present etc – otherwise the machine wouldn’t know whether it was.

Where does the term “rootkit” come from? In Unix and Linux operating systems (OS), the system admin, an all-powerful account with full privileges and unrestricted access (similar to the administrator account in Windows), is referred to as the “root”. The applications that allow unauthorized root/admin-level access to the device and restricted areas are known as the “kit”.

Put the two together and you get “rootkit”: a program that gives someone (with legitimate or malicious intent) privileged access to a computer or mobile device. This person can now control the device remotely without the owner’s knowledge or consent.

Unfortunately, rootkits are often designed to create unauthorized access to computers, allowing cybercriminals to steal personal data and financial information, install malware, or use computers as part of a botnet to circulate spam and participate in DDoS (distributed denial-of-service) attacks.

Imagine a burglar who wants to break in and steal from your home. They dress in black to blend into the darkness and move quietly to remain undetected. But unlike the thief who takes something and then leaves, a rootkit sticks around in your computer, robbing it of data or manipulating what’s inside over time.

Is a rootkit a virus?

Mac Os X Versions

Rootkit For Mac Os XDownload

A rootkit is not a virus, per se. A computer virus is a program or piece of code designed to damage your computer by corrupting system files, wasting resources, destroying data, or just being a nuisance. A key distinction of viruses is that they use your computer’s resources to replicate themselves and spread across files or to other computers without the user’s consent.

I also disabled the 15 port patch which had been left on. Wifi adapter for mac os high sierra.

Unlike viruses, rootkits are not necessarily harmful. What’s dangerous is the various forms of malware a rootkit can deliver, which can then manipulate a computer’s OS and provide remote users with admin access. This makes them popular tools among cybercriminals, and it’s why rootkits now have such a bad rep.

Installing AVG AntiVirus FREE is your best first line of defense against malicious rootkits and many other kinds of threats. Scan your devices to detect and remove rootkits from the source, and stay protected from any future malware with AVG — all for free.

Is a rootkit malware?

A rootkit is closely associated with malware (short for “malicious software”), a program designed to infiltrate and steal data, damage devices, demand ransom, and do various other illegal activities. Malware encompasses viruses, Trojans, spyware, worms, ransomware, and numerous other types of software.

Modern rootkits act as a cover for the harmful effects of malware.

How to recognize a rootkit

By design, rootkits are difficult to detect. They’re good at camouflage, which makes rootkit detection very tedious. Even commercially available products and seemingly benign third-party apps can have rootkit-based functionality. A rootkit can disguise activities and information from an OS, preventing its bad behavior from being exposed.

Rootkit’s my name, hiding’s the game.

How? Once a rootkit is installed, it typically boots at the same time as the computer’s OS, or after the boot process begins. There are other rootkits that can boot up before the target operating system, making them even more difficult to detect.

Malware For Mac Os X

Image Source: https://en.wikipedia.org

Telltale signs of a malicious rootkit at play – told as film and TV show titles:

  • Kiss of (Blue Screen) Death: Windows error messages or blue screens with white text, while your computer constantly needs to reboot.
  • Stranger Things: unusual web browser behavior such as Google link redirection and unrecognized bookmarks.
  • Failure to Launch: slow computer performance, or when the device freezes or fails to respond to any kind of input from the mouse or keyboard.
  • The Social Network: web pages or network activities appear to be intermittent or function improperly due to excessive network traffic.
  • Out of Sight: settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.

How to remove a rootkit

Finding and removing rootkits isn’t an exact science, since they can be installed in many ways. Even when you wipe a machine, a rootkit can still survive in some cases. The good news: an antivirus tool with a rootkit scanner like AVG’s will go a long way toward keeping malware away. Our anti-rootkit technology, included in AVG AntiVirus FREE, detects, prevents, and removes rootkits and other forms of malicious software.

Where do rootkits come from and how do they propagate?

There are a few common ways cybercriminals can get a rootkit on your computer. One is exploiting a vulnerability (a weakness in software or an OS that hasn’t been updated) and forcing the rootkit onto the computer. Another way is through malicious links, which can be sent by email, social networking, or as part of a phishing scam. Malware can also be bundled with other files, such as infected PDFs, pirated media, or apps obtained from suspicious third-party stores.

So when they say to never trust a stranger, they mean that you should never open links or documents from anyone you don’t know over email or any messaging app. Never install a “special plugin” (pretending to be legitimate) to correctly view a webpage or launch a file either.

Unlike viruses and worms, rootkits don’t spread or multiply on their own. Usually, rootkits are just one component of what is called a blended or combined threat, which consists of three snippets of code: a dropper, loader, and rootkit.

Here’s how it works:

Activating a dropper typically entails human intervention, such as clicking a malicious link, which in turn launches a loader program. The dropper then deletes itself while the loader causes a buffer overflow (meaning it stores more data in a temporary storage area than it can hold). This loads the rootkit into the computer’s memory, creating a backdoor that allows bad actors (cybercriminals, not Nicolas Cage) to modify system files so they can remain undetected by the user and basic antivirus software.

Now they have remote access to the OS and can use the infiltrated computer for spamming, pharming, large-scale DDoS attacks, or for stealing sensitive data.

Types of rootkits

Rootkits can be persistent or non-persistent. The former means that a rootkit is capable of activating itself every time the computer boots up. The latter refers to a rootkit that resides in the memory and ceases to exist when the computer reboots.

Rootkits can be identified by which areas of a system they affect and how well they can hide.

  1. Kernel mode rootkits operate at the core of an OS (kernel level) and cause frequent system crashes. This is often how Microsoft support personnel determine that a victim’s device has been infected with a rootkit.
    An attacker first exploits a user’s system by loading malware into the kernel, which then intercepts system calls or adds its own data, filtering any data returned by the malware that might trigger detection. Kernel-based malware can be used to cover tracks and conceal threats both within the kernel and in user-mode components alike. Sneaky!
  2. User mode rootkits either start as a program in the normal manner during system startup, or get injected into the system through a dropper. They provide similar functionalities as kernel mode rootkits, such as masking and disabling access to files, but operate at the user level. User mode rootkits are not as stealthy as kernel mode, but due to their simplicity of implementation, they’re much more widespread.
    User mode rootkits are popular in financial malware. Carberp, one of the most-copied strains of financial malware, was developed to steal banking credentials and sensitive data from victims. So be careful of spam emails claiming to be payment reminders or invoices!
  3. Hybrid rootkits combine user-mode and kernel-mode characteristics. This approach is one of the most popular rootkits among hackers because of its high rate of success in penetrating computers.
  4. Bootloader rootkits target the building blocks of your computer by infecting the Master Boot Record, a fundamental part that instructs your computer how to load the OS.
  5. Firmware rootkits can hide in firmware — like a microprocessor or a router — when the computer is shut down. Then when the computer restarts, the rootkit reinstalls itself.
  6. Virtual machine-based rootkits transport an operating system into a virtual environment so that the rootkit, along with the virtual environment, cannot be discovered at all or is extremely difficult to detect. A virtual machine-based rootkit (VMBR) loads itself underneath the existing OS, then runs the OS as a virtual machine. This way, a VMBR could go undetected unless special tools are used to look for it. Round and round it goes.

Image Source: https://hyperbear.blogspot.com

Infamous rootkits in history

  • The first documented case of a rootkit was written by Stevens Dake and Lane Davis in 1990 on behalf of Sun Microsystems for SunOS Unix OS.
  • In 2005, when CDs were still a thing, Sony BMG Music Entertainment secretly installed rootkits on millions of music discs to keep buyers from burning copies of CDs via their computers, and to inform the company about what these customers were up to. The rootkit, which was undetectable by antivirus and anti-spyware, opened the floodgates for other malware to infiltrate Windows PCs unseen. It became a cultural phenomenon as a punchline in comic strips like Foxtrot and a custom t-shirt logo.
  • NTRootkit (2008) One of the first malicious rootkits for Windows NT. Different versions do different things. One captures keystrokes which allows hackers to find out data like usernames and passwords for accessing certain services.
  • Machiavelli (2009) First rootkit targeting Mac OS X. It creates hidden system calls and kernel threads.
  • Greek Watergate (2004-2005). A rootkit developed for Ericsson AXE telephone exchanges on the Greek Vodafone network, targeted at wiretapping the phones of members of the Greek government.
  • Zeus (2007) Zeus is a credential-stealing Trojan horse — a rootkit that steals banking information by using man-in-the-browser keystroke-logging and form-grabbing.
  • Stuxnet (2010) The first known rootkit targeting an industrial control system.
  • Flame (2012) This computer malware attacks Windows OS computers and can record keyboard activity, screenshots, audio, network traffic, and more.

Here’s a crazy story: Winning $16.5 million can cause quite a stir, right? It’s another thing when the security chief of Multi-State Lottery Association fixed the lottery. Eddie Tipton confessed to creating a simple program (a rootkit) called Quantum Vision Random Number Generator — partly copied from an internet source — that led to countless fraudulent lotto winnings claimed by him, his friends, family, and even strangers he met. It was as simple as inserting a thumb drive into the room where lotto numbers are drawn. It took a decade and a computer science-savvy detective to catch the thief.

How to protect yourself against rootkits

Although rootkits are sneaky and insidious, there are still ways to prevent them. Many of the strategies to avoid rootkits are also sensible computing habits that will protect you against all kinds of threats:

  • Don’t open email attachments from unknown senders
  • Don’t download unknown files
  • Ensure your system is properly patched against known vulnerabilities
  • Install software with vigilance, making sure it is legitimate and that there are no red flags in the EULA (end user license agreement)
  • Use external drives and thumb drives with caution

In addition to the common sense tips above, you can mount an even stronger defense against rootkits by installing a robust antivirus. Though some antivirus software isn’t strong enough to detect them, AVG AntiVirus FREE will find and remove even the most insidious and deeply embedded malicious rootkits — for the low, low price of free.

Sung-ting Tsai and Ming-chieh Pan, researchers from Taiwan-based Team T5, take the floor at Black Hat Asia to demonstrate how tricky a Mac OS X rootkit can be.

Sung-ting Tsai: Hello everyone! I’m TT.

Ming-chieh Pan: I’m Nanika.

Sung-ting Tsai: We are from Taiwan. We are from Team T5 Research. The topic of this talk is “You Can’t See Me: A Mac OS X Rootkit Uses the Tricks You Haven’t Known Yet”. Since more and more people start using Mac, attacking Mac OS has become a trend and we see more and more malware with advanced techniques. In order to gain persistent control and avoid detection, malware has started to adopt rootkit tricks. In this talk we are going to introduce several new rootkit tricks that cannot be detected by existing security software

Nanika and me founded Team T5 Research in Taiwan recently. We are doing cyber threat research: we monitor, analyze and track cyber threats throughout the Asia-Pacific Region. We are also very interested in vulnerability research – not only the analysis of known exploits and vulnerabilities, we are also happy to look for new programs on new platforms or in new technologies. We are also members of CHROOT Security Group in Taiwan, and we hold HITCON every year. I’m the HITCON organizer. HITCON is the largest security conference in Taiwan, and we have about 800 attendees every year.

Many people say that Taiwan is a country without natural resources. Actually, it is wrong. Taiwan has the most abundant cyber attack natural resource in the world, especially APT and targeted attack samples. I think many APT researchers are eager to look for samples because it is not easy to get those. But it is not very difficult in Taiwan due to political issues. The picture is from VirusTotal (see right-hand image), and submissions from Taiwan rank #2 (www.virustotal.com/en/statistics/). So doing cyber threat research in Taiwan is interesting.

This is a short introduction of me (see image below). My name is Sung-ting, and you can just call me TT. I’m the leader of Team T5 Research. We like threat and vulnerability research.

Nanika is our Chief Researcher (see image below). He is a well-known vulnerability researcher and has been disclosing new vulnerabilities for many years. His major areas of expertise include vulnerability research, exploit techniques, malware detection, mobile security; and he has discovered numerous samples in Windows system as well as document and application vulnerabilities. He has found many 0days and reported those to Microsoft before. In the recent years, we have started exploring and discovering problems on Mac OS. Nanika and me frequently do presentations in many security conferences.

These (see image below) are the topics we are going to discuss today. We will show you some advanced process hiding techniques; how to become a privileged normal user; how to directly access kernel memory from user space. On Mac OS X 10.9, there are security warnings if you want to load third-party kernel module. We will show you how to load a malicious kernel module without warnings. And finally, I will show you a trick to gain root permission.

Advanced Process Hiding

Rootkit For Mac Os X 10 11 Download Free

So, the first topic is Advanced Process Hiding. Let me introduce the Rubilyn rootkit. It was released for disclosure in 2012. It had such capabilities as hiding a file, hiding a process, hiding a user, hiding a network connection, etc. So, yeah, it is very famous because it is open source and it shows people how to implement a rootkit on Mac OS. Also, it is already two years old and many people are still discussing this.

Rootkit Mac Os X

There are many features, but we are going to focus on process hiding. This is how Rubilyn hides a process (see right-hand image). It directly modifies kernel objects to unlink a process from the linked list. So it is a typical DKOM approach to hide a process.

This (see image above) is the process structure in Mac OS kernel. The ‘p_list’ is the linked list. It is the list of all processes. So the first element is a list of all processes. You probably noticed the ‘task’ pointer, which is the third element. It will point to another ‘task’ object. So, one process object will have the task object. Actually, all tasks are in another linked list. As you can see, there is a chain, the ‘queue_chain_t’ – that is the linked list of all tasks (see image below). So there is another linked list.

Read next part: A Mac OS X Rootkit Uses the Tricks You Haven’t Known Yet 2 - Detecting a Process Hidden by Rubilyn