Reddit user finds major RootKit security flaw in OS X
I’m reproducing the whole article below so subscribers to the RSS feed can read this, but you should also check out the original article here.
0WN3D on Mac OS: my desktop has been part of an IRC botnet for months, I’ve found evidence of a rootkit, neither chkrootkit nor antivirus software finds evidence of it
I am a longtime Mac OS user and defender of Mac OS security. Under a different username, two weeks ago I was doing battle with people suggesting that Mac OS and Safari were anything less than secure. Last week, I discovered that my desktop has been part of an IRC botnet for months.
I am fairly certain it started with a Joomla exploit on our server. From there, c99shell was installed on our machine, and a rootkit was deployed. During this period, neither Little Snitch nor ClamXav alerted me to the presence of the rootkit or outbound IRC connections. It wasn’t until I happened to notice that /var/log/appfirewall.log was turning over multiple times daily that I saw a massive number of connections from a process without a name and strange errors coming from mDNSResponder.
I have heard about the recent trojans going around on Mac OS that deployed from porn websites or shared software, however this rootkit, while similar in nature (mDNSResponder), does not have files in their described locations. Further, Norton Antivirus, Intego VirusBarrier X5, ClamXav, and even chkrootkit can find nothing.
The only evidence I have on what type of kit it might be comes from a file that is used to delete evidence of the rootkit after installation that was left over in the /tmp directory: exec("rm -rf *siti* && rm rm.txt");.
Anyone have any ideas on what this might be, any similar stories, or questions? Tonight I am wiping my hard drive and changing all my passwords.
tl;dr — Mac OS security defender discovers his machine has been 0wn3d and humbly seeks advice or commiseration. Author understands (and reminds MS fanbois) that the reason for the attack (Joomla and PHP) is not the fault of Apple.
I should also mention that if you want to assuage your fear that you too might be part of the botnet right now, start up Console, scroll down to the /var/log section and look at appfirewall.log for unusual connections that look like this:
Jul 1 20:00:33 hostname Firewall[66]: Allow connecting from 72.30.78.244:51287 uid = 0 proto=6
Jul 1 20:00:38 hostname Firewall[66]: Allow connecting from 99.178.113.252:4874 uid = 0 proto=6
Jul 1 20:00:38 hostname Firewall[66]: Allow connecting from 72.30.78.244:51811 uid = 0 proto=6
Jul 1 20:00:39 hostname Firewall[66]: Allow connecting from 65.55.106.182:61891 uid = 0 proto=6
Jul 1 20:00:41 hostname Firewall[66]: Allow connecting from 99.178.113.252:4874 uid = 0 proto=6
Jul 1 20:00:42 hostname Firewall[66]: Allow connecting from 65.55.106.182:61891 uid = 0 proto=6
Jul 1 20:00:43 hostname Firewall[66]: Allow connecting from 187.8.53.42:59364 uid = 0 proto=6
Jul 1 20:00:44 hostname Firewall[66]: Allow connecting from 72.30.78.244:53257 uid = 0 proto=6
Jul 1 20:00:47 hostname Firewall[66]: Allow connecting from 66.249.68.148:62853 uid = 0 proto=6
Jul 1 20:00:47 hostname Firewall[66]: Allow connecting from 99.178.113.252:4874 uid = 0 proto=6
Jul 1 20:00:47 hostname Firewall[66]: Allow connecting from 72.30.78.244:53257 uid = 0 proto=6
Jul 1 20:00:48 hostname Firewall[66]: Allow connecting from 65.55.106.182:61891 uid = 0 proto=6
Jul 1 20:00:49 hostname Firewall[66]: Allow connecting from 122.165.52.62:44182 uid = 0 proto=6
Jul 1 20:00:50 hostname Firewall[66]: Allow connecting from 72.30.78.244:53856 uid = 0 proto=6
Notice the lack of a process name (between “Allow” and “connecting”) and the random port numbers (after the colon). These connections can be stopped by selecting “System Preferences > Security > Firewall > Allow only essential services”. It doesn’t, of course, solve the problem of the rootkit, which at this point can only be fixed by reinstalling the operating system and all applications.
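The check the post describes (scanning appfirewall.log for "Allow" entries with no process name, running as uid 0, to many random remote ports) can be automated. The script below is an added example, not code from the post or from Apple; it assumes the line format quoted above, with the process name (when present) sitting between "Allow" and "connecting", and runs on constructed sample lines using documentation-range addresses.

```python
import re

# Constructed sample lines in the appfirewall.log format quoted in the post.
# Lines with a process name between "Allow" and "connecting" are normal; lines
# with no process name and uid = 0 match the pattern the post flags.
SAMPLE_LOG = """\
Jul 1 20:00:31 hostname Firewall[66]: Allow Skype connecting from 192.0.2.5:50123 uid = 501 proto=6
Jul 1 20:00:33 hostname Firewall[66]: Allow connecting from 203.0.113.7:51287 uid = 0 proto=6
Jul 1 20:00:38 hostname Firewall[66]: Allow connecting from 198.51.100.9:4874 uid = 0 proto=6
Jul 1 20:00:38 hostname Firewall[66]: Allow connecting from 203.0.113.7:51811 uid = 0 proto=6
Jul 1 20:00:40 hostname Firewall[66]: Deny Transmission connecting from 192.0.2.9:6881 uid = 501 proto=6
"""

# Assumed layout: "<Mon> <day> <time> <host> Firewall[<pid>]: <Allow|Deny> [<proc>] connecting
# from <ip>:<port> uid = <uid> proto=<proto>". The process name is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) Firewall\[\d+\]: "
    r"(?P<action>Allow|Deny)(?: (?P<proc>\S+))? connecting from "
    r"(?P<ip>[\d.]+):(?P<port>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("port", "uid", "proto"):
        entry[key] = int(entry[key])
    return entry

def suspicious_entries(log_text):
    """Allowed connections with no process name and uid 0: the post's indicator."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "Allow" and e["proc"] is None and e["uid"] == 0:
            hits.append(e)
    return hits

def summarize(entries):
    """Per remote IP: hit count and the distinct remote ports seen (random ports = churn)."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["ip"], {"count": 0, "ports": set()})
        s["count"] += 1
        s["ports"].add(e["port"])
    return summary

if __name__ == "__main__":
    for ip, s in sorted(summarize(suspicious_entries(SAMPLE_LOG)).items()):
        print(f"{ip}: {s['count']} nameless root connections, ports {sorted(s['ports'])}")
```

On a real machine, replace SAMPLE_LOG with the contents of /var/log/appfirewall.log; a large number of distinct remote ports per IP with no process name is the pattern worth investigating further.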