Can Macs become infected with rootkits?

Discussion in 'macOS' started by DavidCar, Nov 8, 2005.

  1. DavidCar macrumors 6502a

    Joined:
    Jan 19, 2004
    #1
  2. Seasought macrumors 65816

    Seasought

    Joined:
    Nov 3, 2005
  3. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #3
    Rootkits in general? Sure. If you do not take sensible precautions then any system is at risk of infection from all sorts of rubbish.

    The Sony DRM rootkit only affects Windows PCs though.
     
  4. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #4
    I don't get the impression from this article (good article, thanks) that I could catch a rootkit on a Mac as easily as the Sony rootkit is placed on a PC. I don't do root access, or network access, and I don't believe in Elvis sightings, so it seems I'm safe.
     
  5. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #5
    I'll add that one thing that caught my attention in the article sub linked to my first post is that information was being sent to Sony over the network each time the CD was played.
     
  6. Daveway macrumors 68040

    Daveway

    Joined:
    Jul 10, 2004
    Location:
    New Orleans / Lafayette, La
    #6
    Mac OS X would require that a root password be put in, however the kernel could be patched first and then the rootkit can be placed in the computer.

    According to Leo L. rootkits were first developed for UNIX.
     
  7. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #7
    Every single person who has that Sony rootkit said yes to installing it (well, said yes to installing something, it never said it was a rootkit). The only saving grace on OSX is that you would have to enter your Administrator password as well as saying yes, whereas most users on Windows are logged in as Administrator and you wouldn't need to type in your password again.
     
  8. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #8
    It makes sense when you think about it. root is the superuser on Unix, as opposed to Administrator on Windows.
     
  9. Celticsun1980 macrumors newbie

    Joined:
    Nov 8, 2005
    Location:
    England
    #9
    I don't believe it would directly affect the Mac, I thought the system fundamentals were too different, and if it was possible then OSX would certainly ask you for your Admin Password.

    And let's face it, still to this day you can't get a NetMD to work on a Mac, so I wouldn't worry about it... not yet anyways :p
     
  10. mdavey macrumors 6502a

    mdavey

    Joined:
    Nov 1, 2005
    #10
    The Sony rootkit only works on Windows and Sony's use is atypical (rootkits are usually used by crackers to gain administrator control of a system, not by music companies to implement DRM).

    Safe is a relative term. Mac OS X is based on Unix and has very good user management and segregation, but all OSes have security flaws, including Linux, BSD and Mac OS X. In order to install and activate a rootkit, joe cracker has to have root access on your system. There are many techniques to achieve this (including simply asking the user to enter the root password) - but most often they involve covertly exploiting a security vulnerability in a system service.

    Here is a technical document describing one such vulnerability (this is a very old one that Apple fixed ages ago). This particular vulnerability can be exploited by sending a series of carefully crafted network packets to the target computer, resulting in the cracker gaining access to an unprivileged account. Once they have that, they can upload the rootkit and execute it, gaining them a root account.

    As mentioned in the article, such an attack would be beyond most script kiddies and so the likelihood of your particular system being cracked is low, but crucially it isn't zero. There are some simple things you can do to further reduce the risks:
    * run SoftwareUpdate on a regular basis and always install the security updates as soon as you can
    * If you are a system administrator (or have a general interest in security), monitor the security mailing lists such as Bugtraq, CERT, FIRST and SecureMac.
    * teach yourself about Unix and Mac OS X security
    * use the techniques listed in the article (such as installing tripwire and rootkit sniffers)
    * set up a proper firewall machine between your Internet router and your home network. Any old PC makes a good firewall machine and you'll find free firewall software on the Internet (try IPcop, m0n0wall or smoothwall).
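The "tripwire and rootkit sniffers" item above is the one piece of the list that is easiest to show in working code. The following is an added example, not code from this thread or from any of its posters, and not the real Tripwire tool: a minimal tripwire-style integrity checker in Python that records a baseline of SHA-256 hashes and permission bits for every regular file under a directory, then reports files that were added, removed or modified, and flags anything that has acquired the setuid bit. The directory layout, file names (`bin/ls`, `bin/ps`, `bin/.helper`) and the "tampering" are all constructed inside a temporary directory for the demonstration; nothing on the real system is read or written.

```python
"""Tripwire-style file integrity baseline and check (added example).

Constructed demo: builds a small fake "system" tree in a temp directory,
records a baseline of SHA-256 hashes and permission bits, then simulates
the kind of change a rootkit makes (a replaced system binary plus a new
setuid file) and reports what differs from the baseline.
"""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits and size for every regular file under root.

    Keys are paths relative to root, so a baseline taken earlier can be
    compared against the same tree later.
    """
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            rel = os.path.relpath(full, root)
            records[rel] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
                "size": st.st_size,
            }
    return records


def compare(baseline, current):
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    # Files carrying the setuid bit are worth listing on their own, since a
    # new one is a classic way of keeping root access after a break-in.
    setuid = sorted(p for p, r in current.items() if r["mode"] & stat.S_ISUID)
    return {"added": added, "removed": removed, "modified": modified, "setuid": setuid}


def save_baseline(records, path):
    """Write the baseline as JSON; in real use keep this copy off the host."""
    with open(path, "w") as f:
        json.dump(records, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "bin")
        os.makedirs(sysdir)
        ls = os.path.join(sysdir, "ls")
        ps = os.path.join(sysdir, "ps")
        with open(ls, "wb") as f:
            f.write(b'#!/bin/sh\n/usr/bin/ls "$@"\n')
        with open(ps, "wb") as f:
            f.write(b'#!/bin/sh\n/usr/bin/ps "$@"\n')
        os.chmod(ls, 0o755)
        os.chmod(ps, 0o755)

        # The baseline lives outside the tree being checked.
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(snapshot(sysdir), baseline_path)

        # Simulated tampering (constructed): ps is replaced by a version that
        # hides a process name, and a new setuid helper appears next to it.
        with open(ps, "wb") as f:
            f.write(b'#!/bin/sh\n/usr/bin/ps "$@" | grep -v evil\n')
        helper = os.path.join(sysdir, ".helper")
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(helper, 0o4755)

        return compare(load_baseline(baseline_path), snapshot(sysdir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports `ps` as modified and `.helper` as both added and setuid, while `ls` is untouched. The caveat that matters in practice follows from Daveway's point above about the kernel being patched first: a checker like this runs in user space and trusts what the kernel tells it, so once the kernel itself is subverted the hashes can be lied about. The baseline and the checker are therefore only as trustworthy as where they are kept; store the baseline on read-only or off-host media and run the check from known-good media when a compromise is suspected.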
     
  11. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #11
    I've never heard of a firewall machine. Sounds like I may need to learn a little Unix.
     
  12. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #12
    It's just a computer that sits at the top of your home network and acts as a firewall. The advantage over other firewalls is that it's more flexible than the router hardware firewall (probably), and because it's running on a computer that isn't doing too much else, it is relatively less vulnerable to being disabled or modified by viruses or malware, etc....

    Seems like an awful lot, to me, though. And only really beneficial if you need ports to be open. The only port open on my iBook is a UDP port for network time, and there're no ports open in the NAT "firewall" on my router.
     
  13. feakbeak macrumors 6502a

    feakbeak

    Joined:
    Oct 16, 2003
    Location:
    Michigan
    #13
    To add a little more about running a computer firewall: it is a good idea and nice to have the firewall between your machine and the internet as opposed to just running a software firewall locally. Besides, I find software firewalls annoying with the pop-ups that you usually get with them.

    I believe that a run-of-the-mill broadband router with NAT and firewall capabilities built-in is the best option as most consumers will not want to configure a spare/old box to run a software firewall. Most NAT routers come mostly locked down with all ports stealthed. You can pick up one of these at Best Buy or the like for about $50, maybe a little less. Linksys, D-Link, NetGear seem to be the big three in that market but there are many more. The only difference between them is usually the firmware but most any basic model will give the average consumer what they need and make your computing environment much more secure.
     
  14. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #14
    I had some strange problems with a Netgear once. It seemed to be rerouting lots of mysterious incoming traffic and then sending it out again without it reaching the computer. I don't really need a router, but if I got another one I would want to have the most information and control available.
     
  15. feakbeak macrumors 6502a

    feakbeak

    Joined:
    Oct 16, 2003
    Location:
    Michigan
    #15
    I've used Linksys in the past and now have a D-Link router. I've also tried an Airport Express for a wireless access point but I didn't like the software tool used to configure it. Out of all of them I most like the D-Link mostly because of the firmware.
     
  16. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #16
    Any specific feature about the firmware that you like?
     
  17. Mechcozmo macrumors 603

    Mechcozmo

    Joined:
    Jul 17, 2004
    #17
    I hate our D-Link. It doesn't play nice when it has its DNS server disabled. See, we have a Linksys router that gives out IPs and is connected to the cable modem. The D-Link is a switch/wireless AP. Well, disable the DNS server and you cannot connect to it anymore. So it is stuck at WEP-128 until I can pull it out of the attic and do a hard reset, restore all settings, and then put it back up there.

    Linksys routers I've had better luck with... nicer, better range, you can buy high-gain antennae.
     
  18. feakbeak macrumors 6502a

    feakbeak

    Joined:
    Oct 16, 2003
    Location:
    Michigan
    #18
    While I don't use every feature of the router I use a fair amount of the features. BTW, I have the DI-624 for reference.

    - Use the DDNS feature to keep my domain name pointed at my machine at home that I run a web server off.
    - Use the wi-fi capabilities with WEP enabled. They let you store up to four keys so you can switch them easily to keep it a little more secure.
    - I enabled MAC address filtering so that only machines I allow can get on my network.
    - I use both static and dynamic DHCP features. It is nice that when you enter the MAC address for a computer (say for MAC address filtering) it has you associate that MAC address with a name and keeps a list of them, so that if I then go to configure a static DHCP entry for that MAC address I can just pick the machine name from a drop-down list and I don't have to enter the MAC address again.
    - The port-forwarding options are nice and can be set to a schedule. All of the filtering options and parental control stuff can also be set to a schedule.
    - The reboot from the firmware is also nice so you don't have to go over to the physical device.

    Also, the interface for the firmware (web-based) is very responsive and just very well done, IMO. After configuring the router you can save off your configuration settings to a file and load them up later if you ever mess it up.

    I used a couple of Linksys routers in the past and their firmware was not nearly as robust or responsive. It has been a couple of years since I've used their stuff though - maybe they are better now that they're owned by Cisco. I think they changed over their firmware since I last owned one. I also know you can replace the Linksys firmware with some open-source stuff now too.

    As for the Airport Express I really didn't care for the fact that there was no web interface to configure the router. You had to use a software tool to view and change the settings and then upload them to the device - this is not ideal, IMO.

    Hope that helps you.
     
  19. DavidCar thread starter macrumors 6502a

    Joined:
    Jan 19, 2004
    #19
    It gives me some things to think about, thanks.
     