
Is downloading pirated software the only way Mac users can compromise their security?



alumac (macrumors member, original poster), Mar 31, 2009
Aaaahh.. Recently, I've been witnessing a few random redirects (to Symantec Online Store) when browsing in Safari. I decided to try out Little Snitch. Everything seems normal except that a service called "Mac OS X Kernel" has been trying to connect to some random Korean website. This doesn't sound right! :eek:

This website is pretty clean actually. Just has a login box and says it's owned by art korea.

http://61.110.24.133

Is my OS X the victim of a spyware attack????
 
There is definitely something fishy. For one thing, 61.110.24.133 does not resolve to http://www.art-kor.co.kr/ and http://www.art-kor.co.kr/ does not resolve to 61.110.24.133.


Installed CS4 or iWork this year from BitTorrent by chance?

It could be a trojan of some sort. Have a look in your /System/StartupItems/ and tell us what is there...
 
Thanks for your reply. I haven't installed anything on this computer except for Microsoft Word (which I had from my previous macbook).

I can't see anything in System/Library/StartUp, but if something is there, it might be hidden.
 
Hello,

Thanks for your reply. I haven't installed anything on this computer except for Microsoft Word (which I had from my previous macbook).

I can't see anything in System/Library/StartUp, but if something is there, it might be hidden.

If you didn't install anything, it wouldn't be there. You had to have given your admin access code to a program.

You could check Keychain Access to see what you've authorized, although I doubt that would really help.
 
The only third party programs I've downloaded/installed on this mac are daisy disk, microsoft office and audio hijack pro. I own Office and the others are trial versions that I got off the apple software downloads website.

I've run scans on my HD using MacScan trial and ClamAV but they didn't find anything but tracking cookies.

I'm not sure how the trojan found its way to my disk. Is "Mac OS X Kernel" a real system service? Are there other programs I could run to figure out what's going on? Archive/Install probably won't help me, so I guess backup/reformat is my only option?
 
Looking up the IP address 61.110.24.133 turned up a site that mentioned it as part of a potential botnet (of course IP can change). You may want to download iAntivirus and let that do a full scan. It may not turn up anything, but is an easy enough thing to try.

"Mac OS X Kernel" is not a real process from Mac. For me the kernel process is named "kernel_task." In Activity Monitor, if you click on the Mac OS X Kernel process and then click on Inspect, it'll bring up a window. From there, there's a tab named "Open Files and Folders" that will let you see where this thing is and what it may be doing. You can also look at the Console application, but it may be hard to track down messages related to this process.
 
^^^ Agreed. kernel_task is the name of the real process; sounds like you picked up some malware somewhere.
 
Screw iAntivirus.

Here's what you do:

1) Back up your data (*not* your applications) onto an external drive.

2) Wipe your internal drive.

3) Install your applications from trusted sources (*not* from the pirated versions you installed in the first place.)

4) Restore your data.

All told, it'll probably take a couple hours. The benefit, of course, is that you'll be pretty sure that you've got a clean install when you're done.
 
It's actually mach_kernel

I just noticed that the service is actually called mach_kernel. It seems that "Mac OS X Kernel" is what Little Snitch refers to this service as.

I did a spotlight search of "mach_kernel" (with the quotes) and received a number of .c source code results (all from the iPhone OS 2.2.1 SDK) which is part of XCode Developer Tools.

I also google searched "mach_kernel" and found a number of results. So it seems that the service is legitimate.

I can re-install the entire system without a problem. As I've stated, I've only got 3 third-party apps (excluding little snitch). And all these apps have come from trusted sources (either Microsoft or Apple Software Downloads).

At the moment, I'm quite perplexed as to why/how mach_kernel was connecting to the random Korean website. It is quite possible that there is some sort of a security flaw in the mach_kernel itself which lets outsiders access it (possibly through scripts on webpages, etc).

I don't know though. And please don't accuse me of pirating software again. If you don't believe what I'm saying, I can do without your help.
 
Right, so mach_kernel covers a lot of internal BSD components that run at system level. Some other frameworks are able to send data through your mach_kernel when they have the same level of permissions.

Something that might be happening, however, is incoming connections. Before you go ahead and wipe your drive: it is honestly unlikely that you have a trojan if you have done everything you say.

Considering the page that turns up, I wouldn't be surprised if it is a dodgy botnet checking you out on an open port. Are you behind a router/firewall? Is pnp enabled? Port forwarding? OS X firewall enabled? Enabled stealth mode?

Just a few ideas...
 
I highly doubt you have malware. What version of Little Snitch are you running? Version 1.x doesn't work with Leopard, and would report what you're seeing.

Additionally, are you running any type of torrent software like Transmission, etc?
 
I highly doubt you have malware. What version of Little Snitch are you running? Version 1.x doesn't work with Leopard, and would report what you're seeing.

Additionally, are you running any type of torrent software like Transmission, etc?

It's Little Snitch version 2. No torrent software on my Mac. I have a PC which I use when I need to use bit torrents.

Are you behind a router/firewall? Is pnp enabled? Port forwarding? OS X firewall enabled? Enabled stealth mode?

Just a few ideas...

Thanks for the info about mach_kernel. I do use port forwarding on my router to forward all port 80 requests to my computer (for Web Sharing). The only firewall I use is the one built in to Leopard, but it is set to allow all incoming connections. Don't know what stealth mode or pnp are.

It did cross my mind that maybe some malicious computer was trying to make an incoming connection to my computer. But then, isn't little snitch meant to show outward traffic? It says on their website:

A firewall protects your computer against unwanted guests from the Internet. But who protects your private data from being sent out? Little Snitch does!
 
Little Snitch is an outbound firewall only.

mach_kernel is the Mach kernel -- the core of the Mac OS X operating system.

"Mac OS X Kernel Service" is not a term that I've seen used anywhere in Apple's documentation, and is (at least to me) somewhat suspicious.

On another note, why is your firewall set to allow all inbound connections? This increases your attack surface considerably, so if there's not a reason to keep your computer wide open I'd suggest tightening your config somewhat.
 
ClamXAV only detects Windows threats. Don't bother with MacScan, iAntiVirus is better and free (iAV detects only OS X threats, e.g. trojans.)

You should probably switch on one of OS X's two firewalls. The one in system preferences is pretty poor, but is better than nothing.

I've got Little Snitch for outgoing connection and IPFW (configured with WaterRoof) for incoming connections. Works perfectly.
 
I found a post on the obdev forums about this, particularly read the reply by Johannes.

He mentions that 2.0 has an issue where it misidentifies some network traffic as wrongly being sent from/going to the kernel when it is actually another service.

The problem is related to running any kind of server process, so I'd guess it has something to do with web sharing being turned on.

It may just be normal webcrawling bots looking for holes in webservers, I know when I ran a small website off my Mac the logs were full of that stuff.
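As an added example that is not from this thread: a defender-side check over the Apache access log that Web Sharing writes, separating the "bots looking for holes" described above from ordinary visitors. The log lines, addresses, paths and user agents are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the Apache "combined" log format that Leopard's Web Sharing writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample entries: addresses, paths and user agents are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2009:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2009:10:02:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner-x/1.0"
198.51.100.7 - - [10/May/2009:10:02:11 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "scanner-x/1.0"
198.51.100.7 - - [10/May/2009:10:02:12 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner-x/1.0"
198.51.100.7 - - [10/May/2009:10:02:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "scanner-x/1.0"
203.0.113.5 - - [10/May/2009:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2009:10:06:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Crawler/2.1"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def find_probers(lines, min_404=3):
    """Flag source addresses that collected at least `min_404` 404 responses.

    A burst of 404s for paths the site never served (admin consoles, CGI
    scripts) is the signature of a bot sweeping exposed web servers; a single
    404 (a crawler asking for robots.txt) is not.
    Returns a list of (ip, 404_count, paths), highest count first.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        misses[rec["ip"]].append(rec["path"])
    flagged = [(ip, len(p), p) for ip, p in misses.items() if len(p) >= min_404]
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n, paths in find_probers(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} x 404 -> {', '.join(paths)}")
```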
 
10.5.7 update

Some of the issues the new 10.5.7 update fixes (From http://support.apple.com/kb/HT3549) -

Viewing or downloading a document containing a maliciously crafted embedded CFF font may lead to arbitrary code execution

Impact: Visiting a malicious website may lead to an unexpected application termination or arbitrary code execution

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Clearly, there are (/were) a number of ways that malware could find its way to a Mac. So what's with pretending that only pirated downloads do that?

I found a post on the obdev forums about this, particularly read the reply by Johannes.

He mentions that 2.0 has an issue where it misidentifies some network traffic as wrongly being sent from/going to the kernel when it is actually another service.

The problem is related to running any kind of server process, so I'd guess it has something to do with web sharing being turned on.

It may just be normal webcrawling bots looking for holes in webservers, I know when I ran a small website off my Mac the logs were full of that stuff.

Thanks for finding that! Looks like it solves the problem!
 
Clearly, there are (/were) a number of ways that malware could find its way to a Mac. So what's with pretending that only pirated downloads do that?

Just because a vulnerability exists, doesn't mean there is an exploit for it. There is a huge difference in finding a vulnerability and being able to exploit it.
 
Clearly, there are (/were) a number of ways that malware could find its way to a Mac. So what's with pretending that only pirated downloads do that?

Because so far, pirated software is the only transmission vector that we've seen used "in the wild."
 
I've experienced the same problems. I'm using Little Snitch 2.3.3 and when uTorrent is running I get these random usage of mach_kernel detected in Little Snitch.

It's really uncomfortable and I've tried to block almost everything. But it still doesn't seem to be able to block this activity.

I've read something that it might be related to Parallels Desktop. Previously I also had a lot of connections to a binary called prl_naptd which is a Parallels binary. I changed some setting and I don't get those connections anymore. But the mach_kernel ones remain.

Anyone have any idea what it might be?

I haven't experienced any strange behavior in the OS yet so I'm very unsure if it's harmed in any way.

I can also mention that I got a folder called NMTCPSettingsTuning with a binary inside called the same thing in my StartupItems. What's weird is that I get almost no result when I google this file name.
 
I can also mention that I got a folder called NMTCPSettingsTuning with a binary inside called the same thing in my StartupItems. What's weird is that I get almost no result when I google this file name.

NM stands for nova media. The rest of that would be TCP Settings Tuning. Search for it without the 'NM'.

Have you installed a USB 3G stick that uses some 'connection' software? That's likely where it came from. Note that they may provide the software for other company's hardware, e.g. Sony Ericsson (see supported OSs on their product page: http://www.sonyericsson.com/cws/support/mobilebroadband/md400?cc=us&lc=en).

Assuming this is the case, you should have some files in a few places, such as /Library/Frameworks/. Presumably, you'd have an app somewhere as well, and a kernel extension.

To hunt down all these related files, I did a search in Terminal using this command:

locate NM > nm.txt

This finds all the indexed files with 'NM' in them. It's case sensitive by default. It dumps the results into a file called nm.txt which you can open and look at in any text editor (or spreadsheet).

Note that some files will have NM in their name but not be related. For example, MSNMgr or some SNMP tools in Perl. Often, stuff in the Library folders has related .plist files that can be opened with the Property List Editor. For the nova media stuff, the .plist will identify them.

Hope this helps.
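An added example, not from the poster: filtering the nm.txt output for files that actually carry the vendor prefix (dropping MSNMgr and SNMP-style false matches), grouping them by install location, and reading the CFBundleIdentifier from a plist to name the vendor. The paths and the Info.plist here are constructed, and the bundle identifier is a placeholder, not nova media's real one.

```python
import plistlib
import re

# Constructed stand-in for nm.txt, the output of `locate NM`; every path
# here is made up for the example.
NM_TXT = """\
/Library/Frameworks/NMConnection.framework/Versions/A/NMConnection
/Library/Frameworks/NMConnection.framework/Versions/A/Resources/Info.plist
/Library/StartupItems/NMTCPSettingsTuning/NMTCPSettingsTuning
/Library/StartupItems/NMTCPSettingsTuning/StartupParameters.plist
/System/Library/Perl/5.8.8/Net/SNMP.pm
/Applications/Microsoft Office 2008/Office/MSNMgr.app
/usr/share/man/man1/nm.1
"""

# Constructed Info.plist such as a vendor framework would carry; the bundle
# identifier is a placeholder, not the real nova media value.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example-vendor.NMConnection</string>
  <key>CFBundleName</key>
  <string>NMConnection</string>
</dict>
</plist>
"""

# 'NM' only where it begins a path component and is followed by a capital
# (NMConnection, NMTCPSettingsTuning); MSNMgr, SNMP and nm.1 do not qualify.
PREFIX_RE = re.compile(r'(^|/)NM[A-Z]')

def prefix_matches(locate_output):
    """Return the lines of `locate NM` output that name a vendor-prefixed file."""
    return [p for p in locate_output.splitlines() if PREFIX_RE.search(p)]

def by_location(paths):
    """Count matches per top-level install location, e.g. /Library/StartupItems."""
    counts = {}
    for p in paths:
        loc = "/".join(p.split("/")[:3])
        counts[loc] = counts.get(loc, 0) + 1
    return counts

def bundle_id(plist_bytes):
    """Read CFBundleIdentifier from an Info.plist; it names the vendor."""
    return plistlib.loads(plist_bytes).get("CFBundleIdentifier")
```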
 