"Mac OS X Kernel" service connecting to random Korean Website

Discussion in 'macOS' started by alumac, May 12, 2009.


Is downloading pirated software the only way Mac users can compromise their security?

  1. Yes

  2. No

  3. Theoretically no, but practically yes

  1. alumac macrumors member

    Mar 31, 2009
    Aaaahh.. Recently, I've been witnessing a few random redirects (to Symantec Online Store) when browsing in Safari. I decided to try out Little Snitch. Everything seems normal except that a service called "Mac OS X Kernel" has been trying to connect to some random Korean website. This doesn't sound right! :eek:

    This website is pretty clean actually. Just has a login box and says its owned by art korea.

    Is my OS X the victim of a spyware attack????
  2. melchior macrumors 65816


    Nov 17, 2002
    there is definitely something fishy. for one thing does not resolve to http://www.art-kor.co.kr/ and http://www.art-kor.co.kr/ does not resolve to

    installed cs4 or iwork this year from bittorrent by chance?

    it could be a trojan of some sort. have a look in your /System/StartupItems/ and tell us what is there...
  3. alumac thread starter macrumors member

    Mar 31, 2009
    Thanks for your reply. I haven't installed anything on this computer except for Microsoft Word (which I had from my previous macbook).

    I can't anything in System/Library/StartUp, but if something is there, it might be hidden.
  4. kolax macrumors G3

    Mar 20, 2007
    Sounds like a trojan. Installed video codecs from x-rated websites?
  5. michael.lauden macrumors 68020


    Dec 25, 2008
    if you didn't install anything - it wouldn't be there. you had to have given your admin access code to a program.

    you could check keychain access to see what you've authorized - although i doubt that woul really help
  6. alumac thread starter macrumors member

    Mar 31, 2009
    The only third party programs I've downloaded/installed on this mac are daisy disk, microsoft office and audio hijack pro. I own Office and the others are trial versions that I got off the apple software downloads website.

    I've run scans on my HD using MacScan trial and ClamAV but they didn't find anything but tracking cookies.

    I'm not sure how the trojan found its way to my disk. Is "Mac OS X Kernel" a real system service? Are there other programs I could run to figure out whats going on? Archive/Install probably wont help me so I guess backup/reformat is my only option?
  7. angelwatt Moderator emeritus


    Aug 16, 2005
    Looking up the IP address turned up a site that mentioned it as part of a potential botnet (of course IP can change). You may want to download iAntivirus and let that do a full scan. It may not turn up anything, but is an easy enough thing to try.

    "Mac OS X Kernel" is not a real process from Mac. For me the kernel process is named "kernel_task." From activity Monitor is you click on the Mac OS X Kernel process then click on Inspect it'll bring up a window. From there, there's a tab named "Open Files and Folders" that will let you see where this thing is what it may be doing. You can also look at the Console Application, but it may be hard to track down messages related to this process.
  8. r.j.s Moderator emeritus


    Mar 7, 2007
    ^^^ Agreed. Kernel_task is the name of the real process, sounds like you picked up some malware somewhere.
  9. ppc750fx macrumors 65816

    Aug 20, 2008
    Screw iAntivirus.

    Here's what you do:

    1) Back up your data (*not* your applications) onto an external drive.

    2) Wipe your internal drive.

    3) Install your applications from trusted sources (*not* from the pirated versions you installed in the first place.)

    4) Restore your data.

    All told, it'll probably take a couple hours. The benefit, of course, is that you'll be pretty sure that you've got a clean install when you're done.
  10. alumac thread starter macrumors member

    Mar 31, 2009
    Its actually mach_kernel

    I just noticed that the service is actually called mach_kernel. It seems that "Mac OS X Kernel" is what Little Snitch refers to this service as.

    I did a spotlight search of "mach_kernel" (with the quotes) and received a number of .c source code results (all from the iPhone OS 2.2.1 SDK) which is part of XCode Developer Tools.

    I also google searched "mach_kernel" and found a number of results. So it seems that the service is legitimate.

    I can re-install the entire system without a problem. As I've stated, I've only got 3 third-party apps (excluding little snitch). And all these apps have come from trusted sources (either Microsoft or Apple Software Downloads).

    At the moment, I'm quite perplexed as to why/how mach_kernel was connecting to the random korean website. It is quite possible that there is some sort of a security flaw in the mach_kernel itself which lets outsiders access it (possibly through scripts on webpages, etc).

    I don't know though. And please don't accuse me of pirating software again. If you don't believe what I'm saying, I can do without your help.
  11. melchior macrumors 65816


    Nov 17, 2002
    right, so mach_kernel covers a lot of internel BSD components that run as system level. some other frameworks are able to send data through your mach_kernel with they have the same level of permissions.

    something that might be happening however is incoming connections. before you go ahead and wipe your drive, as it is honestly unlikely that you have a trojan if you have done everything you say.

    considering the page that turns up, i wouldn't be surprised if it is a dodgy botnet checking you out on an open port. are you behind a router/firewall? is pnp enabled? port forwarding? os x firewall enabled? enabled stealth mode?

    just a few ideas...
  12. jaw04005 macrumors 601


    Aug 19, 2003
    I highly doubt you have malware. What version of Little Snitch are you running? Version 1.x doesn't work with Leopard, and would report what you're seeing.

    Additionally, are you running any type of torrent software like Transmission, etc?
  13. alumac thread starter macrumors member

    Mar 31, 2009
    Its Little Snitch version 2. No torrent software on my mac. I have a PC which I use when I need to use bit torrents.

    Thanks for the info about mach_kernel. I do use port forwarding on my router to forward all port 80 requests to my computer (for Web Sharing). The only fire wall I use is the one built-in to Leopard, but it is set to allow all incoming connections. Don't know what steal mode or pnp are.

    It did cross my mind that maybe some malicious computer was trying to make an incoming connection to my computer. But then, isn't little snitch meant to show outward traffic? It says on their website:

  14. ppc750fx macrumors 65816

    Aug 20, 2008
    Little Snitch is an outbound firewall only.

    mach_kernel is the Mach kernel -- the core of the Mac OS X operating system.

    "Mac OS X Kernel Service" is not a term that I've seen used anywhere in Apple's documentation, and is (at least to me) somewhat suspicious.

    An another note, why is your firewall set to allow all inbound connections? This increases your attack surface considerably, so if there's not a reason to keep your computer wide open I'd suggest tightening your config somewhat.
  15. Jethryn Freyman macrumors 68020

    Jethryn Freyman

    Aug 9, 2007
    ClamXAV only detects Windows threats. Don't bother with MacScan, iAntiVirus is better and free (iAV detects only OS X threats, e.g. trojans.)

    You should probably switch on one of OS X's two firewalls. The one in system preferences is pretty poor, but is better than nothing.

    I've got Little Snitch for outgoing connection and IPFW (configured with WaterRoof) for incoming connections. Works perfectly.
  16. ppc750fx macrumors 65816

    Aug 20, 2008
    It's not terribly fine-grained, but when properly configured it's quite solid. And AFAIK there's only one firewall built in to Mac OS X: ipfw.
  17. angelwatt Moderator emeritus


    Aug 16, 2005
  18. ppc750fx macrumors 65816

    Aug 20, 2008
  19. ihabime macrumors 6502

    Jan 12, 2005
    I found a post on the obdev forums about this, particularly read the reply by Johannes.

    He mentions that 2.0 has an issue where it misidentifies some network traffic as wrongly being sent from/going to the kernel when it is actually another service.

    The problem is related to running any kind of server process, so I'd guess it has something to do with web sharing being turned on.

    It may just be normal webcrawling bots looking for holes in webservers, I know when I ran a small website off my Mac the logs were full of that stuff.
  20. alumac thread starter macrumors member

    Mar 31, 2009
    10.5.7 update

    Some of the issues the new 10.5.7 update fixes (From http://support.apple.com/kb/HT3549) -

    Clearly, there are (/were) a number of ways that malware could find its way to a Mac. So what's with pretending that only pirated downloads do that?

    Thanks for finding that! Looks like it solves the problem!
  21. r.j.s Moderator emeritus


    Mar 7, 2007
    Just because a vulnerability exists, doesn't mean there is an exploit for it. There is a huge difference in finding a vulnerability and being able to exploit it.
  22. ppc750fx macrumors 65816

    Aug 20, 2008
    Because so far, pirated software is the only transmission vector that we've seen used "in the wild."
  23. Cbswe, Jan 7, 2011
    Last edited: Jan 7, 2011

    Cbswe macrumors member

    Jan 11, 2010
    I've experienced the same problems. I'm using Little Snitch 2.3.3 and when uTorrent is running I get these random usage of mach_kernel detected in Little Snitch.

    It's really uncomfortable and I've tried to block almost everything. But it still doesn't seem to be able to block this activity.

    I've read something that it might be related to Paralells Desktop. Prevously I also had a lot of connections to a binary called prl_naptd wich is a Parallels binary. I changed some setting and I don't get there connections anymore. But the mach_kernel ones remain.

    Anyone have any idea what it might be?

    I havn't experienced any strange behavior in the OS yet so I'm very unsure if it's harmed in any way.

    I can also mention that I got a folder called NMTCPSettingsTuning with a binary inside called the same thing in my Startupitems. What's wierd is that I get almost no result when I google this file name
  24. Mockman macrumors newbie

    Feb 28, 2011
    NM stands for nova media. The rest of that would TCP Settings Tuning. Search for it without the 'NM'.

    Have you installed a USB 3G stick that uses some 'connection' software? That's likely where it came from. Note that they may provide the software for other company's hardware, e.g. Sony Ericsson (see supported OSs on their product page: http://www.sonyericsson.com/cws/support/mobilebroadband/md400?cc=us&lc=en).

    Assuming this is the case, you should have some files in a few places, such as /Library/Frameworks/. Presumably, you'd have an app somewhere as well, and a kernel extension.

    To hunt down all these related files, I did a search in Terminal using this command:

    locate NM > nm.txt

    This finds all the indexed files with 'NM' in them. It's case sensitive by default. It dumps the results into a file called nm.txt which you can open and look at in any text editor (or spreadsheet).

    Note that some files will have NM in their name but not be related. For example, MSNMgr or some SNMP tools in Perl. Often, stuff in the Library folders have related .plist file that can be opened with the Property List Editor. For the nova media stuff, the .plist will identify them.

    Hope this helps.
  25. munkery, Mar 2, 2011
    Last edited: Mar 2, 2011

    munkery macrumors 68020


    Dec 18, 2006

Share This Page