OS X 10.11, Windigo Rootkit?

Discussion in 'OS X El Capitan (10.11)' started by immobilus, Aug 23, 2015.

  1. immobilus macrumors member

    May 5, 2012
    If anyone happens to have CHKROOTKIT v. 0.50 installed, can you do a scan and tell me whether you also get a (likely false) positive for a Windigo infection? If this has been discussed, if someone could post the link to the discussion, it would be appreciated.

    I run Ubuntu and OS X 10.11 on the same system, and my CHKROOTKIT readout, and all the 'tests' to confirm infection, are showing positive for my macbook.
  2. Ritsuka macrumors 6502a

    Sep 3, 2006
    ssh is slightly different so the script you used doesn't work on a mac.
  3. immobilus thread starter macrumors member

    May 5, 2012
    Yea, I know... My macbook doesn't have the command, though it can be installed, so my computer jumps straight to the echo instruction.

    My macbook was hacked a few weeks ago and was out of service for a while. They were somehow able to access my macbook using bluetooth, without any connections appearing in the bluetooth utility. They were restoring old backups of my hard drive and leaving them mounted as hidden volumes. They had my physical macbook believing that its internal hard drive was located on a bluetooth server. They blocked me from accessing the root directory, and I eventually found all these documents made up of o's and different characters with random lines of text embedded, referring me to "the user" and instructing them on how to identify my wireless network every time I disconnected the router, hid and changed the SSID, or changed my network password. At one point, I was able to access my root directory and was able to find restorations of old mounted USB drives and my "passport" backup drive; there were folders that were literally redacted. I could open them but there were black redactions over the folder content window in finder. There was a process open, of which I wish I had written down the name. It was a data recovery process that was restoring deleted content and piping it to a foreign server. I killed the process, and within three minutes a popup showed up on screen saying "Warning: 3 second shutdown by <user>," and it was my username. The computer shut down, and when I tried to reboot there was a firmware password on it.

    Of course I've been complaining on here about bizarre things going on with my macbook for a while. I've always gotten the typical, "MacBooks are immune to attacks! It's all in your head!" It clearly wasn't in my head, and so true is that the Apple Store was instructed to make an image of my hard drive when they disabled the firmware password and escalate it to "System Security." All they could tell me, literally, was: "Whatever you were doing before, don't do that anymore;" and that someone, most likely an immediate neighbor, had at some point likely had physical access to the computer in order to load whatever it was onto my system.

    It began months ago when I would notice bizarre netstat connections, and an iCloud popup window began showing up, both on my macbook and iPhone, soliciting my Apple ID and password. Both my macbook and the iPhone began running very warm, and my iPhone's battery life dropped, at times, to no more than two or three hours. My Macbook's battery life, at times, dropped to several hours as well. The Macbook's screen would suddenly come alive on its own, even when untouched and sitting across the room. Apple said, additionally, that if it was an unknown rootkit that caused the damage they were seeing, it's likely that their system restore would not completely eradicate it until it could be identified. It would just reinfect the new installation by hiding out in various boot directories and partitions. They had disabled internet restore as well.

    Oh! And perhaps the MOST bizarre thing was with internet recovery. If I was to do a recovery of either my Macbook or iPhone, it would behave as normal. Except the screen would briefly dim, and give off a blueish hue. The recovery process would "run," but instead of being a slow process, taking 5 or 10 minutes, it would run very quickly. On my Macbook, it would recover as normal until it hit 50% or so. Then the screen would blink, a terminal window would open for a split second, and the remaining 50% would take seconds. It could complete a full recovery process in a matter of a few minutes, five at most. The same would happen if I tried to erase free space. I would run 'diskutil secureerase freespace 3 /dev/disk0,' and whereas in the past it would have taken 12 hours or so, if not far more, it was completing 5, 6, 7 passes in a matter of thirty minutes and completing the entire process in an hour or so.

    I'm actually in a battle with Best Buy right now because when my Macbook was down, I went and bought a cheap HP laptop. They took that one down too in a matter of hours after upgrading from Windows 8.1 to 10. When I returned it, they said it's clear that it was hacked but they "don't feel they should have to exchange or refund a laptop damaged by use -- use either by me or an uninvited third party." That laptop is sitting in the back of my SUV lifeless and waiting for Best Buy's customer service to call and say they're overriding the decision of store management.

    Apple instructed me to contact the police and report it to them -- unfortunately, San Francisco police are worthless.

    Best Buy told me to shove it.

    My Macbook has been fine since the system restore, but I don't want to let my guard down. I'm watching netstat, watching processes running, and, as necessary, trying to synchronize my system running 10.11 with the systems of others to identify anomalies.
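    The two posts above touch on why the Windigo test misfires on a Mac: the publicly circulated Ebury quick test (from ESET) runs `ssh -G` and treats an "illegal option" / "unknown option" error as "clean" and anything else as "infected", so a missing `ssh`, or an OpenSSH new enough to accept `-G` as a real option, both fall straight through to the "infected" echo. The script below is an added example written for this thread, not code posted by either participant and not chkrootkit's own check; it assumes that this `ssh -G` heuristic is the test that was run, and it reports the conflated outcomes separately instead of calling everything that is not an option error an infection.

```shell
#!/bin/sh
# Added example for this thread (not from chkrootkit or the posters).
# The public Ebury/Windigo quick test is, in essence:
#   ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null \
#       && echo "System clean" || echo "System infected"
# Modern OpenSSH documents -G (print the effective config), and a host
# with no ssh binary prints "command not found"; both land in the
# "infected" branch. classify_ssh_g_output splits those cases apart.

# classify_ssh_g_output EXIT_STATUS OUTPUT
# Prints one of: clean-legacy, clean-modern, no-ssh, inconclusive
classify_ssh_g_output() {
    status="$1"
    output="$2"
    case "$output" in
        *illegal*|*unknown*)
            # Older OpenSSH rejects -G: the heuristic's original "clean" case.
            echo clean-legacy ;;
        *"command not found"*|*"No such file"*)
            # No ssh client at all; the heuristic had nothing to test.
            echo no-ssh ;;
        'usage: ssh ['*G*']'*)
            # OpenSSH that lists -G as a real option prints its usage line
            # when -G is given without a destination host.
            echo clean-modern ;;
        *)
            # Anything else (including exit status 0 with no usage text)
            # is not proof of Ebury; it needs a binary-integrity check,
            # e.g. comparing the ssh binary against the vendor package.
            echo inconclusive ;;
    esac
}

# Run the probe on this host, handling a missing binary explicitly.
windigo_probe() {
    if ! command -v ssh >/dev/null 2>&1; then
        classify_ssh_g_output 127 "ssh: command not found"
        return
    fi
    out=$(ssh -G 2>&1)
    rc=$?
    classify_ssh_g_output "$rc" "$out"
}
```

Calling `windigo_probe` on a 10.11 machine (OpenSSH 6.9, which accepts `-G`) yields `clean-modern` rather than the "System infected" echo; the function never outputs "infected" at all, because the `ssh -G` heuristic on its own cannot distinguish a trojaned client from a current one.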
  4. immobilus thread starter macrumors member

    May 5, 2012
    I went through my root folder through terminal from the recovery partition, prior to system load, trying to educate myself on how the root system worked, what different components do and how they do it, etc. The only thing bizarre that I could find was a file located at /private/var/ called RecoveryUpdatePayload. It has no file type, and when I try to open it using vi to see what's inside, it's an empty file. It contains nothing. I've googled it, and couldn't find any information on it nor references to it in Apple documentation. But I'm going to guess it's just a filler file used to identify a mount point for the recovery HD during a recovery or while installing an update.

    Other than that, things look pretty typical.
  5. immobilus thread starter macrumors member

    May 5, 2012
    Oh, and last thing, I know the initial attack described above began with the use of Zoom.us.
