OS X - free of Malware (rootkits, etc.)?

[casd]

Hi there,

I have some questions concerning security on os x. First I try to explain why security recently has become more important to me:
About two weeks ago my parents' windows pc was infected with a few trojans. They asked me to delete them, but also to check their pc for other malware. So I did some scans with several programs (Avira Antivirus, Malwarebytes AM, etc.). In the end I found a ZeroAccess Rootkit which is - according to the statements in many forums - very difficult to delete completely.
Now you might ask yourself: "What does this have to do with my macbook?"
The thing is that I can't rule out that malware hasn't been transferred from the infected windows pc to my macbook pro via network or external storage media. All I can say is: I didn't configure my macbook after the installation (firewall was turned off, java was active in the browser, etc.) I definitely didn't follow the steps of the malware guide in this forum.

My questions are as follows:

1) Let's assume, that my macbook has been infected with malware (rootkit, etc.) via the home network. How would I know of it and what steps would I have to follow to delete it (completely)?
Is it possible to run a system with a inactive rootkit in case it couldn't be found/deleted?
2) Did anyone of you have issues with Little Snitch? My parents' pc got infected with malware not long after I had installed Little Snitch on my macbook. Do you think that these two events have a connection?
3) One day after malware was found on the windows system I tried to turn on my macbook pro. It was only after the third try that the macbook booted up. Maybe I didn't put enough pressure on the power button or it just was stuck down, for whatever reason. However, could this issue be explained by a rootkit on my macbook pro? Or is Little Snitch to blame as it modifies among other things the boot caches on os x?


I'd appreciate any help.

 

[munkery]

1) Let's assume, that my macbook has been infected with malware (rootkit, etc.) via the home network. How would I know of it and what steps would I have to follow to delete it (completely)?
Is it possible to run a system with a inactive rootkit in case it couldn't be found/deleted?

No reports of malware spreading across local networks that is cross platform at the moment so this is very unlikely.

Even if such malware was present, knowing how to remove it would require specific instructions for that malware.

I have seen Windows systems where difficult to remove bootkits (rootkit in MBR) would continually try to load into the system but AV software would prevent this from occurring. But, it is much better to completely remove the malware. Removal would require complete reinstall of the OS.

BTW, OS X is firewalled by default. It is done via the "no open ports" policy with the only exceptions being a few services broadcast on the local network that are sandboxed using mandatory access controls by default. This is actually more secure than a system that relies on a firewall, such as Windows.

2) Did anyone of you have issues with Little Snitch? My parents' pc got infected with malware not long after I had installed Little Snitch on my macbook. Do you think that these two events have a connection?

There is no connection between Little Snitch and malware on a different Windows PC.

Also, outbound firewalls don't have that much utility. Any malware that installs with elevated privileges has the capacity to create an exception for itself in the outbound firewall rules. Examples of malware in the past have done this in regard to Little Snitch.

3) One day after malware was found on the windows system I tried to turn on my macbook pro. It was only after the third try that the macbook booted up. Maybe I didn't put enough pressure on the power button or it just was stuck down, for whatever reason. However, could this issue be explained by a rootkit on my macbook pro? Or is Little Snitch to blame as it modifies among other things the boot caches on os x?

Installing software such as Little Snitch or anti-virus software is much more likely to blame because such software modifies more critical areas of the OS so that instabilities are more likely to be created if an error occurs during installation.

Rootkits require elevated privileges to install. Privilege escalation via exploitation in OS X is incredibly rare. So, you would have authenticated the install of a rootkit if one is in your system.

What have you installed on your system that required password authentication recently?

 

[casd]

@munkery: Thanks a lot for your answer.

Hm, actually I can't remember that I have installed anything that I could not identify exactly. I did install several Malware scanners (e.g. Sophos, ClamXav, Avast, etc.), Little Snitch and a few other programs. Two or three of them came from an external drive.

One more thing:
Today I had to burn some audio cds for my sister. They contain files which originally were video streams on youtube. I converted them with iTunes and burnt them afterwards. I randomly checked two of the cds as well as the download folder for malware. There was no Malware found.
However, is it possible, that the cds were infected with Malware or rather a rootkit?

 

[munkery]

You should never install more than one antivirus software.

If you have more than one installed, delete all of them.

If you feel the need to have one, then I recommend ClamXav.

Having more than one antivirus software installed is most likely the source of your problem.

 

[casd]

I hadn't more than on antivirus software on my macbook at the same time. I just installed one after the other.

Anyway, to pick up the question from my last post: How likely is it that I burnt the audio cds with malware (rootkit!) on it?

 

[MisterMe]

I hadn't more than on antivirus software on my macbook at the same time. I just installed one after the other.

Anyway, to pick up the question from my last post: How likely is it that I burnt the audio cds with malware (rootkit!) on it?

If you don't uninstall the previous utility, then each new installation adds additional antivirus software to your system.

The answer to your second question is that you did not burn your audio CDs with malware. Even if you did, then there is no way for an audio CD to infect a Mac.

 

[casd]

@MisterMe:
I never ran more than one antivirus program on my macbook. I had uninstalled any antivirus software before I installed the next.
You say that it's very unlikely that I burnt the audio cds with malware on it. I have to add that the cds were given to people running windows systems.

@munkery+rest:
Let's assume, that my macbook has been infected with a rootkit. I know I had to give admin privileges allowing that to take effect. Anyway, I just have to ask:

1) What would be your instructions to clean my system from a rootkit?
2) Could I just format my hard drives and reinstall OS X Lion and everything's fine again?
3) How would you save the files from the infected system?


I know that my scenario seems very unlikely but everything I could find out is the probability of infection while I still don't know how to handle it (in case of emergency).

 

[munkery]

1) What would be your instructions to clean my system from a rootkit?

Find out what specific rootkit it is and follow the removal instructions for that specific rootkit.

Delete all AV software that you have installed, then install only ClamXav. Select the entire HD to scan the entire system. If a rootkit is present then ClamXav should find it.

But, there is no rootkit known to be circulating in the wild at the moment.

2) Could I just format my hard drives and reinstall OS X Lion and everything's fine again?

Yes, a complete wipe and reinstall would fix the issue if one existed.

3) How would you save the files from the infected system?

Copy the files to storage media that won't be wiped when doing the reformat and reinstall.

 

[casd]

Thanks a lot for the quick response, munkery.

I've now decided to format my two internal drives and reinstall os x lion. In future, I will definitely follow your suggestions on security for os x which I found by following the link in your signature.


Oh, one more thing to add: I have two ssds in my macbook. To wipe these drives, a quick format is sufficient, isn't it (this is the only option I see in OS X Lion)?

 

[munkery]

To wipe these drives, a quick format is sufficient, isn't it (this is the only option I see in OS X Lion)?

Several options should be available during the installation process.

After boot from install media, launch Disk Utility from Utilities to view which reformatting options are available.

A quick format should be sufficient for your purpose.

 

[casd]

Thanks again, munkery.

There is one last thing (I promise):
Recently I have bought a computer magazine which came with a dvd containing a linux live system plus four antivirus applications (Avira, BitDefender, ClamAv and Kaspersky). After I had used it on the infected pc, I decided to use it also on my macbook to scan for malware. Since I couldn't use the dvd itself for that purpose for some reason, I created a bootable usb stick. I created the bootable usb stick on the infected pc running the linux live dvd (I hope that doesn't matter).

After I had prepared the usb stick, I connected it to my macbook in order to start the linux live system on it. I pressed the c key during the boot up, but nothing happened.

Is there anything I've overlooked creating the bootable usb stick?
Is it possible to modify by mistake the EFI with such a usb stick?

 

[munkery]

Thanks again, munkery.

There is one last thing (I promise):
Recently I have bought a computer magazine which came with a dvd containing a linux live system plus four antivirus applications (Avira, BitDefender, ClamAv and Kaspersky). After I had used it on the infected pc, I decided to use it also on my macbook to scan for malware. Since I couldn't use the dvd itself for that purpose for some reason, I created a bootable usb stick. I created the bootable usb stick on the infected pc running the linux live dvd (I hope that doesn't matter).

After I had prepared the usb stick, I connected it to my macbook in order to start the linux live system on it. I pressed the c key during the boot up, but nothing happened.

Is there anything I've overlooked creating the bootable usb stick?
Is it possible to modify by mistake the EFI with such a usb stick?

You have to make the bootable USB on a Mac using command line utilities to be able to boot from it using a Mac.

http://www.ubuntu.com/download/help/create-a-usb-stick-on-mac-osx

Did you unmount the USB within OS X prior to restarting the machine to boot from the USB?

Not unmounting the USB could cause issue given that I have seen this cause issues in Windows systems. The issue was resolved by completely turning off the machines, waiting 30 seconds, and then turning it back on. The machine was slow to boot the first couple reboots.

If you want to try out Linux, I suggest trying Linux Mint.

 

[casd]

Hm, ok.
The usb stick was created within the linux live system. Once I had created it, I connected it straight away to the macbook...Now I know, as you wrote, I should have created the usb stick within os x to make it bootable. I didn't have any issues so far besides one slow startup.
However, could you please give me an answer to each of my questions from the last post?

 

[munkery]

Is there anything I've overlooked creating the bootable usb stick?

This was already answered.

You have to make the bootable USB on a Mac using command line utilities to be able to boot from it using a Mac.

http://www.ubuntu.com/download/help/create-a-usb-stick-on-mac-osx

Did you unmount the USB within OS X prior to restarting the machine to boot from the USB?

Not unmounting the USB could cause issue given that I have seen this cause issues in Windows systems. The issue was resolved by completely turning off the machines, waiting 30 seconds, and then turning it back on. The machine was slow to boot the first couple reboots.

If you want to try out Linux, I suggest trying Linux Mint.

Is it possible to modify by mistake the EFI with such a usb stick?

Nothing would have happened because you pressed the C key, which allows booting from the optical drive, instead of the option key, which allows you to boot from a USB if it is properly configured from within OS X.

So, since your USB wasn't properly configured and you pressed the wrong button at boot, it is highly unlikely that the EFI was modified by mistake.

 

[casd]

Ok.
While I was waiting for an answer in this thread, I googled for issues concerning EFI and malware. On my research I found this link: https://forums.macrumors.com/threads/1416234/. I found that the comments were quite helpful, especially the statement from Snake at the end. Now I assume I couldn't do any harm to the EFI even if the usb stick was created in os x and/or I pressed the option key to boot from it.

@munkery: Thank you very much for your help! I think I could get off my paranoia trip now.