Rooted

[buttersz]

Hi all, I opened this account because I couldn't find answers (easy ones anyway) on how to completely nuke a macbook, including firmware any any piece of preboot software that could be tampered with on a 16.2" MBP M1 2001.

It came with Monterey but it doesn't seem to matter, it seems to target a wide range of linux systems (the ones based on systemd). The only one where I couldn't detect it was on Puppy linux on my old PC (which I replaced with this macbook to get rid of the problem).

Basically, as soon as I boot up into the recovery volume it's there. Initially there's a bunch of symlinks in / pointing System/Library -> System/Library/private, and perhaps that's normal. I don't have enough skills to pinpoint where to look.

From what I can see, it fills up /dev with hundreds of ttys and ptys and whatnot (again perhaps normal), but in the end I found traces of something crawling the entire file system for updates and pours it all into a socket. When I ran 'set' in my terminal which was supposed to be bash by default using cshs -s /bin/bash there's a whole load of variables and scripts that first of all says BASH=/bin/zsh and script that saves the entire bash session and throws it into a socket as a binary.

Even after I turn off wifi in the UI, and shut down my routers (it sits behind two routers), if my phone is nearby and with bluetooth enabled, it seems to use a device named bridge to en0 which gets connected to the internet again. I brought down those interfaces and the activity stopped, but then was brought up again a few minutes later. There are alot of .db files in obscure cache folders which seem to be uploaded upon reconnecting.

I have little and micro snitch which the freebsd filter enabled, and incoming firewall. I've run etcher and malwarebytes which reports nothing out of the ordinary. Though microsnitch reports my webcam being enabled a lot of the time, but the light indicator is not on.

Basically, My whole Apple system is infested with malware, /usr/libexec is packed with hacky looking files. I have no clue where the root of this is. I've worked with linux and comuters long enough to know what looks healthy and what doesn't but I don't have the low level skills to catch it.

Apologise this post was a bit of a ramble. I will come back with logs when I have the time to install it again. Until then, advice is much appreciated.

 

[buttersz]

This post is the closest I've come to explaining the issue but it's very old.

https://onlinelibrary.wiley.com/doi/full/10.1002/eng2.12032

 

[leman]

You could try using the Apple Configurator to completely reset your Mac, but quite frankly, if you have reasonable suspicion that your computer is hit by such a sophisticated malware, you should probably report this to Apple and get one of their security engineers have a look at it together with you. The entire system volume is supposed to be sealed and the bootloader is supposed to be locked, so if something got access to it I'm sure Apple will be very interested in having a look.

 

[buttersz]

I suppsose you're right but I don't know how to make that happen? How can I get in touch with that kind of support?

There is a file that caught my attention. I can't recall exactly at the moment, but it shows up under something like
System/Volumes/private/var/tmp/{uuid}/Bluetooth/{uuid}/usr/firmware.imeg4, which seems smelly to me but the OS won't allow me to touch those files.

On another note, I noted 3 different openldap configurations, one which was protected with a user and a password so I can't view it's policies, but it probably explains why I sometimes can't remove files that I should be able to.

I'll come back with something more concrete tonight.

 

[kevcube]

I think this is next level paranoia. every single thing you've described is normal.

also very strange that you're familiar enough to tell that there is something watching for file system updates and dumping it into a socket, but you also don't know what the pty and tty in /dev are..

Just reboot into single user mode and remove all volumes from the filesystem then use Apple Configurator 2.

 

[buttersz]

You could be right. In fact I hope you are, but I'll try and prove you wrong. Check back in a few hours.

 

[GumaRodak]

How it could be that camera is on without light? I was believing that hardware design is not alowing this…

 

[Ryan H]

How it could be that camera is on without light? I was believing that hardware design is not alowing this…

It can't, it's hardwired to come on. Not controlled via software/firmware.

 

[buttersz]

Okay I'm back. So I wiped it clean and reainstalled the os it came with without updating. I saved a lot of data to reason about. But let's start with one corner of the cake.

 

[buttersz]

Okay I'm back. So I wiped it clean and reainstalled the os it came with without updating. I saved a lot of data to reason about. But let's start with one corner of the cake.

Early post. But here is somewhere to start:

At the very least I’m bit by the SPI bug. But it seems like there is a person on the other side as well because often when I run into something dubious looking it’s gone the next time I look. Like when I discovered this the console started blasting multiple pages per second of cleanup stuff.

I also have wake on Wi-Fi all day long while I was at work. Refer to Wi-Fi.log.

Edit: fixed bad attachment. What is Bluetooth doing with my keychain…

 

[buttersz]

the whole thing is infested with dubious looking stuff but I’ll add the install log and leave it there for now. I did this install with all routers and phones/Bluetooth devices blacked out, but we see this proxy behaviour immediately.

 

[LinkRS]

Howdy buttersz,

Perhaps it is just me, but your whole post is nonsensical. I am not following what you are describing. First off, macOS is NOT a GNU/Linux distro, in fact it is considered 'de facto' UNIX (see here: https://www.opengroup.org/openbrand/register/brand3683.htm). So it doesn't work exactly the same as you would expect with a GNU/Linux distro. As an example, unless you are upgrading macOS from a version prior to Catalina, your default shell is zsh, not bash. You could of course change it if you desire.

When you are referring to booting to recovery mode, are you referring the default recovery mode that allows you to reinstall macOS, or something else? Recovery mode typically is still a GUI based interface, you can launch a terminal however (more of a statement vices a question LOL).

What happened to make you think your system is infested with malware? There aren't many macOS malware packages that are as sophisticated as you describe, so this is highly unusual if true. How could you have been infected? Did you sideload some application that you provided your admin (root) password to?

What is the SPI bug you are referring to?

With the introduction of Apple Silicon, many things have changed for recovery options for macOS. See here for a description of the various options with an M1 system: https://www.macworld.com/article/34...e-mode-and-other-boot-modes-on-an-m1-mac.html

Here is a video demonstrating some of these:

Here is another showing how to use Apple Configurator to recover a malfunctioning Mac:

Good luck!

Rich S.

 

[wyrdness]

It sounds as if you have a little knowledge and a whole lot of paranoia. I can't see anything in your posts that indicates a genuine problem. You're spouting nonsense like 'it seems to target a wide range of linux systems (the ones based on systemd).' without explaining what you're talking about. You're showing a short video of Keychain without any explanation of why you think this is a problem (clue, it's not).

And your comment "From what I can see, it fills up /dev with hundreds of ttys and ptys and whatnot" suggests that you're looking at things that you have absolutely no understanding of and then freaking out about them.

 

[kitKAC]

Early post. But here is somewhere to start:

At the very least I’m bit by the SPI bug. But it seems like there is a person on the other side as well because often when I run into something dubious looking it’s gone the next time I look. Like when I discovered this the console started blasting multiple pages per second of cleanup stuff.

I also have wake on Wi-Fi all day long while I was at work. Refer to Wi-Fi.log.

Edit: fixed bad attachment. What is Bluetooth doing with my keychain…

View attachment 2106990

I checked the System keychain on my Mac, I also have BluetoothGlobal entries in there, the Date Modified matches the date that I reinstalled macOS to fix some unfixable errors that I had on my drive.

My work Mac also has these entries which match the date that I set the machine up in 2021. It doesn't look like there's anything dodgy about these at all.

 

[buttersz]

Appreciate the feedback guys . I’ve looked back on the material I posted and it comes of abit erratic yes.

My profession is application monitoring so I’m pretty confident in my ability to tell when a system is doing something it’s shouldn’t. I need support on how to dig deeper than logs though. I’ve used otool to look at linked libs and so forth.. but then what. I used a command from stackoverflow to verify a suspicious library under PrivateFrameworks, after updating to Ventura and it came back something like Bundle is incorrect: contains no headers..

Let’s get this thread back on the rails and start with something simple. I’ll attach a file of some strange things I noted earlier and you tell me what you see.

I see:

1. Why are all these volumes mounted. This is a completely fresh USB install of Ventura.. but that old boot image is still lingering.
2. Why is Safari being referenced at that weird path in roots spindump
3. What’s going on with that data under roots accounts

Thanks

 

[kitKAC]

Appreciate the feedback guys . I’ve looked back on the material I posted and it comes of abit erratic yes.

My profession is application monitoring so I’m pretty confident in my ability to tell when a system is doing something it’s shouldn’t. I need support on how to dig deeper than logs though. I’ve used otool to look at linked libs and so forth.. but then what. I used a command from stackoverflow to verify a suspicious library under PrivateFrameworks, after updating to Ventura and it came back something like Bundle is incorrect: contains no headers..

Let’s get this thread back on the rails and start with something simple. I’ll attach a file of some strange things I noted earlier and you tell me what you see.

I see:

1. Why are all these volumes mounted. This is a completely fresh USB install of Ventura.. but that old boot image is still lingering.
2. Why is Safari being referenced at that weird path in roots spindump
3. What’s going on with that data under roots accounts

Thanks

1 and 2.

https://eclecticlight.co/2022/10/25/ventura-volume-layout/

Scroll down to "macOS 13 Boot Disk Structure (M1 internal)" and read from there.

 

[buttersz]

1 and 2.

https://eclecticlight.co/2022/10/25/ventura-volume-layout/

Scroll down to "macOS 13 Boot Disk Structure (M1 internal)" and read from there.

Thanks for the read. It seems to me MacOS is spinning out of control with devs focusing on pushing features and leaving old dirt in the gutter. I could not believe the mess after upgrading to Ventura using Software update.

I get an un-scratchable itch when I pick up this attitude from Apple fanatics.
“M1 can’t be hacked because look at this chart that shows arrows pointing to boxes with words in them”. SW will have bugs. Always. Especially new radically redesigned sw/hw. I needn’t google much to find content to support it.

MacOS is so bloated it just makes me sit back and stare at the runtime library-injections, logs, processes.. Wi-Fi being up despite being disabled in the UI.

I probably chose the wrong platform. I prefer to see 15-20 processes running on a clean boot rather than 500 all interconnected to who knows what and where. I fell for the build quality and Disney like UX, because let’s be fair, every other product feels like the spongy lettuce&tomato sandwich that’s sat in plastic wrap for two days at the bottom of your backpack, in comparison…

So here’s a big up for apple. Hardware/UX quality. YES. The MacBook Pro m1 16.2” is a hell of a machine. I haven’t even charged this thing for three days and the software is I need is just there…

… so that turned out to be a rant…it is what it is. I’m just trying to do photo work in LR but I get distracted yaknow. perhaps I should be seeing someone.

Anyways leave the thread open for a day if you don’t mind I’ll see if I can provide something tmrw. I’m a bit deep into Belgian ale em 😜

 

[kitKAC]

Thanks for the read. It seems to me MacOS is spinning out of control with devs focusing on pushing features and leaving old dirt in the gutter. I could not believe the mess after upgrading to Ventura using Software update.

I get an un-scratchable itch when I pick up this attitude from Apple fanatics.
“M1 can’t be hacked because look at this chart that shows arrows pointing to boxes with words in them”. SW will have bugs. Always. Especially new radically redesigned sw/hw. I needn’t google much to find content to support it.

MacOS is so bloated it just makes me sit back and stare at the runtime library-injections, logs, processes.. Wi-Fi being up despite being disabled in the UI.

I probably chose the wrong platform. I prefer to see 15-20 processes running on a clean boot rather than 500 all interconnected to who knows what and where. I fell for the build quality and Disney like UX, because let’s be fair, every other product feels like the spongy lettuce&tomato sandwich that’s sat in plastic wrap for two days at the bottom of your backpack, in comparison…

So here’s a big up for apple. Hardware/UX quality. YES. The MacBook Pro m1 16.2” is a hell of a machine. I haven’t even charged this thing for three days and the software is I need is just there…

… so that turned out to be a rant…it is what it is. I’m just trying to do photo work in LR but I get distracted yaknow. perhaps I should be seeing someone.

Anyways leave the thread open for a day if you don’t mind I’ll see if I can provide something tmrw. I’m a bit deep into Belgian ale em 😜

Well, that's a lot of words just to say that you were mistaken.

Yes, all software has bugs, no one is saying otherwise. I also wouldn't call macOS bloated when Apple has been ruthless about removing stuff that they feel isn't needed anymore to progress the platform (i.e. 32 Bit support, Carbon etc).

Lastly, if you come to the internet asking for help, be prepared to be told that you're wrong about things by people that might know a little bit more than you do. Otherwise, you're wasting everyone's time.