Comments on: Advanced Mac OS X Rootkits

By: ifernando

ifernando — Sun, 01 Aug 2010 11:45:23 +0000

Hello,

with Snow Leopard 10.6.4 I am obtaining an unresolved symbol:

$ sudo kextutil KRPC.kext
(kernel) kxld[com.machackershandbook.kext.KRPC]: The following symbols are unresolved for this kext:
(kernel) kxld[com.machackershandbook.kext.KRPC]: _mig_buckets

I cannot find this symbol using kextfind, however this symbol is exported in the kernel:

$ kextfind -dsym _mig_buckets
$ nm -arch i386 /mach_kernel |grep _mig_buckets
00844b00 S _mig_buckets
$ nm -arch x86_64 /mach_kernel |grep _mig_buckets
ffffff8000672e40 S _mig_buckets

How can I find the kext library to link with using the OSBundleLibraries dict?

By: Dino Dai Zovi

Dino Dai Zovi — Thu, 07 Jan 2010 03:56:51 +0000

Of course, it's possible that you have a rootkit, but it is still quite rare (especially if the machines are stand-alone and don't connect to the Internet). Here are some things that may possibly help (in order of increasing difficulty and time commitment):

Install some Mac anti-virus software
Do an "Archive and Install" re-install of Mac OS X
Do a clean reinstall of Mac OS X and restore from a Time Machine backup from the Migration Assistant after the install
Reinstall and restore from Time Machine backup only restoring your user account, re-install your apps individually
Ritualistic goat sacrifice

Again, I doubt you have a rootkit, but you could have a Mac trojan or bot on your machine. An anti-virus program should be able to take care of that. Chances are though, that your problem is something else misbehaving. An Apple store or other Mac expert should be able to help you with that. -Dino

By: Letha Deck

Letha Deck — Thu, 07 Jan 2010 01:38:09 +0000

Dino, I think I have rootkits on my two stand alone Mac notebooks. I am having a rough time getting to the ‘invisible’ drive to dislodge it. Can I destroy the root of the rootkit? Where I can get a cure?

By: Dino Dai Zovi

Dino Dai Zovi — Thu, 03 Dec 2009 14:25:06 +0000

I haven’t looked at x64 yet with this code, but there will definitely be some work into supporting it. You may have to figure out what is needed to promote a bare Mach thread into a full POSIX thread by reading through the pthread code in libSystem. The method that I found works for PowerPC and x86, but it may need some tweaks for x64. Take a look at the available calls in the commpage, there might be something useful there that can help initialize the thread correctly.

-Dino

By: plushcube

plushcube — Tue, 01 Dec 2009 12:37:22 +0000

Excellent article, Dino.
Could you tell how to implement memory injection in x86_64 arch? Your code works perfect with i386-targeted applications, but with 64-bits it’s got some issues.
I’ve added some code to make it work on 64-bit arch (another structures, some memory protection issues and so on), but now mach_thread_trampoline won’t work: __pthread_set_self call haven’t set correct value in gs register (don’t know is there some other errors in this function’s call). So calling cthread_set_self after that throws exception EXC_BAD_ACCESS (because gs:0×66 points to wrong address).
Please, give me a little hint so I’ll be able to continue research.

Thanks in advance

By: Brett Bellomo

Brett Bellomo — Tue, 01 Sep 2009 19:01:39 +0000

What makes a UNIX based rootkit less likely to crash?
–Does any sample include—a legal rootkit to use on the net–maybe one that allows more special access legally?–but one with unique Unix duties like yours..Can I have a only safe sample for my email box?
3 yrs msoft/java tests,1 ethernet,
can download now..
also if can correct other rootkits from violating net rules include that..

By: Jay

Jay — Tue, 11 Aug 2009 15:31:01 +0000

Hey Dino,
Thanks for the posted info. In addition to this do you have the slide for Macsploitation with Metasploit? If so, could those be published?

Thanks
Jay