Mac Security: Identifying Changes to the File System
What to Do if You Have Been Rooted
If you have been rooted, then you are truly buggered, as we say in England. All that a tool can do is confirm what you've only suspected. There's no program that will clean your system beyond identifying the programs that the rootkit replaced. But a rootkit is only the starting point, and no tool can know what the hacker might have done to your system.
Have they changed your Apache configuration? Have they placed a script in your cgi directory that's waiting to be run to re-infect you? Have they placed a key of their own in your SSH keys file to allow themselves to log in? Have they set up a cron job to see if they have been removed and automatically re-infect you?
There are just too many unknowns, and little you can do to regain control of your system unless you know each and every file that has been compromised. Unfortunately, the hacker is the only one who knows, and he's not telling. This is what you do:
- Turn your computer off.
- Disconnect it from the internet.
- Boot from your installation CD and select an install that preserves the User directories.
- Once the install is complete, copy any user data you want to keep to an external drive. Do not copy any executable files.
- Reformat your hard disk and do a completely virgin install.
- Connect to the internet and run SoftwareUpdate until there are no more updates.
- Reload the user data you saved.
- Reinstall your applications from their original CDs or download them anew.
- Make a backup.
Yes, you have just wiped your hard disk, and no, there isn't another way. If the file is executable, be it a shell script, Unix command-line tool or Macintosh application, you can no longer trust it unless you download it from a reliable source or install from CD. Even your backups are of limited use. Unless you know the exact day that your system was hacked, you do not know which backups are clean and which are compromised. So get the user data from the backups, but not the applications.
The problem now is that your system is in the same state that it was when the hacker broke in. What's to stop them from breaking in again? Nothing, if you have duplicated your original setup. So let's do a quick review:
- What services were you exposing to the internet? Windows Sharing? FTP access?
- Have you got a weak password?
- Did you tell someone what your password was?
- Did you have Internet Sharing turned on?
- Were you sharing your AirPort card?
- Did you have the firewall turned off?
Choose a better password: make it longer, with mixed case, numbers and special characters, and tell no one. Turn sharing off and the firewall on. For now, at least, turn off all of the services you can. Once you have calmed down and the hacker has given up and moved on to someone else's machine, you can turn them back on if you need to.
If you have a backup that you absolutely know was not compromised, it is possible to replace each file with a clean copy. You can then hunt down any suspicious files that are on your hard disk and remove them. But let's be realistic for a moment; your Macintosh has hundreds of thousands of files. Do you know each one by name, and what they should look like? Reformat your disk, and you will sleep much better.
Using our Scripts
I have a daily cron entry that runs just after my daily backup to create a report and a new specification file. This is run from the root crontab:
0 2 * * * /usr/local/bin/mtree_check; /usr/local/bin/mtree_build
I also keep a copy of the scripts, mtree itself, and a known specification file on a USB flash drive in case I feel the need to be absolutely sure everything is OK.
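The build-then-check cycle that the cron entry above runs can be illustrated with a small stand-alone script. This is an added example, not the article's own mtree_check and mtree_build scripts (which are not reproduced on this page) and not mtree itself: it records type, mode, owner, size and a SHA-256 digest for every entry under a directory, then diffs the live tree against that record and reports what was added, removed or changed. The directory layout and the "tampering" in demo() are constructed for the example; in real use the specification would be written to disk with json.dump and kept on read-only or removable media, as the author does with a USB drive.

```python
"""Minimal mtree-style specification build and check.

Added example: not the article's mtree_check/mtree_build scripts.
Records per-entry attributes, then reports differences against them.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _entry(path: Path) -> dict:
    """Attributes recorded for one file system entry (lstat, so links are not followed)."""
    st = path.lstat()
    if stat.S_ISDIR(st.st_mode):
        kind = "dir"
    elif stat.S_ISLNK(st.st_mode):
        kind = "link"
    else:
        kind = "file"
    entry = {"type": kind, "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid}
    if kind == "file":
        entry["size"] = st.st_size
        h = hashlib.sha256()  # SHA-256 chosen for this example; mtree offers its own digests
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif kind == "link":
        entry["target"] = os.readlink(path)
    return entry


def build_spec(root) -> dict:
    """The 'build' step: walk root and return {relative path: attributes}."""
    root = Path(root)
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinked dirs
        dirnames.sort()
        for name in sorted(dirnames + filenames):
            p = Path(dirpath) / name
            spec[str(p.relative_to(root))] = _entry(p)
    return spec


def check_spec(root, spec: dict) -> dict:
    """The 'check' step: compare the live tree against a saved spec.

    Returns added and removed paths, and for changed paths the list of
    attributes that differ (so a mode change is distinguishable from a
    content change).
    """
    current = build_spec(root)
    added = sorted(set(current) - set(spec))
    removed = sorted(set(spec) - set(current))
    changed = {}
    for path in set(spec) & set(current):
        keys = set(spec[path]) | set(current[path])
        diff = sorted(k for k in keys if spec[path].get(k) != current[path].get(k))
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: build a spec, alter the tree, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        spec = build_spec(root)
        # Changes a daily check should flag: replaced content and new mode
        # on an existing file, a new file, and a deleted file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho changed\nexec /bin/ls \"$@\"\n")
        (root / "bin" / "ls").chmod(0o700)
        (root / "bin" / "nc").write_bytes(b"")
        (root / "etc" / "hosts").unlink()
        return check_spec(root, spec)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the report names which attributes changed, a permission-only change (mode) reads differently from a content change (size, sha256), which is the distinction you want when deciding whether an update or something less welcome touched a file.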
Other Tools
Our exploration of mtree has provided us with a useful tool to detect a rootkit on our system, but there are others available. Brian Hill has a tool called CheckMate that checksums critical system files and can alert you when they change, all nicely packaged up as a control panel. If you do not feel confident in your scripting skills, but want to be prepared, this will help.
Of the tools mentioned earlier, only Rootkit Hunter can be downloaded, installed, and run without having to dive into the code. It also doesn't spit out error messages for no good reason. It monitors critical system files and does other checks for signs of rootkits. Although not as functional on the Macintosh as it is on Linux, it is in active development and what it does it does well.
Final Thoughts
All of this effort, and there is no rootkit for the Macintosh. It is only a matter of time before one of the BSD rootkits is adapted for the Mac and hackers start to target the Macintosh more aggressively. The Macintosh is a Unix box, and Unix boxes have rootkits. The conclusion is hard to avoid. One day there will be a Macintosh rootkit, and when that day comes, we will be ready. Besides, we now have a nice tool that we can run before and after installing a new application to see what files it installs and where, which will help with cleaning up when we uninstall it. A bonus for our paranoia.
Peter Hickman is currently working as a programmer for Semantico, which specializes in online reference works and Access Control Systems. When not programming or reading about programming he can be found sleeping.
Mac OS X Rootkits
2005-10-08 12:43:00 macCompanion
See http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891
And then there was Opener, but if folks updated their Mac OS X security updates, this one isn't or should not be, an issue: http://www.securityfocus.com/news/9796
Other Mac OS X rootkits are osxrk, Togroot and WeaponX, all of which probably can still be found at http://www.rootkit.com
And ClamXav finds them: http://www.clamxav.com/
Mac OS X Rootkits
2005-10-09 06:21:54 peterhickman
To be honest I never thought that Opener was a rootkit, as it did very little to evade detection. The problem for OS X rootkits is that they all seem to require the victim to install the devtools and run stuff as root.
Can't quite work out why osxrk supplies a version of nc, as it is already provided, at least in Tiger.
To give a feel for the lack of development we have this from the Togroot README.
Once loaded, Togroot will give you the ability to obtain root access simply by typing "/givemeroot" and typing "su", for example.
...
cp -R /path/to/togroot.kext /system/library/extensions/togroot.kext
Add sudo to the beginning if you are not currently root.
So to install a rootkit to give you root access to a system you require root access, deeply flawed in my mind.
One day there will be a credible rootkit for OS X, but today I am not too worried.
Mac OS X Rootkits
2005-10-12 16:38:18 hard-mac
Opener never was a rootkit, very correct. Just a small POC to show what could happen on the OSX platform. It doesn't have to be installed locally as you say. NetCat was included because OS X never used to have a copy and the version it includes currently is still crippled.
peterhickman wrote: "So to install a rootkit to give you root access to a system you require root access, deeply flawed in my mind."
This is what a rootkit is, it is designed to keep root access on a box once you have it already. Not to get root, other exploits are used for this.
peterhickman wrote: "One day there will be a credible rootkit for OS X, but today I am not too worried."
As for real rootkits, Togroot is a pretty sad example. Have you looked at WeaponX yet. It's fairly powerful.
Cheers, hard-mac
Hardening Your Macintosh
http://members.lycos.co.uk/hardapple/
Mac OS X Rootkits
2005-10-13 13:58:41 peterhickman
It's true that opener was never really a rootkit (even if it was the nearest that OS X has had to a rootkit scare). It was more of the 'look what we could do if we ever managed to root a system'.
But that said, the first hurdle is to gain enough of a foothold on a system to install all the Opener-type tools in the first place; just because someone has gained access to your system does not mean that they have root. For me an essential part of a rootkit is the ability to gain root from any foothold. Any such rootkit is to be truly feared.
Anything that will only work if it is given root on a plate is best described as proof of concept just like the proof of concept OS X viruses.
What you say is right and my go at Togroot was a cheap shot, but at this point I do not believe that we are facing a real threat.
For me a rootkit will allow a hacker to gain root access and so I see little threat on the horizon if they require root on a plate. Your definition does not require the ability to gain root access so you will be assessing things differently.
Perhaps we need a better taxonomy for rootkits, 'proactive rootkit' for those that can gain root themselves and 'nursery rootkit' for those that get it given to them.
Whatever species of rootkit it is, you wouldn't want it on your Mac.
check out ctool
2005-10-08 04:13:49 otto
I know of no checksum utility that examines the structure of a file to decide what data to use for the checksum and what to exclude.
Well, I do :-)
ctool produces MD5 and SHA-1 checksums while ignoring prebinding information. Unfortunately, ctool's former homepage at http://www.macsecurity.org/tools/ctool/ has vanished, but it is still available in the web archive at http://web.archive.org/web/20041009215130/http://www.macsecurity.org/tools/ctool/
check out ctool
2005-10-08 09:28:07 peterhickman
Interesting, but as the page states, it cannot be used to verify an executable. However, you could use the normal checksum to flag up that something has changed and then use ctool to show whether the changes were just in the prebinding or in the actual code itself.
The package itself is available from Darwin Ports at [http://packages.opendarwin.org/Tiger-Packages/ctool-1.2.3.mpkg/].
Having said that I have yet to find prebinding changes to be a problem. But it is good to know that there is a solution should it be needed. Thanks for bringing it up.
Prebinding and checksums
2005-10-08 00:32:43 chrisridd
I was under the impression that doing checksums of Mach-O binaries was non-trivial, because the "prebinding" that's done by the OS will actually update a binary when one of the libraries it uses changes.
Do any of the checksumming utilities take account of this? My guess is not.
A mention of, or a comparative review of, tools like tripwire would be good...
Prebinding and checksums
2005-10-08 03:21:11 peterhickman
The checksum utilities assume a file is just a collection of bytes and process the whole of the file. I know of no checksum utility that examines the structure of a file to decide what data to use for the checksum and what to exclude. To be honest I can think of very few uses of such a tool.
Although prebinding could alter a binary, it has not shown itself in the months that I have been using this script and installing updates and new applications.
As I do the checks daily I will see what has changed and have a pretty good idea of what has been installed / updated from the last check. Of course if I get rooted on the same day as I install a major system upgrade then I will probably miss it.
It does not ignore the prebinding.