Is your Mac hacked by a Rootkit?
written by Marek Foss

Viruses and trojans are getting into systems through many holes these days – Windows was particularly hit recently with the DLL and EXE hijack vulnerability (although this exploit is a bit exaggerated: the notion of search-path ordering and its security implications has been present in MSDN for years, I remember it back in the days I developed in WinAPI). Anyway, there’s an even nastier thing than common malware – rootkits. Did you know Macs have their own rootkits too? And a tool to scan for them.
Unlike their smaller brothers, rootkits are more low-level, sitting in your system kernel or embedded in the firmware. They are not meant to be visible, and they are very hard to spot, even for the best antivirus software. And obviously, they give the attacker a great deal of access to your machine.
Since rootkits originate from Unix systems, there is also a Unix tool to detect them. Rootkit Hunter (rkhunter) is a simple command line tool for finding and pinpointing affected files and locations.
Once you download and extract the archive, open the Terminal and go to the rkhunter directory (you can type cd in the command line and then drag the folder from Finder onto the Terminal, so it automatically inserts the path). To install Rootkit Hunter, simply run this command:
sudo sh installer.sh --layout default --install
It will prompt for an administrator password, which you have to type; it won’t show any characters, so don’t worry. Ok, once that’s done, you have to update the rkhunter file-properties database and then download the latest definitions and other updates:
sudo rkhunter --propupd
sudo rkhunter --update
When everything is new and shiny we are ready to scan our system. You do it using the following command:
sudo rkhunter -c -sk
Now it gets tricky. Rootkit Hunter is very cautious about what it sees, and flags a lot of false positives. For me, the section headlined Performing file properties checks gives a warning on every element, because it fails to obtain the hash, properties and file permissions for these items. Not sure why, but these definitely aren’t malware files.
The next section, Checking for rootkits, is interesting, and generally you should see “Not found” on every line. The exception is Dica-Kit, for which a warning is triggered because of a file associated with the SSH config. The rest of the analysis has ambiguous descriptions; however, there is more informative data in the rkhunter log, which you open with the following command:
sudo vim /var/log/rkhunter.log
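The whole workflow above (update the properties database, update definitions, scan, then read the log) can be wrapped in a small script, so the noisy false positives from the file properties checks end up in one list you can review instead of being scrolled past. This is an added example, not a script from the article or from the rkhunter project; it assumes rkhunter was installed with the default layout described above and that the log lives at /var/log/rkhunter.log as the article states. The sample log lines in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article or from rkhunter itself):
# wraps the rkhunter steps described above and extracts only the lines
# that carry a Warning from the log, so the file-properties noise can be
# reviewed in one place before deciding whether anything is real.
# Assumptions: rkhunter is on PATH (default layout install) and writes its
# log to /var/log/rkhunter.log; override with the RKHUNTER_LOG variable.

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"

# Print every line of an rkhunter log that mentions a warning, one per line,
# with leading whitespace stripped. Reads the file named in $1, or stdin.
rk_warnings() {
    grep -i 'warning' "${1:-/dev/stdin}" | sed 's/^[[:space:]]*//'
}

# Number of warning lines in the log given as $1 (prints "0" when clean).
rk_warning_count() {
    rk_warnings "$1" | wc -l | tr -d ' '
}

# Full workflow from the article: refresh the file-properties database,
# fetch the latest definitions, scan without pausing for key presses,
# then summarise the warnings found in the log.
rk_scan_and_summarise() {
    if ! command -v rkhunter >/dev/null 2>&1; then
        echo "rkhunter not installed; run: sudo sh installer.sh --layout default --install" >&2
        return 2
    fi
    sudo rkhunter --propupd
    sudo rkhunter --update
    # rkhunter exits non-zero when it raised any warning, which is expected
    # on a Mac because of the file-properties false positives; keep going.
    sudo rkhunter -c --sk || true
    printf 'Warnings in %s: %s\n' "$RKHUNTER_LOG" "$(rk_warning_count "$RKHUNTER_LOG")"
    rk_warnings "$RKHUNTER_LOG"
}

# Run the whole workflow only when invoked as: sh rkscan.sh --run
if [ "${1:-}" = "--run" ]; then
    rk_scan_and_summarise
fi
```

Run it with `sudo sh rkscan.sh --run` after a fresh install; on an already-scanned machine `rk_warnings /var/log/rkhunter.log` alone is enough to list what the last scan flagged. Treat the output as a worklist, not a verdict: a Warning line about a binary in the file properties section is exactly the false positive the article describes, while a Warning next to a named rootkit check in the "Checking for rootkits" section deserves a look at the log lines that follow it.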
Remember to be cautious deleting any file, because Rootkit Hunter is basically crawling your Mac at its Unix level, and you can easily mess it up pretty badly if you remove a necessary system file. But hey, you’re not a noob, you know that :) Also, more info about this tool, analysis and detection can be found here.
So, to conclude, while Windows is still a lot more poisoned with malware than the Mac, the fact that Apple’s market share is increasing makes it inevitable that OS X viruses and trojans will come to this platform in greater numbers. But so will the antivirus software. However, because this system originates from Unix, we already have a set of very good, free tools to defend ourselves. One is Rootkit Hunter. The other is ClamAV, but I personally prefer iAntiVirus.
So, you could safely say Macs are safe… Right? ;)