I was just working on a Mac that got freshly reimaged, and I was setting it up for use here. I needed to hide a storage volume so it didn't show up on the desktop unnecessarily and confuse the user. Trying to use 'setfile -a V /Volumes/volname', I got the popup from the desktop telling me I needed to install Xcode or the dev tools, etc. Oh yeah, that's not on here yet. Hmmm, come to think of it, what made it pop that up instead of simply telling me "command not found" in the terminal? Curiosity mode: activated.

Code:
macbook:~ root # stat /usr/bin/setfile
16777217 2393550 -rwxr-xr-x 1 root wheel 0 18176 "Nov 10 07:10:33 2016" "Jul  8 20:03:25 2016" "Nov  7 16:21:49 2016" "Jul  8 20:03:25 2016" 4096 16 0x80020 /usr/bin/setfile
macbook:~ root # stat /usr/bin/getfileinfo
16777217 2393543 -rwxr-xr-x 1 root wheel 0 18208 "Nov 10 07:14:38 2016" "Jul  8 20:03:16 2016" "Nov  7 16:21:49 2016" "Jul  8 20:03:16 2016" 4096 16 0x80020 /usr/bin/getfileinfo
macbook:~ root # ls -la /usr/bin/setfile
-rwxr-xr-x  1 root  wheel  18176 Jul  8 20:03 /usr/bin/setfile
macbook:~ root # ls -la /usr/bin/getfileinfo
-rwxr-xr-x  1 root  wheel  18208 Jul  8 20:03 /usr/bin/getfileinfo
macbook:~ root # ls -la /usr/bin | grep setfile
macbook:~ root # ls -la /usr/bin | grep getfileinfo
macbook:~ root # 


OK... that raises more questions than it answers! stat and ls directed at the filename see the "files", which are probably nothing more than very basic programs that trigger the popup. (They slightly differ in size because they are likely passing the name of the different command to the popup.) BUT.... they don't show up in a general file listing.

That fits my definition of a "rootkit". Whatcha think?


OK, OK, I figured it out, but the solution is actually pretty interesting in and of itself. The files ARE there, but they're named "SetFile" and "GetFileInfo"! (They didn't show up in ls because grep is case sensitive by default; stat is NOT.) Normally they never mix case in an executable like this, but in this case they are taking advantage of HFS's default behavior of being NON case sensitive but CASE PREFERRED. (You don't hear about that very often.)

You can have a SetFile and a setfile in the same folder. Probably these "frauds" get removed when the dev tools install. But if you match the case exactly on a file, it will always run that one. If you don't exactly match the case on a name, it has a preferred one it will select first. If there are two, you can run one, remove it, then run it again using the exact same command. Weirdness, but that's how it works.

Now I have to figure out a way (other than ls) to figure out which of the two is there... SetFile or setfile, since it's case-insensitive on tests...


I work for the Department of Redundancy Department
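An added example (not from the original post) for the two questions the thread leaves open: is the volume case-insensitive at all, and what is the exact on-disk spelling behind a name that stat and ls resolved for you. The point worth keeping in mind is that on a case-insensitive, case-preserving volume (HFS+ by default, and APFS by default) the filesystem does the case folding, so any single-path lookup such as `stat /usr/bin/setfile` succeeds and echoes the spelling you typed; only a directory listing shows the stored spelling. The functions below are this editor's, not Apple's or the poster's; they assume POSIX sh plus a find(1) that supports -iname and -maxdepth (both BSD find on macOS and GNU find do), and the directory passed to the case-sensitivity probe must be writable because it creates and deletes a scratch subdirectory.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh and a find(1)
# with -iname/-mindepth/-maxdepth (BSD find on macOS, GNU find on Linux).

# fs_case_sensitive DIR
#   Exit 0 if the filesystem holding DIR distinguishes "a" from "A",
#   1 if it folds case (HFS+/APFS defaults), 2 if the probe could not be made.
#   Creates and removes a scratch subdirectory, so DIR must be writable.
fs_case_sensitive() {
  probe=$(mktemp -d "$1/.caseprobe.XXXXXX") || return 2
  : > "$probe/a"
  : > "$probe/A"          # on a case-insensitive volume this just truncates "a"
  n=$(find "$probe" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' ')
  rm -rf "$probe"
  [ "$n" -eq 2 ]          # two entries only if the volume kept both spellings
}

# stored_name DIR NAME
#   Print the exact on-disk spelling(s) of NAME inside DIR, one per line,
#   matching NAME case-insensitively. On a case-insensitive volume there can be
#   at most one hit (e.g. "SetFile" for "setfile"); on a case-sensitive volume
#   you may see both "SetFile" and "setfile", which is the situation the
#   thread describes.
stored_name() {
  find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -exec basename {} \;
}

# Typical use on the box from the thread (comments only; nothing runs here):
#   stored_name /usr/bin setfile
#   stored_name /usr/bin getfileinfo
#   fs_case_sensitive /tmp && echo case-sensitive || echo case-insensitive
```

`stored_name` is the non-ls answer to "which one is actually there": it walks the directory entries instead of asking the filesystem to resolve a single path, so case folding never gets a chance to hide the real spelling. `fs_case_sensitive` is worth running before trusting any case-based assumption on a volume, since HFS+ and APFS can both be formatted case-sensitive.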