shaunihead

Northernsoftworks Cache Cleaner


Hi - I've been having some worrying data leakage - MB not picking anything up.

I have a version of Northernsoftworks Catalina Cache Cleaner installed since March.

I ran chkrootkit and it wanted to install commandline tools - popup prompt. This was before MB was installed on that machine.

Whilst in the process of installing those tools the system notification showed it was also downloading an update to them. So both at the same time.

When I check for an update on Cache Cleaner it throws an error.

Any thoughts on if this has transported Malware onto the Mac... if so, can I recover from this without a full rebuild?

Thanks

S


I'll guess that you downloaded Catalina Cache Cleaner directly from Northernsoftware back in March. The latest version is 15.0.4 dated Feb 9 of this year, so it should not need to be updated. As to the error you see when checking for an update, I reported that to them when I had 15.0.0 and never heard back, so have been re-downloading since then. I still get that error when checking today.

Where did you obtain chkrootkit from and what version? Are you using something like MacPorts or Homebrew or some other site? The current version of chkrootkit is 0.53 dated Feb 11 2019. If you downloaded the source directly from chkrootkit.org and compiled it, then yes, it does require that Apple CommandLineTools is installed. What version of macOS are you running?

Note that chkrootkit contains almost no macOS checks, only a few of the Darwin unix commands. There really haven't been any serious rootkit attacks against macOS in years, mostly due to System Integrity Protection provided in recent OS versions that prevent such things. 

What leads you to believe you have "transported Malware onto the Mac"? You haven't reported anything out of the ordinary here.

Edited by alvarnell


Thanks alvarnell.

I used the chkrootkit from within the Catalina Cache Cleaner - running it prompted the install command line tools.

My concern is around keylogging - when I update my email on a secure website I get spam with that update. The site should not have a problem but I have raised it with them. I am jittery because of this identity leakage and have no other signs externally. Of course anything odd or beachballing on a fresh install Mac (including SMC/NVRAM resetting).

I've not installed chkrootkit from elsewhere and MB seems happy but the data leakage continues, though it is only a weekly email. I am OK to fix up chkrootkit with a better version if that is an action I should take.

I am frustrated at the leak and now resetting things everywhere. Any steps to confirm things are OK appreciated.

chkrootkit result.doc


Yes, the first time you run CCC's chkrootkit it has to compile it. Thereafter it shouldn't require that step. The version provided with CCC is 0.50 from 2014, but I doubt that anything has been added that would affect macOS. I compared your results with 0.53 in Mojave and these were the only checks added, many being Linux:

  • Searching for Linux/Ebury - Operation Windigo ssh... not tested
  • Searching for Mumblehard Linux ... nothing found
  • Searching for Backdoor.Linux.Mokes.a ... nothing found
  • Searching for Malicious TinyDNS ... nothing found
  • Searching for Linux.Xor.DDoS ... nothing found
  • Searching for Linux.Proxy.1.0 ... nothing found
  • Searching for CrossRAT ... nothing found
  • Searching for Hidden Cobra ... nothing found
  • Searching for Rocke Miner ... nothing found
  • Checking `asp'... not infected
  • Checking `bindshell'... not infected
  • Checking `lkm'... chkproc: not tested
  • Checking `rexedcs'... not found
  • Checking `sniffer'... stf0 is not promisc
  • XHC0 is not promisc
  • en3 is PROMISC
  • ipsec0 is not promisc
  • utun2 is not promisc
  • Checking `w55808'... not infected
  • Checking `wted'... unable to open wtmp-file wtmp
  • Checking `scalper'... not infected
  • Checking `slapper'... not infected
  • Checking `z2'... not tested: not found wtmp and/or lastlog file
  • Checking `chkutmp'... not tested: can't exec ./chkutmp
  • Checking `OSX_RSPLUG'... searching for /Library/Internet Plug-Ins/QuickTime.xpt
  • searching for /Library/Internet Plug-Ins/plugins.settings not infected

I added something to my reply above that you probably missed:

Quote

Note that chkrootkit contains almost no macOS checks, only a few of the Darwin unix commands. There really haven't been any serious rootkit attacks against macOS in years, mostly due to System Integrity Protection provided in recent OS versions that prevent such things. 

Malwarebytes for Mac will almost certainly locate any known keyloggers that might have been installed on your Mac. 

Edited by alvarnell
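The reply above makes the practical point: chkrootkit's only macOS-relevant tests are the PROMISC flag check and a long-dead plug-in lookup, and the real protection is SIP. The script below is an added example (not from the thread, from Cache Cleaner or from chkrootkit) of the few host checks worth running on a modern Mac instead: SIP status via `csrutil status`, promiscuous interfaces from `ifconfig` flags (the same test chkrootkit's "sniffer" check does), whether Command Line Tools are present via `xcode-select -p`, and a listing of the launchd persistence folders a keylogger would most likely use. The parsing functions take command output as text so they can be exercised on the constructed sample output embedded in the script; the live report only runs when invoked with `--live` on macOS.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Cache Cleaner or chkrootkit.
# The output formats parsed here are the standard macOS `csrutil status` and
# `ifconfig` formats; the SAMPLE_* text below is constructed for illustration.

# Return 0 if the supplied `csrutil status` text reports SIP enabled.
sip_enabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Print the names of interfaces whose flags include PROMISC, one per line,
# from `ifconfig` output passed as $1. A bridged VM or Internet Sharing
# also sets this flag, so a hit is a lead to explain, not proof of a sniffer.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '/^[a-z0-9]+: flags=.*[<,]PROMISC[,>]/ { sub(":", "", $1); print $1 }'
}

# Return 0 if Xcode Command Line Tools are installed. chkrootkit's build step
# and its many `strings` calls depend on them, which explains the install prompt.
clt_installed() {
    [ -x /usr/bin/xcode-select ] && xcode-select -p >/dev/null 2>&1
}

# Live report, meaningful only on macOS: the checks above plus the
# persistence locations that a user-level keylogger would most likely use.
live_macos_report() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "not macOS; nothing to report"
        return 0
    fi
    if sip_enabled "$(csrutil status 2>/dev/null)"; then
        echo "SIP: enabled"
    else
        echo "SIP: DISABLED (investigate)"
    fi
    if clt_installed; then
        echo "Command Line Tools: installed ($(xcode-select -p))"
    else
        echo "Command Line Tools: not installed"
    fi
    echo "Promiscuous interfaces: $(promisc_ifaces "$(ifconfig)" | tr '\n' ' ')"
    for d in /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"; do
        echo "== $d"
        ls -la "$d" 2>/dev/null
    done
}

# Constructed sample output, modelled on the thread's "en3 is PROMISC" result.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380'
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'

if [ "${1:-}" = "--live" ]; then
    live_macos_report
else
    echo "sample promiscuous interfaces: $(promisc_ifaces "$SAMPLE_IFCONFIG")"
fi
```

Run it as `sh macos_checks.sh --live` in Terminal to get the live report; without the flag it only parses the constructed sample. A promiscuous `en3` with no VM, bridge or packet-capture tool to explain it is the one result here that deserves follow-up; an enabled SIP plus clean launchd folders is the normal state.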


Awesome - yep I had missed that

What worried me most was the fact that I got the popup to install commandline tools which could have been a vehicle for installation since I had to click to proceed, and the system wanted to update it at the same time it was installing seemed odd.

Plus the chkrootkit output said no commandline tools folder.

Thanks for your help - I should not have run this CCC tool and just put MB through its paces.


I get that same error and have never been able to explain it. The "strings" command line tool is clearly at that location and chkrootkit uses it a total of 121 times to check the contents of other files, so I don't understand why it fails during the sshd check. I can run it manually from Terminal, so there must be something else wrong with the chkrootkit process for examining that file.

FYI, strings checks for ASCII (alphanumeric) code in a file so that chkrootkit can compare it with known malware ASCII terms.
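The explanation above describes what chkrootkit does with `strings`: pull the printable runs out of a binary and look for a marker. As an added example (not chkrootkit's own code), the script below reproduces that test with a pure POSIX fallback (`tr` plus `grep`) for a Mac where Command Line Tools, and therefore `/usr/bin/strings`, are not installed, which is the situation the "no commandline tools folder" message in the thread points at. The sample "binary" and the marker string are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from chkrootkit or the forum thread. Demonstrates the
# `strings file | grep marker` pattern chkrootkit relies on, with a fallback
# that works without Command Line Tools. The sample file below is constructed.

# Print printable ASCII runs of at least $2 (default 4) characters from file $1.
# Uses `strings` when it is on PATH; otherwise tr/grep, which is equivalent
# for this purpose.
ascii_strings() {
    min="${2:-4}"
    if command -v strings >/dev/null 2>&1; then
        strings -n "$min" "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$min,}$"
    fi
}

# Return 0 if the file contains the marker as part of a printable run.
has_marker() {
    ascii_strings "$1" | grep -qF -- "$2"
}

# Constructed sample "binary": null and high bytes around two readable strings.
# "ELF" is three characters, so it falls below the default minimum length.
make_sample() {
    printf 'ELF\000\000\000libcrypt.so.1\000\000\001\002/usr/bin/ssh\000\377\376' > "$1"
}

SAMPLE_BIN="${TMPDIR:-/tmp}/chk_sample.$$"
trap 'rm -f "$SAMPLE_BIN"' EXIT
make_sample "$SAMPLE_BIN"

if has_marker "$SAMPLE_BIN" 'libcrypt.so.1'; then
    echo "marker present in $SAMPLE_BIN"
else
    echo "marker absent from $SAMPLE_BIN"
fi
```

Run it against a real file with `has_marker /usr/sbin/sshd some-marker` after the functions are defined; the point is that a failing `strings` call makes the check silently report nothing found, which is why an absent Command Line Tools install is worth noticing when reading chkrootkit output.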


To add to what Al mentioned, note that the chkrootkit page's list of detected rootkits only includes ONE that was a Mac threat, and that one (OSX.RSPlug.A) has been dead for a LONG time. RSPlug started infecting Macs back in 2007, and continued up until the FBI brought them down in 2009. It has been extinct ever since, and you will not see it on a modern Mac.

I'd recommend not relying on something like chkrootkit for security on your Mac.


Yeah - this has made me look around my whole setup and seeing things that used to be necessary but no longer are, and in fact have become a liability!

Possibly a nice topic in there somewhere; unencrypted Time Machine backups; old tools; apps not from App Store... Not using Authenticators etc.

Thanks for taking the time to confirm.
