RootKit hell


I have an active WINS server. It seems that whatever malware this is, it has crept into every app, so I have added just one of them. Apple has reset my Macs multiple times and doesn't seem to care that the gatekeeper failed, even on my brand new M1, iPhone 12 Pro, and more. I lost my small business trying to get everything back to normal, but even in the Apple Store directly after reinstall, the NetBIOS was active. I was MDM locked out of my 2-week-old computer. Best Buy said it's a rootkit, but legit, I'm losing my mind, because my media changes. Antivirus isn't picking up on the problem, but as you can see from the photo below there is an obvious issue; this is just one of the many photos.

Screen Shot 2021-07-02 at 4.06.23 PM.png

Script Editor.zip


I'd recommend submitting a support ticket with details about your concerns and any issues you're seeing, along with the output of our Mac support tool:

https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac

 
Edited by Porthos

We've started a long weekend, so staff won't be back at work until Tuesday. They were running a week or so behind before now due to the pandemic and other factors, so it might be some time before you receive a response to what @Porthos has suggested.

I'm guessing that the file you tried to update was the Script Editor app, but it's not available to us here. Perhaps this discussion can be better handled in the Newest Mac Threat forum where uploads are available to a few Malware Hunter users.

Not sure what you mean by Gateway failure, but until the most recent versions of macOS, Gateway only checks new applications the first time they are launched. Would be useful to know what macOS you are running.


42 minutes ago, Porthos said:

It seems to have been deleted by the user or staff.

Yes, they probably thought it was malicious, and it might possibly be.


I removed the other attachment (I didn’t realize that others would be able to open it and I don’t want to be responsible for anyone else ever going through this). All of my computers are supposed to be running 11.4, but my devices still will only NetBoot; when downloading, the version is different. My son's Acer picked up Mutuodo (spyware) with MS Defender. My Macs, though, have been a mess: my VPNs are rerouted, preinstalled apps won’t “install” because they weren’t downloaded from the App Store. After 6 months of trying to figure out how to fix this, Apple still hasn’t helped at all. I reached out to Malwarebytes Customer Support; I lost access to my previous email when they were helping me, so I reached out again with a new one and it’s been about 2 weeks. I’m at a complete loss.


17 hours ago, MyMacAroon said:

I removed the other attachment (I didn’t realize that others would be able to open it and I don’t want to be responsible for anyone else ever going through this).

As I mentioned earlier, you can safely upload that file to the Newest Mac Threat forum if you would like selected users and the staff to analyze it for you.


I installed Webroot: 142 threats (probably more) during its first run, and seconds later (I cleared the logs) 17 more. My M1 stopped working. I went into recovery mode and got this error, I shut down, and now it just tells me to contact Apple Support after I erased my Macintosh HD disk. Internet recovery is acting like a local recovery and everything else is “localized strings”, even my MAC addresses.

 


On 7/4/2021 at 3:40 PM, MyMacAroon said:

Please see attached

Unsure why you uploaded those here and what it is you want us to see? 

As I keep saying, if you think they may be malicious you need to upload them to a different forum where normal users cannot download them:

https://forums.malwarebytes.com/forum/193-newest-mac-threats/


The Malwarebytes 4.10 that you uploaded yesterday is identical in size to what I get when I download it from Malwarebytes and passes all the tests for signature and hidden executables, so I have to conclude it's not been modified.

Screen Shot 2021-07-05 at 21.39.24.png


Hello, 

I uploaded 3 zips yesterday. Today I uploaded the photos of Webroot finding 17+ “malicious” files (as previously stated it was more, but I cleared the logs), along with this: my M1 stating, in internet recovery mode, that it couldn’t download Big Sur because I didn’t have a firmware recovery partition.
 

I also provided screenshots of the size differences from what I was uploading vs actual file size…. 
 

Am I missing something? 


1 minute ago, MyMacAroon said:

I also provided screenshots of the size differences from what I was uploading vs actual file size….

All three downloaded files match your figures, so I wouldn't worry at all that the Forum server is displaying them as smaller files. Was there something else you need evaluated about these files?


5 minutes ago, alvarnell said:

The Malwarebytes 4.10 that you uploaded yesterday is identical in size to what I get when I download it from Malwarebytes and passes all the tests for signature and hidden executables, so I have to conclude it's not been modified.

Screen Shot 2021-07-05 at 21.39.24.png

Ours may look like the same size, but I can assure you that they’re not.


10 minutes ago, alvarnell said:

All three downloaded files match your figures, so I wouldn't worry at all that the Forum server is displaying them as smaller files. Was there something else you need evaluated about these files?

I guess the concern is that when I was running the support app for Malwarebytes, it stated to specifically exclude those files. 
 

When talking with Apple, a lot of my files would be either removed or changed; for instance, my M1 “remoteServices.apple.com” would need to add a “configuration” fresh out of the box. Best Buy called it a rootkit, and Webroot can’t resolve some issue in /Var/path/root (I say path because I would need to reference the photo). Along with this, “Cloud” logins on my banking app, “Unix” logins on my Microsoft account; the list just goes on and on. I don’t fully open the files; I change them into “read only” and then I view them in Quick Look. As you can see from the photos, “echo”: echo is a tool used in plain text documents by hackers for scripting; it’s an interactive/accidental scripting by the user, all of which falls in line with what I’ve been experiencing. Like, 6 months ago, I didn’t even know that my computer had a MAC address, nor did I care. (Big mistake)


No, it says to ignore Contacts and Calendar access, if prompted, not the files themselves. I was not prompted when I ran the script.

Can't comment on M1 configuration as I haven't purchased one yet. I would not accept any explanation from Best Buy based on previous experience. Rootkits are extremely uncommon with regard to macOS and have been made increasingly more so with the introduction of SIP and separate macOS volumes in Big Sur, and all but impossible in Monterey.

It's way past bedtime and I can't begin to sort out what you are trying to show with all those quicklook snaps. I'll just note that "echo" is a command to display what follows to the user and the few I noted don't resemble anything malicious.

Screen Shot 2021-07-06 at 04.28.27.png


6 hours ago, MyMacAroon said:

Ours my look like the same size but I can assure you that they’re not.

Is there something in all those screenshots that attempts to prove that? Finder seems to think they are both exactly 821,852 bytes. That's yours on the left:

 


24 minutes ago, alvarnell said:

Is there something in all those screenshots that attempts to prove that? Finder seems to think they are both exactly 821,852 bytes. That's yours on the left:

 

I really appreciate you looking into that; however, that isn’t my photo on the left. The photo that I posted says 658 KB on the Finder tab and what I uploaded to be 642 KB, mine wasn’t in military time, and that wasn’t the background of my upload. I took a screenshot of my post and attached it here. I don’t even know if any of this matters, but I do know that there is an active, unsolicited web server.

May I ask what you think it might be in your experience? I definitely haven’t signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same. Without a doubt there is an issue and I don’t know what to do about it.


5 minutes ago, MyMacAroon said:

I really appreciate you looking into that; however, that isn’t my photo on the left. The photo that I posted says 658 KB on the Finder tab and what I uploaded to be 642 KB, mine wasn’t in military time, and that wasn’t the background of my upload. I took a screenshot of my post and attached it here. I don’t even know if any of this matters, but I do know that there is an active, unsolicited web server.

May I ask what you think it might be in your experience? I definitely haven’t signed up for any web servers, nor do I have any idea what it is that I should be trying to do to remove it. My old ISP found an HTTP server adding a configuration to my router, and my current one found the same. Without a doubt there is an issue and I don’t know what to do about it.

This is assuming that you didn’t open up the attachment and create a new Finder screenshot for the one I posted, change your time format, and add a “?” next to the name, because mine was also in zip format. (It didn’t occur to me until now that that is probably what your screenshot is.) 😅


I am not a techy person; what I do know I learned in the past 6 months going through all this. I could send you screenshots all day of the weird things that happen, like not being able to download standard apps that are built into the OS, however I would be wasting your time.
 

- All of my computers NetBoot.
- Per the first photo I posted, I have an active web server.
- Per Webroot, over 100+ issues, IO Reg, and it wasn’t able to remove an issue in the root container.
 

If anyone can help by telling me what they would need to determine what to do, that would be awesome.


  • Staff

I'm not able to follow any of this. We need to reset to zero and start from the beginning. What specific behaviors are you seeing that you believe indicate that your Mac is infected?

A few specific points:

  • The copies of Contacts and Calendar that you posted are unmodified copies of the legit versions of these apps from macOS Big Sur 11.4. I don't understand why these were posted.
  • The copy of Malwarebytes for Mac is an unmodified copy of the legit app. Again, I don't understand why this was posted.
  • The echo command is a legitimate Unix shell command.
  • The screenshots where you've highlighted things found in the script-mbst-log.txt file are normal. This file is a log of what our support tool has done, and is in no way an indication of malicious activity.
  • I can't comment on anything that Webroot might have detected or removed without details, but your screenshot showed it (?) deleting .Trash and Caches, and neither of these are malicious, nor should they be deleted.

4 hours ago, treed said:

I'm not able to follow any of this. We need to reset to zero and start from the beginning. What specific behaviors are you seeing that you believe indicate that your Mac is infected?

A few specific points:

  • The copies of Contacts and Calendar that you posted are unmodified copies of the legit versions of these apps from macOS Big Sur 11.4. I don't understand why these were posted.
  • The copy of Malwarebytes for Mac is an unmodified copy of the legit app. Again, I don't understand why this was posted.
  • The echo command is a legitimate Unix shell command.
  • The screenshots where you've highlighted things found in the script-mbst-log.txt file are normal. This file is a log of what our support tool has done, and is in no way an indication of malicious activity.
  • I can't comment on anything that Webroot might have detected or removed without details, but your screenshot showed it (?) deleting .Trash and Caches, and neither of these are malicious, nor should they be deleted.

Hello, 

Thank you for taking the time to respond. Honestly, for the most part I have no idea what it is that caused this, or what to look for here.
 

1.) In the first photo, I have a WINS server attached to my devices. I have attached a few screenshots from my VPN’s logs for additional reference on how my devices are communicating.

2.) The logs are for the most part very standard stuff; however, Unix is used in cPanels, and I don’t have DDNS for a domain. The Unix socket is also the same socket for my root container (root user is not enabled), and I don’t have Apache, Google, Firefox, etc. installed on my computers. Webroot also mentioned a threat in the /Var/root/path file that it was unable to resolve. Echo is a legit command, but as I mentioned, I don’t have a cPanel for my home; furthermore, the logs indicate that C++ is the coding language, 2 group containers, a subsystem and LDAP v3 that is hidden. The logs also mention an IOReg, almost like the built-in beta has been activated without my approval.

3.) Cache and cookies are temporary files and can be deleted from time to time (either to reset your Falcon cookie like I was trying to do, or just for performance; cookie signing with AWS or even WINS is a real thing.)

4.) My devices are pairing with one another without prompt: my Apple TV, phones, computers, iPads, etc. (all of which have different Apple IDs).

 

If you have any insight into what to do, or how to remove this server, I am all ears and seriously need help; I’m losing my *****. I’ve had all of my devices wiped and/or replaced, I’ve changed ISPs, and I still can’t seem to get rid of whatever this is.
 

 
