Malware Issue Finally Solved
I’ve learned a lot these last few weeks, dealing with malware (which I have finally vanquished). It turns out that, although my system needed some cleanup, the true problem was with my infected Time Warner Arris. Moral number 1: do not believe that a “full factory reset,” recommended by telecom techs, is as comprehensive as they would have you imagine. It did nothing to nuke what was living on my router, and caused me to waste a lot of time.
My ultimate move with Apple support, in solving my DNS redirect problem, should have been my first: to restart my computer in recovery mode (command + R) and, using the “Get Help Online” feature, see if the sandboxed recovery-partition version of Safari experienced the same redirect problems as the browsers on the main partition did–a very fast, solid way to differentiate between a router-based and a computer-software-based problem.
Continuing from My Previous Efforts
My prior post covered quite a bit of ground, but I had a lot of work left to do to secure/disinfect my system.
Before walking the directories manually, and escalating a support ticket with Apple, I tried out a number of anti-virus suites for OS X. Of these, the 30-day trial of Kaspersky was the only one that hit on anything missed by ClamAV and MacScan, although it is gigantic, trial-only, and set up browser plug-ins and “real-time” protection that interfered with my system immensely. For anybody with a fast connection to the internet, I would still say that it is probably a decent resource to run, update and uninstall immediately.
Walking the File System
Walking the directories manually, my next step, uncovered an unsettling amount of garbage–probably all quite harmless–from incomplete uninstallations of software over the last two years. It was really amazing how much junk was around, even though I have been pretty disciplined about throwing out everything I no longer use, or need, on my system. I realized, however, that I could not, in one lifetime of scrutinizing and Googling, hope to find entries that were not obviously unwelcome on my system. There are just too many files to Google.
I called my ISP and, despite their insistence that hard-resetting the router/modem would solve any hardware-based problem, they scheduled a tech to come out and replace my hardware free of charge. I suppose they understood that the modem could be hacked, but didn’t want to say so… or merely figured it was cheaper to send a level 1 tech out with a machine than it would be to spend hours of senior-tech man-hours dealing with my persistence.
In the meantime, I learned that the router has its own settings for which DNS servers it uses, and some default configuration, like blocking pings, etc., that needs to be changed manually from the bad security settings it ships with. I had thought it sufficient to use strong passwords and change the router login. Nope. You have to get in there and root around.
Apple Support For the Win
My next move was to contact senior support at Apple. I had already been on with junior support, and their recommendations, like flushing the DNS cache, etc., were all things anybody who reads Stack Exchange would have already tried. As getting higher-level tech support goes, it was relatively easy to get escalated with Apple. You must simply persist with your ticket, over a few calls, and ignore the ham-fisted advice of level 1 technicians to wipe your hard drive and reinstall OS X.
“I don’t know the vector of infection – I’m not going to delete my system and spend 16 hours reconfiguring my developer tools, just to possibly reinfect myself when I connect to my modem, or use a USB drive.”
When my appointment came around, I took the call and set up screen sharing. We set permissions on my drive, to make sure it was completely readable by anti-virus suites (something I somehow forgot to do), and re-ran anti-malware software. This yielded nothing… but allowed us to pursue the next logical step: scrutinizing the file system, particularly the /Library and ~/Library folders. There we found one obvious adware folder in plain sight–which I had somehow missed. I wish I could say what it was… unfortunately the tech insisted that we work through the GUI, so I cannot just run history | grep rm to find it.
After looking at my browser behavior, and noting some issues with certificate validation (which I later resolved on my own), we decided to try booting in Recovery Mode (Apple + R on restart). Apparently the Safari in recovery mode is sandboxed, and would not be affected by a virus installed on the regular system. This, along with the fact that my Pi was exhibiting the same behavior, and no common, funny-looking processes were running on each device, convinced him that it was, in fact, a router issue.
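The recovery-mode Safari test above, and the point earlier about the router carrying its own DNS server settings, boil down to one question: do answers from the resolver the router hands out match answers from an independent resolver? Below is an added example (my own, not code from the original post or from Apple support) that makes that comparison offline. It assumes you have already run dig +short <name> @<router-ip> and dig +short <name> @<public-resolver> for a handful of names and pasted the answers in; the resolv.conf text, the hostnames and every address in it are constructed from the documentation ranges, not real captures.

```python
"""DNS redirect triage across two resolvers.

Added example, not code from the original post. It does offline what the
recovery-mode Safari test does by hand: decide whether a redirect lives in
the resolver the router hands out or in software on the Mac. All inputs
below are constructed (documentation address ranges), not real captures.
"""
import ipaddress
from collections import Counter

# Constructed: what /etc/resolv.conf looks like when DHCP points the Mac at the
# router for DNS (on macOS, `scutil --dns` shows the same information).
RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.168.0.1
search home
"""

# Constructed `dig +short` answers keyed by name; [] means NXDOMAIN/no answer.
# The router column shows the redirect signature: unrelated names, and even a
# name that cannot exist, all resolve to one address.
ROUTER_ANSWERS = {                 # hypothetical: dig +short <name> @192.168.0.1
    "www.apple.com":        ["203.0.113.7"],
    "support.mozilla.org":  ["203.0.113.7"],
    "no-such-host.invalid": ["203.0.113.7"],
    "time.apple.com":       ["198.51.100.4"],
}
PUBLIC_ANSWERS = {                 # hypothetical: dig +short <name> @9.9.9.9
    "www.apple.com":        ["198.51.100.1"],
    "support.mozilla.org":  ["198.51.100.2"],
    "no-such-host.invalid": [],
    "time.apple.com":       ["198.51.100.4"],
}


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text."""
    return [parts[1] for parts in (line.split() for line in resolv_conf.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def is_lan_resolver(ip: str) -> bool:
    """True when the resolver is a private/link-local address, i.e. the router itself."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local


def compare_answers(router: dict, public: dict, sinkhole_threshold: int = 3) -> list:
    """Flag names whose answers differ between resolvers, plus the wildcard pattern.

    Three signals a hijacked resolver leaves: plain mismatches, answers for names
    the public resolver says do not exist, and one address answering for many
    unrelated names (a redirect to a proxy/ad host rather than a stale record).
    """
    findings = []
    for name in sorted(set(router) | set(public)):
        r, p = sorted(router.get(name, [])), sorted(public.get(name, []))
        if r == p:
            continue
        if r and not p:
            findings.append(f"NXDOMAIN hijack: {name} -> {r} on router, no public answer")
        else:
            findings.append(f"mismatch: {name} router={r} public={p}")
    hits = Counter(ip for ips in router.values() for ip in ips)
    for ip, n in hits.items():
        if n >= sinkhole_threshold:
            findings.append(f"wildcard redirect: {ip} answers {n} unrelated names")
    return findings


def triage(resolv_conf: str, router: dict, public: dict) -> dict:
    """Combine the checks into a verdict, the way the support call did."""
    resolvers = parse_resolvers(resolv_conf)
    findings = compare_answers(router, public)
    uses_router = any(is_lan_resolver(r) for r in resolvers)
    if findings and uses_router:
        verdict = "router-level redirect"      # recovery-mode Safari would be hit too
    elif findings:
        verdict = "upstream resolver differs"  # not the router; check who the resolver is
    else:
        verdict = "resolvers agree"            # a redirect now points at host software
    return {"resolvers": resolvers, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(RESOLV_CONF, ROUTER_ANSWERS, PUBLIC_ANSWERS)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Two caveats when feeding it real captures: dig @<ip> bypasses the system resolver but not a router that transparently intercepts port 53, so if both columns agree on a suspicious answer, query over DNS-over-HTTPS or from a different network before trusting the “resolvers agree” verdict; and if the resolvers agree yet the browser still redirects, the problem is on the host (hosts file, proxy/PAC settings, a browser extension), which is exactly the case the sandboxed recovery-partition Safari would not reproduce.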
So concluded our call, and I received a personal email from the tech explaining how to follow up with him. Apple support, in the upper tiers, rocks.
While waiting for Time Warner I managed to fix another issue I was having. Untrusted, expired certificate servers kept cropping up in Firefox, although I had deleted them… and I couldn’t seem to figure out a fix. I could see certificate issues cropping up in Chrome too… but nothing was expired in my Keychain Access file–and, not being familiar with Keychain, I wasn’t aware that expired certificates are hidden by default!
The reasoning for why they are not deleted upon expiry, and are allowed to remain hidden, appears to be that they are automatically distrusted… but I noticed that this was not the case when I scrutinized them via “Get Info” → “Trust”: they were set to “Use System Default,” which mainly distrusted them, but did in fact allow for some uses. I had to set each manually to “Always Distrust” because, despite unlocking the keychain, the option to delete system certs remained greyed out.
At any rate, doing this, and running First Aid in Keychain Access, resolved the Firefox issue; the next time I deleted expired certificate servers they stayed dead. Why Mozilla maintains a separate list of certs from the one used by Chrome/Safari/Opera, if the concerns of each system are not adequately separate, is beyond me. But that’s the way it works, it seems. And now we know.