
robbieduncan

Moderator emeritus
Jul 24, 2002
25,611
893
Harrogate
Rootkits in general? Sure. If you do not take sensible precautions then any system is at risk of infection from all sorts of rubbish.

The Sony DRM rootkit only affects Windows PCs though.
 

DavidCar

macrumors 6502a
Original poster
Jan 19, 2004
525
0
Seasought said:
According to user comments here yes they can be.
I don't get the impression from this article (good article, thanks) that I could catch a rootkit on a Mac as easily as the Sony rootkit is placed on a PC. I don't do root access, or network access, and I don't believe in Elvis sightings, so it seems I'm safe.
 

DavidCar

macrumors 6502a
Original poster
Jan 19, 2004
525
0
I'll add that one thing that caught my attention in the article sub-linked to my first post is that information was being sent to Sony over the network each time the CD was played.
 

Daveway

macrumors 68040
Jul 10, 2004
3,370
1
New Orleans / Lafayette, La
Mac OS X would require that a root password be put in, however the kernel could be patched first and then the rootkit can be placed in the computer.

According to Leo L. rootkits were first developed for UNIX.
 

robbieduncan

Moderator emeritus
Jul 24, 2002
25,611
893
Harrogate
DavidCar said:
I don't get the impression from this article (good article, thanks) that I could catch a rootkit on a Mac as easily as the Sony rootkit is placed on a PC. I don't do root access, or network access, and I don't believe in Elvis sightings, so it seems I'm safe.

Every single person who has that Sony rootkit said yes to installing it (well, said yes to installing something, it never said it was a rootkit). The only saving grace on OSX is that you would have to enter your Administrator password as well as saying yes, whereas most users on Windows are logged in as Administrator and you wouldn't need to type in your password again.
 

Celticsun1980

macrumors newbie
Nov 8, 2005
2
0
England
I don't believe it would directly affect the Mac, I thought the system fundamentals were too different, and if it was possible then OSX would certainly ask you for your Admin Password.

And let's face it, still to this day you can't get a NetMD to work on a Mac, so I wouldn't worry about it... not yet anyways :p
 

mdavey

macrumors 6502a
Nov 1, 2005
506
1
The Sony rootkit only works on Windows and Sony's use is atypical (rootkits are usually used by crackers to gain administrator control of a system, not by music companies to implement DRM).

DavidCar said:
I don't do root access, or network access, and I don't believe in Elvis sightings, so it seems I'm safe.

Safe is a relative term. Mac OS X is based on Unix and has very good user management and segregation, but all OSes have security flaws, including Linux, BSD and Mac OS X. In order to install and activate a rootkit, joe cracker has to have root access on your system. There are many techniques to achieve this (including simply asking the user to enter the root password) - but most often they involve covertly exploiting a security vulnerability in a system service.

Here is a technical document describing one such vulnerability (this is a very old one that Apple fixed ages ago). This particular vulnerability can be exploited by sending a series of carefully crafted network packets to the target computer, resulting in the cracker gaining access to an unprivileged account. Once they have that, they can upload the rootkit and execute it, gaining them a root account.

As mentioned in the article, such an attack would be beyond most script kiddies and so the likelihood of your particular system being cracked is low, but crucially it isn't zero. There are some simple things you can do to further reduce the risks:
* run SoftwareUpdate on a regular basis and always install the security updates as soon as you can
* If you are a system administrator (or have a general interest in security), monitor the security mailing lists such as Bugtraq, CERT, FIRST and SecureMac.
* teach yourself about Unix and Mac OS X security
* use the techniques listed in the article (such as installing tripwire and rootkit sniffers)
* set up a proper firewall machine between your Internet router and your home network. Any old PC makes a good firewall machine and you'll find free firewall software on the Internet (try IPcop, m0n0wall or smoothwall).
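The post above recommends installing Tripwire and rootkit sniffers. The block below is an added example, not code from the post or from the Tripwire project, showing the core idea those tools are built on: hash every file under a directory into a baseline, keep the baseline somewhere the attacker cannot reach, and later re-hash and diff. The fake `/usr/bin` tree, the trojaned `ls`, the hidden `.rk` file and the setuid bit on `netstat` are all constructed for the demonstration.

```python
"""Minimal file-integrity baseline-and-verify check, the idea behind
Tripwire-style host integrity monitors.

Added example; not code from the forum post or from the Tripwire project.
The directory layout and file contents created in demo() are constructed
purely to exercise the checker."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record relative path -> {sha256, size, mode} for every regular file.

    Mode bits are included so a silently added setuid bit is caught even if
    the file contents are unchanged. Symlinks are skipped in this toy version."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines: files added, removed, or changed (content or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake usr/bin, then simulate a rootkit
    trojaning `ls`, dropping a hidden helper, deleting `ps` and making
    `netstat` setuid. Returns the diff report."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for tool in ("ls", "ps", "netstat"):
            path = os.path.join(bindir, tool)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + tool.encode() + b"\n")
            os.chmod(path, 0o755)

        # Serialise the baseline as a real tool would (ideally to read-only or
        # offline media; a baseline stored on the monitored host can be edited).
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # --- simulated compromise (constructed) ---
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\n/usr/bin/ls.real \"$@\" | grep -v rk\n")  # hides files
        with open(os.path.join(bindir, ".rk"), "wb") as f:
            f.write(b"payload")                                          # dropped helper
        os.chmod(os.path.join(bindir, "netstat"), 0o4755)                # setuid added
        os.remove(os.path.join(bindir, "ps"))                            # tool deleted

        return compare(json.loads(baseline_json), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats worth keeping in mind. First, a checker like this runs through the kernel's own `open`/`stat` calls; a kernel-level rootkit that patches those can feed it the original file contents while executing the trojan, which is why real deployments boot from trusted media or compare from another host. Second, the baseline itself is a target: if it lives writable on the monitored machine, the attacker simply regenerates it after planting the rootkit.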
 

DavidCar

macrumors 6502a
Original poster
Jan 19, 2004
525
0
mdavey said:
* teach yourself about Unix and Mac OS X security
* use the techniques listed in the article (such as installing tripwire and rootkit sniffers)
* set up a proper firewall machine between your Internet router and your home network. Any old PC makes a good firewall machine and you'll find free firewall software on the Internet (try IPcop, m0n0wall or smoothwall).
I've never heard of a firewall machine. Sounds like I may need to learn a little Unix.
 

mkrishnan

Moderator emeritus
Jan 9, 2004
29,776
15
Grand Rapids, MI, USA
DavidCar said:
I've never heard of a firewall machine. Sounds like I may need to learn a little Unix.

It's just a computer that sits at the top of your home network and acts as a firewall. The advantage over other firewalls is that it's more flexible than the router hardware firewall (probably), and because it's running on a computer that isn't doing too much else, it is relatively less vulnerable to being disabled or modified by viruses or malware, etc.

Seems like an awful lot, to me, though. And only really beneficial if you need ports to be open. The only port open on my iBook is a UDP port for network time, and there're no ports open in the NAT "firewall" on my router.
 

feakbeak

macrumors 6502a
Oct 16, 2003
925
1
Michigan
To add a little more about running a computer firewall it is a good idea and nice to have the firewall between your machine and the internet as opposed to just running a software firewall locally. Besides, I find software firewalls annoying with pop-ups that you usually get with them.

I believe that a run-of-the-mill broadband router with NAT and firewall capabilities built-in is the best option as most consumers will not want to configure a spare/old box to run a software firewall. Most NAT routers come mostly locked down with all ports stealthed. You can pick up one of these at Best Buy or the like for about $50, maybe a little less. Linksys, D-Link, NetGear seem to be the big three in that market but there are many more. The only difference between them is usually the firmware but most any basic model will give the average consumer what they need and make your computing environment much more secure.
 

DavidCar

macrumors 6502a
Original poster
Jan 19, 2004
525
0
feakbeak said:
Linksys, D-Link, NetGear seem to be the big three in that market but there are many more.
I had some strange problems with a Netgear once. It seemed to be rerouting lots of mysterious incoming traffic and then sending it out again without it reaching the computer. I don't really need a router, but if I got another one I would want to have the most information and control available.
 

feakbeak

macrumors 6502a
Oct 16, 2003
925
1
Michigan
DavidCar said:
I had some strange problems with a Netgear once. It seemed to be rerouting lots of mysterious incoming traffic and then sending it out again without it reaching the computer. I don't really need a router, but if I got another one I would want to have the most information and control available.
I've used Linksys in the past and now have a D-Link router. I've also tried an Airport Express for a wireless access point but I didn't like the software tool used to configure it. Out of all of them I most like the D-Link mostly because of the firmware.
 

DavidCar

macrumors 6502a
Original poster
Jan 19, 2004
525
0
feakbeak said:
Out of all of them I most like the D-Link mostly because of the firmware.
Any specific feature about the firmware that you like?
 

Mechcozmo

macrumors 603
Jul 17, 2004
5,215
2
feakbeak said:
I've used Linksys in the past and now have a D-Link router. I've also tried an Airport Express for a wireless access point but I didn't like the software tool used to configure it. Out of all of them I most like the D-Link mostly because of the firmware.

I hate our D-Link. It doesn't play nice when it has its DNS server disabled. See, we have a Linksys router that gives out IPs and is connected to the cable modem. The D-Link is a switch/wireless AP. Well, disable the DNS server and you cannot connect to it anymore. So it is stuck at WEP-128 until I can pull it out of the attic and do a hard reset, restore all settings, and then put it back up there.

Linksys routers I've had better luck with... nicer, better range, you can buy high-gain antennae.
 

feakbeak

macrumors 6502a
Oct 16, 2003
925
1
Michigan
DavidCar said:
Any specific feature about the firmware that you like?
While I don't use every feature of the router I use a fair amount of the features. BTW, I have the DI-624 for reference.

- Use DDNS feature to keep my domain name pointed at my machine at home that I run a web server off.
- Use the wi-fi capabilities with WEP enabled. They let you store up to four keys to let you switch them easily to keep it a little more secure.
- I enabled MAC address filtering so that only machines I allow can get on my network.
- I use both static and dynamic DHCP features. It is nice that when you enter the MAC address for computers (say for MAC address filtering) it has you associate that MAC address with a name and keeps a list of them, so that if I go to configure a static DHCP entry for that MAC address I can just pick the machine name from a drop-down list and I don't have to enter the MAC address again.
- The port-forwarding options are nice and can be set to a schedule. All of the filtering options and parental control stuff can also be set to a schedule.
- The reboot from the firmware is also nice so you don't have to go over to the physical device.

Also, the interface for the firmware (web-based) is very responsive and just very well done, IMO. After configuring the router you can save off your configuration settings to a file and load them up later if you ever mess it up.

I used a couple of Linksys routers in the past and their firmware was not nearly as robust or responsive. It has been a couple of years since I've used their stuff though - maybe they are better now that they're owned by Cisco. I think they changed over their firmware since I last owned one. I also know you can replace the Linksys firmware with some open-source stuff now too.

As for the Airport Express, I really didn't care for the fact that there was no web interface to configure the router. You had to use a software tool to view and change the settings and then upload them to the device - this is not ideal, IMO.

Hope that helps you.
 