General Question

blastfamy's avatar

Resolving a mac virus... Help?

Asked by blastfamy (2164points) January 2nd, 2009

I’m about to re-install OS X on my macbook. I let a friend use it on another account, and he went to god knows where. Wherever he went, it put a bot on my computer in Samba, I think that attacks my router’s firewall from the inside.

Anywhoo, I’m thinking that I should blitz the OS, and restore my user account. I have time machine backups that I started right after all of this happened. I’ve kept the machine off any network since I found out about this.

Does time machine restore (on a re-install) have any options to restore just a user, or do I have to re-load the entire system from the backup? I would just as soon not have to re-load all of my settings again…

Or does anyone have any specialty in weeding out mac bots? I think I’ve got one…

Observing members: 0 Composing members: 0

15 Answers

squirbel's avatar

lol? A bot?

What does this bot do, specifically?

I want to help, I swear. It just sounds hella fishy.

andrew's avatar

Wait, really? A mac bot? I’ve never heard of that. Are you running parallels or something?

asmonet's avatar

Lol, yeah. What?

squirbel's avatar

I looked it up – just turn off the Samba protocol.

Samba is just for communicating with Windows PC machines. It’s not a bot – it’s a vulnerability. Apple is aware of it.

Why are you cavorting around with the devil anyway? You’re gonna get cooties.

blastfamy's avatar

The bot sets a firewall rule (2 actually), that opens a direct channel to WAN between the computer’s IP and the internet. What’s more is that the admin account on the firewall cannot delete these rules: they are somehow write-protected. Restoring configs from a backup of the firewall kills the rules, until you connect the macbook again.

We also traced the source of this to a japanese manga blog (likely what my friend was using). I don’t even know what part of the system was attacked. Ergo, I think the safest thingk tot do is th blitz OS. I only think that samba was attacked because its open source code tied to windows password storage (which I unfortunatly have to use).

I would never go to those sorts of sites any way, because I know the danger…

No parallels running, @andrew.

Also, when I turned off Samba, the rule came back… still. Any ideas?

blastfamy's avatar

@Squirbel, would an install of the most recent version of SAMBA blitz the problem, or would another cleanup method be required?

I would really rather not re-install the OS if I didn’t have to, seeing as I would have to hunt down and re-install/configure much of my stuff…

squirbel's avatar

I would suggest deleting the .pref file associated with Samba – that would reset it to system defaults.

PupnTaco's avatar

Reinstalling the OS is using a chainsaw when you need an X-Acto.

blastfamy's avatar

@PupnTaco, true, but as the person who admins the network understands very little, telling him that I started fresh would be good in his eyes…

@squirbel, so you don’t think that whatever is going on modified Samba itself? That if I delete the .pref file the problem won’t persist?

PupnTaco's avatar

@ blast: that’s the typical Windows solution: nuke everything & start over. Yuck.

blastfamy's avatar

I agree, but my admin is a windows-loving maniac… and just about the only thing he’d accept is a blitzing…

Fortunately, there’s time machine…

On a side note, @squirbel…
the article you linked to recommends manually updating SAMBA. I went to the site, and it had a bunch of binaries for different UNIX distros. I didn’t see any that looked like what OS X is based on. The current list is:
which one should I pick? any suggestions?

squirbel's avatar

OSX is Darwin based.

blastfamy's avatar

so which one should I pick from the above list…?

aaronbeekay's avatar

Hiya. I’m a Mac tech.

Firstly: there are no observed Mac viruses in the wild, to the best of my knowledge as I write this. None.

The exploit linked to above appears to be a buffer flow in the Mac OS X Samba server, which is code shared across many systems: hence why you found so many versions available for download. The exploit exists in the code that is installed with the system: reinstalling will NOT fix the problem. The only thing that will close this hole is you updating to the latest version of the Samba server.

You mentioned that “The bot sets a firewall rule (2 actually), that opens a direct channel to WAN between the computer’s IP and the internet.” I’m not sure where you’re getting this: what firewall are you talking about?

If you’re directly connected to the Internet (you have a public IP address), the only firewall you between you and the ‘Net is your built-in Mac OS X firewall. If this is the case,
* and you DO need to be running the Windows sharing server (Samba), the holes in the firewall are expected and necessary: if the firewall doesn’t let Samba traffic through, then you can’t share files
* and you DON’T need to be running the Windows sharing server (Samba), then turn off Windows File Sharing and your hole is closed

If, on the other hand, you are inside a LAN (with a router/s or gateway/s or firewall/s between you and the Internet), and the firewall you are referring to is under management of your sysadmin, the issue is much more severe than just a bot: it extends into the configuration and security of your network hardware. I don’t think this is the case.

Can I have a link to the manga blog where you think you’ve found the bot, or to the executable itself if you’ve identified it? When and how do you think it runs? Have you identified its PID or location?

I’d love to help—this is interesting—but it seems like there are some fuzzy definitions of “bot” and “vulnerability” here.

blastfamy's avatar

The firewall in question resides on our router. An image of a clean rules list is here.

The rules open unblocked in/out traffic to between my IP (rules change to reflect a changed IP) and WAN. The only way to remove the rules are to restore to a config backup.

A new, fresh, account sets the rules upon first connecting to the router.

One of the notes on one instance of the rules gave a string of letters and numbers that, when googled, point only to one place – some japanese manga blog. It was later confirmed that the kid using the computer was on this site. I don’t have the URL to the site anymore.

I assumed that the problem stems from samba, because it was the only portion of OS X that I considered at all insecure. If this were the case, then I would assume that the process would be smbd.

I needed safe access to the internet from that machine, so I performed an archive and install, thinking that I could manually migrate the user-generated data files from the archive, and for my own account (there are 3), I would migrate the account wholesale. Before migration of the new account, i applied all system updates and checked the firewall. It was clean. After the update and the migration of the my old account’s folder, the rules began resetting themselves.

I then slicked the drive and installed again. At present, my plan is to manually re-install apps and settings for my account manually. The other two accounts were hardly configured at all; I’ll let their respective users perform any configs they want.

I would like very much to be able to restore the system from my time machine backup, but even the earliest backup has the problem. I started backing up after the machine had been compromised. With the information you have now, do you know of a way to fix the system (if restored from the backup) without connecting it to the internet? ( can download files from other machines).

Thanks for your help, really.

Answer this question




to answer.

This question is in the General Section. Responses must be helpful and on-topic.

Your answer will be saved while you login or join.

Have a question? Ask Fluther!

What do you know more about?
Knowledge Networking @ Fluther