Mac Security: Identifying Changes to the File System
by Peter Hickman
Editor's note: Before you get knee-deep into this very interesting article that discusses, among other things, a hacker's toolbox known as a rootkit, I want to point out two things. First, the way "hacker" is referred to in this article is in the nefarious sense, as in "black hat," not in the playful spirit of the phrase that we usually think of. Second, keep in mind this passage from the author: "There are few rootkits tailored for BSD (the codebase underlying OS X) and none specifically for the Macintosh. Talk of Macintosh rootkits is less credible than Elvis sightings, but as we are at heart running a Unix system, a generic Unix rootkit could be deployed on your Macintosh. Just remember that security is all about planning for the worst case; it pays to be paranoid. However, the sky is not falling; not today, at least." That being said, enjoy this piece. It's fascinating.
When you use a Macintosh, or indeed any Unix-based system, it's comforting to know that your computer is more secure than Windows. It is, however, a mistake to equate "more secure" with "invulnerable." Keep in mind that the hacker who does manage to break into your system has more skill than the average script kiddy. So when it happens, what should you be looking for? Let's assume that a malicious hacker wants one of two things:
- To steal valuable data from your computer, such as credit card numbers or passwords.
- Access to your system so that they can cover their tracks as they hack into other people's computers.
The Anatomy of a Break-In
Although I said that our hacker will be more skilled than the average script kiddy, they often have something in common: pre-packaged software. Once they have broken into your system they will download a bundle of tools called a rootkit. The purpose of a rootkit is to keep their access to your machine and to cover their tracks.
When working on your computer, they need to store files and be sure that you will not stumble across them and get suspicious. To this end, the rootkit provides replacements for several basic Unix tools such as find. These modified programs behave identically to their legitimate counterparts, except that they never report the directories and files that the hacker has created.
The hacker will also want to run some programs of their own and be sure that you'll not notice them. Again, they'll provide replacements for any program that can be used to monitor running processes, such as top. Here is a list of compromised programs found in various rootkits:
adduser amd basename cat chattr checkproc chkconfig chmod chown chroot cron csh date depmod df dmesg du echo ed egrep env fgrep file find grep groups head id ifconfig ifdown ifstatus ifup inetd init insmod ip kill killall kldload kldstat kldunload ksyms kudzu last lastlog less locate logger login ls lsattr lsmod md5 md5sum modinfo modload modprobe modstat modunload more mount netstat newsyslog nologin passwd ps pstree rmmod runlevel sh sha1 sha1sum size slocate sockstat sort stat strace strings su sulogin sysctl syslogd systat tcpd test top touch uname useradd usermod users vipw vmstat w watch wc wget whatis whereis which who whoami xinetd
The list is mostly for Linux systems, but you will notice quite a lot of familiar commands in here. Of the 104 programs listed, 63 exist on the Macintosh. Once your computer is compromised, and you cannot trust your own keyboard, what do you do?
Looking for Clues
Reining in our paranoia for a moment, let's make a point clear here: There are few rootkits tailored for BSD (the codebase underlying OS X), and none specifically for the Macintosh. Talk of Macintosh rootkits is less credible than Elvis sightings, but as we are at heart running a Unix system, a generic Unix rootkit could be deployed on your Macintosh. Just remember that security is all about planning for the worst case; it pays to be paranoid. However, the sky is not falling; not today, at least.
If you think that your machine has been compromised, there are tools you can use to scan your system for known rootkits, such as Rootkit Hunter and chkrootkit. Rootkit Hunter runs on OS X, and chkrootkit works on BSD-based systems, but not specifically on OS X. These tools look for evidence of rootkits by a variety of means, but are in part based around the idea of checking the size, permissions, and checksum of a known target file or program, such as ls, against a database of known good values.
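To make that last idea concrete, here is an added example of the baseline-and-compare check those tools build on. It is illustration code written for this page, not the article's own script nor anything from Rootkit Hunter or chkrootkit. It records the mode, size, and SHA-256 of each watched file into a known-good database, then reports anything missing, added, or changed. The file names (ls, find, ps, .rk) are constructed stand-ins created in a temporary directory, so nothing on the real system is touched, and the "rootkit install" in demo() is simulated by hand. Note what each step is meant to show: the trojaned ls keeps the same size and mode, so only the checksum catches it; ps gets a setuid bit, so only the permission check catches it. Modification times are deliberately ignored, because touch is on the list above and an attacker with root can reset them.

```python
# Added example (not from the article): a minimal baseline-and-compare
# integrity checker. It fingerprints each watched file by mode, size and
# SHA-256, stores that as the known-good database, and later reports
# anything missing, added or changed. All files below are constructed
# stand-ins in a temporary directory; "ls", "find", "ps" and ".rk" are
# hypothetical names, not real system binaries.
import hashlib
import os
import stat
import tempfile

FIELDS = ("mode", "size", "sha256")


def fingerprint(path):
    """Mode, size and SHA-256 of one path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    # mtime is deliberately left out: an attacker with root resets it with touch.
    return {"mode": oct(st.st_mode), "size": st.st_size, "sha256": digest.hexdigest()}


def build_baseline(paths):
    """Known-good database: fingerprint every path that currently exists."""
    return {p: fingerprint(p) for p in paths if os.path.lexists(p)}


def compare(baseline, paths):
    """Return {path: 'missing' | 'added' | 'changed:<fields>'} for anything that differs."""
    current = build_baseline(paths)
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = "missing"
            continue
        diffs = [k for k in FIELDS if old[k] != new[k]]
        if diffs:
            findings[path] = "changed:" + ",".join(diffs)
    for path in current:
        if path not in baseline:
            findings[path] = "added"
    return findings


def _write(path, data, mode=0o755):
    """Write bytes to path and set its permission bits (constructed test data)."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Simulate a rootkit install against constructed stand-ins for ls, find and ps."""
    d = tempfile.mkdtemp()
    ls, find, ps, hidden = (os.path.join(d, n) for n in ("ls", "find", "ps", ".rk"))
    for p in (ls, find, ps):
        _write(p, b"#!/bin/sh\necho genuine\n")
    baseline = build_baseline([ls, find, ps])

    # 1. Trojaned ls: same size and mode, different bytes -> only the hash catches it.
    _write(ls, b"#!/bin/sh\necho rootkit\n")
    # 2. find deleted outright.
    os.remove(find)
    # 3. ps given a setuid bit (mode change, contents untouched).
    os.chmod(ps, 0o4755)
    # 4. A new hidden file dropped alongside them.
    _write(hidden, b"loot\n", 0o600)

    findings = compare(baseline, [ls, find, ps, hidden])
    return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, what in sorted(demo().items()):
        print(f"{name}: {what}")
```

Two practical caveats apply to any checker of this shape. First, the baseline is only as good as the moment it was taken, so build it immediately after a clean install and keep it somewhere the machine cannot write to, such as read-only media. Second, once a box is suspect, run the check from a trusted copy of the interpreter and tools booted from outside the system: md5, sha1sum, and stat are themselves on the list above, and a rootkit that replaces them can make a modified file hash to whatever the database expects.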