If your Mac is behaving strangely and you suspect a rootkit, you will need to get to work by downloading and scanning with different tools. It is worth noting that you may have a rootkit installed and not even know it.
The main distinguishing factor that makes a rootkit special is that it gives someone remote control over your computer without your knowledge. Once someone has access to your computer, they can simply spy on you or make any changes they want to your computer. The reason you have to try different scanners is that rootkits are notoriously difficult to detect.
As for me, if I even suspect that there is a rootkit installed on a client computer, I immediately back up the data and perform a clean install of the operating system. This is obviously easier said than done and is not something I recommend everyone to do. If you are unsure if you have a rootkit, it is best to use the following tools in hopes of discovering the rootkit. If nothing shows up using multiple tools, you’re probably good to go.
If a rootkit is found, it’s up to you to decide if the removal was successful or if you should just start from a clean slate. It is also worth mentioning that since OS X is UNIX based, many scanners use the command line and require quite a bit of technical know-how. Since this blog is aimed at beginners, I’ll try to stick to the simpler tools you can use to detect rootkits on your Mac.
Malwarebyte for Mac
The most intuitive program you can use to remove any rootkits from your Mac is Malwarebytes for Mac. It is not only for rootkits, but also for any type of Mac virus or malware.
You can download the free trial version and use it for up to 30 days. The cost is $ 40 if you want to purchase the program and get real-time protection. It’s the simplest program to use, but it probably won’t find a rootkit really hard to detect, so if you can take the time to use the command line tools below, you’ll have a much better idea of whether or not you have a rootkit.
Rootkit Hunter is my favorite tool to use on Mac to find rootkits. It is relatively easy to use and the output is very easy to understand. First, go to the download page and click on the green download button.
Go ahead and double-click the .tar.gz file to unzip it. Then open a Terminal window and navigate to that directory using the CD command.
Once there, you need to run the installer.sh script. To do this, use the following command:
sudo ./installer.sh – install
You will be asked to enter your password to run the script.
If all went well, you should see a few lines about starting the installation and creating directories. In the end, it should say Installation completed.
Before running the actual rootkit scanner, you need to update the properties file. To do this, you need to type the following command:
sudo rkhunter – propupd
You should receive a short message indicating that this process has worked. Now you can finally do the actual rootkit check. To do this, use the following command:
sudo rkhunter – check
The first thing it will do is check the system commands. For the most part, we want green OK here and like few reds Warnings as much as possible. Once completed, press log into and it will start checking for rootkits.
Here you want to make sure everyone says Not found. If anything shows up in red here, you’ve definitely installed a rootkit. Finally, it will perform some checks on the file system, local host and network. In the end, it will give you a nice summary of the results.
If you want more details on the alerts, type cd / var / log and then type sudo cat rkhunter.log to view the entire log file and warning explanations. You don’t have to worry too much about startup file commands or messages as they are normally OK. The main thing is that nothing was found when checking rootkits.
chkrootkit is a free tool that will check locally for signs of a rootkit. It currently controls about 69 different rootkits. Go to the site, click on Download at the top and then click on chkrootkit latest source tarball to download the tar.gz file.
Go to the Downloads folder on your Mac and double-click the file. This will unzip it and create a folder in the Finder called chkrootkit-0.XX. Now open a Terminal window and go to the uncompressed directory.
Basically, cd into the Downloads directory and then into the chkrootkit folder. Once there, type the command to create the program:
sudo make sense
You don’t have to use the I sweat command here, but as it requires root privileges to run I have included it. Before the command works, you may get a message saying that the development tools must be installed in order to use the give command.
Go ahead and click on To install to download and install the commands. Once completed, rerun the command. You may see a lot of warnings, etc., but ignore them. Finally, you will type the following command to run the program:
You should see output like the one shown below:
You will see one of three output messages: not infected, not tested And not found. Not infected means that it did not find any rootkit signature, not found means that the command to be tested is not available and not tested means that the test was not run for various reasons.
Hopefully everything comes out uninfected, but if you see any infections, your machine has been compromised. The developer of the program writes in the README file that you should basically reinstall the OS to get rid of the rootkit, which is basically what I suggest too.
ESET Rootkit Detector
ESET Rootkit Detector is another free program that is much easier to use, but the main drawback is that it only works on OS X 10.6, 10.7 and 10.8. Considering that OS X is close to 10.13 right now, this program won’t be useful for most people.
Unfortunately, there aren’t many programs out there that check for rootkits on the Mac. There are a lot more of them for Windows and it’s understandable since the Windows user base is much larger. However, using the tools above, you should have a decent idea of whether or not a rootkit is installed on your machine. Have a good time!