How to Check Your Mac for Rootkits
If your Mac is acting strangely and you suspect a rootkit, then you’ll need to get to work downloading and scanning with several different tools. It’s worth noting that you could have a rootkit installed and not even know it.
The main distinguishing factor that makes a rootkit special is that it gives someone remote administrator control over your computer without your knowledge. Once someone has access to your computer, they can simply spy on you or they can make any change they want to your computer. The reason why you have to try several different scanners is that rootkits are notoriously hard to detect.
For me, if I even suspect there is a rootkit installed on a client computer, I immediately back up the data and perform a clean install of the operating system. This is obviously easier said than done and it’s not something I recommend everyone do. If you’re not sure if you have a rootkit, it’s best to use the following tools in the hopes of discovering the rootkit. If nothing comes up using multiple tools, you’re probably OK.
If a rootkit is found, it’s up to you to decide whether the removal was successful or whether you should just start from a clean slate. It’s also worth mentioning that since OS X is based on UNIX, a lot of the scanners use the command line and require quite a bit of technical know-how. Since this blog is geared towards beginners, I’m going to try to stick to the easiest tools that you can use to detect rootkits on your Mac.
Malwarebytes for Mac
The most user-friendly program you can use to remove any rootkits from your Mac is Malwarebytes for Mac. It’s not just for rootkits, but also any kind of Mac viruses or malware.
You can download the free trial and use it for up to 30 days. The cost is $40 if you want to purchase the program and get real-time protection. It’s the easiest program to use, but it’s also probably not going to find a really hard-to-detect rootkit, so if you can take the time to use the command line tools below, you’ll get a much better idea of whether or not you have a rootkit.
Rootkit Hunter
Rootkit Hunter is my favorite tool to use on the Mac for finding rootkits. It’s relatively easy to use and the output is very easy to understand. Firstly, go to the download page and click on the green download button.
Go ahead and double-click on the .tar.gz file to unpack it. Then open a Terminal window and navigate into the unpacked directory using the cd command.
Once there, you need to run the installer.sh script. To do this, use the following command:
sudo ./installer.sh --install
You’ll be prompted to enter your password to run the script.
If all went well, you should see some lines about the installation starting and directories being created. At the end, it should say Installation Complete.
Before you run the actual rootkit scanner, you have to update the properties file. To do this, you need to type the following command:
sudo rkhunter --propupd
You should get a short message indicating that this process worked. Now you can finally run the actual rootkit check. To do that, use the following command:
sudo rkhunter --check
The first thing it’ll do is check the system commands. For the most part, we want green OKs here and as few red Warnings as possible. Once that is complete, you will press Enter and it’ll start checking for rootkits.
Here you want to ensure all of them say Not Found. If anything comes up red here, you definitely have a rootkit installed. Lastly, it’ll do some checks on the file system, local host, and network. At the very end, it’ll give you a nice summary of the results.
If you want more details about the warnings, type in cd /var/log and then type in sudo cat rkhunter.log to see the entire log file and the explanations for the warnings. You don’t have to worry too much about the commands or startup files messages as those are normally OK. The main thing is that nothing was found when checking for rootkits.
chkrootkit
chkrootkit is a free tool that will locally check for signs of a rootkit. It currently checks for about 69 different rootkits. Go to the site, click on Download at the top and then click on chkrootkit latest Source tarball to download the tar.gz file.
Go to the Downloads folder on your Mac and double-click on the file. This will uncompress it and create a folder in Finder called chkrootkit-0.XX. Now open a Terminal window and navigate to the uncompressed directory.
Basically, you cd into the Downloads directory and then into the chkrootkit folder. Once there, you type in the command to make the program:
sudo make sense
You don’t have to use the sudo command here, but since it requires root privileges to run, I have included it. Before the command will work, you might get a message saying the developer tools need to be installed in order to use the make command.
Go ahead and click on Install to download and install the commands. Once complete, run the command again. You may see a bunch of warnings, etc., but just ignore those. Lastly, you will type the following command to run the program:
sudo ./chkrootkit
You should see some output like what is shown below:
You’ll see one of three output messages: not infected, not tested and not found. Not infected means it didn’t find any rootkit signature, not found means the command to be tested is not available and not tested means the test was not performed due to various reasons.
Hopefully, everything comes out not infected, but if you do see any infection, then your machine has been compromised. The developer of the program writes in the README file that you should basically reinstall the OS in order to get rid of the rootkit, which is basically what I also suggest.
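The two command-line procedures above (Rootkit Hunter: installer.sh --install, rkhunter --propupd, rkhunter --check; chkrootkit: make sense, ./chkrootkit), scripted end to end as an added example. This is not code from the article or from either project. It assumes the two tarballs were unpacked into the placeholder directories RKH_SRC and CHK_SRC and that rkhunter is on PATH after installation; the sample log lines inside the block are constructed for the dry run and are not real scan results. Rather than reading green and red off the screen, it tallies each tool's verdicts so the result can be checked from a script or a cron job.

```shell
#!/bin/sh
# Added example, not code from the article or from the rkhunter/chkrootkit
# projects. Scripts the two procedures described above and triages each
# tool's output. RKH_SRC and CHK_SRC are assumed unpack directories.

RKH_SRC="${RKH_SRC:-$HOME/Downloads/rkhunter-src}"      # assumed unpack dir
CHK_SRC="${CHK_SRC:-$HOME/Downloads/chkrootkit-src}"    # assumed unpack dir
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"              # log path from the article

# --- Rootkit Hunter -------------------------------------------------------

# Install, refresh the file-property baseline, then check. --sk skips the
# "press Enter" pauses and --rwo prints only warnings, so the run works
# unattended; the full detail still lands in $RKH_LOG.
run_rkhunter_scan() {
    (cd "$RKH_SRC" && sudo ./installer.sh --install) || return 1
    sudo rkhunter --propupd || return 1
    sudo rkhunter --check --sk --rwo
}

# Count "[ Not found ]" rootkit results and lines mentioning Warning in an
# rkhunter log. Prints "not_found=N warnings=N".
summarize_rkhunter_log() {
    log="${1:-$RKH_LOG}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    not_found=$(grep -c '\[ Not found \]' "$log" || true)
    warnings=$(grep -c 'Warning' "$log" || true)
    echo "not_found=$not_found warnings=$warnings"
}

# Succeeds only when the log contains no Warning lines at all.
rkhunter_log_is_clean() {
    ! grep -q 'Warning' "${1:-$RKH_LOG}"
}

# --- chkrootkit -----------------------------------------------------------

# Build with the project's own "make sense" target, then run the checker,
# saving everything it prints to the file named in $1 for triage.
run_chkrootkit_scan() {
    out="${1:-/tmp/chkrootkit.out}"
    (cd "$CHK_SRC" && make sense && sudo ./chkrootkit) > "$out" 2>&1
}

# chkrootkit prints one verdict per test: "not infected", "not tested",
# "not found", or the upper-case word INFECTED. Tally each of them.
# Prints "infected=N not_infected=N not_tested=N not_found=N".
summarize_chkrootkit_output() {
    out="$1"
    [ -r "$out" ] || { echo "cannot read $out" >&2; return 2; }
    infected=$(grep -c 'INFECTED' "$out" || true)
    not_infected=$(grep -c 'not infected' "$out" || true)
    not_tested=$(grep -c 'not tested' "$out" || true)
    not_found=$(grep -c 'not found' "$out" || true)
    echo "infected=$infected not_infected=$not_infected not_tested=$not_tested not_found=$not_found"
}

# Succeeds only when no test reported INFECTED.
chkrootkit_output_is_clean() {
    ! grep -q 'INFECTED' "$1"
}

# --- Constructed samples (not real scan results) for an offline dry run ----

write_sample_rkhunter_log() {
    cat > "$1" <<'EOF'
[10:00:01]   Checking for Adore Rootkit                [ Not found ]
[10:00:01]   Checking for Apache Worm                  [ Not found ]
[10:00:02] Warning: The file properties have changed:
[10:00:02]          File: /usr/bin/ls
EOF
}

write_sample_chkrootkit_output() {
    cat > "$1" <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `login'... INFECTED
Checking `lkm'... not tested
EOF
}

# Dry run over the constructed samples only: no sudo, no downloads.
demo() {
    tmpd=$(mktemp -d)
    write_sample_rkhunter_log "$tmpd/rkhunter.log"
    write_sample_chkrootkit_output "$tmpd/chkrootkit.out"
    summarize_rkhunter_log "$tmpd/rkhunter.log"
    summarize_chkrootkit_output "$tmpd/chkrootkit.out"
    rm -rf "$tmpd"
}
```

Source the file and call demo to see the triage on the constructed samples; on a real Mac, call run_rkhunter_scan followed by summarize_rkhunter_log, and run_chkrootkit_scan /tmp/chkrootkit.out followed by summarize_chkrootkit_output /tmp/chkrootkit.out. The two *_is_clean functions give a plain exit status, which is what you want when the checks run on a schedule. The counting deliberately stays coarse (any Warning line, any INFECTED line), matching the article's advice: a single red result is reason to read the log and consider a clean reinstall, not something to explain away.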
ESET Rootkit Detector
ESET Rootkit Detector is another free program that is much easier to use, but the main downside is that it only works on OS X 10.6, 10.7 and 10.8. Considering OS X is almost to 10.13 right now, this program won’t be helpful for most people.
Unfortunately, there aren’t many programs out there that check for rootkits on Mac. There are a lot more for Windows and that’s understandable since the Windows user base is so much larger. However, using the tools above, you should hopefully get a decent idea of whether or not a rootkit is installed on your machine. Enjoy!