If your Mac isn’t behaving properly and you suspect a rootkit, you’ll need to download and run several different scanners, not just one. It should be noted that a rootkit can be installed without you noticing anything at all.
What makes a rootkit special is that it hides: it conceals its own files, processes and network connections (and often those of other malware) from the user and from the operating system’s usual tools, typically by running with root or kernel privileges. Usually it also gives someone remote, administrator-level control of your computer without your knowledge. Once someone has that access, they can simply spy on you, or they can make any change they want to your computer. The reason you have to try different scanners is that rootkits are, by design, notoriously hard to detect.
For me, if I even suspect there is a rootkit on a client’s machine, I immediately back up the data and do a clean install of the operating system. This is clearly easier said than done, and it’s not something most people are willing to do. If you’re not sure whether you have a rootkit, use the following tools in the hope of uncovering one. If nothing shows up across multiple tools, you’re probably fine, but keep in mind that a clean result from scanners running on the possibly infected system is reassuring rather than proof: hiding from exactly those tools is what a rootkit is built for.
If a rootkit is found, you decide whether the removal was successful or whether you should just start over with a clean install. It’s also important to reiterate that since OS X is UNIX-based, a lot of scanners use the command line and require quite a bit of technical know-how. Since this blog is geared towards beginners, I’ll try to stick to the easiest tools you can use to detect rootkits on your Mac.
Malwarebytes for Mac
The most user-friendly program you can use to find and remove rootkits on your Mac is Malwarebytes for Mac. It’s not just for rootkits, but for any Mac virus or malware.
You can download the free trial and use it for up to 30 days. It costs $40 if you want to buy the program and get real-time protection. This is the easiest program to use, but it also can’t find rootkits that are really well hidden, so if you can spend some time with the command line tools below you’ll get a much better answer on whether or not you have a rootkit.
Rootkit Hunter
Rootkit Hunter (rkhunter) is my favorite tool for finding rootkits on a Mac. It’s relatively easy to use and the output is easy to understand. First, go to the download page and click the green download button.
Go ahead and double-click the .tar.gz file to extract it. Then, open a Terminal window and navigate to the extracted folder using the cd command.
Once there, you need to run the installer.sh script with the --install option (note the two dashes). To do this, use the following command:
sudo ./installer.sh --install
You will be prompted for your password to run the script.
If all goes well, you should see some lines about the installation starting and directories being created. At the end it will say that the installation is complete.
Before running the actual rootkit scan, you must build rkhunter’s file properties database. This is a record of the hashes and attributes of the system’s commands that later scans compare against, so it should be created on a machine you believe is clean (ideally right after a fresh install). To do this, type the following command:
sudo rkhunter --propupd
You will get a short message saying the file properties database was updated. Now you can finally run the actual rootkit check. To do that, use the following command:
sudo rkhunter --check
The first thing it does is check the system commands against the properties database. Here you want to see green OK everywhere; the fewer red Warning results, the better. When that section is done, press Enter and it will start checking for known rootkits.
Here you want to make sure every line says Not found. If anything in this section shows up in red, treat it as a serious sign that a rootkit is installed and investigate before you do anything else on the machine. Finally, it will do some checks on the file system, local host and network. At the end it gives you a summary of the results.
If you want more details about the warnings, type cd /var/log and then sudo cat rkhunter.log to see the full log file with an explanation for each warning. On a Mac, warnings that a command “has been replaced by a script” or messages about startup files are usually benign (several built-in commands really are scripts), but read the explanation in the log before dismissing one rather than assuming. The main thing is that nothing is found in the rootkit checks.
chkrootkit
chkrootkit is a free tool that checks a machine locally for signs of rootkits. It currently tests for about 69 different rootkits. Go to the website, click Download at the top and then click chkrootkit latest tarball source to download the tar.gz file.
Go to the Downloads folder on your Mac and double-click the file. This will unpack it and create a folder in Finder named chkrootkit-0.XX. Now, open a Terminal window and navigate to the unpacked folder.
Basically you cd into the Downloads folder and then into the chkrootkit folder. Then, type the command to build the program:
sudo make sense
You don’t have to use sudo for the build itself, but since chkrootkit needs root privileges to run, I included it. Before the command works, you may get a message saying that the command line developer tools need to be installed in order to use make.
Go ahead and click Install to download and install the developer tools. Once done, run the make command again. You may see a bunch of compiler warnings, but you can ignore them. Finally, run the program itself from the same folder with the following command:
sudo ./chkrootkit
The output is a long list of checks, each ending with a result.
Each check ends with one of three results: not infected, not tested or not found (plus INFECTED if something is detected). not infected means it didn’t find any rootkit signatures, not found means the command being checked isn’t present on the system, and not tested means the check wasn’t performed for one reason or another (the test is specific to another OS, or it depends on a program that isn’t available).
Hopefully everything comes back not infected, but if you see INFECTED anywhere, your machine is compromised. The developer of the program writes in the README file that you should basically reinstall the operating system to get rid of the rootkit, which is basically what I recommend too.
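To tie the rkhunter and chkrootkit steps above together, here is an added example (not from the original post, and not rkhunter’s or chkrootkit’s own code): a few shell functions that run both scanners the way the post describes and then pick out the lines that matter from their output. It assumes rkhunter was installed with sudo ./installer.sh --install and writes its log to /var/log/rkhunter.log as the post says, and that chkrootkit was built with make sense in the folder named by CHKROOTKIT_DIR (the default path below is a placeholder). The sample log lines at the bottom are constructed, not captured from a real scan, so the parsers can be tried without installing anything.

```shell
#!/bin/sh
# Added example (not from the original post, nor rkhunter's or chkrootkit's
# own code). Assumptions: rkhunter installed via "sudo ./installer.sh --install"
# with its log at /var/log/rkhunter.log; chkrootkit built with "make sense"
# in $CHKROOTKIT_DIR (placeholder path, adjust to your extracted folder).

RKHUNTER_LOG="${RKHUNTER_LOG:-/var/log/rkhunter.log}"
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-$HOME/Downloads/chkrootkit-0.XX}"  # assumed path
CHKROOTKIT_OUT="${CHKROOTKIT_OUT:-$HOME/chkrootkit.out}"

# The rkhunter steps from the post, made non-interactive: refresh the file
# properties database, then run the checks without pausing for Enter after
# each section (--sk) and printing only warnings on screen (--rwo).
# Everything still goes to the log file for review.
rkhunter_scan() {
    sudo rkhunter --propupd
    sudo rkhunter --check --sk --rwo
}

# Run chkrootkit from its build folder (it must run as root) and keep a copy
# of the output so it can be searched afterwards.
chkrootkit_scan() {
    (cd "$CHKROOTKIT_DIR" && sudo ./chkrootkit) | tee "$CHKROOTKIT_OUT"
}

# --- Parsers. Each prints a value and always exits 0, so they are safe
# --- to call from scripts that use "set -e".

# Total number of "Warning:" lines in an rkhunter log.
rkhunter_warning_count() {
    awk '/Warning:/ { n++ } END { print n + 0 }' "$1"
}

# Warnings other than the "replaced by a script" notice, which is routine on
# macOS because several commands under /usr/bin really are scripts.
rkhunter_hard_warnings() {
    grep 'Warning:' "$1" | grep -v 'replaced by a script' || true
}

# The "Possible rootkits" figure from the summary at the end of the log.
# Prints nothing if the summary is missing, i.e. the scan did not finish.
rkhunter_possible_rootkits() {
    sed -n 's/.*Possible rootkits: *\([0-9][0-9]*\).*/\1/p' "$1"
}

# chkrootkit marks hits in upper case, so a case-sensitive match on INFECTED
# skips the harmless "not infected" results.
chkrootkit_infected() {
    grep 'INFECTED' "$1" || true
}

chkrootkit_infected_count() {
    awk '/INFECTED/ { n++ } END { print n + 0 }' "$1"
}

# --- Constructed sample output (NOT captured from a real scan).

write_sample_rkhunter_log() {
    sample_rk=$(mktemp)
    cat > "$sample_rk" <<'EOF'
[10:01:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl script text executable
[10:01:02] Warning: The command '/usr/bin/pod2man' has been replaced by a script: /usr/bin/pod2man: a /usr/bin/perl script text executable
[10:01:05]   Checking for Adore Rootkit                        [ Not found ]
[10:01:07] Warning: Hidden file found: /usr/local/bin/.cache: data
[10:01:30] Possible rootkits: 0
EOF
    echo "$sample_rk"
}

write_sample_chkrootkit_output() {
    sample_ck=$(mktemp)
    cat > "$sample_ck" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524)
Checking `lkm'... not tested
EOF
    echo "$sample_ck"
}

# Demo on the constructed samples; no scan is started. To scan for real,
# source this file, call rkhunter_scan and chkrootkit_scan, then point the
# parsers at "$RKHUNTER_LOG" and "$CHKROOTKIT_OUT".
demo_rk=$(write_sample_rkhunter_log)
demo_ck=$(write_sample_chkrootkit_output)
echo "rkhunter: $(rkhunter_warning_count "$demo_rk") warning(s), possible rootkits: $(rkhunter_possible_rootkits "$demo_rk")"
echo "rkhunter warnings worth reading:"
rkhunter_hard_warnings "$demo_rk"
echo "chkrootkit: $(chkrootkit_infected_count "$demo_ck") INFECTED line(s)"
chkrootkit_infected "$demo_ck"
rm -f "$demo_rk" "$demo_ck"
```

The split between rkhunter_warning_count and rkhunter_hard_warnings is the point: on a Mac the "replaced by a script" warnings pile up and drown out the one or two lines that actually deserve attention, so filter them out for the summary but still read the full log before trusting a clean result.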
ESET Rootkit Detector
ESET Rootkit Detector is another free program that is much easier to use, but the main downside is that it only works on OS X 10.6, 10.7 and 10.8. Considering OS X is almost up to 10.13 right now, this program won’t be useful for most people.
Unfortunately, there aren’t many programs that check for rootkits on a Mac. There are a lot more for Windows, which is understandable since the Windows user base is so much larger. However, by using the above tools, hopefully you’ll know whether or not a rootkit is installed on your machine. Enjoy!