A Mac OS X Rootkit Uses the Tricks You Haven’t Known Yet 3 - Benefits of the Host Privilege

This part of the Black Hat presentation by representatives of Team T5 Research is dedicated to the nuances of host privilege on Mac OS X and what can be done with it. In particular, it highlights the ways such permissions can be granted to a normal user. Additionally, the experts describe a method for bypassing kernel module verification and show the process of loading a kernel module in a demo.

John Dee
A Mac OS X Rootkit Uses the Tricks You Haven’t Known Yet 2 - Detecting a Process Hidden by Rubilyn

Taiwanese researcher Sung-ting Tsai, aka TT, now delves deeper into the ins and outs of process hiding on Mac OS X, in particular through the use of the Rubilyn rootkit. The flip side of the coin, detecting a process that has been hidden, is analyzed as well to show how user mode can be helpful in this context. Demos show these tricks in action.

John Dee
You Can’t See Me: A Mac OS X Rootkit Uses the Tricks You Haven’t Known Yet

During their presentation at Black Hat Asia 2014, Team T5 researchers Sung-ting Tsai and Ming-chieh Pan demonstrate some tricks for advanced process hiding in Mac OS X. In essence, this is activity powered by a rootkit, such as Rubilyn, which can make an arbitrary process invisible to the standard enumeration methods. TT and Nanika also highlight methods for direct kernel task access and for gaining root permission.

John Dee
Remove Flipora search (static.flipora.com) from Safari/Firefox/Chrome on Mac

The Flipora service hosted at static.flipora.com is an old timer in the shady web environment. Although whoever is in charge has clearly put a good deal of effort into it, this provider relies on aggressive user involvement, with a measure of misinformation as well. This tutorial of ours highlights the main adware injection techniques and provides a fix for this security problem.

John Dee
Remove MacSmart ads from Mac OS X (Safari, Chrome, Firefox removal)

Mac users have been finding themselves in the uncomfortable situation of MacSmart ads popping up on random websites. This is in fact an adware problem, because the administrators of the visited sites have nothing to do with the sponsored content. Instead, a hard-to-remove browser add-on compatible with Safari, Chrome and Firefox generates the advertisements and price comparisons. Since this issue has a distinctly malicious coloring, it has been thoroughly analyzed by the MacSecurity team and is fully described in this article, with clear removal steps provided as well.

John Dee
Remove Only Search virus (Only-Search.com) from Safari/Chrome/Firefox on Mac OS X

Out of the entire mass of Mac infections currently in the wild, adware apps prevail by far. These are samples of intrusive code that affect one's web browsing by inserting advertisements into websites or redirecting the user's traffic. Only Search exemplifies the latter group of adware. It alters browser preferences so that the victim is repeatedly taken to its landing page, only-search.com. The present post includes technical details about the threat and provides a repair method to restore normal Internet surfing.

John Dee