How to Check Your Mac for Rootkits.
If your Mac is behaving strangely and you suspect a rootkit is present, you will need to download and scan with several different tools. It's worth noting that you could have a rootkit installed and not even know about it.
What makes a rootkit special is that it gives a remote attacker administrator-level control of your computer without your knowledge, and that it hides its own presence (processes, files, network connections) from the operating system and the usual tools. Once someone has that access, they can simply spy on you or make whatever changes they want. The reason you need to try several different scanners is that rootkits are notoriously difficult to detect: each tool checks different things, and a rootkit that slips past one may be caught by another.
As for me, if I even suspect that a rootkit is installed on a client's computer, I immediately back up the data and perform a clean install of the operating system. Obviously, this is easier said than done, and I don't recommend it for everyone. If you are not sure whether you have a rootkit, try the tools below. If several of them come back clean, a rootkit is less likely, but a clean scan is not proof of a clean machine: a rootkit that hides from every scanner you ran is exactly what these tools can miss, so keep in mind whatever behaviour made you suspicious in the first place.
If a rootkit is found, it is up to you to decide if the removal was successful or if you should start from scratch. It’s also worth mentioning that since OS X is based on UNIX, many scanners use the command line and require some technical know-how. Since this blog is geared towards beginners, I’ll try to use the simplest tools you can use to detect rootkits on your Mac.
The handiest program you can use to find and remove rootkits from your Mac is Malwarebytes for Mac. This applies not only to rootkits, but also to viruses and other malware for Mac.
You can download a free trial and use it for up to 30 days. It costs $40 if you want to buy the program and get real-time protection. It's the easiest program to use, but it is a general-purpose malware scanner rather than a dedicated rootkit detector, so if you take the time to use the command-line tools below, you'll get a much better idea of whether you really have a rootkit.
Rootkit Hunter is my favorite tool for finding rootkits on Mac. It is relatively easy to use and the output is very easy to understand. First go to the download page and click the green download button.
Double-click the .tar.gz file to extract it. Then open a Terminal window and change into the extracted directory with the cd command.
Once there, you need to run the installer.sh script. To do this, use the following command:
sudo ./installer.sh --install
You will be prompted for a password to run the script.
If all went well, you should see a few lines about starting the installation and the directories being created. At the end, the message “Installation completed” should appear.
Before running the real rootkit scan, you need to build the file-properties database that rkhunter compares against. This records the hashes and attributes of the system commands, so it must be done on a system you believe is clean: if the machine is already compromised, --propupd will record the tampered files as normal and the check will never flag them. Enter the following command:
sudo rkhunter --propupd
You should receive a short message that this process has been completed. Now you can finally run a real rootkit scan. To do this, use the following command:
sudo rkhunter --check
First it checks the system commands. Here we want green OKs and as few red warnings as possible. When that is complete, press Enter and it will start checking for known rootkits.
This is where you want every entry to say "Not found". If anything appears in red here, treat the machine as compromised until you have read the log entry and ruled out a false positive. Finally, it runs some checks on the filesystem, the local host, and the network. At the very end, you get a good summary of the results.
If you want more detailed information about the warnings, enter cd /var/log and then sudo cat rkhunter.log to view the entire log file, which includes an explanation for each warning. Warnings in the system-command and startup-file sections are often benign (a command that is a script rather than a binary, or a macOS update that replaced a binary after the baseline was taken), but each one should be explained rather than ignored. The main thing is that nothing turns up in the rootkit checks.
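The propupd/check pair above is a file-properties baseline: --propupd records what the system commands look like, --check re-measures them and warns about differences. The script below is an added example, not part of this post and not rkhunter's own code; it reproduces that idea on a throwaway directory of constructed stand-in "binaries" (the paths, file names and the simulated tampering are all made up for the demonstration) and then shows why taking the baseline on an already-compromised machine is a trap.

```shell
#!/bin/sh
# Added example, not part of the original post and not rkhunter's own code.
# It reproduces, in a few lines, the idea behind "rkhunter --propupd" (take a
# baseline of the system binaries' properties) and "rkhunter --check" (compare
# the live files against that baseline). Everything it hashes lives in a
# temporary directory with constructed stand-in "binaries"; no real system
# file is touched.

# SHA-256 of one file. macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# propupd_like DIR DBFILE: record "hash size path" for every regular file under
# DIR (paths without spaces, as in real system directories). This is the
# equivalent of --propupd: whatever state the files are in NOW becomes "normal".
propupd_like() {
    find "$1" -type f | sort > "$2.paths"
    : > "$2"
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f" >> "$2"
    done < "$2.paths"
    rm -f "$2.paths"
}

# check_like DIR DBFILE: the equivalent of --check for the file-properties test.
# Prints one "Warning:" line per changed, added or missing file and returns 1;
# prints OK and returns 0 when everything still matches the baseline.
check_like() {
    current=$(mktemp)
    propupd_like "$1" "$current"
    warnings=$(awk '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
        {
            seen[$3] = 1
            if (!($3 in base))              print "Warning: file not in baseline: " $3
            else if (base[$3] != $1 " " $2) print "Warning: file properties changed: " $3
        }
        END { for (p in base) if (!(p in seen)) print "Warning: baselined file missing: " p }
    ' "$2" "$current")
    rm -f "$current"
    if [ -z "$warnings" ]; then
        echo "OK: all file properties match the baseline"
        return 0
    fi
    printf '%s\n' "$warnings"
    return 1
}

# Walk through the three situations the rkhunter section raises: a clean
# baseline followed by a clean check, a tampered binary caught by the check,
# and the trap of re-running --propupd on an already-compromised system.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'echo ls\n'      > "$work/bin/ls"        # constructed stand-in binaries
    printf 'echo netstat\n' > "$work/bin/netstat"
    db="$work/rkhunter.dat"

    propupd_like "$work/bin" "$db"                                # baseline taken while clean
    check_like "$work/bin" "$db" && first=clean || first=warn     # expected: OK

    printf 'echo netstat; nc -l 4444 &\n' > "$work/bin/netstat"  # simulated trojaned binary
    check_like "$work/bin" "$db" && second=clean || second=warn   # expected: Warning

    propupd_like "$work/bin" "$db"                                # --propupd AFTER the compromise...
    check_like "$work/bin" "$db" && third=clean || third=warn     # ...blesses the trojan: OK again

    rm -rf "$work"
    [ "$first" = clean ] && [ "$second" = warn ] && [ "$third" = clean ]
}

demo
```

The third step is the one to remember: a baseline is only as trustworthy as the system it was taken on, which is why --propupd belongs right after a clean install (and again after each OS update), not after the machine has started acting strangely.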
chkrootkit is a free tool that checks the local system for rootkits. It currently checks for about 69 different rootkits. Go to the site, click Download at the top, and then click Latest chkrootkit source archive to download the tar.gz file.
Go to the Downloads folder on your Mac and double-click the file. This will unpack it and create a folder in Finder named chkrootkit-0.XX. Now open a terminal window and change to the uncompressed directory.
Usually you go to the Downloads directory and then to the chkrootkit folder. Once there, you enter the command to create the program:
sudo make sense
sudo isn't needed for the build itself (compiling as a normal user is fine); it's running chkrootkit that requires root privileges, which is why I included it. Before the command works, you may get a message that the developer tools (the Xcode Command Line Tools) must be installed to use make.
Go ahead and click Install to download and install them. When finished, run the make command again. You may see a lot of compiler warnings; just ignore them. Finally, run the program with the following command:
sudo ./chkrootkit
The output is one line per check, each ending in a verdict. You will mostly see one of three messages: "not infected", "not found", and "not tested". "Not infected" means no rootkit signature was found in that command, "not found" means the command being checked does not exist on this system (common on a Mac, since many of the commands chkrootkit looks for are Linux or BSD specific), and "not tested" means the check could not be performed for some reason. The verdict you never want to see is "INFECTED".
Let's hope everything turns out clean, but if any check comes back INFECTED, your machine has been compromised. The developer writes in the README file that you should reinstall the OS to get rid of the rootkit, which is what I suggest too.
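Because a Mac run of chkrootkit produces a long list of "not found" lines that are easy to mistake for bad news, it helps to triage the output mechanically. The script below is an added example, not part of this post and not chkrootkit's own code: it sorts the lines of a run into the verdicts described above and fails only on INFECTED. The sample output inside it is constructed to resemble a run on a Mac; it is not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the original post and not chkrootkit's own code.
# It sorts the lines of a chkrootkit run into the verdicts the post describes and
# fails (exit 1) only when a check reports INFECTED. The sample below is
# constructed to look like a run on a Mac (many "not found" lines, because
# chkrootkit looks for Linux/BSD commands); it is not output from a real machine.

sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `ifconfig'... not infected
Checking `lkm'... not tested
Checking `login'... INFECTED
Checking `sniffer'... not tested: can't exec ./ifpromisc
Searching for Suckit rootkit... nothing found
Checking `aliens'... no suspect files
EOF
}

# triage: read chkrootkit output on stdin, print an ALERT line for every
# INFECTED check plus a one-line summary, and return 1 if any were seen.
# "not found" is counted separately because it is NOT a finding: it only means
# the binary chkrootkit wanted to test does not exist on this system.
triage() {
    awk '
        /\.\.\. INFECTED/                  { infected++; print "ALERT: " $0; next }
        /\.\.\. not infected/              { clean++;    next }
        /\.\.\. not found/                 { absent++;   next }
        /\.\.\. not tested/                { skipped++;  next }
        /nothing found$|no suspect files$/ { clean++;    next }
        END {
            printf "not infected: %d, not found: %d, not tested: %d, INFECTED: %d\n",
                   clean, absent, skipped, infected
            exit (infected > 0) ? 1 : 0
        }'
}

# infected_count: just the number of INFECTED verdicts, for use in other scripts.
infected_count() {
    awk '/\.\.\. INFECTED/ { n++ } END { print n + 0 }'
}

# Stand-alone run: on a real machine replace sample_output with "sudo ./chkrootkit".
sample_output | triage || echo "exit status $?: treat this machine as compromised"
```

Piping a real run through triage (sudo ./chkrootkit | triage) gives you a non-zero exit status you can act on from a script, while the summary line makes the harmless "not found" count obvious at a glance.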
ESET Rootkit Detector is another free program that is much easier to use, but its main drawback is that it only works on OS X 10.6, 10.7, and 10.8. Considering OS X is now nearly 10.13, this program won’t be useful for most people.
Unfortunately, there are not many programs that check for rootkits on a Mac. There are far more for Windows, which is understandable since the Windows user base is much larger. However, by using the tools listed above, you will hopefully get a good idea of whether you have a rootkit installed on your computer. Enjoy!