2013-12-31

#Apple #iMac #badBIOS #malware

12.15: summary:
. my 2008 imac seemed infected by opening pdf's,
and I suspected it was #badBIOS malware;
because, it gave my dvd player troubles:
it made the os x installer disk unreadable,
and it also seemed to be coming from firmware,
as even after I reinstalled the OS via download,
and hadn't opened any more pdf's or javascript,
I still seemed to get infected again .
. my troubles started with finding a new pdf library,
and I ended up finally replacing my sick mac
with a chromebook featuring verified boot!

10.3: mis.cyb/mac.vmware.xu.firefox
.ftp(foreign dev site)/maxing cpu:
. this mac is running the mac's pdf viewer
and various linux virtual machines (vm)
[xu = uniX Ubuntu linux vm]
within the Vmware Fusion hypervisor app
(it also does Windows but it's been a long time
since I've used Vista or XP on this mac).
. I was googling for software developer books,
and found a lot of pdfs at one foreign site;
I'm getting mostly unhindered access,
with only a few times it demands a login .
. then at 6:04am,
 not only did it ask for a login,
but it also began commandeering my cpu
and making my text editor very slow .
. while I was logging this, at 6:12am,
there was a 2nd wave of cpu hijack,
that was also affecting the mac speed .
. for the latest successful download,
I used linux to see it was a working pdf,
but it caused linux to need a restart;
so, I tried it again via mac's pdf viewer
and that did work but with slow scrolling
unless I made the pages very tiny .

10.12: mis.cyb/mac
/infection meant only to kill my zombie?:
. what if my mac was already infected,
and while I assumed I was just looking at books,
my mac was actually a zombie,
trying to infect every site it visited,
so the admin of the pdf library site
sent a counter-infection to disable my zombie mac;
so it would stop infecting the net .
. the reason to suspect that my mac
already had malware a long time,
is that the mac never notified me of updates
until the recent malware infection
started competing for my machine .
. the whole reason I got the
upgrade to OS X Mountain Lion
is so it would auto-update,
or autocheck for updates,
and it never did either until this catastrophe
(when I did ask it to check for updates,
it did have some waiting,
so I'm sure the Friendly mac was sick ).
[12.15:
. the first time I suspected my mac was infected
was after installing some software into a
virtual machine running Windows Vista .
. I also have a long history of opening pdf's
which I found via google searches .
. I've also shared the mac's usb card reader
with a laptop running Ubuntu linux,
and dual-booting Windows XP .
. the #badBIOS usb firmware malware 
can install a rootkit within the mac's
motherboard's BIOS and peripheral chip firmwares .]

10.9: todo.cyb/sec
/does reformat flush malware from usb stick?:
[13: also depends on where the malware is coming from!]
[12.15: no:
. malware may be in the firmware of
the usb stick's or sd card reader's microcontroller .]

mis.cyb/mac.vmware.xu/freeze with white screen:
. not an easy time getting mac to restart:
it keeps coming back to the recover menu?
pull plug for 2 min,
and restart without external drive plugged in,
and try cmd-alt-pr, but it shows a flashing folder icon
and seems to be going nowhere?
restart again without doing that ... ok .
. vmware is slow to restart the crashed linux .

mis.cyb/mac.vmware.xu.firefox
/resuming crashing pages causes slow-down:
. try to restart firefox with
crashed pages relaunched:
causes another freeze, ... but it came back
although things are still going slow .

mis.cyb/mac.vmware.xu.firefox.save
/frozen for a minute:
. still into downloading huge library of pdf's .
. downloading the next book is so slow
the save dialog is frozen for minute .

mis.cyb/mac.vmware.xu.firefox.save
/failure due to source file could not be read:
. firefox said the download could not be saved;
because, the source file could not be read,
and it said I should talk to the admin
-- it appears my librarian [the site with free books]
is also my "admin" [12.15:
. when firefox said "source file"
it meant the download was in my system's "tmp" folder,
and in order to save to my usual downloads folder
I would need read-access to that tmp folder
which apparently I no longer have because
the malware was able to change the permissions,
as if it were my admin .]

mis.cyb/mac.vmware.xu/vm is frozen:
. started writing in log,
collecting google url's from firefox,
and then xu froze again .

mis.cyb/mac/freeze with beachballing:
. mac's finder was not responding
and dictionary`close was unresponsive ?
try restart .

mis.cyb/mac/too slow even after restart:
. after restarting, mac is slow;
many permissions needed fixing,
and then I tried to verify the filesystem
before trying to copy for backup
which may not have helped the speed problem .

mis.cyb/mac.timemachine.restore
/allows only overwrite of backup with bad disk:
. opening a pdf with one of those apps
seems to have affected mac's TimeMachine (tm),
(that is the mac's backup utility).
. I can't restore at all!
[ and after several days of re-infection,
I wouldn't be able to download a new OS either .]
. it lets me select [restore from tm drive],
but then it says I selected [restore from mac drive],
and it intends to overwrite my tm drive .
[. part of that may have been a misunderstanding,
but then when choosing the destination
(ie, where to apply the restore to),
it would let me see only the tm drive
when I wanted to see only the mac's drive .]

news.cyb/mac/there is an update to apply:
. restarted into admin's acct,
and it said yes when I asked if
update software was needed;
maybe that will patch the malware I have ?

mis.cyb/mac.superdrive
/trouble recognizing some blank disks:
. cd and dvd player doesn't load unburned disks,
it spits them back out .

mis.cyb/mac.superdrive
/trouble burning may be from malware:
. how long has my cd drive been broken?
looking on the Apple store for a new burner
I see that there are many unhappy reviews:
there are surprising durability issues,
suggesting malware is the problem
not Apple's hardware quality .

mis.cyb/mac/restart from recover card fails:
. tried cmd-r with sd card#2 plugged in,
[that card has an OS X recovery partition]
and got the flashing folder icon again,
so then I tried option-restart and got nothing .

mis.cyb/mac
/having disk helps get to recover mode dialog:
. I put the os x disk in, and did cmd-r,
and it said hello which language,
but then took me into recovery mode,
and it's letting me reinstall from download,
(I vaguely recall being prevented from
doing that last time)
[ the problem was a child dialog was
hiding behind its parent dialog,
and I needed to respond to the child
to get a response from the parent .]
-- I found I could reinstall the OS
right after discovering I couldn't do
restore from tm drive .

10.4: mis.cyb/mac.recover.reinstall os
/trouble with hidden dialog overcome:
. when you go into mac's recover mode
you have the menu for restore or reinstall osx .
. when I tried to do a reinstall
it said my internet was down,
and then when I got it back up,
I'm back at the same menu for selecting install
but now the continue .button is greyed out,
so I hit command [close window] or esc or something
and it asks if I want to restart
or if want to choose a drive to restart from,
I choose to select drive
and instead of getting that
I see a dialog that had been hidden before:
it's the reinstall dialog saying
"the internet seemed down,
and if you got it up again,
here's a retry button to press ."
. so then os x is downloading  .
. the reason the continue button was greyed out,
is because it was expecting me to
respond to a child dialog;
but, it was placing the child behind the parent .
. that might be a malware manipulation
rather than being the mac's fault
(I'm in linux most of the time on mac).

10.4: news.cyb/mac.vmware
/acting ok after reinstall os:
. mac's acting ok for the bank vm
so the problem is not an infection of
the Vmware Fusion app itself .

mis.cyb/mac.vmware.xu 
/infected vm is still infecting wo net:
. try to open malware-crashed vm
to see if bad things still happen
even after vm restarts:
infected vm is still infecting
even without [obvious] access to net .

mis.cyb/mac/very slow after reinfection:
. trying mac's dictionary again, it was very slow
but the finder is doing better:
. while a folder copy was too slow
it did remain responsive for
receiving the undo button press
-- I couldn't tell if it was slow from malware,
or from the copy job being so large,
so that's why I quit it,
but that undo only made things worse,
everything was unresponsive,
the activity monitor seems to show no cpu
 (if its display is not frozen)
as if malware spends most time in a hoggy process
 that just halts .
. timemachine is running unexpectedly
as if the system files are changing;
what changes did it see?
-- todo: 
. find an app to find all recent changes .

mis.cyb/mac.timemachine
/forgot to see if reinstall fixed tm:
. before starting up the infected xu,
I should have checked to see if the tm restore worked .
... anyway if it was ok before,
then after opening xu or vmware
 it's messed up again now:
I can only restore backwards:
using the bad drive to overwrite my backup  .

mis.cyb/mac
/reinstall starts off with strange drawing:
. mac is done with reinstall,
but it starts up funny:
it opens with the top 1/4 of the desktop's image
scrambled, like it was a broken video connection .
I've seen that before but when?
not after a fresh install, right ?

news.cyb/mac.timemachine.restore
/possibly fixed by reinstall:
. before the reinstall
timemachine's restore seemed broken,
as it would not let me
select the proper destination .
. but it still shows as source "mac hd"
even though I selected the tm drive,
but at least now it's letting me
choose mac hd as the destination .

10.5: mis.cyb/mac.dvd burner
/failed first disk but not 2nd:
. try the dvd burner again,
it sounds like its trying to read the first part
but it's damaged so it retries for a dozen times
and then spits it out,
but that was just a damaged one?
[ no, that "unreadable" would be writable later;
anyway:]
the next one I try shows up writable,
so it's not the drive's fault
[12.15: yea?:
. maybe the malware failed to mess it up again,
or maybe the malware changed strategy ...] .

mis.cyb/mac.dvd burner/4hours and only half done:
. started burning dvd at 4:11, and at 8:00
it's only 56% done;
but, it's still making progress,
also the screen saver isn't working anymore .

mis.cyb/mac.dvd burner
/verify burn is slow too? malware is still here!:
. bad sign: the verif is taking a long time .

mis.cyb/mac.dvd burner
/verif is less than half done after 1.5 hour:
. at 12:35, it is 13% done
and at 14:00 it is 42% done .

mis.cyb/mac.dvd burner/quit verif:
. verif is too slow and not needed
so start up the vmware,
and test by copying cd to drive .

10.6: mis.cyb/mac.dvd burner
/problematic disk now ok:
. the blank dvd that was unreadable
is now recognized as writable .

mis.cyb/mac/updates/notification stale:
. mac still has a message saying
updates are available
and then when I click on it,
it opens app store which tells me
no updates are available .

10.8: mis.cyb/mac
/rare software notification may have been malware:
. I never before remember
the mac politely telling me
that updates were available;
and then when the app store opened
it claimed no updates?:
maybe that was malware adding that notification
so that I would have a button to launch more malware?
[12.15: maybe the malware has a sense of humor:
. one malware was hiding notifications,
so the next malware politely puts them back
but not in working order, just to say
"honey, I'm home!" .]

10.6: mis.cyb/mac/malware might not be removed:
(thumpy heart while reviewing mac log):
. given the strange behaviors after reinstall,
I worried that malware did something to my firmware
that is not fixed by a reinstall .
. is it safe to do banking on this machine?

10.7: mis.cyb/mac.vmware.xu.ko'edit
/freeze with beachballing:
. at 8:27, my keyboard is sick:
a double-enter keying adds a bracket;
then at 9:33 this:
first the freeze applied to ko'edit's cursor,
then I could cmd-tab into the mac,
but it was beachballing anything I touched on the mac,
so I did a hard reset .
... later it occurred to me
that I didn't consider how epub format
could be loaded with malware too:
. I had assumed only pdf format could be tricky;
but, a compromised pdf-to-epub converter
could be made to insert into the epub
javascript malware that was stored in the pdf .
. another theory is that
a reinstall didn't really help, because
there was a firmware re-write, [12.15:
so the only fix would be to
reprogram all the firmware on the motherboard
and on all usb devices .]

proj.cyb/mac/finally get to recover mode:
. restart mac into recover mode:
. it shows a flashing folder icon?
insert os x disk in drive;
it spits it out?
restart with recover mode and disk insert;
this time I'm able to get into recover mode;
but, it still spits out mac os disk?
anyway, I'm in: verify mac's hd [hard drive],
-- that has a progress bar
so if the next restart is taking too long
then I can see that it's not because of
auto-verifying after hard reset .

10.7: proj.cyb/mac
/verify found many dir's are permission'd as non-dir .

proj.cyb/mac/permissions
/changed only in itunes resources:
. see permissons of itunes.app/contents/resources/
(2dozen files in each language-oriented subfolder).
[see picts of which english resources
were mal-permission'd]
. some language versions had fewer files affected
than the english resource folder .
. apparently even if you don't use itunes
messing that up takes a long time to fix .
[ actually,
my itunes library had approx. 25 items]

proj.cyb/mac/after perm's fixed, verify hd again .

10.8: mis.cyb/mac.vmware.xu
/need to replace vm:
. I think the malware was epub javascript
and that my vm is still infected,
but it might take time to launch a heap attack
so I can likely still get out of mac ok;
once I shut down vm and restart mac,
I can copy a new vm and things should be fine .

mis.cyb/mac.vmware.xu.ko'edit
/infection from outside vm:
( I got into this new vm at 12:30,
it's now 13:41
) . I had just read the todo about
reporting the malware site to mywot,
and was reaching for the adds folder
to get the address,
when the mac beachballed .
. this is a fresh vm,
that has seen only gmail being used.
. I was reminded that this malware source
studies a lot of AI [artificial intelligence],
and could have a supervisor watching me .

mis.cyb/mac
/recover mode thought main drive was "media":
. mac had gone to sleep, and when I awoke it
I found it had shutdown my vm,
and the mac was beachballing,
so I restarted in recovery mode,
without pulling the external drive;
[that is where my vm's are located] .
. that was interesting to try; because,
what I found was surprising:
the disk utility said
my mac's hd was named "media"
(disk2 is the recovery partition):
. here is how it should normally look:
. so I restarted in recover mode again,
[ with the external drive removed? ]
and that flushed things back to normal .
. I set it to repairing permissions
instead of just checking them;
because, I was sure they would be wrong .
mis.cyb/mac
/the permission repair was "stopped by user"?:
. maybe I just clicked on it; so, try again,
and keep the cursor away from the stop button .

10.8: mis.cyb/mac
/malware may have aborted os reinstall:
. again it said user cancelled permission repair?
try the os reinstall:
when I come back it is starting over again
asking for my account again? this is a trick,
just escape from that window,
and below it you can see the progress on the download,
everything is ok;
but then it reverts to restore menu screen,
which might be a trick too,
just let it sit for hours and see if it restarts .
. in the mean time,
my chromebook with verified boot is heaven .

10.11: mis.cyb/mac.recovery.install os
/shouldn't have finished dialog?:
. maybe the mac cracker didn't have the ability to
stop the mac os download,
and it was only by re-running the
[start os download] dialog,
(and getting me to cancel it)
that could lead to that dialog's mgt
being able to cancel the dowload .
[12.15: so wishful:
. I would come to my senses soon .]

10.8: proj.cyb/mac/
recover mode only without external drive:
. reboot into recover mode:
not happening?
pull external drive and reboot:
ok? verify disk .

10.9: mis.cyb/mac/permissions
/grapher utility not reachable:
. for verifying permissions of utility/grapher,
it said operation not permitted .

10.16: cyb/mac/the pdf failure:
. the mac was infected from opening infected pdf's
either in mac's pdf viewer
or with vmware's linux viewer . [12.15:
. even if the malware was removable
(can you wipe rootkits out of all firmware
of all USB or IDE devices?)]
 it was not worth taking to the shop because
it would routinely freeze from a GPU crash;
it didn't crash when I first got it,
but then new software upgrades
were apparently overheating the GPU;
the recent OS that caused the freezes
was improved by having the GPU
do more work for the CPU,
instead of the GPU handling only the graphics;
and my favorite mac application, vmware fusion,
apparently made good use of the GPU,
with the help of the newer versions of OS X .

10.10: news.cyb/mac

/upgrade motherboard to end freezes?:

upgrading cpu only is chancy:
. yes the motherboard is replaceable;
but,  it is more expensive than a Qubes laptop:
 24" intel imac Bad logic board, 
can be replaced for the price of a new computer:
 $975.00 ..  $1,150 .

some think the mac's freezing is caused by heat:
. after malware symptoms, I'm getting the idea that
crackers exploit the gpu crashes
to gain control of the system .
. but they could be using the GPU without crashing it
and it is their overuse of it
that could be causing it to overheat .
. "(I installed the "Hardware Monitor" software,
which consistently shows that the crashes happen when
the GPU temperature gets to 56 degrees centigrade.)
. he installed fan improvements
but they were not enough to keep the heat down;
so, he warns, if you buy a new motherboard,
it will get fried too .
[12.15: however,
. some did claim to get relief from extra ventilation:
they actually carved out the back of their iMac,
and covered the hole with some metal screen .
. but I wasn't sure this mac was worth that trouble:
I suspected the motherboard may have be ruined
by malware embedded in its firmwares;
and even if I didn't mind my mac being
used as part of a malware botnet,
what if my ventilation scheme didn't work?
. then we are back to GPU freezes
requiring frequent annoying restarts .
"( After the GPU has crashed,
it is sometimes possible to login to the machine using SSH
and run command line commands.
This shows that the CPU is still running
and Mac OS X is still OK,
it's just the GPU that has crashed.)
. os x should be pre-empting the gpu after some time,
and fall back to a gui that is not gpu-controlled,
or in some other way stop waiting on the gpu,
and start responding to input .
[12.15: correction:
. it can't just restart a crashed GPU because
the GPU could be holding parts of program code
not just GUI code .
. that means the best it could do is
save your data and restart the whole system
-- annoying random restarts .]

some think a 2hour wait is about cooling:
"( once the logic board has been replaced
wait until the sytem has been off for 2hours
before powering up the system )
. if they opened and replaced some parts,
the unit is already sufficiently cooled;
what could take 2 hours is a capacitor discharge,
or some other static build up needs to dissipate .

10.10: web.cyb/mac/

convert imac to lcd monitor:


. is it possible to convert an Intel iMac
to an external monitor without hacks?
Yes, but only if the older iMac is a
27-inch iMac, [I have a 24"].
. these 27-inch models can simply plug into
a male-to-male Mini DisplayPort (or Thunderbolt) cable
with the other end into any flavor of Mac
that supports Mini DisplayPort or Thunderbolt.

Newer iMacs do target (disk) display mode:
Target Display Mode (TDM)?
TDM allows you to use a supported iMac
as an external display for another Mac computer
using Mini DisplayPort or ThunderBolt cables.
. the earliest support was [before my imac's time]:
iMac (27-inch Late 2009)
something like vnc may help: screenrecycler .
... but,
you have to get the mac working again,
and my imac's graphics card is a problem .
. finally, although a huge screen like the imac 24"
is useful for complicated projects,
most of the time it uses too much energy and heat,
and the pixels are so large
that you have to put it 3 feet away,
and look at it with dark glasses .
. if you're still interested in that experience
see [cyb mac imac convert to lcd display].pdf,
from a guy who writes only French .
users.skynet.be/fa835376/pas a pas.pdf
(google translate said it was too large)

10.8: todo.cyb/mac/

should show infection to Apple: [obs]

. Apple may be interested in
what a pdf did to their "microkernel":
it's able to turn off the os reinstall .
[12:
. recently it occurred to me that
they would only be interested if
they had any hope of fixing things:
for real security,
they need to run a real microkernel,
and if they think mach is a microkernel,
then they need to run a nanokernel!
I intend to move to Qubes OS,
a user-friendly distribution of Xen
which is a microkernel-based "bare-metal" hypervisor .]

10.13: muse.cyb/mac
/MyMacaInfo has sent you a message:
. twitter messaged me from MyMacaInfo;
maca is a hormonic superfood .
[ "maca" reminded me of "mac abstinence" ]