Re: Hacked Mountain Lion Disc Image


Phyllis Sterlin

Jul 13, 2024, 2:38:15 PM7/13/24
to roymudhaameeb

The time has come to restore a MacBook to a state which can be trusted to be free from any possible unwanted software contamination. My initial investigation reveals that Apple, like Windows, is using an approach where a recovery system, which I presume to be a separate partition, is provided for the purpose of dealing with certain problems where system restoration is desired. While this might be effective in certain scenarios, the situation confronting me is that I have good reason to believe that my system has been compromised. This means it has been altered in a manner that is unknown. This is presumed to have been done with malicious intention, which certainly includes circumventing efforts to undo the alteration. Therefore, the use of a recovery mechanism which depends on anything present on the computer at the time of contamination is unworthy of trust. To do such must be considered bad practice. Furthermore, if I understand things correctly, the recovery system present on this computer actually wants to use the inherently untrustworthy Internet to effect a recovery.

Good practice requires the use of software that could not have been tampered with, which is a basic characteristic of optical media (e.g., DVD). Is it possible to use a bootable DVD to effect the restoration? If so, how is such a DVD obtained? If not, how can trustworthy media of some kind be obtained? An important consideration should be that it is necessary to restore a reliable operating system without ever connecting the computer to any kind of network.


Are you really saying there is no way to recover other than relying on the potentially contaminated software? In that, there is no way to obtain reliable media? What am I supposed to do when the SSD fails?

After downloading the installer you must first save the Install Mac OS X application. After the installer downloads DO NOT click on the Install button. Go to your Applications folder and make a copy of the installer. Move the copy into your Downloads folder. Now you can click on the Install button. You must do this because the installer deletes itself automatically when it finishes installing.

You will need a freshly partitioned and formatted USB flash drive of at least 8 GB. Leave the name of the flash drive at the system default, "Untitled." Do not change this name. Wait for the process to complete, which will take quite some time.

If you're a high-value target, then you'll want to shred the Mac per local hardware destruction policies, anonymously source a replacement Mac, and move on. Yes, seriously. If you're unable or unwilling to trust a cryptographically checked download, then you've been hacked at the BIOS or lower level, the attack will be exceedingly persistent, and you should not reuse the configuration.

If you do not have the budget to shred and replace (and particularly if you're not a high-value target), then you're going to have to trust that the BIOS and the increasingly-large multitude of other device firmware present in your configuration is intact and unaltered, and that the cryptographic verifications of the Apple downloads are sufficient, and that the cryptographic checks are correctly implemented.

You can download an installation kit from Apple via another Mac and generate an installer there, if you're inclined. If you really want to go DVD or other write-locked media, you'll need a DL-capable configuration as AFAIK the installation is bigger than a single-layer DVD can provide. See the createinstallmedia command, and there are purported DVD-creation sequences posted. Boot from that and erase the disk, then reinstall.

All that aside, most folks get corrupted by installing software and add-ons that they probably should not have (torrented software or adware-infested software from some of the "repository" web sites, for instance), by choosing bad passwords or having their passwords exposed, by having Adobe Flash installed or having Oracle Java installed and web-accessible, or via insecure connections, or by somebody with direct hardware access. Not by the sorts of attacks that modify hardware or disk or peripheral device firmware; those are more advanced and more persistent. More than a few cases of "virus" reports around the forums are simply innocent software or hardware issues, too.

Kurt Land says "The only OS it will install ...". May I assume that "it" refers to what Apple is calling the Recovery System? While an uncontaminated Recovery System will only download proper files from the proper Apple server, I'm thinking that the Recovery System itself is installed and operated from revisable storage that is vulnerable to being hacked. Possibly it is installed into a secondary partition on the same storage device as the main OSX used to operate the computer. Under this scenario the Recovery System is also vulnerable to being maliciously contaminated with software that will do what it wants which could include downloading files from anywhere it wants.

My thinking is that a proper restoration of a maliciously contaminated system ought to include everything that could have been contaminated. In this case, that at least includes a built in Recovery System. My own policy has been to use offline media to maintain the files needed to recover a contaminated computer. The idea is that hackers, at least via the Internet, cannot infect that media.

It seems to me that wanting to do a complete recovery, meaning to recover all of the software used to operate the computer, is a pretty normal approach to dealing with the kind of problem presented here. This would mean that any online and operational Recovery System also needs to be restored.

By "The only OS it will install is directly from Apple's servers.", I mean if you boot from the hidden Recovery partition and erase the normal visible partition OS X is currently on, it will start the installation of OS X from the hidden partition. There isn't much on that partition, so it's only a starting point. The rest gets installed from Apple's servers.

If you want to clear the deck, restart and boot to Internet Recovery by holding down Command+Option+R. This boots to the Mac's firmware rather than the hidden partition on the hard drive, though the interface looks the same. Use Disk Utility to completely repartition the drive so it also wipes out the hidden Recovery partition. Do that by changing the default of Current to something else - anything else.

If you don't, reinstalling OS X will install the same version of OS X as what the hidden partition is. With the drive fully repartitioned, Internet Recovery will be forced to install the version of OS X the Mac came with. It will also create a new hidden Recovery partition at the same OS level.

As for any worry about recently covered firmware attacks, that is extremely unlikely. The original Thunderstrike requires direct access to your Mac by someone who both has a copy of the malware, and has the knowledge to apply it. It cannot be installed remotely or passively. Thunderstrike 2 only requires that an infected Thunderbolt device be connected to the Mac to infect it. However, the lab that developed the malware is the only place it exists and has reported it to Apple so they can devise a fix to block it. In other words, it's not in the wild.

So the chances of Thunderstrike 2 being an issue are pretty much zero. The original Thunderstrike is almost nonexistent, unless you've let unknown people have direct access to your Mac. Also, if it's a 2014 model or newer, the original Thunderstrike can't be installed. If it's older, Apple has released firmware updates for a number of Macs that block Thunderstrike.

The idea of using another computer that is trusted to download the files used for restoration fits within the budget contemplated for this job. You refer to an Installation Kit as something that must be downloaded using another Mac. It sounds like you are saying that the actual files that will be used to perform the installation, which includes being able to boot from the media, can be created by any (?) Mac. I suspect the requirement for the Mac has to do with ensuring the media is formatted with a suitable file system that is bootable.

Something I would contemplate doing after a successful recovery has been completed which will include restoring the user selected applications is to create the necessary media for reacting more expeditiously to the need to make a restoration. Is there a way to create some kind of system image once a reliable and trusted system is operational that can be used to make a complete restoration?

With respect to DVD, I only meant that as an example. The unalterable property of certain DVD formats is desirable for such files. Also, it tends to be an inexpensive way to store things you put in a drawer with the hope that you will never need to use them. However, being able to store the media offline, as with any removable media, provides the kind of protection that I'm seeking. The reference to the "createinstallmedia" command reads like part of the function performed by this software is to download the necessary files. Might that be correct? If so this is worth pursuing.

The big problem we're dealing with here is that we don't know what we don't know. Therefore, my thinking is that we must assume that whatever is possible might have been done to us. The idea of recovery is to say with a very high level of confidence that the system has been restored to a state that existed prior to any contamination. I understand your point regarding the unlikelihood of hacking into a hidden partition, but I have a hard time understanding why it should be hard to replace it. Windows now uses the concept of a Recovery System that is always online, and while you don't have to, it is real easy to rebuild the entire storage device when you get in the situation presented here. The basic Windows Installer will do it. Once you get to the point of doing what we're talking about here, I'm of the mind "why not?".
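The thread's advice boils down to: download the installer on a trusted second Mac, rely on Apple's code signature rather than on anything left on the suspect machine, and write the installer to offline media with createinstallmedia. The script below is an added example, not code from the thread; it assumes macOS tools (codesign, shasum, createinstallmedia), an "Install macOS" app path as the first argument, the USB volume as the second (the thread's default name "Untitled"), and the constructed codesign output samples are illustrative, not captured from a real installer.

```shell
#!/bin/bash
# Added example, not from the thread. Run on the trusted second Mac after the
# "Install macOS" app has been downloaded from Apple, before writing the USB.
# Assumptions: macOS tools codesign/shasum/createinstallmedia; two arguments,
# the installer .app and the USB volume (the thread's default name "Untitled").
set -eu

# Pure check on `codesign -dvv` output: every "Authority=" line must name an
# Apple certificate and the chain must terminate at "Apple Root CA".
signed_by_apple() {
  local authorities
  authorities=$(printf '%s\n' "$1" | grep '^Authority=' || true)
  [ -n "$authorities" ] || return 1                     # unsigned or ad-hoc
  printf '%s\n' "$authorities" | grep -qv 'Authority=Apple' && return 1
  printf '%s\n' "$authorities" | grep -q '^Authority=Apple Root CA$'
}

# Constructed samples of codesign -dvv output (it prints these on stderr).
SAMPLE_APPLE='Identifier=com.apple.InstallAssistant.example
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_THIRD_PARTY='Identifier=com.example.repackaged-installer
Authority=Developer ID Application: Example Corp (CONSTRUCTED)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_ADHOC='Identifier=com.example.adhoc
Signature=adhoc'

# Full verification of a downloaded installer app.
verify_installer() {
  codesign --verify --deep --strict "$1"               # every file intact
  signed_by_apple "$(codesign -dvv "$1" 2>&1)"         # chain anchored at Apple
}

# Verify, record a hash manifest to keep with the offline media, then write
# the USB. Installers for 10.9 to 10.13 also need: --applicationpath "$1".
make_usb_installer() {
  verify_installer "$1"
  find "$1" -type f -exec shasum -a 256 {} + | sort -k2 > "$HOME/installer.sha256"
  sudo "$1/Contents/Resources/createinstallmedia" --volume "$2"
}

if [ $# -eq 2 ]; then
  make_usb_installer "$1" "$2"
fi
```

The manifest written to $HOME/installer.sha256 lets you re-check the stored media later with `shasum -a 256 -c`, which covers the poster's wish to keep trusted restoration files in a drawer.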
