-1

I am basically positive my MacBook Pro has been hacked and has a firmware rootkit installed on it, and at this point I have decided it is now a brick and I need to move on to a new computer. The problem is, I have years' worth of files (I make music) of songs I am in the process of creating that I want to keep and move onto the new computer. I plugged my external drive into my compromised MacBook and put the files onto the drive, but I am concerned that when I try to transfer them to the new computer, the rootkit will have attached itself to the files/external drive and will end up on my new computer.

I know it seems unlikely that I have run into such a high-tech hack, but for the sake of this post let's just assume my Mac has been fully compromised by a firmware rootkit. Are the files I pulled off it and put on my external drive safe? If not, is there any way to save the files without passing the rootkit on to my new computer?

Mumen
    Firmware rootkit == hardware or software bug? Without knowing the abilities of the specific "rootkit", there is no way to determine whether or not it can infect your external drive or the files that were copied. For infected files to be effective, they would likely need to target a specific application that has an exploitable vulnerability. If it tried to attack the drive, it would likely need to know about the exact drive/firmware, and have a way to actually do something to the target computer. All of this is very unlikely. – multithr3at3d Aug 26 '19 at 23:44
  • It would be much simpler for whoever to deliver the rootkit the same way they did in the first place. – multithr3at3d Aug 26 '19 at 23:45
  • @multi I'm not sure what you mean at the beginning of your comment, sorry, I am not computer savvy. Whatever got into my computer survived me wiping and reformatting the drive, and was running processes while my computer was asleep (woken by internal keyboard/remote access, downloading and encrypting large files that I could not open or delete, leaving comments in my console about "processing" my email, etc.). Should I be concerned about the files I pulled off of the computer? – Mumen Aug 27 '19 at 00:03
  • Just saying: without any clear evidence, what you are experiencing probably has a logical explanation. – multithr3at3d Aug 27 '19 at 01:17

1 Answer

0

A rootkit is a program. As such, it has to be installed.

You have copied a number of files. One of them could be a copy of the presumed malware.

A malicious file by itself is not dangerous. You would need to somehow execute it. E.g. a malicious .exe is not dangerous for a Windows computer until it is executed, for instance when the user double-clicks it. That's why malware will generally, once installed, try to achieve persistence by getting itself run (adding itself to Startup folders, listing itself under certain registry keys so that other applications execute it...).

Thus, while a virus on your old computer could easily have corrupted your files, attaching itself to them would be complicated. Some old viruses did add a copy of themselves to other executable files, so that when you ran them, they additionally infected the system, but that is very rare nowadays and, since we are not dealing with programs, should be no problem for you.

The only way for those data files to infect your new system would be that, when opening them on the new computer, the program used processed them incorrectly in such a way that an attacker could make it run some malicious code they controlled. If the program used didn't have such a vulnerability in the way the attacker attempted to exploit when modifying your files, it could not infect the new computer.

I would recommend that you run an antivirus over those files just in case it detects anything, but I don't think your song files would be weaponized in any way. Moreover, it seems highly unlikely that your MacBook "has a firmware rootkit".

As an alternative to using those files copied from the old computer, you could restore your files from backup. You have been doing periodical backups, haven't you?

Ángel
  • _a malicious .exe is not for a Windows computer until for instance the user double-clicks_ unless this file is in a specific directory (e.g. startup folder) or might get called by another program. – Xavier59 Aug 27 '19 at 09:27
  • Well, obviously. I have tried to clarify it. – Ángel Aug 28 '19 at 01:05
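The answer's point is that copied data files can only hurt the new machine if something executes them or if the program that opens them has a parser bug. A triage step that follows from that, before opening anything on the new computer, is to check that what came off the external drive is really audio data and that no executable hitched a ride. The script below is an added example, not part of the answer or the thread: it walks a directory, flags anything whose leading bytes mark it as a Mach-O, ELF, PE or shebang-script executable, and checks that files with common audio extensions carry the header their format requires. The magic-number tables are constructed for this example and are not exhaustive.

```python
import sys
from pathlib import Path

# Constructed lookup tables (not exhaustive): leading bytes of executable
# containers, and the header bytes a well-formed audio file of each type carries.
EXECUTABLE_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O universal", b"\x7fELF": "ELF",
    b"MZ": "PE", b"#!": "shebang script",
}
AUDIO_CHECKS = {
    ".wav": lambda h: h[:4] == b"RIFF" and h[8:12] == b"WAVE",
    ".aif": lambda h: h[:4] == b"FORM" and h[8:12] in (b"AIFF", b"AIFC"),
    ".aiff": lambda h: h[:4] == b"FORM" and h[8:12] in (b"AIFF", b"AIFC"),
    ".flac": lambda h: h[:4] == b"fLaC",
    # MP3: ID3v2 tag, or an MPEG frame sync (11 set bits) right at the start.
    ".mp3": lambda h: h[:3] == b"ID3"
    or (len(h) > 1 and h[0] == 0xFF and (h[1] & 0xE0) == 0xE0),
}

def classify(header: bytes, name: str) -> str:
    """Verdict for one file from its first bytes and its extension."""
    for magic, kind in EXECUTABLE_MAGICS.items():
        if header.startswith(magic):
            return f"EXECUTABLE ({kind})"      # should never be among song files
    check = AUDIO_CHECKS.get(Path(name).suffix.lower())
    if check is None:
        return "UNKNOWN TYPE"                  # not audio by extension: look by hand
    return "ok" if check(header) else "HEADER MISMATCH"  # extension lies or file damaged

def scan_tree(root: str) -> list[tuple[str, str]]:
    """Return (relative path, verdict) for every regular file under root.
    .app bundles are directories, so a Mach-O inside one is still flagged."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with open(path, "rb") as f:
                header = f.read(16)
            results.append((str(path.relative_to(root)), classify(header, path.name)))
    return results

def findings(root: str) -> list[tuple[str, str]]:
    """Only the entries that need a human look before the files are opened."""
    return [(p, v) for p, v in scan_tree(root) if v != "ok"]

if __name__ == "__main__":
    for path, verdict in findings(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:26} {path}")
```

A clean result here does not prove a file is harmless (a crafted but well-formed WAV can still target a decoder bug, which is exactly the case the answer describes), so it complements an antivirus scan and a restore from backup rather than replacing them.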