
"trustd" Possible malware or virus??

I found something with Little Snitch that is quite odd.

It's showing that "trustd" is a protected rule and its path is /usr/libexec/trustd

The weird thing is in the notes for it, there is some German or other language, which I've never seen before.

Here's what it says in the notes...

Überprüft die Gültigkeit von Certificaten.

It says the Process Owner = System and can't be changed from "Allow any outgoing connection" because it's protected. Normally only Apple rules are protected.

Anyone know what this trustd is, and why the notes are written in German??

iMac, OS X El Capitan (10.11.6), 3.4GHz Intel Core i7, 24GB Ram

Posted on Oct 20, 2016 3:01 PM

19 replies
Question marked as Top-ranking reply

Dec 17, 2016 8:09 AM in response to etresoft

Sigh.


I am trying to ANSWER THE QUESTION that the poster had. Are you?


The questions were "what is trustd?" And "why are the notes written in German?"


You answered the first and I answered the second. You seem to have no familiarity with Little Snitch or its notes facility. The poster has been using it for 4 years, examining the network connections in and out of his Mac. Good for him! That's how you learn. You attempted to answer but aren't even familiar with Little Snitch!


Frankly after 4 years of examining network connections he is quite aware of the complexity of MacOS. Better than most in here I'd bet! It isn't "overly complicated" by any means.


But what is incorrect is to dismiss the *possibility* of malware or claim that he has "paranoia" just because he has a sincere question! He might just want to block unwanted processes. He might be having fun playing around. He might be hardening the OS.


By the way you also do not need "extraordinary" evidence of malware. Any solid evidence will do. Malware and hacks are also not "extraordinarily rare." And if you are referring to the protections of SIP, that only debuted with El Capitan a little over a year ago. Before that time it would have been far easier to replace a system process with a compromised version. Don't pretend this is hard.


Have a nice day.

Dec 18, 2016 7:09 PM in response to GeorgeSupport6411

GeorgeSupport6411 wrote:


You talking to the OP or to me?

As can be seen by the reply header, I was replying to your post.


And do you know why mac OS is so secure?

Yes - lack of interest on the part of malware authors. The only market that anyone, from malware authors to Apple itself, cares about is the iPhone. Virtually all of the Mac software market, legitimate or not, is just an offshoot from iOS at this point. There is a thriving adware market, but true malware is virtually non-existent. The adware is pathetically amateurish, but getting better. An actual malware exploit would be valuable on iOS, but wasted on macOS.


So you no longer use Little Snitch? What did you replace it with?

Nothing. I don't bother. I stopped using Little Snitch before the cloud really took over. These days, it really isn't useful for much. You want to know which apps are contacting random AWS servers on non-standard ports? I don't know, all of them?


Where does your expertise originate?

Long story. 🙂


You should have pointed him at the Little Snitch forums in the first place if that was the answer. You did choose to answer, so don't now pretend that this is the wrong place to ask, or he should have gone elsewhere.

As far as I can tell, the original poster abandoned this thread months ago. I didn't want to waste anyone's time. The activity that Little Snitch discovered was harmless. There was no need to research it any further.


You answered the original poster in the most condescending way. I educated him and now you presume to lecture me. Really.

I see that you are a Level 1 community member here on Apple Support Communities. Once you reach Level 2 you will have a "Report Post" control available where you could report my posts to the Apple hosts for editing or removal. Until you reach that level, you can instead post a request to that effect in the Using Apple Support Communities forum.


Sure there are people in these discussions who are deleting things. They install "anti-virus" software they found somewhere on the internet. They spend sleepless nights worrying about their safety. They fix permissions religiously (not possible any more). This guy wasn't one of those compulsives.

Neither of us knows anything about the original poster, including his or her gender.

Dec 19, 2016 4:18 PM in response to GeorgeSupport6411

GeorgeSupport6411 wrote:


"I see that you are a Level 1..." so that's it. We aren't on StackExchange or a developer forum, so I am perceived as some "new person." I get it.

No, you don't. You are a "Level 1". That is not a value statement. It simply means you have not earned 150 points yet. See this page for more information: Levels and Perks


That's actually pretty funny. Why would I report you?

You suggested that my reply was in violation of the Apple Support Communities Terms of Use. I don't happen to agree with that assessment, but you are welcome to your own opinion. However, as a community member with more points, I can tell you that bickering with someone other than the OP in a thread that the OP abandoned months ago, is really not an effective way to earn more points and reach level 2 where you can report someone. I don't need any more points, so it doesn't bother me. 🙂


Some of your points are valid but then you are criticizing me for the use of "his," which, absent a better one, is a gender-neutral pronoun in English. This doesn't make the OP, whether he or she, a compulsive. Better?


But the OP has been using a packet sniffer for several years

I think the gender assumption is just one of many that you are making here. Little Snitch is not, in any way, a "packet sniffer". Wireshark is a packet sniffer. Little Snitch is a consumer-level firewall for outgoing connections. Because it is just a firewall, it doesn't actually have any usable information to "sniff" in the first place.


I have seen a number of cases where people get curious and start digging around into internals that they don't understand and quickly convince themselves that they have been hacked because a system root certificate from Turkey happens to be written in Turkish.


Overall, I am pretty frustrated at the high level of paranoia combined with a high level of ignorance and gullibility. It is quite common to go from one thread where someone has convinced themselves that they have been hacked to another thread where someone has followed random instructions on the internet to disable basic security protection on their machine. Both of these are repeated, daily occurrences. Mac users simply aren't suffering from hacks like this. But they are turning off basic security, installing massive amounts of adware, and then installing massive amounts of scam ware hoping it will remove the adware (hint: it won't).

Oct 21, 2016 10:03 PM in response to etresoft

I've been using Little Snitch for about 4 years now, and the processes have different notes when you click on them, and their path.



The notes normally look like this....


On Apr 9, 2015, System Preferences via com.apple.preferences.internetaccounts.remoteservice.xpc tried to establish a connection to www.googleapis.com on port 443 (https). The request was allowed via connection alert.

Dec 16, 2016 3:33 AM in response to Bad News52

I see this as well. It stands out. And there is only one like this, only one in German and it's protected? Weird. I'd keep Googling. It's malware or a bug. Either way worthy of questioning.


Of course if malware it would try to mask as legitimate. You can't accept the simple answer and must research deeper. This is why you buy Little Snitch so let's get looking!

Dec 16, 2016 6:18 AM in response to Luis Sequeira1

Don't you know how malware works? Malware would replace a valid process with its own compromised process. How do you explain the German writing? How do you explain the way Little Snitch represents this as a "protected" process versus a "system" process?


You think that attempting to look under the covers of the OS is paranoia? It could be nothing or it could represent a problem. He doesn't know unless he asks. Look if you have no answer that's fine. The rest of us with the same question (that's why I came here) will continue to investigate and maybe learn something.


Now I have a theory:


@Bad News52: It is quite interesting the notes don't correspond to the usual Little Snitch format. But the company making LS is a German company, Objective Development Software GmbH, and they use a ".at" website, in Austria. They probably didn't localize the notes for languages very well, and some German text slipped through.


The best way to really know is to contact the developer of Little Snitch and ask them!

Dec 16, 2016 12:06 PM in response to GeorgeSupport6411

GeorgeSupport6411 wrote:


Don't you know how malware works? Malware would replace a valid process with its own compromised process.

Hello George,

Unless you have disabled a fair portion of the macOS security infrastructure, this would be impossible.


There are often claims here on Apple Support Communities that someone has encountered true malware or a hack. But either of those are extraordinarily rare. Technically, they are possible, but in most cases, it is just confusion due to an overly-complicated operating system. If you want to make a claim that it is something real, you need extraordinary evidence.

Dec 17, 2016 3:59 PM in response to GeorgeSupport6411

GeorgeSupport6411 wrote:


I am trying to ANSWER THE QUESTION that the poster had. Are you?

No, because I answered it two months ago.


You answered the first and I answered the second. You seem to have no familiarity with Little Snitch or its notes facility. The poster has been using it for 4 years, examining the network connections in and out of his Mac. Good for him! That's how you learn. You attempted to answer but aren't even familiar with Little Snitch!

I haven't used Little Snitch in years. This is not a forum for Little Snitch support. Little Snitch has their own forums (https://forums.obdev.at/) and I'm sure they would be happy to help.


Frankly after 4 years of examining network connections he is quite aware of the complexity of MacOS. Better than most in here I'd bet! It isn't "overly complicated" by any means.

😮


But what is incorrect is to dismiss the *possibility* of malware or claim that he has "paranoia" just because he has a sincere question! He might just want to block unwanted processes. He might be having fun playing around. He might be hardening the OS.

macOS, as delivered by Apple, is the most secure operating system available. It strives for a good balance between security, convenience, and ease-of-use. There is no part of the security or networking infrastructure that needs adjustment by end-users. Such attempts are far more likely to reduce security than anything else.


By the way you also do not need "extraordinary" evidence of malware. Any solid evidence will do. Malware and hacks are also not "extraordinarily rare." And if you are referring to the protections of SIP, that only debut with El Capitan a little over a year ago. Before that time it would have been far easier to replace a system process with a compromised version. Don't pretend this is hard.

It was always extraordinarily difficult, even before El Capitan. That is why true Mac malware is virtually non-existent. With SIP, Apple made it even harder.

Dec 17, 2016 11:42 PM in response to etresoft

You:


"macOS, as delivered by Apple, is the most secure operating system available. It strives for a good balance between security, convenience, and ease-of-use. There is no part of the security or networking infrastructure that needs adjustment by end-users. Such attempts are far more likely to reduce security than anything else."


Thanks for the marketing materials. You talking to the OP or to me? I've been a Mac user for as long as anyone, and a user of every other OS that exists. And do you know why macOS is so secure? Why SIP and app install restrictions exist, why it has been ahead of the curve with respect to security for so long? Constant examination by users, researchers and bad actors poking and prodding under the covers. All those security updates to iOS, macOS and tvOS are a response to people, many in these very discussions, discovering the many cracks and flaws that are constantly and continuously being patched by Apple. Some extremely well-hidden. I've found them myself, and I never would have if some forum expert told me to stop being "paranoid" and to stop looking because I've got "the most secure operating system available."


So you no longer use Little Snitch? What did you replace it with? How do you examine the processes on your Mac? After all, you responded to a question about a daemon process. Where does your expertise originate?


And get off your horse, it isn't helpful. You should have pointed him at the Little Snitch forums in the first place if that was the answer. You did choose to answer, so don't now pretend that this is the wrong place to ask, or he should have gone elsewhere. You answered the original poster in the most condescending way. I educated him and now you presume to lecture me. Really.


Sure there are people in these discussions who are deleting things. They install "anti-virus" software they found somewhere on the internet. They spend sleepless nights worrying about their safety. They fix permissions religiously (not possible any more). This guy wasn't one of those compulsives.


Edit: By the way, I've gone back to this user name. I look new but I've been around a LONG time. Take care!

Dec 19, 2016 10:45 AM in response to Bad News52

/usr/libexec/trustd is a normal Mac file, part of the system. If you are running macOS 10.11 or later (El Capitan or Sierra), that file is protected by System Integrity Protection (SIP) and cannot be modified, even with root permissions. If you are not running 10.11 or later, or have disabled SIP, you can verify the code signature on that file by entering this command in the Terminal:


codesign -dvvv /usr/libexec/trustd


If the authority is Apple, you're good.


Note that there is no known malware out there that replaces this file - or, for that matter, any other macOS file. There is malware that will install files in other places with names that imitate macOS files, but that's a totally different thing, and that's not what's going on here.
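A stricter form of the "is the authority Apple?" check from this post, added here as an example and not part of the thread: it parses constructed codesign -dvvv listings (the Developer ID entry, its company and team ID are placeholders) and accepts only Apple's own platform-signing chain, because a third-party Developer ID app also chains up to "Apple Root CA".

```shell
# Added example, not from the thread. An Apple platform binary such as trustd
# is signed with Apple's "Software Signing" leaf certificate and carries a
# com.apple.* identifier; a grep for the word "Apple" alone would also accept
# third-party Developer ID code, which chains to the same Apple Root CA.

# Constructed sample listings modelled on codesign -dvvv output; not captured
# from a real machine. Only the fields the check uses are included.
TRUSTD_SAMPLE='Executable=/usr/libexec/trustd
Identifier=com.apple.trustd
Format=Mach-O thin (x86_64)
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none'

# Hypothetical third-party app; the path, company and team ID are placeholders.
DEVID_SAMPLE='Executable=/Applications/SomeTool.app/Contents/MacOS/SomeTool
Identifier=com.example.sometool
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

# Print the certificate chain, leaf first, one subject per line.
authority_chain() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p'
}

# Return 0 when the listing describes an Apple platform binary: a com.apple.*
# identifier, the "Software Signing" leaf, and a chain rooted at Apple Root CA.
is_apple_platform_signed() {
    listing=$1
    ident=$(printf '%s\n' "$listing" | sed -n 's/^Identifier=//p')
    leaf=$(authority_chain "$listing" | head -n 1)
    root=$(authority_chain "$listing" | tail -n 1)
    case "$ident" in
        com.apple.*) ;;
        *) return 1 ;;
    esac
    [ "$leaf" = "Software Signing" ] || return 1
    [ "$root" = "Apple Root CA" ] || return 1
}

# On a Mac: -d only displays the signature, so verify it cryptographically
# first, then apply the chain check to the displayed listing (codesign -d
# prints it on stderr).
check_binary() {
    codesign --verify "$1" 2>/dev/null || return 2
    is_apple_platform_signed "$(codesign -dvvv "$1" 2>&1)"
}

# Usage on macOS: check_binary /usr/libexec/trustd && echo "Apple platform binary"
```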

Dec 19, 2016 12:48 PM in response to etresoft

"I see that you are a Level 1..." so that's it. We aren't on StackExchange or a developer forum, so I am perceived as some "new person." I get it. That's actually pretty funny. Why would I report you?


Some of your points are valid but then you are criticizing me for the use of "his," which, absent a better one, is a gender-neutral pronoun in English. This doesn't make the OP, whether he or she, a compulsive. Better?

Dec 19, 2016 1:01 PM in response to thomas_r.

Yes trustd is a standard binary. And SIP has been here for over a year now. But the OP has been using a packet sniffer for several years, well before SIP was introduced and with plenty of opportunity to have had a malware infection replace the binary, no matter how unlikely.


codesign is a great tool and a fairly easy method to give a user confidence in their installation. And SIP will provide even more protection as time goes by. I don't use it enough, and I don't develop for macOS.


I actually had an explanation for the odd text in the OP's software notes that caught his attention. They caught mine as well. I was able to use a hash to determine the authenticity in my own installation; I assume the OP figured it out or gave up looking. Maybe the Little Snitch forums provided his answer, or a Google search. He probably didn't get help here, since my answer was pretty late after the initial question.

Dec 19, 2016 2:47 PM in response to GeorgeSupport6411

GeorgeSupport6411 wrote:


with plenty of opportunity to have had a malware infection replace the binary, no matter how unlikely.


There is no known malware that behaves that way, and no reason to believe that there would have been.


I've seen enough Mac malware that I'll never say anything is impossible. However, I've seen every piece of Mac malware that has existed in the last 6-7 years, and most of the malware that has ever existed for Mac OS X. None of it does what you're speculating. There's absolutely no reason to believe that there is anything wrong with the trustd process here.


Could future malware do this? Possibly, though as has already been indicated, there are some significant hurdles to jump over in order to do so, so that's unlikely.


Could past malware have done this? Sure... but only if it has gone totally undetected, in which case it would be something like high-value state-sponsored malware that has been used extremely sparingly and thus never discovered. If Bad News52 has reason to fear an oppressive regime that may have used covert means to infect his/her computer with unique malware, and is important enough to that regime that they would spend those kinds of resources surveilling him/her, then there may be something to worry about. But not otherwise.


Thomas Reed

Director of Mac Offerings, Malwarebytes

Dec 20, 2016 8:51 AM in response to etresoft

"Overall, I am pretty frustrated at the high level of paranoia combined with a high level of ignorance and gullibility."


"...someone has followed random instructions on the internet to disable basic security protection on their machine."


Yes I get it. But in this thread nobody demonstrated such gullibility. No one is talking about disabling anything, I hope! Of course plenty of gullibility exists in other discussions, I've seen it and it's pretty sad. Ignorance is a separate issue. You don't like "ignorance?" Then educate.


"Little Snitch is not, in any way, a packet sniffer. Little Snitch is a consumer-level firewall for outgoing connections."


The Little Snitch developers market it primarily as a firewall. But did you know Little Snitch also examines packet traffic, and captures it? That is the definition of packet sniffing and that makes LS a packet sniffing tool. To make this clear: Little Snitch can capture the packets of any individual process or application. On any interface. At any time. Inbound or outbound. Even capture multiple unrelated processes simultaneously. Merely via a right click in the GUI! It is ridiculously easy. Indeed it is my primary capture tool these days to grab the traffic from an individual process, particularly terminal processes.


That said, to analyze the packets you need an analyzer, like tcpdump, Wireshark, or CPA. But we all have one of those free tools.


LS is a better tool than you think and if you are going to support users you might want to get another copy and experiment with it. Helps to see the networking clockwork of macOS, and is a great troubleshooting tool.


"I have seen a number of cases where people get curious and start digging around into internals that they don't understand..."


This is the point. It's what we should all be doing, hopefully with some guidance! Breaking things is unfortunately sometimes part of the process. Luckily it isn't too difficult to reinstall the OS. And these days, with Time Machine and other technologies, breaking something isn't the big fear it used to be.


Of course we hate to see stressed-out users. But we all had to start somewhere.


Now we have traveled far beyond the OP, and we are having a nice conversation. But I'm going to leave so I won't be responding here further. But I will read any reply. Have a good day.
