9 Replies Latest reply: Jul 21, 2008 6:15 AM by WZZZ
WZZZ Level 6 (12,225 points)
I know keylogging cannot be installed without downloading and using password on Mac, but just to be sure, is there a way to manually detect (e.g. through Terminal or another location) a keylogger on Tiger, i.e. one that does not involve installing an anti-keylogger program? I am wary of these since they may, themselves, be keylogging malware in disguise.

If this cannot be done, does anyone recommend a good, genuine anti-keylogger program? Thanks.

iMac G3/ 400 (early 2001), Mac OS X (10.4.11)
  • 1. Re: keylogger detection
    Limnos Level 8 (38,475 points)
    You could use Activity monitor to check the processes running on your computer. The problem with that is there are many processes running with which the casual user is not familiar and some of them have some pretty strange names that makes you initially think there is something bad on your computer. There's probably 30 or 40 that run just as part of the OS and I don't know if there is a list of what should be on there.

    I can't remember if you're the person who posted a week or so ago but if you're really worried about this keylogging thing then I'd suggest doing an archive and install and get a clean OS.
  • 2. Re: keylogger detection
    WZZZ Level 6 (12,225 points)
    Thanks for the suggestion to look in Activity Monitor. These keyloggers are also called "rootkits". Does this mean they would only be found in the root/administrator processes in Activity Monitor? Maybe it isn't so simple, but if that's so wouldn't that narrow down the list quite a bit?

    No, I didn't post about this recently, but even though I'm not aware of ever having downloaded/installed anything, would just like to know I'm clean. Not enough reason to do an A&I.
  • 3. Re: keylogger detection
    BDAqua Level 10 (116,480 points)
  • 4. Re: keylogger detection
    WZZZ Level 6 (12,225 points)
    Thanks Limnos and BDAqua for ideas, links. I am still investigating "Lil Snitch" (on the downside it seems like it might be a little too busy or interrupting), but would still like to know if I can simply go into Administrator/Root in Activity Monitor and look for anything suspicious there, or could a Keylogger embed itself too deeply for that simple kind of detection?
  • 5. Re: keylogger detection
    Charles Minow Level 6 (9,190 points)
    WZZZ wrote:
    but would still like to know if I can simply go into Administrator/Root in Activity Monitor and look for anything suspicious there, or could a Keylogger embed itself too deeply for that simple kind of detection?


    You'd have to have a pretty good idea of what's legit and what's not if it's installed as a daemon. You may have to use Google or the Terminal to look up the various daemons and processes running to figure out if they're likely to be legitimate. But if I was making a keylogger for nefarious purposes, I'd give it a name that sounded helpful, and maybe even lie in the man page about what it does.

    To look up a process in the Terminal, type "man" followed by its name. For example:

        man blued

    will give you the bluetooth daemon's man page.

    And if the keylogger was installed as a kernel extension, it wouldn't show up in the process list anyway. You might see it by running the kextstat command in the Terminal window if they don't try to hide it.

    Finally, one way to slow down keyloggers would be to turn off "Enable access for assistive devices" in the Universal Access control panel. That makes it easier for programs to log key strokes (for example, that's how TextExpander works).

    charlie
  • 6. Re: keylogger detection
    WZZZ Level 6 (12,225 points)
    Charlie, thanks for all that information. I don't know Terminal that well. What would I look for to tip me off it's a keylogger once I open the Man page? (Or as kextstat?)

    This has been answered before, but just to get your take on it: looking around, I have gotten the impression, perhaps mistaken, that keyloggers can enter PCs via viruses. With no viruses, yet, for Mac is it still true, to your knowledge, keylogging (apart from a physical installation), can only be installed through deliberate downloading and installation with password through "social engineering" cons?
  • 7. Re: keylogger detection
    BDAqua Level 10 (116,480 points)
    would still like to know if I can simply go into Administrator/Root in Activity Monitor and look for anything suspicious there, or could a Keylogger embed itself too deeply for that simple kind of detection?


    I doubt any key logger would announce itself to simple detection. It'd be easy enough for it to attach itself to a regular Process and therefore be invisible as it were.
  • 8. Re: keylogger detection
    Charles Minow Level 6 (9,190 points)
    WZZZ wrote:
    Charlie, thanks for all that information. I don't know Terminal that well. What would I look for to tip me off it's a keylogger once I open the Man page? (Or as kextstat?)


    Looking at the man pages isn't so much looking for keyloggers, but it's a way to familiarize yourself with what's really a part of the OS. The tough part is that there are some processes that don't have man pages. For example, there's a daemon called bfobserver that's part of Apple's Xcode developer tools that has no man page. So, for that you'd have to look at Google to find out what it is.

    The same goes with kextstat. You'd be looking for something that obviously doesn't belong. Here's the output from the iMac I'm typing this on:

    Index Refs Address Size Wired Name (Version) <Linked Against>
    1 1 0x0 0x0 0x0 com.apple.kernel (8.11.1)
    2 29 0x0 0x0 0x0 com.apple.kpi.bsd (8.11.1)
    3 45 0x0 0x0 0x0 com.apple.kpi.iokit (8.11.1)
    4 46 0x0 0x0 0x0 com.apple.kpi.libkern (8.11.1)
    5 43 0x0 0x0 0x0 com.apple.kpi.mach (8.11.1)
    6 24 0x0 0x0 0x0 com.apple.kpi.unsupported (8.11.1)
    7 1 0x0 0x0 0x0 com.apple.iokit.IONVRAMFamily (8.11.1)
    8 1 0x0 0x0 0x0 com.apple.driver.AppleNMI (8.11.1)
    9 1 0x0 0x0 0x0 com.apple.iokit.IOSystemManagementFamily (8.11.1)
    10 1 0x0 0x0 0x0 com.apple.iokit.ApplePlatformFamily (8.11.1)
    11 41 0x0 0x0 0x0 com.apple.kernel.6.0 (7.9.9)
    12 1 0x0 0x0 0x0 com.apple.kernel.bsd (7.9.9)
    13 1 0x0 0x0 0x0 com.apple.kernel.iokit (7.9.9)
    14 1 0x0 0x0 0x0 com.apple.kernel.libkern (7.9.9)
    15 1 0x0 0x0 0x0 com.apple.kernel.mach (7.9.9)
    16 18 0x35fda000 0x10000 0xf000 com.apple.iokit.IOPCIFamily (2.2) <11>
    17 10 0x35ff0000 0x4000 0x3000 com.apple.iokit.IOACPIFamily (1.2.0) <11>
    18 3 0x36044000 0x3e000 0x3d000 com.apple.driver.AppleACPIPlatform (1.0.10) <17 16 11 6 3>
    19 0 0x360c3000 0x4000 0x3000 com.apple.driver.AppleIntelCPUPowerManagement (1.6.7) <11 6 4 3 2>
    20 0 0x360d1000 0x5000 0x4000 com.apple.BootCache (27) <6 5 4 3 2>
    21 3 0x36121000 0x33000 0x32000 com.apple.iokit.IOHIDFamily (1.4.13) <6 5 4 3 2>
    22 0 0x361a1000 0x3000 0x2000 com.apple.driver.AppleAPIC (1.2.0) <11>
    23 1 0x361f0000 0x3000 0x2000 com.apple.iokit.IOSMBusFamily (1.0.1) <5 4 3>
    24 0 0x3bc51000 0x5000 0x4000 com.apple.driver.AppleACPIEC (1.0.10) <23 18 17 11>
    25 0 0x3bc59000 0x4000 0x3000 com.apple.driver.AppleSMBIOS (1.0.12) <11>
    26 0 0x3bd4a000 0x4000 0x3000 com.apple.driver.AppleACPIButtons (1.0.10) <21 18 17 6 5 4 3 2>
    27 0 0x3bdea000 0x3000 0x2000 com.apple.driver.AppleACPIPCI (1.0.10) <18 17 16 11>
    28 0 0x3be26000 0x3000 0x2000 com.apple.driver.AppleHPET (1.0.0d1) <17 6 5 4 3>
    29 0 0x3be65000 0x5000 0x4000 com.apple.driver.AppleRTC (1.0.5) <17 5 4 3 2>
    30 1 0x3bea3000 0x3000 0x2000 com.apple.driver.AppleEFIRuntime (1.0.5) <17 6 5 4 3>
    31 10 0x3bfcd000 0x21000 0x20000 com.apple.iokit.IOUSBFamily (2.7.7) <6 5 4 3>
    32 0 0x3c01b000 0xe000 0xd000 com.apple.driver.AppleUSBUHCI (2.7.5) <31 16 5 4 3>
    33 2 0x3c081000 0xd000 0xc000 com.apple.iokit.IOATAFamily (1.7.1f4) <5 4 3 2>
    34 0 0x3c09b000 0x8000 0x7000 com.apple.driver.AppleIntelPIIXATA (1.16) <33 16 11>
    35 2 0x3c0ee000 0x6000 0x5000 com.apple.iokit.IOAHCIFamily (1.0.3) <5 4 3 2>
    36 0 0x3c102000 0x7000 0x6000 com.apple.driver.AppleAHCIPort (1.0.7) <35 16 5 4 3 2>
    37 0 0x3c14e000 0x6000 0x5000 com.apple.driver.AppleEFINVRAM (1.0.5) <30 11 5 4 3>
    38 7 0x3c1a4000 0x16000 0x15000 com.apple.iokit.IOStorageFamily (1.5.1) <6 5 4 3 2>
    40 4 0x3c1e8000 0x16000 0x15000 com.apple.iokit.IONetworkingFamily (1.5.1) <6 5 4 3 2>
    41 0 0x3c28e000 0x12000 0x11000 com.apple.driver.AppleUSBEHCI (2.7.7) <31 16 5 4 3>
    42 0 0x3c315000 0xf000 0xe000 com.apple.iokit.IOAHCIBlockStorage (1.0.7) <38 35 11>
    43 0 0x3c467000 0x3f000 0x3e000 com.apple.iokit.AppleYukon (1.0.12b1) <40 17 16 5 4 3 2>
    44 5 0x3c547000 0x32000 0x31000 com.apple.iokit.IOFireWireFamily (2.6.0) <5 4 3>
    45 0 0x3c5a3000 0x19000 0x18000 com.apple.driver.AppleFWOHCI (2.9.10) <44 16 6 5 4 3>
    46 0 0x3c61f000 0x2000 0x1000 com.apple.iokit.IOUSBUserClient (2.7.6) <31 11>
    47 0 0x3c6c6000 0x9000 0x8000 com.apple.driver.AppleUSBHub (2.7.7) <31 11>
    48 4 0x3c71e000 0x17000 0x16000 com.apple.iokit.IOSCSIArchitectureModelFamily (1.5.5) <11>
    49 0 0x3c756000 0x4000 0x3000 com.apple.iokit.IOATAPIProtocolTransport (1.5.1) <48 33 11>
    51 3 0x3c888000 0x8000 0x7000 com.apple.iokit.IOCDStorageFamily (1.4) <38 5 4 3>
    52 1 0x3c8b0000 0x16000 0x15000 com.apple.iokit.IOSCSIBlockCommandsDevice (1.5.5) <48 38 11>
    53 1 0x3c8d3000 0x5000 0x4000 com.apple.iokit.IODVDStorageFamily (1.4) <51 38 5 4 3>
    54 0 0x3c8f7000 0x12000 0x11000 com.apple.iokit.IOSCSIMultimediaCommandsDevice (1.5.5) <53 52 51 48 38 11>
    56 0 0x3c993000 0x6000 0x5000 com.apple.iokit.SCSITaskUserClient (1.5.5) <48 38 11>
    57 0 0x3c9ef000 0x5000 0x4000 com.apple.driver.XsanFilter (2.7.50) <38 11>
    58 0 0x3ca70000 0x3000 0x2000 com.apple.driver.AppleUSBComposite (2.7.7) <31 11>
    59 0 0x3cad9000 0x2000 0x1000 com.apple.driver.AppleUSBMergeNub (2.7.7) <31 11>
    60 1 0x3cba2000 0x5000 0x4000 com.apple.iokit.IOUSBHIDDriver (2.7.7) <31 21 11>
    62 2 0x421e6000 0x34000 0x33000 com.apple.iokit.IOBluetoothFamily (1.9.5f4) <11>
    63 1 0x42225000 0x5000 0x4000 com.apple.driver.AppleUSBBluetoothHCIController (1.9.5f4) <62 31 11>
    64 0 0x422f0000 0x3000 0x2000 com.apple.driver.CSRUSBBluetoothHCIController (1.9.5f4) <63 62 11>
    65 0 0x3ce53000 0x3000 0x2000 com.apple.driver.AppleLPC (1.2.1) <16 5 4 3>
    66 4 0x3ce5a000 0x1b000 0x1a000 com.apple.iokit.IOGraphicsFamily (1.4.8) <16 6 5 4 3>
    67 3 0x3ce75000 0xf000 0xe000 com.apple.iokit.IONDRVSupport (1.4.8) <66 16 6 5 4 3>
    68 0 0x3ce84000 0x4000 0x3000 com.apple.driver.AppleBacklight (1.4.3) <67 66 16 11 5 4 3>
    69 1 0x3ce88000 0xe000 0xd000 com.apple.driver.IOPlatformPluginFamily (2.7.3d4) <11>
    70 2 0x3ce96000 0x8000 0x7000 com.apple.driver.AppleSMC (1.3.0d1) <17 6 5 4 3>
    71 0 0x3ce9e000 0x9000 0x8000 com.apple.driver.ACPISMCPlatformPlugin (2.7.3d4) <70 69 17 16 11 5 4 3>
    72 2 0x3cea7000 0x5000 0x4000 com.apple.iokit.CHUDKernLib (5) <11 6 2>
    73 0 0x3ceac000 0x7000 0x6000 com.apple.iokit.CHUDUtils (5) <72 11>
    74 2 0x3ceb3000 0xf000 0xe000 com.apple.iokit.IOFireWireAVC (1.9.7) <44 11>
    75 1 0x3cec2000 0x1f000 0x1e000 com.apple.iokit.IO80211Family (163.1) <40 6 5 4 3 2>
    76 0 0x3cee1000 0x123000 0x122000 com.apple.driver.AirPortBrcm43xx (242.46.50) <75 40 16 6 5 4 3 2>
    77 0 0x3d01a000 0x4000 0x3000 com.apple.driver.AppleIRController (76) <60 31 21 11>
    78 2 0x3d020000 0x6000 0x5000 com.apple.iokit.IOHDAFamily (1.3.7a23) <5 4 3 2>
    79 0 0x3d026000 0x7000 0x6000 com.apple.driver.AppleHDAController (1.3.7a23) <78 16 5 4 3 2>
    80 2 0x3d032000 0x1fc000 0x1fb000 com.apple.NVDAResman (4.5.6) <67 66 16 11 5 4 3 2>
    81 0 0x3d22e000 0x1ae000 0x1ad000 com.apple.nvidia.nv40hal (4.5.6) <80 16 11>
    83 0 0x3d3e0000 0xb000 0xa000 com.apple.iokit.CHUDProf (5) <72 11>
    84 1 0x3d3eb000 0x2000 0x1000 com.apple.kext.OSvKernDSPLib (1.0) <5 4>
    85 4 0x3d3ed000 0x17000 0x16000 com.apple.iokit.IOAudioFamily (1.6.0b7) <84 31 11>
    86 1 0x3d404000 0x4e000 0x4d000 com.apple.driver.AppleFWAudio (2.2.0fc9) <85 74 44 11>
    87 0 0x3d452000 0x3000 0x2000 com.apple.driver.AppleMLANAudio (2.2.0fc9) <86 74 44 11>
    89 1 0x3d45b000 0x42000 0x41000 com.apple.driver.DspFuncLib (1.0.0a1) <85 5 4 3 2>
    90 0 0x3d49d000 0x22000 0x21000 com.apple.driver.AppleHDA (1.3.7a23) <89 85 78 5 4 3 2>
    91 0 0x3d4c0000 0x52000 0x51000 com.apple.GeForce (4.5.6) <80 67 66 16 11 5 4 3 2>
    92 0 0x3e513000 0x4000 0x3000 com.apple.driver.AudioIPCDriver (1.0.2) <85 5 4 3 2>
    93 0 0x3f5b9000 0x8000 0x7000 com.apple.iokit.IOFireWireIP (1.5.4) <44 40 6 5 4 3 2>
    94 0 0x3f5c1000 0x3000 0x2000 com.apple.DontSteal_Mac_OSX (6.0.1) <70 6 4 3 2>
    95 1 0x3fb89000 0x9000 0x8000 com.apple.iokit.IOSerialFamily (9.0.0d30) <6 5 4 3 2>
    96 0 0x3fb92000 0x9000 0x8000 com.apple.iokit.IOBluetoothSerialManager (1.9.5f4) <95 11>
    98 0 0x40c0e000 0xa000 0x9000 com.apple.nke.asp_tcp (4.4.4) <6 5 4 3 2>
    99 0 0x40c1c000 0x42000 0x41000 com.apple.filesystems.afpfs (8.1.0) <6 4 3 2>
    109 0 0x55168000 0xb000 0xa000 com.apple.filesystems.msdosfs (1.4.9) <6 5 4 2>
    119 0 0x545d2000 0x5000 0x4000 com.apple.filesystems.cddafs (2.2.4) <51 5 4 3 2>


    Notice how I don't have any non-Apple extensions. Now, suppose someone wanted to install a keylogger kernel extension. Now, it's possible that they might just use their own signature, instead of com.apple.*. But that would be a dead giveaway, so the next thing to do would be to see if maybe one of the extensions links against something nonsensical, like an audio driver linking against a networking library.

    For example, if you look at item 87, which is com.apple.driver.AppleMLANAudio, you'll see that it links against libraries 86, 74, 44, and 11. Look back through the list and you'll see that three of those are audio drivers, and the fourth is a kernel library.

    But then, your keylogger could maybe just log keystrokes and not do the actual uploading: leaving that to another process that doesn't even have to run all the time.

    So, yes, practically speaking, it's really pretty difficult to tell for certain if you have a keylogger installed. One approach some people use is to create a database of the checksums of certain files on a system, then periodically re-check them to see if even one byte has changed. There's a utility called tripwire that I've seen used that does that. If one of these files is changed, you'll get an email with a warning that it's changed. It can't tell you how or why, just that its signature has changed (and the old and new sizes).

    This has been answered before, but just to get your take on it: looking around, I have gotten the impression, perhaps mistaken, that keyloggers can enter PCs via viruses. With no viruses, yet, for Mac is it still true, to your knowledge, keylogging (apart from a physical installation), can only be installed through deliberate downloading and installation with password through "social engineering" cons?


    It would also be possible if you had a vulnerable service turned on. Suppose your computer is connected to the Internet without a firewall and you turn on Remote Login in the Sharing Prefs pane. If you have no password, or a really easy one to guess, someone could log into your computer and install a keylogger without your knowledge. In fact, it's actually pretty likely it could happen. I used to have people "knock on the door" all the time until I switched ssh ports.

    Another popular one these days is that people are exploiting computers with Apple Remote Desktop or Vine Server turned on. These services allow someone to log into and share the desktop on one computer from another. But if you don't have your computer sufficiently secured, there's always a chance someone will find it and try to exploit it.

    So, that's kind of a long-winded way of saying that while the most likely way to get a keylogger is by downloading and installing a piece of software, it is possible that, if you allow any of the sharing services, you open your computer up just a tiny little crack, and no social engineering is needed. But it's probably less likely.

    charlie
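The two kextstat checks Charlie walks through above (look for a bundle id that is not com.apple.*, then resolve what each extension links against) can be scripted. This is an added example, not code from the thread; the sample listing is constructed from a handful of the lines above plus one made-up extension, com.example.hidekeys, that links against the HID and networking families.

```python
import re

# Constructed sample in the format kextstat prints on Tiger: seven lines taken from
# the listing above plus one made-up non-Apple extension (com.example.hidekeys).
SAMPLE = """\
Index Refs Address Size Wired Name (Version) <Linked Against>
11 41 0x0 0x0 0x0 com.apple.kernel.6.0 (7.9.9)
21 3 0x36121000 0x33000 0x32000 com.apple.iokit.IOHIDFamily (1.4.13) <6 5 4 3 2>
40 4 0x3c1e8000 0x16000 0x15000 com.apple.iokit.IONetworkingFamily (1.5.1) <6 5 4 3 2>
44 5 0x3c547000 0x32000 0x31000 com.apple.iokit.IOFireWireFamily (2.6.0) <5 4 3>
74 2 0x3ceb3000 0xf000 0xe000 com.apple.iokit.IOFireWireAVC (1.9.7) <44 11>
86 1 0x3d404000 0x4e000 0x4d000 com.apple.driver.AppleFWAudio (2.2.0fc9) <85 74 44 11>
87 0 0x3d452000 0x3000 0x2000 com.apple.driver.AppleMLANAudio (2.2.0fc9) <86 74 44 11>
120 0 0x41000000 0x5000 0x4000 com.example.hidekeys (1.0) <40 21 11>
"""

# index refs address size wired name (version) [<linked against>]
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+"
                  r"(\S+)\s+\(([^)]*)\)(?:\s+<([\d ]+)>)?\s*$")

def parse_kextstat(text):
    """Map index -> {refs, name, version, links} for every kext line; the header is skipped."""
    kexts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        idx, refs, _addr, _size, _wired, name, ver, links = m.groups()
        kexts[int(idx)] = {"refs": int(refs), "name": name, "version": ver,
                           "links": [int(i) for i in links.split()] if links else []}
    return kexts

def non_apple(kexts):
    """First check: any bundle id that is not com.apple.* is the 'dead giveaway' case."""
    return sorted(k["name"] for k in kexts.values() if not k["name"].startswith("com.apple."))

def dependencies(kexts, index):
    """Second check: resolve <Linked Against> indices to names so a reader can judge
    whether the dependencies make sense for that driver (audio vs. networking, etc.)."""
    return [kexts[i]["name"] if i in kexts else "<index %d not listed>" % i
            for i in kexts[index]["links"]]

if __name__ == "__main__":
    kx = parse_kextstat(SAMPLE)
    print("non-Apple extensions:", non_apple(kx))
    for idx in (87, 120):
        print(idx, kx[idx]["name"], "->", dependencies(kx, idx))
```

On a real machine, feed it `kextstat` output captured to a file; a dependency reported as "not listed" means the index is not in the listing you pasted, which is normal for a partial copy but worth a second look on a full one.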
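The checksum-database approach Charlie mentions (what tripwire does: baseline a set of files, re-check later, report that a file's signature changed along with its old and new sizes) looks like this in a few lines of Python. Added example, not from the thread or from tripwire itself; the file names and contents in demo() are constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Digest and size for each watched file: the tripwire-style database.
    Store the result somewhere the machine being watched cannot quietly rewrite."""
    return {p: {"sha256": file_digest(p), "size": os.path.getsize(p)}
            for p in paths if os.path.isfile(p)}

def compare(baseline, current):
    """(status, path, old_size, new_size) for every difference. Like the warning
    mail Charlie describes, it says only that a file changed, not how or why."""
    report = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            report.append(("removed", p, baseline[p]["size"], None))
        elif p not in baseline:
            report.append(("added", p, None, current[p]["size"]))
        elif baseline[p]["sha256"] != current[p]["sha256"]:
            report.append(("changed", p, baseline[p]["size"], current[p]["size"]))
    return report

def demo():
    """Constructed run: baseline two files, then alter one and add a third."""
    with tempfile.TemporaryDirectory() as d:
        watched, stable, extra = (Path(d, n) for n in ("watched", "stable", "extra"))
        watched.write_bytes(b"original binary")
        stable.write_bytes(b"unchanged")
        saved = json.dumps(build_baseline([str(watched), str(stable)]))  # stored off-box
        watched.write_bytes(b"original binary plus a patch")               # simulated tamper
        extra.write_bytes(b"new")
        current = build_baseline([str(watched), str(stable), str(extra)])
        return [(s, os.path.basename(p), o, n)
                for s, p, o, n in compare(json.loads(saved), current)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```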
  • 9. Re: keylogger detection
    WZZZ Level 6 (12,225 points)
    Charlie, thanks so much for all of that. This ended up being a small tutorial and I'm very grateful you took the time to explain things in such detail.

    I guess there's no simple answer. One can pick the bottom fruit by doing the obvious checking and cross checking (assuming enough technical knowledge for that), but it seems, as you suggest, no relatively sophisticated intruder would make things that simple.

    We've never had any of the sharing options turned on so, at least, that closes out that as a possibility.

    It becomes easier, as time goes by and so many, even necessary, things are done now over the internet, to lose control over all of this private information.