Does my Macbook have malware?

I'm seeing unknown devices in my install log when in recovery mode. It switches from localhost to Macbook Pro to Stacies-iPhone. I don't know a Stacie?


The transition in the log file that has me worried...

....
Jul 29 21:49:06 MacBook-Pro Installer Progress[192]: Ordering windows front
Jul 29 21:49:06 MacBook-Pro Language Chooser[419]: Mac is connected to power, not shutting down
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:09 Stacies-iPhone opendirectoryd[196]: [session] UID: 205, EUID: 205, GID: 205, EGID: 205, PID: 201, PROC: locationd ODNodeCreateWithNameAndOptions request, SessionID: 00000000-0000-0000-0000-000000000000, Name: /Search, Options: 0x0
Jul 29 21:49:09 Stacies-iPhone opendirectoryd[196]: [session] ODNodeCreateWithNameAndOptions failed with result 2000
Jul 29 21:49:10 Stacies-iPhone opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:10 Stacies-iPhone Language Chooser[419]: LCA: most frequent language: en

MacBook Pro 16″

Posted on Aug 2, 2023 4:16 PM


Aug 6, 2023 2:10 PM in response to dr_storm

dr_storm wrote:

I guess if my computer was chatting with some nearby network device named Stacies-iPhone, that device must have followed me around. For I saw the same log messages in separate recovery restarts in two locations separated by 30 miles.

Not necessarily. Those network names are cached. If you had ever encountered Stacies-iPhone with a certain IP address, then your computer would always assume that said IP address was Stacies-iPhone until it decided to renew its cache. Erasing your hard drive is one way to reset the cache. There are easier ways. The easiest method is to just ignore it.
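A small triage script, added here and not from anyone in the thread, that reads install.log-style lines (constructed below to mirror the ones quoted in the question) and reports two things: where the host field changes and what the preceding message was, and which process/PID pairs are logged under more than one host name. A process such as opendirectoryd[196] appearing under both names is the same process on the same machine, which fits the cached-name explanation rather than a second device writing into the log.

```python
import re
from collections import defaultdict

# Syslog-style install.log line: "<Mon DD HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample, modelled on the lines quoted in the original post.
SAMPLE_LOG = """\
Jul 29 21:49:06 MacBook-Pro Installer Progress[192]: Ordering windows front
Jul 29 21:49:06 MacBook-Pro Language Chooser[419]: Mac is connected to power, not shutting down
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:09 Stacies-iPhone opendirectoryd[196]: [session] ODNodeCreateWithNameAndOptions failed with result 2000
Jul 29 21:49:10 Stacies-iPhone opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:10 Stacies-iPhone Language Chooser[419]: LCA: most frequent language: en
"""


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hostname_transitions(text):
    """One record per change of the host field: (line_no, old_host, new_host, last_msg_before)."""
    out, prev_host, prev_msg = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        if prev_host is not None and rec["host"] != prev_host:
            out.append((no, prev_host, rec["host"], prev_msg))
        prev_host, prev_msg = rec["host"], rec["msg"]
    return out


def pids_spanning_hosts(text):
    """Map (process, pid) -> sorted host names it was logged under, for pairs seen under more than one."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec["proc"], rec["pid"])].add(rec["host"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for no, old, new, before in hostname_transitions(SAMPLE_LOG):
        print(f"line {no}: {old} -> {new}; preceded by: {before}")
    for (proc, pid), hosts in pids_spanning_hosts(SAMPLE_LOG).items():
        print(f"{proc}[{pid}] logged under {hosts}")
```

Run it against a real install.log exported from the Mac; a host change immediately after a "network change notification" from the same PIDs is the pattern the thread describes.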

Aug 2, 2023 6:11 PM in response to dr_storm

dr_storm wrote:

Does my Macbook have malware?

No.


Don't look at the install log in recovery mode.


Even if your Mac were chock-full of malware, there is no possible way that the malware would show up in recovery. So there is some other explanation. Don't worry about it. Use default settings. Any changes from defaults, and any 3rd party "security" software you install will only reduce your security.

Aug 2, 2023 6:07 PM in response to dr_storm

dr_storm wrote:

I'm seeing unknown devices in my install log when in recovery mode. It switches from localhost to Macbook Pro to Stacies-iPhone. I don't know a Stacie?

The transition in the log file that has me worried...
....
Jul 29 21:49:06 MacBook-Pro Installer Progress[192]: Ordering windows front
Jul 29 21:49:06 MacBook-Pro Language Chooser[419]: Mac is connected to power, not shutting down
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Service connection invalidated!
Jul 29 21:49:06 MacBook-Pro mobileassetd[417]: SUPreferenceManager: Connection proxy failure with error:Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process." UserInfo={NSDebugDescription=The connection to service named com.apple.softwareupdated was invalidated: failed at lookup with error 3 - No such process.}
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:08 MacBook-Pro opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:09 Stacies-iPhone opendirectoryd[196]: [session] UID: 205, EUID: 205, GID: 205, EGID: 205, PID: 201, PROC: locationd ODNodeCreateWithNameAndOptions request, SessionID: 00000000-0000-0000-0000-000000000000, Name: /Search, Options: 0x0
Jul 29 21:49:09 Stacies-iPhone opendirectoryd[196]: [session] ODNodeCreateWithNameAndOptions failed with result 2000
Jul 29 21:49:10 Stacies-iPhone opendirectoryd[196]: [session] Received a network change notification
Jul 29 21:49:10 Stacies-iPhone Language Chooser[419]: LCA: most frequent language: en



old issue, new issue, what changed?


Why are you in Recovery mode?


Is this a new Mac?


Is this Mac managed or bound to some Enterprise, JAMF, MDM, active directory list (?)


Do you see a Profile in

>System Settings>Privacy & Security>Profiles


Intro to mobile device management profiles - Apple Support



Use configuration profiles to standardize settings on Mac ...



Aug 5, 2023 2:39 PM in response to dr_storm

dr_storm wrote:

Any relation to Etrecheck?

Maybe a little bit. 😄

Maybe malware is a misnomer. I was thinking more of an 'Evil Maid' type of boot sector/sequence attack.

Malware would be better. At least malware exists.

Doesn't it seem strange to have the installer go from localhost to Macbook Pro to Stacies-iPhone? There is likely a good explanation but I'm at a loss what it might be given the evidence and would be shocked if it's not nefarious.

Nope. Devices are always chatting with each other for all kinds of reasons. Pretty much all networking logic was designed 40-50 years ago and has been patched many times over to try to function in the modern world. It's absolutely not nefarious. It's a miracle that it still works at all.


Aug 6, 2023 6:33 PM in response to dr_storm

dr_storm wrote:

Are you saying that my computer connected to a LAN host named Stacies-iPhone at some point and since then DHCP assigned me that same address?

I have no idea. You seem to have some kind of unusual network setup. Take everything I've said so far, and multiply it by 100.


The only thing I can tell you more is that malware is most definitely never "hidden" anywhere. Malware is very visible and obvious. It is extremely unusual for malware to even attempt to pretend to be anything else. It is absolutely trivial to find, see, and remove. It has absolutely nothing to do with what you are looking at.

Aug 5, 2023 1:02 PM in response to leroydouglas

Thank you @leroydouglas for replying! Apologies for the delayed response...the moderator kept blocking my posts without explanation so I didn't know this dumbed down version actually got through.


Quick answers:

  1. It's a 2019 Macbook Pro bought new by me.
  2. It's not managed as it's my personal device with no profiles listed under Profiles.
  3. Nothing changed beyond a failed update (see below) so I don't know the vintage of the 'issue'. The presence of "Sophies-iPhone" was under the radar so it wasn't an 'issue' per se. Sadly, time machine doesn't back up logs so I don't know when this started (whatever this is?!). Could you recommend any files that might hold a clue?
    1. The only anecdotal evidence I have that something may've been off is that a) I would temporarily lose control of my mouse cursor every once in a while for a few seconds and b) colleagues on slack that are 12 hours ahead reported seeing me online at weird hours.



WRT recovery mode and what changed: My original post included much more information but got blocked because b8a software-related questions are not allowed it seems. The only reason I stumbled upon this is because a v4 install got hung up a 1/3 of the way after login despite many attempts to fix. To diagnose the problem I turned to recovery mode and looked for answers in install.log. That is when I saw "Stacies-iPhone". I can post the install.log in its entirety if that would help.


The 'issue' persisted even when reinstalling an earlier OS. It only went away after resetting NVRAM and SMC and erasing the entire disk and doing an internet reinstall of Ventura and then upgrading from there. Thankfully pulling all my files over from time machine was okay too.


Any ideas of how to dig for clues or thoughts on what this might be would be most appreciated.


Aug 5, 2023 1:19 PM in response to etresoft

Thank you for your input @etresoft! Any relation to Etrecheck?


Maybe malware is a misnomer. I was thinking more of an 'Evil Maid' type of boot sector/sequence attack.

Doesn't it seem strange to have the installer go from localhost to Macbook Pro to Stacies-iPhone? There is likely a good explanation but I'm at a loss what it might be given the evidence and would be shocked if it's not nefarious.


I second your take on 3rd party 'security' software. Although the tools from objective-see seem worth entertaining. I've also heard good things about Etrecheck ;).

Aug 6, 2023 1:25 PM in response to etresoft


etresoft wrote:


dr_storm wrote:

Any relation to Etrecheck?
Maybe a little bit. 😄
Maybe malware is a misnomer. I was thinking more of an 'Evil Maid' type of boot sector/sequence attack.
Malware would be better. At least malware exists.
Doesn't it seem strange to have the installer go from localhost to Macbook Pro to Stacies-iPhone? There is likely a good explanation but I'm at a loss what it might be given the evidence and would be shocked if it's not nefarious.
Nope. Devices are always chatting with each other for all kinds of reasons. Pretty much all networking logic was designed 40-50 years ago and has been patched many times over to try to function in the modern world. It's absolutely not nefarious. It's a miracle that it still works at all.

Amen to that...it's a big ball of mud or the ultimate Rube Goldberg machine as we used to say when I was CTO.


I hear ya about network chatter but that explanation doesn't quite ring true. I guess if my computer was chatting with some nearby network device named Stacies-iPhone, that device must have followed me around. For I saw the same log messages in separate recovery restarts in two locations separated by 30 miles. Also, after wiping the disk and starting over it didn't come back. Doesn't that suggest another explanation might be at play or how might you explain what I saw?

Aug 6, 2023 5:05 PM in response to etresoft

Understood but what do you mean 'encountered Stacies-iPhone with a certain IP address'? You are right, my computer and Stacies-iPhone share the same IP. Are you saying that my computer connected to a LAN host named Stacies-iPhone at some point and since then DHCP assigned me that same address?

% dscacheutil -q host -a name Stacies-iPhone
name: stacies-iphone.localdomain
ip_address: *********

% dscacheutil -q host -a name Macbook-Pro  
name: macbook-pro.localdomain
ip_address: **********

[Edited by Moderator]


