The boss' iPad, iMac, and iPhone
I'll try to keep this brief. It looks like one of my boss' personal Mac devices, iPad/iMac/iPhone, is infected with something. He receives tons of delivery failure notifications every day for e-mail that he did not send. I've verified that these e-mails are not being relayed through our Exchange server, but the reply-to address is his company address. I've used Wireshark to verify that the e-mails are coming from his home network.

I took a laptop with a fresh Fedora install and a switch to his house. His network topology was iMac/iPad/iPhone -> Wireless router -> Cable Modem. Now it is iMac/iPad/iPhone -> Wireless router -> Cisco switch -> Cable modem. On the switch, I mirrored the port connected to the wireless router through another port to the laptop's NIC. Then I started Wireshark and left. The next day, I picked up the laptop and switch and took them to work, where I had a look at the Wireshark log file. Even while everyone in the house was asleep, there was SMTP traffic. It was nonstop, all night. One or all of these devices seem to be participating in a mass mailing botnet.

Also, every morning when he wakes up, the username and password that both his iMac and iPad pass to the Exchange server have been changed. This results in his Active Directory account being locked every morning until he changes the password back. I find failed logon attempts in the Exchange server's security log that are coming from his home IP address. Please note that the credentials on his Apple devices are the only ones that change. His password does not get changed on the server and, as long as his account is not locked, his Windows machine at work continues to authenticate and retrieve mail without issue.

So, I am just about 1000% sure that the problem is the Apple products, but my posts elsewhere have been met with answers like "iOS/OS X can't be hacked", "Macs don't get viruses", and the best yet, "It's your Windows servers".
I don't quite understand responses like this, as the testing I've done points to only my CEO's personal Apple devices. I'm new to dealing with anything made by Apple. My ex-wife had iPods and a MacBook, but I pretty much stayed away from those. I'd just like to know what can be done. He tells me that he reset his iPad through iTunes and that he reset his iMac, but I don't know what this reset actually does, and I already have my hands full working on company-owned software/hardware. It seems that the resets he's performed did not remove the infection, so I'm wondering what my next step is. Does the hard drive need to be formatted and the OS reinstalled? Is this something that I should do myself, or would I risk voiding his warranty? Should I advise him to take his Apple products to an Apple store, or maybe mail them to Apple?
iPad, iOS 4.3.3
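The capture described in the post (a mirrored port feeding Wireshark, then looking for overnight SMTP traffic) can be reduced to a simple per-host check: which internal devices open outbound mail connections, to how many distinct mail servers, and at what hours. The script below is an added example and is not part of the original post or the poster's own tooling. It assumes the home LAN is 192.168.1.0/24, that a host talking to five or more distinct external mail servers is suspicious (a normal mail client talks to one or two), and it runs on constructed flow records in the shape you would get from a tshark field export of the capture. Note that this identifies the sending host only; with a NAT router in front of the switch you would still need to mirror on the LAN side, as the poster did, to see per-device addresses.

```python
"""
Flag hosts on a home LAN that behave like spam bots: many outbound SMTP
connections to many distinct external mail servers, including overnight.
Input is a list of flow records "YYYY-MM-DD HH:MM:SS src dst dport", the
kind of line you can produce from a capture with
  tshark -r capture.pcap -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport
The sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home subnet (example assumption)
SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS and mail submission
MIN_DISTINCT_MTAS = 5                # assumed threshold for "too many mail servers"

# Constructed sample flows. 192.168.1.10 sprays port 25 at many MTAs overnight
# (bot-like); 192.168.1.11 submits mail to one server in the morning (normal);
# 192.168.1.12 only fetches mail over IMAPS and should be ignored entirely.
SAMPLE_FLOWS = """\
2011-06-10 02:14:07 192.168.1.10 203.0.113.5 25
2011-06-10 02:14:09 192.168.1.10 198.51.100.7 25
2011-06-10 02:14:12 192.168.1.10 192.0.2.44 25
2011-06-10 03:40:51 192.168.1.10 203.0.113.80 25
2011-06-10 03:41:02 192.168.1.10 198.51.100.130 25
2011-06-10 04:05:33 192.168.1.10 192.0.2.201 25
2011-06-10 08:15:00 192.168.1.11 203.0.113.25 587
2011-06-10 08:16:10 192.168.1.11 203.0.113.25 587
2011-06-10 09:02:00 192.168.1.12 203.0.113.9 993
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(f"{date} {time}"),
                      ip_address(src), ip_address(dst), int(dport)))
    return flows


def summarize_smtp(flows):
    """Per internal host: outbound SMTP connection count, distinct
    destination servers, and how many connections fell between 23:00 and 06:00."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set(), "overnight": 0})
    for ts, src, dst, dport in flows:
        # only LAN -> Internet traffic on mail ports is of interest
        if dport not in SMTP_PORTS or src not in LAN or dst in LAN:
            continue
        entry = stats[str(src)]
        entry["connections"] += 1
        entry["destinations"].add(str(dst))
        if ts.hour >= 23 or ts.hour < 6:
            entry["overnight"] += 1
    return dict(stats)


def suspected_bots(flows, min_distinct=MIN_DISTINCT_MTAS):
    """Return internal hosts that contacted at least `min_distinct` distinct
    external mail servers, sorted by address."""
    stats = summarize_smtp(flows)
    return sorted(host for host, s in stats.items()
                  if len(s["destinations"]) >= min_distinct)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, s in summarize_smtp(flows).items():
        print(f"{host}: {s['connections']} SMTP connections, "
              f"{len(s['destinations'])} distinct servers, {s['overnight']} overnight")
    print("suspected bots:", suspected_bots(flows))
```

The distinct-destination count is the useful signal here: a real mail client, like the one on 192.168.1.11, repeatedly submits to a single server on 587, whereas a spam bot delivers directly to the recipients' MX hosts on port 25 and therefore touches a new server for almost every message. Once the sending device is identified, the same capture also shows whether it is the device whose Exchange credentials keep changing, which is the second symptom in the post.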