Short version: This all started because I noticed an 'allow' rule in my software firewall allowing connections to the SSH port from a single IP in China, which is on a number of "banned hacker IP" lists.
Long version:
First, regarding the install of Yosemite, you'll probably need more space in order to do anything meaningful with it. OS X gets cranky without enough free disk space to play with. A small portable hard drive would probably be a better choice than a flash drive.
So far, it's working OK with a 32 GB card (obscenely slow, as expected).
As to the necessity of doing this, though... there really is none. There's no currently known malware capable of infecting Yosemite, and the last new Mac malware appeared back in November. Nothing new since then.
My original question was boiled down to the core issue I was trying to solve (building a USB boot device with 10.10, which I'm doing on a 2008 MacBook running 10.10.2), but the actual laptop I'm concerned about is a 2011 MacBook Air running 10.9.5 (and, to be honest, even the security updates take way too long for me to install, because having to reboot incurs a massive personal performance hit as I have to reopen everything I was working on (aka a bunch of terminal and "screen" (the terminal multiplexer, like tmux) sessions)).
Quick preface to the event that made me nervous: I'm using an outbound firewall on all my Macs called LittleSnitch (technically, it handles both directions, but its raison d'être is that it's a firewall that allows you to set rules on a per-program basis instead of per-host. For example, I can allow any of the OS X core software (e.g. apsd, assistantd, etc.) to talk to anything in the apple.com domain, and block other programs from doing so). This allows me to see what software is trying to connect where outside of my laptop (because it pops up an allow/deny alert when something occurs that doesn't match an existing rule).
This is useful because while I do outbound filtering of most ports on the firewall between my LAN and the internet, I leave 80 and 443 (and a few others) wide open because I have no choice. I'm concerned about any virus/trojan using 80/443 to call home, so LittleSnitch allows me both to watch for that and to restrict those ports to my browsers. So I'll get an alert if j.random.program tries to hit somedomain:80, which is great as long as said virus/trojan doesn't burrow into my browser and use the browser to make outbound connections.
But here's the event that really bothered me: I have LittleSnitch set up to auto-block any connection attempt made if I don't acknowledge it within 3 minutes. I recently noticed in my "unapproved rules" section (aka rules that have hit this 3 min limit and used my default block rule) that there was an 'allow' rule. Also, it was for an incoming port (also odd). The target port is 22, and it allows a single IP address. Of all my computers, this is the only one not running sshd, so the rule itself didn't have a negative effect on my security, but it raises a number of troubling questions:
- How was it added?
- Why is it marked 'allow'?
I suppose I should point out that the single IP this rule allows is in China, and if you google that IP, it shows up on a number of "banned hacker IP" lists (including abuseipdb.com). I should also mention that I've never been to China, nor do I work with anyone in China, so I can't find a legitimate reason for this rule to exist.
At best, it's "possible" that, while attending a Unix conference AND while my laptop was booting (the other way a rule will make it into the 'unacknowledged' section: if it occurs before you've logged in, so it can't show an alert), my laptop was port scanned by said IP. The problem is that there's a lot of unlikeliness here, and it STILL should have shown up as a 'deny' rule instead of an 'allow'.
Finally, it's important to understand that if you did happen to get infected with something, anti-virus software will not be a cure. In the case of real malware, in most cases, an infection means you'd better erase the hard drive and reinstall everything from scratch, or restore from a prior backup. You should never let anti-virus software "remove" the malware and assume that's good enough. It might be, but there could be an awful lot riding on that "might."
Which is the core problem. On one hand, I do have backups of this laptop, but I can't point to a specific date when this may have occurred. Also, they're Time Machine backups to a local NAS which is always on, so one assumes that if the laptop is infected, it's possible that said infection has added itself to any/all checkpoint Time Machine backups as well. Speaking of the NAS, I have two NAS devices, but their only backup is that each one contains two disks in a RAID 1 configuration, so even if I restore the laptop from the Time Machine backups, there's potential that the NAS also contains the infection (though I also suppose that everything outside of Time Machine on both NAS devices is purely data, so barring software bugs that allow a machine to be infected by reading an infected jpg/nef/(ad nauseam video formats) file, the chance of infection of those is probably lower than I had originally anticipated).
I suppose this is very much a never ending rabbit hole of paranoia.
At this point, I really just want something to verify that I'm not crazy and there is indeed "something" bad that has gotten into that machine or provide me some small peace of mind by giving an all clear.
Aside from anti-virus and malware scanning, the only other method I've been able to come up with is letting the laptop sit and logging all traffic between it and the internet on the border firewall with tcpdump. I'm not generating any traffic from that laptop on my own, which should make sifting through it easier but may also reduce the amount of callbacks it's making to "home base", etc. I'm expecting software update, apsd and the like to be making calls to Apple, ntpd and a few other programs making their own software update checks, and either some connections that I can't account for, or everything looking on the up and up.
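The sifting step described above, as an added example that is not part of the original post: it parses `tcpdump -nn` text lines captured on the border firewall, counts new outbound connections from the laptop per destination, and flags the ones outside the networks a quiet Mac is expected to talk to. The laptop address, the sample lines and the expected-network list are assumptions, not from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` output as seen on the border firewall;
# 192.168.1.50 is the hypothetical laptop address (an assumption, not from the post).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.1.50.49152 > 17.253.1.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 17.253.1.10.443 > 192.168.1.50.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000001 IP 192.168.1.50.123 > 17.253.14.253.123: NTPv4, Client, length 48
12:00:09.000001 IP 192.168.1.50.49200 > 17.172.224.47.443: Flags [S], seq 3, win 65535, length 0
12:01:30.000001 IP 192.168.1.50.49321 > 203.0.113.77.80: Flags [S], seq 4, win 65535, length 0
12:01:31.000001 IP 192.168.1.50.49321 > 203.0.113.77.80: Flags [S], seq 4, win 65535, length 0
12:02:00.000001 IP 192.168.1.50.49400 > 17.253.1.10.443: Flags [S], seq 5, win 65535, length 0
"""

# Where a quiet Mac is expected to call: Apple's 17.0.0.0/8 (apsd, software update, time.apple.com).
EXPECTED_NETS = [ipaddress.ip_network("17.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def summarize_outbound(capture, laptop_ip, expected_nets=EXPECTED_NETS):
    """Group new outbound connections (TCP SYNs and UDP/NTP datagrams) by (dst, port)."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "expected": False})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != laptop_ip:
            continue                      # replies and other hosts are ignored
        rest = m["rest"]
        is_syn = rest.startswith("Flags [S],")   # "Flags [S.]" would be a SYN-ACK reply
        is_udp = "UDP" in rest or "NTP" in rest
        if not (is_syn or is_udp):
            continue                      # mid-stream packets are not new connections
        entry = seen[(m["dst"], int(m["dport"]))]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["expected"] = any(ipaddress.ip_address(m["dst"]) in net for net in expected_nets)
    return dict(seen)


def unexpected_destinations(capture, laptop_ip, expected_nets=EXPECTED_NETS):
    """(dst, port) pairs outside the expected networks: the ones worth investigating."""
    summary = summarize_outbound(capture, laptop_ip, expected_nets)
    return sorted(k for k, v in summary.items() if not v["expected"])
```

Repeated SYNs to the same unexpected destination at regular intervals are the pattern to look for; the timestamps kept per destination make that interval visible.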
I should also point out that I do not engage in any "at-risk behavior" (installing random (or worse, illegal/stolen) software, installing "browser bar" plugins). In fact, I've set up the browser to disable plugins by default and only run them when I specifically request it (visible elements are replaced by the gray 'plugin missing' box, but will load/run said plugin (aka Flash) if clicked), so I've done my best to limit attack vectors, but this tweak to the software firewall is disconcerting (especially because LS also does its best to watch for/avoid such things).
All of this suggests either a very sophisticated attack or I missed something and am being overly paranoid.
If you do decide to install anti-virus software in a clean system on an external drive, the only one that I would recommend using at this time is ClamXav.
I was surprised by this since I'd have thought a scanner that does "on-access" type scanning would be better for this purpose (i.e., I don't want to go through all the trouble of setting up this recovery boot system only to have it infected after an external disk that I'd like to scan is mounted: you mount a disk to scan, and before you start the scanning process (or before it reaches an infected file) something silly happens, like Spotlight or Finder reads the file and the infected file uses some bug in one or the other to infect the supposedly clean boot stick).
I.e., as far as I can tell, ClamXav doesn't have on-access scanning, so there is a slim chance of something bad happening prior to executing the scan (especially given how slow everything is running because I'm running all of this off a USB device).
In any case, thank you all for your help.