
Spyware, Malware, Hack?

Am new to Apple Discussions. Recently reviewed log files in my anti-virus program and discovered multiple communications from my computer to servers known to be associated with malware.


Nothing found by Malwarebytes.


Started to block these addresses, and my anti-virus program crashed. Immediately disconnected from the internet and backed up log files. It appears, but am not sure, that there was some attempt to shut down logging functions.


Does anyone know of any forensic evidence I can or should seek to preserve before I do a wipe and reinstall?

MacBook, OS X El Capitan (10.11.1)

Posted on Nov 29, 2015 8:27 PM


Nov 29, 2015 10:05 PM in response to CreativeLeadership

All so-called "anti-virus" and "anti-malware" software is at best useless and should be removed. It's worse than the imaginary "viruses" would be if they really existed, which they don't.


If you suspect for other, legitimate reasons that you've been the victim of a computer crime, and you intend to take legal action, you need the services of an expert in forensic computing.

Nov 30, 2015 7:30 AM in response to CreativeLeadership

Hello CreativeLeadership,

I'm skeptical about your anti-virus software. All too often here on Apple Support Communities, I see people who are running anti-virus software while being infected with adware. I would need to see the exact criteria that it uses for "servers known to be associated with malware". Internet servers are bulk commodities and any particular server may host all kinds of services, from government sites to malware. There are an awful lot of scams and an awful lot of misinformation being spread these days.


At this time, the only effective, reliable, and recommended 3rd party security software is MalwareBytes for Mac. It should not be removed.


If you are concerned about what software is running in the background on your machine, I wrote a little diagnostic program to show it to you. Download EtreCheck from http://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID. it will list all of the software running on your machine, both good and bad. If there is something that might explain connections to "servers known to be associated with malware", it may show it.



Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

Nov 30, 2015 8:12 AM in response to Linc Davis

Linc, this is helpful, thank you. Am less worried about virus than spyware, trojans or hacks. I do need an application that logs incoming and outgoing traffic. I've used Norton, but see references here to "little snitch."


I have worked for the government, and worked overseas. The Norton software did detect and quarantine a trojan last year. At this point, am specifically interested in how to identify spyware rather than adware. I did a safe install, and have done a spreadsheet that compares this with a normal install. There are several "mdworker" running. Are these a signature or source of possible malicious activity? I run MS office, and a browser, and norton, and not a lot of other software.


I was notified a few weeks ago that my government data was part of the OPM hack. I did a thorough scrub of my Norton Log files. In October I was on a commercial hotel network, and the Norton software blocked an ARP Cache Poison attempt. The same attempt was made on my home network in November. I then began to block outgoing traffic to IP associated with malware based on a review of ThreatCrowd and similar sites.


It was while blocking IP addresses that Norton crashed. This may be evidence of a hack or attack using a "crypter." Have been offline for several days. When I logged on last night using a cable rather than wifi connection, there were two attempts to telnet into my computer from IP addresses in China.


Do you know anyone who would find value in the forensic data? Am sure I will find many who will do this for a fee, but if there is no value in the data, will just wipe the drive. Thanks again for your help.

Nov 30, 2015 8:37 AM in response to etresoft

Thank you for your reply. This is helpful. My anti-virus software to this point was Norton, which seemed to provide useful functionality. I note, however, that their OS was hacked in 2006, and am looking for alternate solutions. I've seen several references to "littlesnitch" here. Can you comment on its utility?


I spoke with the Norton call center in India. Since that call, and a reload of their software, a Norton SymDaemon has been consuming inordinate CPU %. Not sure if this is related to compatibility with the El Capitan OS, or something else. It appears that when offline, Norton tries to link to the internet.


Can a Unix executable file be modified? Have seen discussion here and elsewhere on the "netbiosd" unix executable file and its association with outgoing communications. If, as I assume a hacker could, a unix file can be modified, I'd like to compare what is on my computer with a "clean" file.


How can I detect a keystroke logger and similar spyware on a Mac?


I tried to download etresoft, but there was a problem downloading. Please also see my response to Linc. Thank you again for your help.

Nov 30, 2015 9:18 AM in response to CreativeLeadership

Hello again CreativeLeadership,

Little Snitch seems to have a bad reputation here on Apple Support Communities and I think that is undeserved. I used to use Little Snitch years ago but got busy with development activities and beta versions and stopped using it. But that was because I was too busy, not because of any fault in Little Snitch. But Little Snitch only monitors outgoing connections - apps "phoning home" so to speak. My official opinion at this point is that it would be very difficult to differentiate legitimate outgoing activity from malicious activity. It is better to just keep your operating system up to date, keep Gatekeeper turned on, and be very cautious whenever software asks for your password. A safe approach is to always refuse to provide your password when first prompted out of the blue. Then investigate the software or feature yourself. If you get a password prompt from an action you initiated on purpose, then it should be OK.


I used to be a government contractor myself. I'm certain that my OPM data was hacked too. But I'm not one of the lucky few who have been notified. Considering that I've moved to Canada since then, I may never be notified. But when I did do government work I had to use Symantec Endpoint Protection on my Mac, which was, at the time, the top-of-the-line corporate version of Norton. I have to say, I was not impressed. Symantec always seemed to lag on supporting Apple's OS versions. While Apple is super-secretive, they do give out advance warnings of new operating system releases (not to mention beta copies for developers). How can Symantec respond to zero-day malware threats when they have such trouble with six-month warnings from the world's biggest corporation?


OS X 10.11 "El Capitan" includes System Integrity Protection. That should prevent many, but not all, executables from being modified. Of course, there are always ways around such things. What exactly was the problem downloading EtreCheck? One of the new features of EtreCheck is that it automatically verifies the digital signatures of any Apple tasks or, more importantly, any task that claims to be an Apple task. As far as I know, EtreCheck is the first app to systematically verify these signatures. I should warn you though that Apple doesn't sign everything and some of the Apple signatures are invalid. By default, EtreCheck hides these failures. EtreCheck is the closest thing available to comparing your system with a "clean" system.


There are some other tools you might find helpful too. You already know about MalwareBytes and hopefully haven't removed it. MalwareBytes was written by a former member of Apple Support Communities who went on to bigger and better things. DetectX (http://sqwarq.com/detectx/), written by another former member of Apple Support Communities, isn't quite as good at adware as MalwareBytes, but it might do a better job of checking for other "grey area" software like scam-ware and key loggers.


The sad thing is that dealing with scammers and hackers online is just part of the new normal for Mac users. We are going to have to get used to it. I am hoping that 3rd party anti-virus and anti-malware tools will improve their Mac products. For years all they did was scan your e-mail for harmless Windows malware. Maybe now that MalwareBytes is doing such a good job, they will step up their game and we can all benefit from honest competition in the anti-malware market.


At this point however, Norton crashing isn't evidence of anything other than a bug in Norton. It is always better to connect to the internet from a hardware NAT (Network address translation) routing device like a WiFi router. But if you are directly connected to the internet, you should expect hacking attempts. As long as you don't have any sharing services turned on, you should be safe. Don't rely on the firewall. It is just a marketing gimmick. By default, it allows external connections to sharing services.

Nov 30, 2015 10:45 AM in response to CreativeLeadership

Do you know anyone who would find value in the forensic data?

If you're asking for a specific referral, I don't have one. In general terms, a forensic IT expert.

if there is no value in the data, will just wipe the drive.

That's rarely necessary, but it is the only way you can be sure the machine is safe to use. A compromised machine can't be trusted to detect its own compromise, so running any kind of software for that purpose on the suspect machine is obviously pointless. If the software tells you that nothing is wrong, you still don't know. If it tells you something is wrong, the alarm may be false, as in the case of Norton telling you that harmless Windows malware attachments in email are malware infections.


The usual way of being infected with malware is to run unknown applications just because some stranger on a website asks you to.

Dec 5, 2015 2:06 PM in response to Linc Davis

Linc, Why do you believe anti-virus and anti-malware software is useless? What has appeared most useful from Norton is the firewall utility, but this seems to come with degraded performance resulting from the "SymDaemon" and other AV features. What are the threats to security on a Mac, and what reasonable measures do you recommend?


As part of my education in security risks, am told that many routers are at risk, and that a hack of a router can compromise personal information and security. Am still researching what appears to have been a hack on my computer.

Dec 5, 2015 3:02 PM in response to etresoft

etresoft,


Doing a detailed scrub of log files. At the time Norton crashed and I disconnected from internet and backed up log files, saw log messages suggesting some attempt was made to turn off logging functions. Saw this in "asl" files. Was told years ago that deleting log files is a common tactic to cover the tracks of a hacker. I am not familiar enough with Apple Log Files to know what is normal and what is not.


A symptom or indicator of a possible hack is that several days before I was notified my government information was compromised, my Mac's sound went out - the sound icon "grayed out" and could not be accessed. Then it came back on again a few days later. In reviewing log files I saved, I am seeing activity indicating processes accessing my sound files.


Have been told our router may be the source of a hack, as noted in my message to Linc Davis. I was overseas several years ago, and the family switched out the router. On my return I took preventive measures, but the "default" password may have been in place while I was gone.


Ran your tool. Significant memory usage by the AV program. As noted to Linc Davis, am most interested in the tracking of outgoing traffic through the firewall part of Norton. Hence my interest in "little snitch" if this is a better solution. Am also looking into OpenDNS as a protective measure superior to AV software.


Here are some results from etresoft:

Dec 5, 2015 3:05 PM in response to CreativeLeadership

Kernel Extensions: (What does this mean?)

/Library/Extensions

[loaded] com.symantec.nfm.kext (7.0.1f124 - SDK 10.9) [Click for support]

/System/Library/Extensions

[loaded] com.symantec.internetSecurity.kext (7.0f124 - SDK 10.8) [Click for support]

[loaded] com.symantec.ips.kext (7.0f124 - SDK 10.8) [Click for support]


Launch Agents: (What does this mean?)

[loaded] com.google.keystone.agent.plist [Click for support]

[failed] com.symantec.errorreporter-periodicagent.NFM.plist [Click for support]

[running] com.symantec.uiagent.application.NFM.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.google.keystone.daemon.plist [Click for support]

[loaded] com.malwarebytes.MBAMHelperTool.plist [Click for support]

[loaded] com.symantec.SymLUHelper.NFM.plist [Click for support]

[loaded] com.symantec.UninstallerToolHelper.NFM.plist [Click for support]

[loaded] com.symantec.deepsight-extractor.NFM.plist [Click for support]

[loaded] com.symantec.errorreporter-periodic.NFM.plist [Click for support]

[loaded] com.symantec.liveupdate.daemon.NFM.plist [Click for support]

[running] com.symantec.nfm.wps.plist [Click for support]

[running] com.symantec.sharedsettings.NFM.plist [Click for support]

[running] com.symantec.symdaemon.NFM.plist [Click for support]


User Launch Agents: (What does this mean?)

[loaded] com.adobe.ARM.[...].plist [Click for support]

[loaded] com.adobe.ARM.[...].plist [Click for support]


Top Processes by CPU: (What does this mean?)

6% WindowServer

3% ps

2% kernel_task

0% SystemUIServer

0% fontd


Top Processes by Memory: (What does this mean?)

382 MB kernel_task

311 MB firefox

295 MB mdworker(8)

266 MB SymDaemon

86 MB Norton Security


Significant usage by the AV software. Uncertain if the failure of Norton error reporting is a known Norton error, or could be an indicator of use of a "crypter" to bypass the software.


Running almost no SW at time of report - OS, Browser, Adobe Reader, and Norton.


Uncertain if the use by the mdworker is normal.

Dec 5, 2015 3:38 PM in response to CreativeLeadership

Hello again CreativeLeadership,

Don't worry about the sound icon. I'm sure that is some random bug in the operating system. That is something else that Mac users need to get used to. Modern versions of OS X are riddled with bugs.


You have given some hints of things that you think might be hacks, but no real substantive information to go on. Regarding Norton, all I can tell you is that it will protect your computer from literally millions of old Windows malware that was never any threat to your Mac to begin with. I have no idea about whether your router was hacked or not. A log report of "multiple communications from my computer to servers known to be associated with malware" means nothing. What processes were communicating? What servers were they talking to? On what ports? Virtually the entire internet is awash in malware.


There is really very little hacking of personal computers on the internet. What hacking does take place usually works through sharing services (like Back to My Mac or similar) and weak passwords. Very few people have any information of value to sophisticated hackers. If you don't currently employ your own security staff, then you probably aren't one of those people.
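The questions etresoft raises above (which process was communicating, with which server, on which port) and the point about sharing services listening for inbound connections can be answered from the output of `lsof -i -n -P` on the Mac itself. The following is an added example, not code from the thread or from EtreCheck: it parses a constructed sample of that output and groups sockets into per-process outbound destinations and listening ports. The sample lines and process names are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `lsof -i -n -P` output (not taken from any real machine).
SAMPLE = """\
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox    1234   alice  45u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:52233->93.184.216.34:443 (ESTABLISHED)
SymDaemon   567   root   12u  IPv4 0x3c4d      0t0  TCP 192.168.1.10:52240->203.0.113.5:80 (ESTABLISHED)
launchd       1   root   23u  IPv6 0x5e6f      0t0  TCP *:22 (LISTEN)
mDNSResponder 88 _mdnsresponder 7u IPv4 0x7a8b 0t0  UDP *:5353
"""

# One lsof row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME may contain spaces.
LINE = re.compile(r"^(?P<cmd>.+?)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
                  r"(?P<type>IPv[46])\s+\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>.+)$")

@dataclass
class Socket:
    command: str
    pid: int
    proto: str
    local: str
    remote: Optional[str]   # None for listening or unconnected sockets
    state: str              # ESTABLISHED, LISTEN, or '' for UDP without a state

def parse_lsof(text):
    """Turn raw lsof text into Socket records, skipping the header and unparsable rows."""
    socks = []
    for line in text.splitlines()[1:]:
        m = LINE.match(line)
        if not m:
            continue
        name, state = m["name"], ""
        if name.endswith(")"):                       # trailing "(STATE)" on TCP rows
            name, state = name[:-1].rsplit(" (", 1)
        local, _, remote = name.partition("->")      # "local->remote" for connected sockets
        socks.append(Socket(m["cmd"], int(m["pid"]), m["proto"], local, remote or None, state))
    return socks

def summarize(socks):
    """Return (outbound, listening): remote host:port per process, and inbound-accepting sockets."""
    outbound, listening = {}, []
    for s in socks:
        if s.remote:
            outbound.setdefault(s.command, set()).add(s.remote)
        elif s.state == "LISTEN" or (s.proto == "UDP" and s.local.startswith("*:")):
            listening.append((s.proto, s.local.rsplit(":", 1)[-1], s.command))
    return {c: sorted(r) for c, r in outbound.items()}, sorted(listening)

if __name__ == "__main__":
    out, lst = summarize(parse_lsof(SAMPLE))
    print("outbound:", out)
    print("listening:", lst)
```

On a live system, feed it the real output with `lsof -i -n -P > sockets.txt` and parse that file; a listening TCP port that corresponds to a sharing service you did not enable is the kind of finding worth a closer look.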
