
Checking for potential keyloggers

MacBook Pro, Mac OS X (10.7.5), Activity Monitor (10.7.4), Terminal (2.2.3)


I want to make sure my computer doesn't have a malicious keylogger infecting it. I searched the discussions on this site and found this one - keylogger detection. I didn't really understand it, particularly the parts about using Terminal or what they refer to as kernels or "man", but the comment marked Solved concludes that keyloggers can only (or most likely) get on manually or through sharing services (which I presume are under System Preferences > Sharing, which I don't use anyway).


Well, just to be sure, I've been looking up the programs in my Activity Monitor:

[five uploaded Activity Monitor screenshots]

It's a little hard to keep track because the list keeps getting longer or shorter. I found this list - Description of Mac OS X processes : by triviaware - and according to it, none of these programs are malicious.

However, some of the programs in Activity Monitor aren't listed on the webpage I found (e.g. Device Detector, kernel_task, Safari Web Content, and any program beginning with Sophos) and some of them seem to appear several times in Activity Monitor (e.g. CVMCompiler, distnoted, launchd, UserEventAgent, xpchelper).


My question is:

  1. Can anyone recommend a method of detecting keyloggers?
  2. Do any of these programs look suspicious?
  3. Can anyone explain Terminal?


Posted on Feb 7, 2016 9:35 AM

3 replies

Feb 7, 2016 10:22 AM in response to SamOsiris

Sophos is so-called 'security software' that has been installed. Personally I don't think you need it, but it is your call. OS X attempts to prevent known malware from running, so the antivirus scanner is probably not required (these normally waste resources like RAM and processor time that could be used elsewhere). Some companies require these items to be installed; it could help if you share a lot of files with Windows users.


kernel_task is the first process the system launches on boot - don't mess with it. It is 'process zero'; everything else is basically running on top of that.


If you search around here you will find many other ways to potentially detect key loggers. Frankly they are all involved, and you may be better off erasing the OS and resetting all your passwords if you believe the machine is compromised.


You may get better help here by explaining why you think a key logger is installed. OS X should be secure if you follow some basic guidelines, like avoiding using an admin account to work inside (use a standard user account instead) and not installing random software from the internet.

If the Mac is left unattended in a public place, anyone may be able to install software if the admin password is known. Unattended Macs should require a login password, be shut down when left, or have the screensaver set to require a password.


The 'kextstat' command in that post you linked to lists 'kernel extensions'; these are very low-level 'plugins' that have the ability to alter the OS for all users. Keyloggers may use that as a method to access the keyboard input, but there are probably other ways a key logger could still run.


Charles Minow was suggesting that the kextstat list be read, looking for lines that do not contain 'com.apple…'.


In Terminal enter

kextstat

…and hit return


Post any lines that do not contain com.apple…
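The check described in the reply above (run kextstat, keep only the lines whose bundle identifier does not start with com.apple.) can be done in one go rather than by reading the whole list by eye. The script below is an added example, not code from the thread or from Apple; the sample kextstat output it carries is constructed to resemble the lines later posted in this thread, not captured from a real machine. Note the caveat from the reply itself: this only covers kernel extensions, so an empty result does not prove there is no keylogger running in user space.

```shell
#!/bin/sh
# Added example: list the kernel extensions in kextstat output whose
# bundle identifier does not begin with "com.apple.".
#
# kextstat prints one header line followed by one row per loaded kext:
#   Index Refs Address Size Wired Name (Version) <Linked Against>
# The bundle identifier is the 6th whitespace-separated field.

# Read kextstat-style text on stdin, print only the non-Apple rows.
# Rows are recognised by a numeric Index in field 1, so the header line
# (and any blank lines) are skipped without relying on line position.
non_apple_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ { print }'
}

# Same filter, but report only the count of non-Apple kexts.
count_non_apple_kexts() {
    non_apple_kexts | wc -l | tr -d ' '
}

# Constructed sample input (header + three rows), modelled on the format of
# kextstat on OS X 10.7. The two Sophos rows mirror what the original poster
# reported; the Apple row is a typical system kext.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   67 0xffffff7f80742000 0x6b20     0x6b20     com.apple.kpi.bsd (11.4.2)
  129    0 0xffffff7f80777000 0x7000     0x7000     com.sophos.nke.swi (9.4.0) <4 1>
  130    0 0xffffff7f80770000 0x5000     0x5000     com.sophos.kext.sav (9.4.0) <5 4 1>'

# Usage:
#   sh check_kexts.sh          # run against the constructed sample above
#   sh check_kexts.sh --live   # run against the real kextstat on this Mac
if [ "${1:-}" = "--live" ]; then
    kextstat | non_apple_kexts
else
    printf '%s\n' "$SAMPLE_KEXTSTAT" | non_apple_kexts
fi
```

Anything the filter prints is a third-party kernel extension; as the thread points out, a name you recognise (here, the Sophos antivirus kexts) is expected, while a name you cannot account for is what you would post for others to look at.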

Feb 8, 2016 3:26 AM in response to Drew Reece

These are the only ones that didn't start with "com.apple."


129 0 0xffffff7f80777000 0x7000 0x7000 com.sophos.nke.swi (9.4.0) <4 1>

130 0 0xffffff7f80770000 0x5000 0x5000 com.sophos.kext.sav (9.4.0) <5 4 1>


What does erasing the OS mean?


Well, the only software I download is from Software Update, Microsoft and Adobe updates, and I always look those up before actually downloading, though it's been a while since I got notifications from Software Update or Adobe on my computer. And I don't take my laptop away with me where someone can install software.


As for why I'm investigating the possibility of a keylogger - I had a Safari window open by itself underneath the one I was using without my knowing it, and it left about seven or eight items in my History, so I know the window was transitioning between webpages. Since then I've started exploring the possibility of any kind of malware:

reallifecam pop-up

Adware file? - com.microsoft.office.licensing.helper.plist

Accidentally clicked on an OkeyShare link

Feb 8, 2016 11:10 AM in response to SamOsiris

SamOsiris wrote:


These are the only ones that didn't start with "com.apple."


129 0 0xffffff7f80777000 0x7000 0x7000 com.sophos.nke.swi (9.4.0) <4 1>

130 0 0xffffff7f80770000 0x5000 0x5000 com.sophos.kext.sav (9.4.0) <5 4 1>


As already explained you have Sophos software installed so there is really no reason to suspect these are anything but normal.


SamOsiris wrote:

What does erasing the OS mean?

Deleting everything on the computer & reinstalling everything. Yes it is drastic but sometimes you have to start over. In this case I do not think you need to do that…


SamOsiris wrote:


As for why I'm investigating the possibility of a keylogger - I had a Safari window open by itself underneath the one I was using without my knowing it, and it left about seven or eight items in my History, so I know the window was transitioning between webpages. Since then I've started exploring the possibility of any kind of malware:

reallifecam pop-up

Adware file? - com.microsoft.office.licensing.helper.plist

Accidentally clicked on an OkeyShare link


Keyloggers do not open windows underneath Safari. You may be misunderstanding what they do - they log what you type so others can glean information about you. If they could open windows underneath Safari & type things they would be caught all the time. That is also a pointless act for a 'keylogger' - if it has access to the system it can easily download webpages without your knowledge & do many things that are far worse & far more profitable.


What you describe sounds like what terrible adverts do on terrible websites. Javascript can open new browser windows and can set them to minimise & open more windows etc. History is exactly that - things that have opened in the browser even via popups, so even if you close them they may still get in your history.


I'd strongly suggest you stay away from searching for 'possible Mac malware' unless you know what you are doing. Many less reputable sites will try to sell you antivirus scanning junk & various 'clean up' or performance tools under the guise that malware has hacked you. These sites make money from gullible users, often via simple javascript tricks that make your browser look 'locked' (the same page opens over & over). There are many of these cases described on this site too. Search engines also filter the adverts you see based on your search history, so the more malware you search for the more anti malware junk apps you will see advertised (read up on 'filter bubbles' https://en.wikipedia.org/wiki/Filter_bubble)


In Safari's preferences > Security tab, enable 'block pop-up windows' if it is not already active (some tricks can get around how Safari blocks popups - it's a cat & mouse game).


You can also disable javascript for Safari but most of the internet now relies on it so you will find many sites don't load correctly without it.

Basically you can either:

  • Manage it site by site (via a javascript blocking extension)
  • Enable javascript and put up with some sites making horrible popups (don't go back to those sites).
  • Disable it totally & turn it on only when you have no other choice, or use another browser for the javascript sites.

You may also consider content blockers (ad blockers). They can stop adverts loading, and some adverts can contain these malicious scripts that open many popups. NOTE: not all adverts are malicious and malicious scripts don't all come from ad networks; it is just one popular method at the moment.



Personally I don't see anything abnormal here. The internet can be a wild place: back up and apply updates to protect yourself, and avoid installing apps unless you absolutely trust the source.
