Monitoring / Supervision (visual / audio / key logging) via software intrusion or kext / rootkit?

Dear community people,

I am seriously concerned about the security of my Mac OS X system(s) (iMac, 10.11; MacBookPro, 10.10) and the integrity of the way data is processed and dealt with on it (them).

This question shall open a discussion on potential malware / spyware exploits and intrusion doors, and more importantly the ways to remove the code and prevent future intrusions.

I've done my best in researching the topic as far as it made sense to me, and although I am not a security expert, I don't see myself as a careless or unaware user.


The following part describes past security concerns in a summarized form:


[I've had weird things happen on my iMac for a rather long time, and it may certainly be that the problems which appeared first (mouse and keyboard behaving in an uncontrollable way at times, often after waking up from sleep mode) were due to some sort of OS X bug or even malware which may have been introduced by installations of unsigned software.

Back then, I had OS X Mavericks 10.9.x running, and I did update the OS to 10.9.5 but then left it in the status quo for more than 1.5 years - as a music producer running Logic and a lot of third-party plug-ins, interface drivers etc., I depend on compatibility of software updates with audio unit plug-ins of a broad range of manufacturers.

From time to time, several abnormalities could be noticed, the majority of them being observable in the behavior of input devices such as the Magic Mouse and Apple keyboard; even externally wire-connected Logitech mice did that.

The most common problem here was that a right-click on the mouse produced a left-click on the screen, and sometimes also vice versa (as you can do by holding down ctrl and clicking).

The problem which showed up much earlier was related to keyboard input when awakening the computer from sleep mode and being prompted for user password (unlock): I found that any key pressed on the keyboard (once!) results in an endless continuous input of characters as if keys were repeatedly being sent invisibly to the password field, and this problem could not be resolved other than by rebooting the machine - and then, it was only a matter of time until the problem returned.]


I put the above part in brackets because I don't know how probable a linkage to the recent problem is.

After completely unexpected issues with the OS on my iMac (still 10.9.5, that was ~2 weeks ago) rebooting without any request (two Adobe CC apps were launching, then upon opening the Spotify app the OS quit its service and directly a white screen with the Apple logo appeared, presumably trying to install some sort of software without having been asked or giving any notice), I wiped all data from the hard drive using Apple's Disk Utility software. I booted from a USB drive with the El Capitan (10.11) installer (via createinstallmedia) on it and went through several deletion passes, assuming that potential mal- or spyware should have been gone by then.

Speed issues had disappeared after the clean install (which took a long time, believe me, due to the many system-bound authorizations stored on my computer) and kind of reappeared two or three days ago. I must admit that I installed a load of (legit) software though, but I paid attention only to install "trusted" packages. Most of them are audio software and plug-ins, such as Native Instruments Komplete and Waves effects etc., others are image processing software and also developer tools and utilities.

Software like the Avid Application Manager, required to launch ProTools 12, is one of the factors always slowing my system down, which has of course nothing to do with its integrity.

I guess I might have installed compromised packages somewhere but I don't find it very likely.

Furthermore, I doubt that anybody actually replaced ProTools installers on Avid's website or any other similarly trusted software product as it was done with TransmissionBT on Aug 28th and 29th (2016) ("Keydnap attack").

Still, I do believe that somehow cleverly programmed malware code made it to my system core and hides from being discovered. The first thing I thought of was code in the form of an AppleScript, because such signs randomly show up on system shutdowns. I don't know if that is a legit suspicion. Carry on reading, I'll come to the point.

One or two days ago, I shut down my computer unexpectedly (I think Carbon Copy Cloner had got stuck) and noticed potential signs of supervision software running on my system covertly. Just before the "white screen", a grey menu bar showed up on top of the screen, reading "OS X [someword]" - I had a second or so before it disappeared, but I think it read "Partner supervision" - so that would give "OS X partner supervision" (translated from German).

Possibly, this is part of Apple's DEP program for enterprises, but this is my personal computer and private system - none of the systems I own has any relationship to businesses / corporations etc. and any kind of these attacks can thus be legitimately considered as a highly criminal act.


The questions asked are:


- how can I verify what service this was, and then remove it, if positive?

- is it possible for some software to inject malicious code into the kernel and then act as a rootkit? Any help on how to effectively check for and kill such modifications and possible data logging / supervision / transmission would be appreciated. As stated, I expect possible activities in this field to be hidden proficiently from the eyes of an "average user". The underlying concern is that some software in the style of "child supervision", misused by people with nefarious intentions, might have infected my system.

- can I trace logging via opensnoop / DTrace (for instance)?

- Is it possible that someone can install such malicious software using my Apple-ID and password, potentially stolen from the keychain?

- if the corresponding code(s) are persistent, what can I do to delete them? Can malware sources burn themselves to an "untouched" part of the drive and "resurrect" upon a clean install of the OS or update?


I'm trying to get rid of any potential exploit as soon as possible.


Thanks for your help, and for reading the description!

(I'm new to the community and hope you'll forgive me potential formal mistakes)

iMac (27-inch, Late 2013), OS X El Capitan (10.11.6)

Posted on Sep 7, 2016 3:09 PM


Oct 27, 2016 8:53 AM in response to carltrol

I have a very similar issue, also running software packages from audio companies. I have almost certainly been hacked, as there are extra users, logins and suspicious access to accounts, including access to accounts over 10 years old for companies I no longer work for. I am unsure how to keep them out, as I have rebooted and reinstalled, but files seem to get infiltrated again. Not just mine, but the personal records of my family stored on my computer for tax etc.


What I have been looking at is the log files, which are beyond my comprehension, but there is lots of weird and suspicious activity. When doing a search online for Mac vulnerabilities with regard to iCloud, I found a number of software companies who have been running information sessions for a number of years about using app developer kits to, from what I can comprehend, use a wrapper around a password or authentication request to make you think you are being asked by the app. Or even use an app to generate a genuine input, which is then fed back to them. (Simplistic description, but I have been trying to fix this issue for weeks and I'm tired.) Further, I believe there are ways to force the iCloud gateway to resend details out, to an address they may have already compromised.


I have tried to utilise what I found on another forum for ways to look at launchers and logins, which gives me countless kext files, secretive programs recording data and trying to force connection of my wifi or share the Bluetooth connection with my phone and secretively communicate. Also installing new users, installing themselves as root, issuing shell programs etc. Unfortunately, I don't know what to do with it since then, as there doesn't seem to be someone who can advise 'yes this is malware, it's doing this, this is the way to permanently stop it'. It won't matter if I reinstall my hard drive; they have my full details, Apple ID, bank account details, email passwords etc. They can reset everything in the same way I can. They can do everything. The only ways I have to verify my identity, they have as well. With the exception of people being able to speak to me in person, they are now digitally indistinguishable from me.


I have even reported this to federal police in Australia. They took the report, said thanks, and that's it. They don't, and won't, do anything. Unless I know who it was. That is the extent of the cyber crime division. They take notes.


So, what we need is a list of the types of file we should be looking out for and where, and how to perform checks to find them on our system. Have I missed something? Is there an address or site for them already?
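A first-pass triage script for the checks asked about in the original post (third-party kernel extensions, launchd persistence items, code signatures) and requested again in the reply above. It is an added example, not code from either poster or from Apple; it assumes OS X 10.10/10.11 with the stock kextstat, codesign and find tools, and the kextstat sample embedded in it is constructed rather than a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread: first-pass triage for the checks asked about above.
# Assumes the kextstat(8), codesign(1) and find(1) tools shipped with OS X 10.10/10.11.

# Print loaded kernel extensions whose bundle ID is not under com.apple.
# Reads kextstat(8)-style text on stdin, so it also works on a saved capture.
third_party_kexts() {
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6, $7 }'
}

# Show who signed a kext or app bundle; an unsigned or oddly signed kext deserves a closer look.
signing_authority() {
    codesign -dvv "$1" 2>&1 | sed -n 's/^Authority=//p' | head -n 1
}

# Enumerate launchd persistence locations, the usual home of "supervision"-style agents.
list_launch_items() {
    for d in /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"; do
        [ -d "$d" ] || continue
        find "$d" -name '*.plist'
    done
}

# Constructed sample of kextstat output (not a real capture) so the parser can be exercised offline.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   81 0xffffff7f80a00000 0x8d40     0x8d40     com.apple.kpi.bsd (15.6.0)
  150    0 0xffffff7f82a00000 0x6000     0x6000     com.example.audiodriver (1.0.0) <5 4 3 1>'

# Number of non-Apple kexts in the sample; a quick self-check of the parser.
count_third_party_sample() {
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    # Real run on the machine being examined.
    kextstat | third_party_kexts
    list_launch_items
else
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
fi
```

Run it with `--live` on the Mac in question; anything it lists for a non-Apple kext can then be handed to `signing_authority` with the bundle path from `kextfind` or `/Library/Extensions` to see who signed it.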


