General Keylogger Questions

[GGJstudios]

Quote:

Originally Posted by mookiemu

The original poster wasn't concerned about viruses, he was concerned about key-loggers.

The only way to get a keylogger on your Mac is to install it yourself, or give someone access to your Mac to install it. There is no Mac OS X malware in the wild that will install a keylogger on a Mac.

Quote:

Originally Posted by mookiemu

Who knows if there really are or aren't "viruses" for the mac.

There are no Mac OS X viruses in the wild. That is a fact. If you care to challenge that, name one. Just one.

Quote:

Originally Posted by mookiemu

But please don't say it isn't possible.

No OS is immune to malware, but it's not possible until a Mac OS X virus exists in the wild.

Quote:

Originally Posted by mookiemu

Apple has benefitted in a large way from security through obscurity. Let's see what happens if Apple ever becomes the dominant platform.

The "marketshare theory" has been debunked countless times. The Mac platform was far more obscure with OS 9 and earlier, yet there was a good number of viruses and other forms of malware that affected Mac OS 9 and earlier. Now that both market share and installed base has grown significantly (approx. 50 million users), the instances of Mac OS X malware has decreased, and there has never been an OS X virus in the wild.

[mookiemu]

Quote:

Originally Posted by Stooby Mcdoobie

Please pay attention to the date of the last post before posting in a thread. You bumped this year old thread without adding anything worthwhile to the discussion.

I apologize, I didn't realize the thread was a year old until I posted it. I got here after I removed a keylogger from a friend's system. She has decent computing practices and I was doing some research trying to find the PoC for the keylogger.
It still holds that running the "top" command from terminal can help in find keyloggers. I also found that the event viewer also does a good job of showing you when there is funny business going on. Little Snitch is also a very good tool for keeping an eye out for suspicious traffic to and from your computer.

Quote:

Originally Posted by GGJstudios

The only way to get a keylogger on your Mac is to install it yourself, or give someone access to your Mac to install it. There is no Mac OS X malware in the wild that will install a keylogger on a Mac.

I love apple and though it's not my main computing platform, I have several Apple computers and a ton of stock in that company. I want Apple to be a secure as the next Apple fan. That doesn't mean I have to bury my head in the sand. Have you ever heard of the pwn2own competitions? It's been run every year since 2007. The idea is to take over a computer gain root access and then install a piece of software on it. It's held over three days. Day one you must take over a fully patched computer with no added plugins, and no user interaction at all. The only caveat is that be connected to the wireless network. Day 2, the user has to click on a link, and common plugins are installed. Day 3, you can attach a usb drive to the computer. Every year, OSX is the first to fall and in 2009 when there were many more contestants, OSX fell on the first day. OSX has fallen on the first day, every single year after that. Charlie Miller, one of the winners, was able to remotely take over a brand new fully patched macbook with no user interaction, install a program, and write to the hard drive, in minutes! Windows didn't do much better. IOS is even worse when it comes to security and far behind the other mobile OS's. Ubuntu is always left standing, but I'm not sure if it's because of security, or because of a lack of interest from the hacking community when it comes to attacking Ubuntu machines. They don't include linux anymore. (full disclosure, linux is my main computing platform).
http://en.wikipedia.org/wiki/Pwn2Own

Quote:

Originally Posted by GGJstudios

There are no Mac OS X viruses in the wild. That is a fact. If you care to challenge that, name one. Just one.

No OS is immune to malware, but it's not possible until a Mac OS X virus exists in the wild.

The "marketshare theory" has been debunked countless times. The Mac platform was far more obscure with OS 9 and earlier, yet there was a good number of viruses and other forms of malware that affected Mac OS 9 and earlier. Now that both market share and installed base has grown significantly (approx. 50 million users), the instances of Mac OS X malware has decreased, and there has never been an OS X virus in the wild.

Apple has had their head in the sand regarding security and has done nothing about it until recently with Mountain Lion. OSX is inherently less secure and easier to exploit than most people think. If you don' believe me, just ask Charlie Miller who time after time embarrases Apple with his zero-day exploits. He contends that Apple and safari are far easier to exploit than WIndows or Linux. He should know because he proves it every year. He found several critical exploits in IOS and Apple responded by taking away his App Store license.

Here is an interview with Charlie Miller about OSX security. You can read it, or you can continue to ignore OSX security like everybody else.
http://www.zdnet.com/blog/security/q...ie-miller/2941
Here is another interview:
http://www.forbes.com/forbes/2010/04...ie-miller.html
another:
http://www.sdtimes.com/blog/post/201...your-face.aspx

One more, the Flashback trojan isn't a virus, but it did manage to infect 600,000 macs. Why? Because Apple is so smug about security that they didn't patch the Java exploit until weeks after Oracle fixed the hole.
http://en.wikipedia.org/wiki/Flashback_trojan

[GGJstudios]

Quote:

Originally Posted by mookiemu

Have you ever heard of the pwn2own competitions?

Yes, I'm quite familiar with them. That is completely irrelevant. As I said, there is no malware in the wild that will install a keylogger on Mac OS X. Also, unless a user volunteers their Mac to that competition, the likelihood that Charlie Miller (or anyone else) will hack their Mac is extremely remote.

Quote:

Originally Posted by mookiemu

Apple has had their head in the sand regarding security and has done nothing about it until recently with Mountain Lion. OSX is inherently less secure and easier to exploit than most people think.

Yadda yadda yadda. That song is a golden oldie. At this time, there is no known malware capable of infecting a Mac running a properly-updated version of Mac OS X 10.6 or later, with all security settings left at the default (at a minimum), without using 3rd party antivirus apps. Also, hacking and malware are two different things. The chances of an average Mac user having their system hacked is ridiculously remote. In about 5 years of reading claims in this forum by users claiming their Mac had been hacked, not a single one ever was.

Let's save us both a lot of typing, as this topic has been beaten to death in dozens of threads in this forum over the years. Take some time to read a few of these threads, before you waste time making the same tired arguments that have already been repeatedly shot down. Here's a small sample, to get you started:

http://forums.macrumors.com/showthread.php?t=926111
http://forums.macrumors.com/showthread.php?t=1353993
http://forums.macrumors.com/showthread.php?t=928671
http://forums.macrumors.com/showthread.php?t=371606
http://forums.macrumors.com/showthread.php?t=1333089
http://forums.macrumors.com/showthread.php?t=1360026

Quote:

Originally Posted by mookiemu

One more, the Flashback trojan isn't a virus, but it did manage to infect 600,000 macs.

First, anyone practicing safe computing as described below, was not affected at all by that trojan. Second, those that were affected represent about 1% of all Mac users. Again, the chances of an average Mac user encountering malware or a hacker is extremely remote.

3rd party antivirus apps are not necessary to keep a Mac malware-free, as long as a user practices safe computing, as described in the following link. Read the What security steps should I take? section of the Mac Virus/Malware FAQ for tips on practicing safe computing.

[mookiemu]

Quote:

Originally Posted by GGJstudios

macs can't get malware....blah, blah, blah..

OK, you win.

Meanwhile, I managed to track down the trojan/keylogger that got my friend. It creates a file in your home directory with the name .Dockset. You can't see it unless you enable hidden files or by entering "ls -a ~/" into the terminal. I found this file on my friend's computer. It shows up in "top" as .Dockset and little snitch confirms that it tries to connect to to a remote address. It creates a launch agent called mac.Dockset.deman in the "LaunchAgents" folder of the user account. The other user on her computer, her husband, didn't get infected. The LaunchAgents folder can be written to without user interaction. It seems to run everytime the user logs on, I thought I had gotten rid of it until I installed little snitch and saw more outbound activity. Apperently it's a flaw in Java, that has been corrected. I have to get my friend to keep up with her security updates. I was also able to find the PoC. My friend is a big Dalai Lama fanatic and I think she may have gotten it from visiting the Dalai Lama website which was compromised! How's that for irony.
Anyway, for those of you who are interested, I found this tutorial on monitoring your LaunchAgents folder.
http://reviews.cnet.com/8301-13727_7...lware-attacks/

[GGJstudios]

Quote:

Originally Posted by mookiemu

macs can't get malware....blah, blah, blah..

Do NOT misquote me! I never said anything like that. You damage your own credibility by fabricating lies.

Also, as already stated, such malware cannot affect users who practice safe computing, or who at least keep their Mac updates current.

Quote:

This malware is now known to be in the wild, on a website dedicated to the Dalai Lama, and the remote address contacted by the backdoor is now active. The exploit code used to drop the backdoor is the same as that used by SabPab. This is still considered to be low-risk as this is not known to be widespread and the vulnerability targeted by the exploit code is corrected by the latest version of Java.

Once the trojan is active, it tries to contact the remote address itsec.eicp.net to await instructions. At the time of writing, this address is not registered, which indicates the sample may be intended simply as a test rather than an active threat.

[gnasher729]

Quote:

Originally Posted by mookiemu

My friend is a big Dalai Lama fanatic and I think she may have gotten it from visiting the Dalai Lama website which was compromised! How's that for irony.

Maybe you should post your experience in the thread where people complain that Apple disabled Java in the Safari browser.