Keylogger on my Mac

Discussion in 'Mac Apps and Mac App Store' started by PhillT, Mar 28, 2010.

  1. PhillT macrumors newbie

    Joined:
    Sep 8, 2009
    #1
    I installed a trial version of MacScan yesterday, and it found a key logger called KeyBag 1.8:mad:

    I googled KeyBag and found it is an application that you can buy to keep logs on employees or family members computers. It also seems that popular opinion is that the only way it can get on your machine is if someone physically installs it. Well, that was not what happened to me. There are only two people in our house, and neither of us installed it, so it can only have come in an email, a torrent, or a software download, and then self installed.

    Up until yesterday, I have felt pretty secure with my Mac and running Shields Up occasionally, and MacScan even less often.

    That has now changed. ClamX is now in the dock set up to update & scan daily in the wee small hours, with it's Sentry configured to check everything coming in. MacScan will be run very regularly from now on.
    Luckily for me, my bank is smart, and I enter our pin by clicking on keyboard on the screen, so key logger proof, but I do use my credit card online on the odd occasion, so I will be entering to CC number now by copy & paste method from a secure .doc file. (Also key logger proof)

    I would like to know if anyone else has had a key logger or similar just show up out of the blue?
     
  2. Hellhammer Moderator

    Hellhammer

    Staff Member

    Joined:
    Dec 10, 2008
    Location:
    Finland
    #2
    Is that MacScan free or trial (shareware)? There are many scanning apps that scans and says there is a virus and then asks you to buy a cleaning software to remove it but in fact there is no virus, it's just a scam to get the user buy that app.

    I would do a clean install of OS X if you really think there is a keylogger but as you said, it must be installed (requires admins pass) and I doubt you've actually installed it. MacScan is just lying
     
  3. PhillT thread starter macrumors newbie

    Joined:
    Sep 8, 2009
    #3
    MacScan is commercial software.

    As comforting as it would be to think that MacScan was cheating, the fact is that the key logger is sitting in a quarantine folder on my desktop right now.
     
  4. Hellhammer Moderator

    Hellhammer

    Staff Member

    Joined:
    Dec 10, 2008
    Location:
    Finland
    #4
    Do you have a backup? If you don't do one now and perform a clean install of OS X
     
  5. Hmac macrumors 68020

    Joined:
    May 30, 2007
    Location:
    Midwest USA
    #5
    Keybag 1.8 is commercial software too. I've never heard of it installing itself as part of a torrent or other questionable download and I can't google anything about it either. AFAIK, you pretty much have to intentionally install it. Have you checked your downloads folder or your web browser history around the dates on the Keybag? Have you found any Keybag logs anywhere on your computer?

    If you're worried about it, and I would be, I'd call or email ProtecMac and I'd post the issue on their forum page.

    My suspicion is that someone else sat down at your computer and installed it.
     
  6. PhillT thread starter macrumors newbie

    Joined:
    Sep 8, 2009
    #6
    Hellhammer, yes, I use Time Machine every 24 hours, but why would you do a re-install if the key logger has been found and quarantined?

    Hmac, I cannot be sure when I got it. The file name is Cache.db and it was Created on 12/2/10 at 10:47 PM I have searched for files with that date in them, and the list is as follows:-

    ImageServicesInstaller.zip (This one came from >>
    http://www.macosxautomation.com/services/download/ << and it states on the page that Admin Password is required to install, so I am suspicious of this one for sure)

    Cache.db This is the Key Logger KeyBag 1.8) (created 10.47pm)

    061-7594 (This is a Mac update)

    061-7594.English.dist (This is a Mac update)

    Duplicates (This folder is empty, is used by a Duplicate Files finder app.)

    index.plist (This is a Mac update)

    ProductMetadata.plist (This is a Mac update)

    Updates (This is the enclosing folder for Mac updates)

    My situation is such that the only person that could have installed it with an admin password, is me, and I sure as hell did not do it knowingly.

    My wife and I live alone, we are pushing 60 and are both new to Mac.
    The only visitors we have are oldies like us, and NONE of them know how to use a Mac. Our computers are in our office, and no one but us go in there.

    The only other weakness I can see is our wireless router, on which I run WPA2 encryption, so should be ok ???

    How would I go about finding a log file if there is one?

    The other ting I thought might be possible is that MacScan has made an error. I can open the key logger with text edit, and post the text here if that is safe to do, and of any use in confirming what it is?
     
  7. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #7
  8. PhillT thread starter macrumors newbie

    Joined:
    Sep 8, 2009
    #8
    Thanks for the link,.... very interesting and has gone some way to reducing my fears of a security breach. I have nevertheless forwarded a copy of the suspect file to Protemac for assessment, and am awaiting their reply.
     
  9. cipher29 macrumors regular

    Joined:
    Mar 6, 2009
  10. Hellhammer Moderator

    Hellhammer

    Staff Member

    Joined:
    Dec 10, 2008
    Location:
    Finland
    #10
    Backup your data by copying the data (NOT Time Machine) you want to the external drive and then reinstalling OS X. Then transfer the data back and you have no keylogger anymore
     
  11. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #11
    You can have services for just a user account or for every user on that system. Some of the services you can download at macosxautomation.com are for just 1 user and some are for every user on the system. Stuff for every user on the system will be put inside a systemfolder which can only be done by an admin user. This is why you are prompted for the admin password to install some of the services. If you read before you install them it will tell you that it requires the admin password and why. In the password dialog box you can hit the little triangle, doing so will reveal what item is requesting the admin password.

    Additionally you can install a Quicklook plugin called "suspicious package" which enables you to quicklook .pkg files and such to reveal its contents.
     
  12. PhillT thread starter macrumors newbie

    Joined:
    Sep 8, 2009
    #12
    Supposing there is a key logger in a .pkg, is it really likely to say "Key Logger"?
    Would it not be more likely to be disguised as something else?
    I have not the knowledge to know what is supposed to be in the .pkg file unfortunately, but thanks for the tip.
     
  13. dyn macrumors 68030

    Joined:
    Aug 8, 2009
    Location:
    .nl
    #13
    It can be disguised as anything but the quicklook plugin will tell you what is going to happen if you run it. It will tell you what is going where, what scripts are in the package and whether it needs the admin password. If you want you can even take a look at the scripts and see what they are going to do. Of course, you'll need to have the appropriate knowledge, it's not something everybody is able to understand. You can get more info on their website: http://www.mothersruin.com/software/SuspiciousPackage/
     
  14. Arrandale macrumors regular

    Joined:
    Feb 24, 2010
    #14
    Maybe, but seems a bit far fetched.

    Sometimes when you download third party apps from places like softpedia or macupdate you get crud like this alongwith. it's better to be wary of what you install.
     
  15. Jasave macrumors newbie

    Joined:
    Sep 4, 2010
    #15
    I use this Staff monitoring software to monitor my staff. I have around 12 workers.
     
  16. chrono1081 macrumors 604

    chrono1081

    Joined:
    Jan 26, 2008
    Location:
    Isla Nublar
    #16
    +1 for false positives.

    At least your not running Symantec/Norton. Anyone who claims those are good never worked in IT. They false positive more then anything (and don't find anything that DOES infect your computer) This is all windows not mac anyway so you have nothing to worry about.
     
  17. chrono1081 macrumors 604

    chrono1081

    Joined:
    Jan 26, 2008
    Location:
    Isla Nublar
    #17
    After reading that post on the apple board Id say you have nothing to worry about and Id ditch macscan. A lot of the times certain software will "find" things just to keep you thinking its useful. Sham AV's and antispywares do this all the time.
     
  18. DiggDug macrumors newbie

    Joined:
    Aug 12, 2010
    #18
    Are you sure your wife or girlfriend didn't install it to see if you were having less than desirable conversations over the net? As a tech I have had many women ask me how to find out if their husbands are chatting/emailing with other women.
     
  19. twistedchick macrumors newbie

    Joined:
    Feb 10, 2011
    #19
    Keylogger ARDAgent?

    During the middle of reading this thread I dwnloaded MacScan and at the end of it I don't trust the results. I believe there maybe a keylogger on my putes. I'm more interested in determining that one is actually there rather than stopping it well at least for now.....here's what I've doing:

    1. I checked the activity monitor and didn't see anything all that strange

    2. Ran in term "sudo logKextClient” and got “sudo: logKextCient: command not found”

    3. Ran in term "ps aux" and one thing popped out that made me interested:
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAg
    /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/Ma

    I don't what I'm really supposed to be looking for in the terminal so any help would be totally appreciated. :confused: This stood out bc of the ARD security hole that is listed all over the net. Plus it's supposed to be part of remote login & I haven't remotely logged into my own machine in a long long long time.

    btw- I do have LittleSnitch installed and I checked for rules that may have been created to allow communicxn to a foreign device, but I didn't see anything weird.

    Thanks for any help or ideas u have to offer.
     
  20. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #20
    What evidence do you have that leads you to believe a keylogger is installed?
    Has anyone else had physical access to your computer, to install one?
    Keyloggers don't install themselves. Someone has to actively install it.

    Mac Virus/Malware Info
     

Share This Page