Malware? Network activity is constantly running even w/browser closed

Discussion in 'macOS' started by thermodynamic, Aug 15, 2010.

  1. thermodynamic Suspended

    thermodynamic

    Joined:
    May 3, 2009
    Location:
    USA
    #1
    I'm running an Intego X6 full scan right now, but something is amiss:

    1. Activity Monitor shows 19 packets in/sec, 22 packets out/sec (currently at 26024 packets in and 24996 out since rebooting maybe 10 minutes ago)
    2. iStat shows 4k in/out per sec
    3. My router's activity light incessantly blinks
    4. My router won't light up at the initial login, so the issue only happens with my current user account

    When disabling all internet activity through Intego's firewall, my router also stops. Amusingly, Activity Monitor continues to show packets being sent and received. (I didn't see anything in Activity Monitor that would show me which process(es) are using the network as well...)

    I can't seem to find any PID or process names out of the ordinary, but usually there should be no activity when there's no activity.

    I do keep OS X updated as often as possible, but that doesn't mean something wicked this way comes...

    Are there apps I can use that will tell me what process is sending these mystery packets?
     
  2. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #2
    ...that's not that much traffic...
     
  3. kresh macrumors 6502a

    kresh

    #3
    Little Snitch
     
  4. thermodynamic thread starter Suspended

    thermodynamic

    Joined:
    May 3, 2009
    Location:
    USA
    #4
    It adds up.

    And if I were the type to write malware, I'd be conscious enough to try to make it as inconspicuous as possible. Keeping traffic flow light would be a logical way to reduce suspicion. 4k after 60 seconds is 240k. Given the whole of my post is under 1k... (1 letter being 1 byte and my response is comprised of less than 1024 letters...)

    And there shouldn't be any traffic to begin with. Since this involves a computer on the internet and not the amount of mold spores gathering on the block of cheese in my refrigerator, ANYTHING out of the ordinary could be something, and no platform is impregnable to begin with...

    Then again, maybe I am being paranoid... but this hasn't happened before, therefore something has happened.

    Thanks much! It's a shame Intego X6 doesn't have distinct means to trace which applications or threads are accessing the network or internet, but maybe I hadn't looked deep enough yet... the scan froze, so I stopped and restarted it... I'm installing Little Snitch right now. Hopefully my paranoia is unjustified... and it could be nothing, but I'd rather be safe. Ironic as I've kept the internet up the last 3 hours... :D
     
  5. miles01110 macrumors Core

    miles01110

    Joined:
    Jul 24, 2006
    Location:
    The Ivory Tower (I'm not coming down)
    #5
    The bolded passages illustrate how little you understand what you're talking about. You may be right about having something on your machine, but your reasoning is nowhere near the mark. See what connections LS blocks and get back to us if there's something you don't recognize.
     
  6. iVoid macrumors 65816

    Joined:
    Jan 9, 2007
    #6
    Even if you just have a single ethernet cable between your Mac and the cable modem, it's still a local area network. Any LAN has various housekeeping tasks that have to happen to keep the network up and running.

    You'd see similar amounts of data even between a computer and a LAN switch or just between two devices not sending data to each other.

    If Little Snitch doesn't show anything, I would worry.
     
  7. thermodynamic thread starter Suspended

    thermodynamic

    Joined:
    May 3, 2009
    Location:
    USA
    #7
    Well, nobody's perfect and you're right...

    On the plus side, Little Snitch does show mDNSResponder constantly transmitting data. It occasionally receives data as well.

    Occasionally 'Finder via nmblookup' shows up directly underneath 'mDNSResponder' as well.

    After installing and rebooting, there was a Google service that LS told me about. I denied it, because I never installed any Google app on my PC.

    Above the process list, in 'Connection History', I appear to get some IPv4 addresses (e.g. 224.0.0.251) and the occasional IPv6 address (e.g. ff02::fb).

    Doing a Google search, amusingly, the following resource appeared:

    http://forums.macrumors.com/showthread.php?t=967013

    Clicking on the link the other person put up, that could very well be the root cause. So what's going on is very likely harmless; if I do suss out anything more worrisome I'll certainly respond with the information.
     
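    The addresses reported in this post (224.0.0.251 and ff02::fb are the IPv4 and IPv6 mDNS multicast groups defined in RFC 6762) can be triaged mechanically. The script below is an added example, not code from the thread or from Little Snitch; it takes (process, remote address) pairs like a connection history shows, assumes a 192.168.1.0/24 LAN, and uses a constructed sample with a placeholder address standing in for the unrecognised "Google service".

```python
"""Triage remote addresses from a per-process connection history.
Added example, not code from the thread or from Little Snitch."""
import ipaddress

# Multicast groups mDNS uses (RFC 6762); both addresses appear in the thread.
MDNS_GROUPS = {
    ipaddress.ip_address("224.0.0.251"): "mDNS multicast (IPv4, RFC 6762)",
    ipaddress.ip_address("ff02::fb"): "mDNS multicast (IPv6, RFC 6762)",
}
# Assumed LAN for this example; use the subnet your router actually hands out.
LAN = ipaddress.ip_network("192.168.1.0/24")


def classify(remote, lan=LAN):
    """Label one destination: local housekeeping, LAN traffic, or worth review."""
    addr = ipaddress.ip_address(remote)
    if addr in MDNS_GROUPS:
        return MDNS_GROUPS[addr]
    if addr.is_multicast:
        return "other multicast (local housekeeping)"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.version == lan.version and addr == lan.broadcast_address:
        return "LAN broadcast"
    if addr.version == lan.version and addr in lan:
        return "LAN host"
    # Anything else left the LAN: check which process opened it and why.
    return "off-LAN unicast: review"


def triage(entries, lan=LAN):
    """Group (process, remote) pairs by label -> {label: [process, ...]}."""
    groups = {}
    for process, remote in entries:
        groups.setdefault(classify(remote, lan), []).append(process)
    return groups


# Constructed sample modelled on what the thread reports; the last entry is
# a placeholder address standing in for the unrecognised "Google service".
SAMPLE = [
    ("mDNSResponder", "224.0.0.251"),
    ("mDNSResponder", "ff02::fb"),
    ("Finder via nmblookup", "192.168.1.255"),
    ("unknown-service", "203.0.113.10"),
]
```

Calling triage(SAMPLE) files the two mDNSResponder entries and the nmblookup broadcast under local-housekeeping labels and leaves only the placeholder address under "review", which is the one connection in the thread that actually merited a look.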
  8. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #8
    As already explained, what you described is not malware. Here is some information about OS X viruses (there are none):

    Giz Explains: Why OS X Shrugs Off Viruses Better Than Windows
    http://i.gizmodo.com/5101337/giz-explains-why-os-x-shrugs-off-viruses-better-than-windows

    The Mac Malware Myth
    http://www.roughlydrafted.com/2009/01/29/the-mac-malware-myth/

    The Unavoidable Malware Myth
    http://www.roughlydrafted.com/2008/...-apple-wont-inherit-microsofts-malware-crown/

    How to check for Trojans
    http://www.macworld.com/article/60823/2007/10/trojanhorse.html
     
  9. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #9
    In Safari Preferences, Security pane, the "Warn when visiting a fraudulent website" checkbox will trigger downloads from a Google service. This is the database of fraudulent sites, or updates thereof.

    I'm pretty sure I've seen this download occur even when Safari isn't running. I suspect there's a launchd daemon involved.

    This is easily testable.
     