
punapeter, macrumors newbie (original poster), Dec 6, 2011, Finland
Hello, I'm fairly new to Mac OS X (2 months) and I already managed to get myself a keylogger from somewhere, I don't know where. After recovering my e-mail password it got immediately changed by someone unknown. The same happened with several online accounts I had in other places. I had installed Sophos antivirus as soon as I got my new MacBook, but it didn't seem to work very well after all. As a last resort I decided to wipe the whole hard drive, along with my portable drives as well. This was the very first time this happened to me; it had never happened when I was using Windows.

Anyway, my question is: is there any other app (a good one, preferably) than Sophos to prevent this from ever happening again? Or are there any other measures I should take into account when using this Mac in the future?

I'm seriously considering installing Windows on this Mac as the sole OS if Mac OS X turns out to be this unsafe.

I am also using Common Sense 2011 as virus protection, so don't blame me on that.
 
The only way this could have happened is if you had a weak (or no) administrator password and someone had physical access to your machine. It's more likely someone just guessed your password or answered your security questions to reset it.
 
You didn't get a keylogger. Someone hacked your email account. It has nothing to do with your computer.

Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here... and here.

You don't need any 3rd party antivirus software to protect Mac OS X from malware. Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided with some basic education, common sense and care in what software you install. Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
 
How are you sure it's a keylogger? It could have been any internet-based attack.

I first thought this, but this happened twice, and both times I had a different ISP (and a physical firewall, of course). It only stopped when I recovered my accounts on another computer.

The only way this could have happened is if you had a weak (or no) administrator password and someone had physical access to your machine. It's more likely someone just guessed your password or answered your security questions to reset it.

I had the password, and it was a mix of letters and numbers, something no-one would have ever guessed. Also, the recovery questions are unanswerable even to the people who know me very best.

You didn't get a keylogger. Someone hacked your email account. It has nothing to do with your computer. ...

I would really like to believe that, but I have a hard time doing that.

Also, the accounts have remained untouched now since I reinstalled Mac OS X. I can only explain it with the keylogger.
 
Also, the accounts have remained untouched now since I reinstalled Mac OS X. I can only explain it with the keylogger.
It's not a keylogger, unless you installed it yourself or gave your Mac to someone else to install. They don't install themselves and no Mac OS X malware in the wild can be installed without the user installing it.
 
You didn't have a keylogger. Unless you installed something with your admin password, you never had a keylogger on your system. Period.
 
It's not a keylogger, unless you installed it yourself or gave your Mac to someone else to install. They don't install themselves and no Mac OS X malware in the wild can be installed without the user installing it.

If it's not a keylogger, then how likely is it that it was hacking?

I can remember that the first account I lost was my Live Messenger. I had heard there were some kind of security problems with Java, and I blamed it on that. Then, maybe a month later, I tried to log on to my Gmail account; it said the password had been changed 20 hours ago, and I sure knew it wasn't me. I recovered the account, and everything was fine for five days. Then (five days later) I decided to log on to my old RuneScape account (again Java) and found out the password had been changed there too (on the same day Gmail had first been breached), recovered it, and found out two hours after the recovery that my Gmail and RuneScape accounts had been hacked again. This is when I decided to recover these on another Windows computer of mine, and after that everything was fine.

I seriously have no idea how the hacker got hold of my password in the first place; I'm usually very careful with them, and choose the recovery questions very carefully too.
 
If it's not a keylogger, then how likely is it that it was hacking?
If someone hacks your email account, that means they have access to any accounts you set up using that email account. They can look through your messages and find where you've registered at other sites. Then it's a simple matter to change your passwords. Change all your online passwords at the same time, starting with all email accounts. Make sure passwords are complex, with numbers, upper and lower case letters, and special characters.

I've seen dozens of threads like this, where someone thought they had a keylogger or that someone hacked their computer. In 100% of the cases, no keylogger or computer hacking was involved. Not one.
 
You didn't get a keylogger. Someone hacked your email account. It has nothing to do with your computer.

Sophos should be avoided, as it could actually increase your Mac's vulnerability, as described here and here... and here.

You don't need any 3rd party antivirus software to protect Mac OS X from malware. Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided with some basic education, common sense and care in what software you install. Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.

Good to know.
I never used Mac anti-virus before. Once the Adobe fake thing came out, I was a little worried and got the X barrier free version, and it didn't work at all, removed that and then got the Sophos from the App Store. I wonder why they keep it there?

I will remove it now.

Thanks for the info.
 
Good to know.
I never used Mac anti-virus before. Once the Adobe fake thing came out, I was a little worried and got the X barrier free version, and it didn't work at all, removed that and then got the Sophos from the App Store. I wonder why they keep it there?

I will remove it now.

Thanks for the info.
You're welcome. If you need help removing it, the most effective method for complete app removal is manual deletion:
 
Funny.
I just received an email with a Trojan. Mail identified it as SPAM, and obviously I will delete that kind of email. But Sophos, for the first time, prompted a message about a risk. I know this will impact other computers and not my Mac, but it is nice to clean those infected files for the good of my friends.

What antivirus do you use?
 
Funny.
I just received an email with a Trojan. Mail identified it as SPAM, and obviously I will delete that kind of email. But Sophos, for the first time, prompted a message about a risk. I know this will impact other computers and not my Mac, but it is nice to clean those infected files for the good of my friends.

What antivirus do you use?
I've never run antivirus on any Mac, but if you feel the need to run one, ClamXav is a good choice, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system.
 
Hello, sorry for bumping this old thread but I have another question regarding this.

Since the purchase I had lived in the belief that the firewall was enabled by default; however, this wasn't the case. I just recently activated it.

So, how easy is it for a hacker to obtain my login details if I don't have the built-in firewall enabled? I didn't have a physical firewall either, only the one provided by my ISP, which should block all connections from outside the "student village".
 
Hello, sorry for bumping this old thread but I have another question regarding this.

Since the purchase I had lived in the belief that the firewall was enabled by default; however, this wasn't the case. I just recently activated it.

So, how easy is it for a hacker to obtain my login details if I don't have the built-in firewall enabled? I didn't have a physical firewall either, only the one provided by my ISP, which should block all connections from outside the "student village".

Can I ask why you wouldn't want it turned on? It's another (albeit small) layer of protection.
 
It wouldn't be easy at all, and why would someone do that?

For all of the hours and hours and hours that they'd have to spend trying to figure out a way to remotely hack your Mac, what do they stand to gain from it? :confused:
 
It wouldn't be easy at all, and why would someone do that?

For all of the hours and hours and hours that they'd have to spend trying to figure out a way to remotely hack your Mac, what do they stand to gain from it? :confused:

A gaming account of mine, played for years and years, worth a few bucks I reckon. However, as I entered my password recovery answers for the account, somehow the hacker had got them all. I don't know how or why this happened to just me, as I don't really play anymore, and I hardly visit any gaming fan sites that could have malware aimed at specific game players.

There is no other explanation than a keylogger, or a very talented hacker.
 
FWIW, if you Google "runescape account hack 2011", there appear to be multiple ways to get a RuneScape password without knowing the user's password recovery questions.
 
They don't install themselves and no Mac OS X malware in the wild can be installed without the user installing it.

That's quite an assertion.

So nothing can be installed on my Macs that I don't install myself? I'm pretty sure there isn't a single Internet browser that even generates a warning for maliciously incorrectly sized content length headers anymore: http://code.google.com/p/chromium/i... Status Owner Summary&groupby=&sort=&id=85549

That thread above should be taught to prospective liberals at school so they understand what they're up against. This is a world where people scream to be exploited, and those who would protect you are dragged kicking and screaming back into the gutter. It's brilliant.

No malware on Macs that isn't installed by the user? You've not heard of the EFI partition, 'Secure Boot' (ahahah) and developers who want to code drivers for people...for free.

I live with malware, viruses, unexplained processes lurking on every system and they're untouchable because you know, malware writers may be too dull to have heard of write protection; but the creators of encryption know exactly why they're giving it away for free.

How do you define "malware"? I have 260,000 files installed by a clean Lion install app or the store USB drive. 240,000 of those are malware, because if I needed them I could get them.

That's not how we acquired them, is it? You mightn't be surprised at how hard they are to get rid of.

----------

http://code.google.com/p/chromium/i... Status Owner Summary&groupby=&sort=&id=85549

That thread above should be taught to prospective liberals at school so they understand what they're up against.

I could read this thread all day. It's just...it explains everything. It explains the world.

Comment 11 by ahendric...@chromium.org, Jun 13, 2011 The content length can be 0, or missing. If it is present it should be the exact size of the data being sent. Some web sites set it to an incorrect value. If it is smaller than the data being sent, we set it to 0 internally (meaning we don't know the size of the data). If it is larger than the data being sent, then it presents a potential attack vector.

It literally doesn't get any simpler than that.

But no. The screams of the exploited, demanding to continue to be exploited, changed the logic.

Chromium changed the logic back, to illogical. And you think Macs are protecting people just like the people in this thread about Chrome 12? That's quite an assertion.
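The Content-Length handling quoted from the Chromium tracker above, as an added example (this is not Chromium's code and not any poster's): a small checker that classifies a response the way that comment describes, treating a short declared length as unknown and flagging the oversized case. The function names and the sample responses are constructed for illustration.

```python
# Added example: classify an HTTP/1.x response's Content-Length following the
# rules in the quoted Chromium comment. Not Chromium code; names are constructed.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body, duplicates).

    Header names are lower-cased; only the first occurrence of a name is kept,
    and any name that appears more than once is reported in `duplicates`.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    headers = {}
    duplicates = set()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        if key in headers:
            duplicates.add(key)
            continue
        headers[key] = value.strip().decode("ascii", "replace")
    return status_line, headers, body, duplicates


def classify_content_length(raw: bytes):
    """Return (verdict, effective_length) for the body carried in `raw`.

    Rules, following the quoted comment:
      missing or 0            -> "unknown": read until the connection closes
      equal to the body size  -> "ok"
      smaller than the body   -> "short-as-unknown": treated as 0 internally
      larger than the body    -> "oversized-flagged": the attack-vector case
    A non-numeric or duplicated Content-Length is also flagged, because a
    client and an intermediary could then disagree on where the body ends.
    """
    _, headers, body, duplicates = parse_response(raw)
    if "content-length" in duplicates:
        return "duplicate-flagged", len(body)
    declared = headers.get("content-length")
    if declared is None:
        return "unknown", len(body)
    if not declared.isdigit():
        return "invalid-flagged", len(body)
    n = int(declared)
    if n == 0:
        return "unknown", len(body)
    if n == len(body):
        return "ok", n
    if n < len(body):
        return "short-as-unknown", len(body)
    return "oversized-flagged", len(body)


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "exact": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "missing": b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello",
    "short": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhello",
    "oversized": b"HTTP/1.1 200 OK\r\nContent-Length: 500\r\n\r\nhello",
    "duplicate": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_content_length(raw))
```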
 
There is no other explanation than a keylogger, or a very talented hacker.
The chances of you having a keylogger are nil, unless you installed it yourself, or gave someone access to your computer to install it. The chances of your computer being hacked are ridiculously remote. Hackers aren't interested in the average person's computer. It's too much work with too little reward. If your passwords have been compromised, the most likely scenario is someone hacked an email account (a far more common occurrence) and used that to gain access to your passwords.
That's quite an assertion.

So nothing can be installed on my Macs that I don't install myself?

No malware on Macs that aren't installed by the user?

How do you define "malware"?
Read the link I posted in the 4th post of this thread. No, there is not one instance of malware in the wild that installs itself on Mac OS X without the user installing it. If you disagree, name one. Just one.
 
No malware on Macs that isn't installed by the user? You've not heard of the EFI partition, 'Secure Boot' (ahahah) and developers who want to code drivers for people...for free.

I live with malware, viruses, unexplained processes lurking on every system and they're untouchable because you know, malware writers may be too dull to have heard of write protection; but the creators of encryption know exactly why they're giving it away for free.

How do you define "malware"? I have 260,000 files installed by a clean Lion install app or the store USB drive. 240,000 of those are malware, because if I needed them I could get them.

I still can't understand a single thing from your post. This in particular baffles me. I'm guessing you can't even provide a coherent definition of malware? After all, your post exposes a gross misunderstanding of the entire concept. As GGJStudios challenged, produce even one example of a virus for the Mac, or any type of malware that does not require direct installation by the user (there's only a handful of those, as well).

jW
 
This is a long post, but I won't apologise for writing intelligently about an impossibly important issue. I understand many people would rather read many small unintelligent posts, and I respect that. But I think you should make an exception here. You won't be doing me any favours by reading to the end of this one; unless I've got stuff wrong, in which case I thank you in advance for correcting me.

You should read it and disagree or agree intelligently, because that would be in your best interests.


Hackers aren't interested in the average person's computer. It's too much work with too little reward. If your passwords have been compromised, the most likely scenario is someone hacked an email account (a far more common occurrence) and used that to gain access to your passwords.

Whilst I obviously agree the more likely scenario is email passwords being brute forced, I think it's kind of queer how everyone in this industry will state the obvious (that a hacker wouldn't be interested in Joe Moran's lurid personal emails and pictures of him standing in front of objects, along with some pics where he's in front of some objects - they probably wouldn't even be tempted by the pics where he places himself in the same frame as some objects either) - this is all very unremarkable and not remotely worth noting.

But it's funny how someone who believes he or she may have been the victim of someone poking around their filesystems, will instantly be ridiculed by those who - quite frankly - simply know a great deal more about the exploits possible (so why they rush to 'assuage' the concerns is queer, on some level). More to the point, they rush to ridicule the OP's concern without having a clue about whether the OP is important or not.

To the OP or anyone who's ever concerned someone has been poking around, you should be. And if you're wrong? What harm is there in being concerned? You should ask yourself this because those who know even half the full extent of the exploits will scorn your concern, attempt to patronise you, demand to see evidence if they believe you cannot verify, etc. Then you can post evidence, and every time I see evidence posted by someone this is what happens: They all go silent. They're disinterested. Conversation over. Thread dead. This is fact, and I can verify everything when I assert something like this - it's just that no one requests / demands verification from me. But I live in hope...

The exploits are there. It's not even disputable. Whether or not you have anything to worry about, only you might know. I just think it's quite inappropriate - even rude - to tell someone they're as unimportant as you when the truth could be, they might be important? They might be why the exploits exist in the first place.

I don't think there's anything to hide, but I'm interested in learning why they believe there is. Everyone reacts as if there is something to hide, but the reality isn't remotely disputable: Apple is impossibly creepy. Microsoft is impossibly creepy. Linux is more creepy than anything you can imagine (but then, they just love to give you free stuff). None of this is even - news! 20 years ago people were saying this and being ignored. 10 years I guess for Apple? I don't know why everyone feels the Obvious should be hidden. The only people you could even hope to hide it from aren't going to be - relevant.

The simple truth is there's like - one - kernel. I could be stupid, but then if I am it's only because no one has been able to make a coherent counter-argument. There's one kernel. All the commercial operating systems run on Unix subsystems. Your subsystems aren't in the 'protection' of OEMs - that would be bad enough. It's a little more - open - than that. Your subsystems and the EFI boot partition are open to literally anyone with the intelligence to follow Intel's (rather brilliant, and unbelievably comprehensive) free tutorials. They need like the smallest piece of information, and the rest is all there for them - on a platter - served to them for free, for reasons outside my imagination, but then they're brighter than I am. And they're giving the world (trust me, it's all for free and you can verify this) the ability to remotely access your system, via iSCSI, PXE, FCoE or (quite literally) endless other hacker - sorry! did I say hacker? I meant System Admin - controls from remote command lines. They override your Builtin Admin account. The hackers are domain admins, so...in your face. Lion is very similar but a lot more complicated because Lion is the finest and slickest Linux distribution produced yet. And permissions in Linux are chaotic. But then I see people complaining about Disk Utility being unable to 'fix' their permissions. They're asking the wrong question/s.

Permissions don't change themselves.

A lot more people than you'd be comfortable with, can help themselves to your EFI bootloader and OS drivers.

Quoting http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html:

Specifications

UEFI Specifications
The latest version of the UEFI Specification is available from the UEFI web site.

Intel® Platform Innovation Framework for UEFI and EFI Specifications
Learn more and download specification documents.

Tools and utilities

Intel® C Compiler for EFI Byte Code

Application Toolkit Project

EFI Development Kit

EFI Development Kit II

Intel® UEFI Development Kit Debugger Tool

UEFI Disk Utilities*
UEFI tools, resources, drivers and training

Training

Please contact your UEFI Firmware provider for local training in your geography. If you need to set up your own training, contact us for material.

Download presentations from recent Intel Developer Forums

Get updates by joining the EFI mailing List

Helpful resources

Independent Hardware Vendor UEFI Enabling Center
Find the latest tools resources and training to get started developing drivers and applications.

UEFI and framework history
For information on the history of UEFI and the framework, please contact us.

Secure Boot? Would you like to see what's in my EFI partition? It's not like yours. I'm not 100% because whenever I try to do "I'll show you mine, show me yours" - no one wants to. But I'd be willing to put $10,000 on a wager. We could both have identical MBA's and your EFI partition won't be like mine. And if it is, you'll have my commiserations.

It's fine, really. You just have to get used to endless crashing systems and you wouldn't want to be averse to being forced to clean install an OS once or twice a day. These people have no reason to dislike me. I just have a habit of saying pro-American statements in a way that make powerful companies unimpressed. I'd be dead if I was impressive, but I'm not. I think I'm barely a nuisance, but red tape is a bitch and Apple seems to think they're not allowed to help me...yet. I think maybe I annoyed someone a year ago. And scripts you know, they'll just go for ever. If you script them to.

Your operating systems have been scripted by genius minds who believe - and I disagree it's in their interests, but it's debatable - they need / want universal access into...every device onto which their code finds its way. They go to such lengths to ensure they retain their infinite pathways into the world's personal / home systems - you'll simply never find all the pathways, and you could spend years being overwhelmed by "Creepiness in Depth". I firmly believe Windows, MacOS and every single Linux distribution have been structured in ways that make 'securing' them an exercise in silliness. You'll just shiver at the endless creepy, after 3 months of horror at the endless stupidity of 'expert' advice. Which goes something like this:

FORMAT. REINSTALL. MAKE SURE YOU BACK UP YOUR IMPORTANT PERSONAL DATA.

I'm a retard, but in March, I asked "What's the point of zero-filling my hard drive when new ones are corrupted instantly? I think we should be looking at the controllers, no? And this PCI stuff - whatever that is. I need to get an expert to look at that."

That Immunet thread went silent at that point. I've been treading water since then. I still need someone to look at my "PCI stuff". I've got $$. My money is not good in this industry. I've spent over $100,000 this year. They have cash. They're doing alright, for money. My money is no good. I've been really frightened whenever that happens.

But if you're going to use them, you simply have to accept whatever level of creepy you're prepared to put up with - or stop using computers? But I don't think we need to insult people and tell them they're safe when they're using an X Window System for crying out loud - lolz.

It's almost queer on a number of levels to even have this conversation when the X Window System was designed for - quite literally - only one reason, and if end users had brains, they'd be irrationally furious (because like you said, who wants their dumb impossibly important "personal data").

------------

But of course, not everyone is Joe Moran.

Read the link I posted in the 4th post of this thread. No there is not one instance of malware in the wild that installs itself on Mac OS X without the user installing it. If you disagree, name one. Just one.

I will read it, I promise - I apologise for not having read it before posting. But in answer to your challenge, pretty sure I named 260,000.

Malware is code that is placed on your machine to afford another party unauthorised access or to 'afford' you no access. I've been DDoS'ed for most of this year and it's quite breathtaking - and horrifying. Without even going 'online', my systems were crashing in 3-4 hours with 50 million files - every single one of them 'legitimate' as in "verified-by-Microsoft" (which all have legitimate uses, but not for you and definitely not for me) - but every corrupt 'anti'-virus 'solution' will give your crashing systems the green thumbs up. And some Russian root-kit hunting utilities scream "rootkit detected" until you try and use them for more than detection. BSOD. Zero-fill. Reinstall. Before you say anything, I'm talking about Kaspersky, not the crooks who make rootkit-installing utilities widely promoted in AV forums around the globe.

Verified by Microsoft. These files have hashes that match the official releases. So Secunia's useless PSI will give GREEN to systems which are BSOD'ing whilst they're telling you your system is fine. But you don't want to politely point that out on Secunia's forum, by the way. They don't think it's cute when you refer Secunia to Secunia's ethics.

You can't firewall Microsoft's Windows 'firewall' defaults until it's too late to make it worth the bother, and it's all a joke because there's another 5000 defaults stacked behind; making any frantic efforts to 'secure' Windows an exercise in nausea - don't get me started on DCOM, WMI and component 'Services' 98% of which you'd be mad - mad as in insane - to leave live and active on their default settings.

But I understand, we all need to remote access our registry from the Bahamas. Trust me, I get it. 5000 examples much like that. Oh I really do appreciate what's going on. Trust me.

"What does Windows have to do with anything?"

I just don't want to bag Apple. But if you think operating systems are distinct from each other, you have a better imagination than I do. Or you need to stop getting distracted by the abstraction layers (30% chance that doesn't even make sense).

Everything in EVERY operating system that I'm aware of is almost exclusively setup to be anti-user and pro-enterprise, which I can understand (if I owned a 5000-console call centre, I'd like to control my employees' use of them as well - but the problem with functionality is that it doesn't jump up and say "now hang on, I'm only supposed to be used legitimately").

Windows (all variants), Lion, every Linux distribution on the planet, Xen and even Symbian and Android's OS for phones; are designed from top to bottom to ENSURE - they can be instantly controlled by remote admins. Even when 'offline'. It might interest you to read the FCC 'fine' print on the back of any piece of technology large enough to print it. Your technology must accept interference from the government, even if you'd prefer they interfered more with doing their jobs. They can and will interfere with you if they believe it's in their best interests; and sure, maybe some terrorists get bamboozled and that's tight. Less tight is a corrupt government using every creepy breach of your personal liberty they only managed to con from decent people who were made to be terrified - by them. They ramp up irrational fears, to shut down and silence people who - hypothetically - have a thing for quoting JFK and stuff. Seems like he had only fear to fear, himself. Look on the back of your wireless router for the FCC's informative warning! They're not hiding this from you.

So why are you hiding it from others? Seems strange to me, is all.

I still can't understand a single thing from your post. This in particular baffles me. I'm guessing you can't even provide a coherent definition of malware? After all, your post exposes a gross misunderstanding of the entire concept. As GGJStudios challenged, produce even one example of a virus for the Mac, or any type of malware that does not require direct installation by the user (there's only a handful of those, as well).

Go to your terminal. `sudo su -`, then cd to root.

Type `du` or `lsof` or `ls -alrG` or whatever. You will be so bored you might want to scream by the time du is finished enumerating every file installed as default when you clean install Lion. But you shouldn't scream, because you need to look at them all.

260,000 are installed onto my MBA. 400,000 - one time - I'd be fascinated to hear why MBAs with the same specs could produce non-identical comparisons.

I'm sorry to have to stipulate that you must look at all 260,000. That means open them and try and make sense of the code / function of the dubious - more outrageous - of the 260,000. 90% of them are in a language you don't speak and sure, it's really nice that Mandarin and Korean and 30 other dialects are catered for; but it's not very considerate of me and my ignorance, is it? When I only speak English? That's a question you can get banned for asking. I've never gotten an answer to it.

When you have completed this task (or when you are 1/10000th of the way through), you will have a more complete appreciation of...exactly what, obfuscation means. And I will tell you Well Done. Now go learn Mandarin and do it again. And you know, we're going to do this 30 times with each new language.

Maybe it's best just to trust Apple? I think so. But then that doesn't mean you need to insult yourself either...?
 
This is a long post
Waaaaaaay too long.... I didn't even attempt to read it all, as so much was stream-of-consciousness rambling, but what I did glean is this:
But it's funny how someone who believes he or she may have been the victim of someone poking around their filesystems, will instantly be ridiculed by those who ...., they rush to ridicule the OP's concern
No one was ridiculed.
I will read it, I promise - I apologise for not having read it before posting.
I'll wait until you've read it and are better informed. Then we'll talk.
But in answer to your challenge, pretty sure I named 260,000.
No, you haven't named one. Quoting a number isn't naming an instance of Mac OS X malware in the wild that installs itself without user intervention.
Windows (all variants), Lion, every Linux distribution on the planet, Xen and even Symbian and Android's OS for phones; are designed from top to bottom to ENSURE - they can be instantly controlled by remote admins. Even when 'offline'. It might interest you to read the FCC 'fine' print on the back of any piece of technology large enough to print it. Your technology must accept interference from the government, even if you'd prefer they interfered more with doing their jobs
.... and finally we come to the tinfoil hat argument! I knew it was coming! :rolleyes:

The rest was a meaningless rant that has nothing to do with the topic of this thread. Please, do some reading to better educate yourself on the realities of the Mac malware environment, starting with the Mac Virus/Malware Info link I posted.
 