Yosemite malware?

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
114
2
I have Yosemite 10.10.5 and I am certain that my Mac has malware which allows data to be removed from my system.

Some examples are when I go to a web site like IBM.ca to register and look for positions, my IBM account login has been removed.
Another example is when I use Firefox, it would not remove an email account even though I erased the browser cache and performed the refresh-to-default option found in "Troubleshooting Information".

I would like to know if anyone has a method to verify the operating system. For example, if I was to reinstall the Yosemite O.S., is there a SHA-512 hash I could perform on the installation operating system, or if I have no open applications, what processes should the system have running?

Thanks
 

simonsi

macrumors 601
Jan 3, 2014
4,850
734
Auckland
If you obtain the 10.10.5 installer from the App Store then it will verify itself with Apple, no further checks are needed. If you get it from elsewhere then all bets are off.
 

vexorg

macrumors 6502a
Aug 4, 2009
595
49
Not sure why you'd go anywhere else but Apple for OS X, it's free with your Mac, and about as trustworthy as you can get.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,183
9,865
California
I would like to know if anyone has a method to verify the operating system. For example, if I was to reinstall the Yosemite O.S., is there a SHA-512 hash I could perform on the installation operating system, or if I have no open applications, what processes should the system have running?
If you download the OS from the App Store it has a hash inside the DMG that verifies itself before it runs. But as far as running some sort of hash against the installed OS, I can't think of an easy way to do that. I suppose you could compare the hash for things like mach_kernel and different system files to known good copies.

Try this... install and run the app EtreCheck once. That will create an anonymized report of everything running on your system as well as list any launch/startup items. Post that report here for us to take a look and we can tell you if there is anything third party running that looks suspicious.
 

vexorg

macrumors 6502a
Aug 4, 2009
595
49
Is there no Windows-type SFC program for OS X? SFC verifies all the core OS files are intact for Windows.
 

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
114
2
Apple provides SHA for some of its updates as well as PGP authentication "http://support.apple.com/kb/HT1620". It is not good enough to download an operating system and say it's OK because it installs.

Since Mountain Lion, Activity Monitor displays the incorrect total processes %, showing values over 100%. This suggests a hidden process and it has not been corrected in Yosemite. Another strange omission is that Apple updates in Snow Leopard allowed a user to easily obtain all installed updates in the operating system. Mountain Lion to Yosemite do not have this option.

If you obtain the 10.10.5 installer from the App Store then it will verify itself with Apple, no further checks are needed. If you get it from elsewhere then all bets are off.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
30,183
9,865
California
Apple provides SHA for some of its updates as well as PGP authentication "http://support.apple.com/kb/HT1620". It is not good enough to download an operating system and say it's OK because it installs.
That is because those updates can be downloaded outside the App Store from an Apple web page. But App Store downloads do have the embedded hash I mentioned and are safe.

What you can do is DL the OS installer then compare the SHA hash to what others are reporting on the Internet. If others are reporting the same hash as you, you have some assurance the installer is intact.

a673c2c6d967f4da2934b7d6cf3736936970b194

I found a post that says this is the SHA hash for Yosemite 10.10.2. If you Google that string you will find quite a few posts on various forums reporting the same thing.

I think that is as close as you are going to get for what you are after.
 

vexorg

macrumors 6502a
Aug 4, 2009
595
49
Since Mountain Lion, Activity Monitor displays the incorrect total processes %, showing values over 100%
It is possible to get over 100% with the new Intel processors; the turbo modes and multi-cores make it not so simple to judge where 100% should be.
 

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
114
2
That is because those updates can be downloaded outside the App Store from an Apple web page. But App Store downloads do have the embedded hash I mentioned and are safe.

What you can do is DL the OS installer then compare the SHA hash to what others are reporting on the Internet. If others are reporting the same hash as you, you have some assurance the installer is intact.

a673c2c6d967f4da2934b7d6cf3736936970b194

I found a post that says this is the SHA hash for Yosemite 10.10.2. If you Google that string you will find quite a few posts on various forums reporting the same thing.

I think that is as close as you are going to get for what you are after.
Ahhh yes. I am aware of this, but what I would expect is that Apple provides this information so everyone, without searching, can say the SHAxx value matches Apple's value.
 

macmacmacr

macrumors regular
Original poster
Dec 23, 2014
114
2
Others have been known to provide installers via torrents, sometimes with their own little "extras" thrown in...
How do you know when you go to Apple store your machine hasn't been redirected to another miscellaneous site?
 

simonsi

macrumors 601
Jan 3, 2014
4,850
734
Auckland
How do you know when you go to Apple store your machine hasn't been redirected to another miscellaneous site?
Provenance, i.e. the App Store code and my OSX came from Apple and were verified; subsequent downloads are verified, so if one was intercepted that verification would fail. Once you download OSX or a component from elsewhere, that provenance is broken and all bets are off. Apple does not want you getting its code from elsewhere (why would they), so no need to provide the hash. Once a download has been verified there is no need to verify the installed code; where would a discrepancy come from if by definition it is NOT included in the verified download?
 

Tech198

macrumors G5
Mar 21, 2011
14,649
1,842
Australia, Perth
How do you know when you go to Apple store your machine hasn't been redirected to another miscellaneous site?
Don't download OS X .torrents in the first place?

You'd know, your web browser would open... Apple would ask you with a pop-up to verify the install of such malware, if getting it from the web, which I hope you wouldn't enter your password for.

If anything needs to be called from the internet to take control it must be installed, thus the user must enter their password; if they do that anyway, then all security bets are off, you're on your own, as you accepted it.

As far as I know there is no way around Apple's popup. Unlike Windows, where you could "in theory" provide some fake UAC, you cannot do that on a Mac... it's a genuine Apple dialog, unless OS X itself was malicious, which means you never got it from a trusted source like the App Store in the first place.

If you stick to Apple's methods, then it's secure, but outside of that, you're left to fend for yourself.
 

vexorg

macrumors 6502a
Aug 4, 2009
595
49
There are places like China that do have the power to intercept and redirect you without the Mac knowing (Great Firewall and Cannon).

Earlier this year they hijacked the facebook.js files to re-route users to anti-China sites. It would be very simple for them to detect an App Store request or IP and you end up downloading from somewhere that is not Apple. Very unlikely in any other part of the world.
 

simonsi

macrumors 601
Jan 3, 2014
4,850
734
Auckland
Any ISP can theoretically redirect in this way; however, outside China/Korea it is highly unlikely to be done.
 

vexorg

macrumors 6502a
Aug 4, 2009
595
49
Ok, I'll correct that: There are places like China that do intercept and redirect you without the Mac knowing (Great Firewall and Cannon).
 