Advice on securely removing malware

I'm helping out a friend who thinks they may have malware on their machine. I don't know what kind or to what extent, so I don't want to boot into the system. My question is:

  • Is there a good boot time anti-malware like Avira Rescue Kit (which won't seem to boot on a Mac)?
  • Or, should I boot into the recovery partition, and run Malwarebytes?

Thanks


Solution 1:

Malwarebytes is at best terribly ineffective from my experience. Why do you suspect a rootkit? I don't think you're wrong, possibly very perceptive but just wondering why.

The problem with rootkits is they will hide all evidence of their existence especially from a rickety Malwarebytes scan. Mac malware creators must be sophisticated enough to jump some of the small hurdles Apple attempts to create so keep that in mind in terms of the persistence factor at play.

What makes you think that the malware won't go hide in your NVRAM, xartstorage (secure enclave), graphics card, SMC, create a RAM disk, etc. to make you think that it's gone, and that Recovery Mode really is an almighty kill switch and isn't just a pacifier that effectively negates all legitimate and acceptable levels of suspicion?

macOS (previously styled OS X) is inherently insecure. "It just works" is not befitting of a truly secure operating system, in which case "I expletive hate it" would probably be more likely. Focus groups probably would have found that didn't have quite the same cachet.

To assess the potential of this type of malware:

  • Open Terminal and type ls /dev/ and paste the results if you wish.
  • When you reinstall the OS in Recovery, look for a process called "unknown" in the install logs (Command-L, and then be sure to select the option in the top left corner to show all progress and errors).
  • You could also enable kernel debugging and read the kextlog shown as your OS boots. In full disclosure this does require a high level of modest effort, so it's perfectly acceptable and possibly most productive to dismiss the possibility of a rootkit in advance.
  • Obtain a copy of the entire disk with all volumes and mount it read-only to a Windows VM, then try various malware scans.
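Two small helpers for the first and last steps of that procedure, added here as an example and not part of the answer above: one compares the /dev listing captured on the suspect Mac against a baseline listing taken from a known-good machine of the same model and macOS version, reporting entries that exist only on the suspect; the other parses a line of `mount` output and confirms the imaged disk really is attached read-only before any scanner touches it (a writable mount would let the analysis host alter the evidence). Both the mount lines and the device listings below are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example supporting the answer's procedure. All sample data is constructed.

# dev_extra_entries BASELINE_FILE SUSPECT_FILE
# Each file holds one device name per line, e.g. captured with: ls /dev | sort
# Prints names present in SUSPECT_FILE but absent from BASELINE_FILE.
# A difference is a lead to investigate, not proof of anything: hardware
# and attached peripherals also change the contents of /dev.
dev_extra_entries() {
    tmp=$(mktemp)
    sort "$1" > "$tmp"
    # comm requires sorted input; -13 keeps only lines unique to stdin (suspect)
    sort "$2" | comm -13 "$tmp" -
    rm -f "$tmp"
}

# mount_is_readonly 'MOUNT_LINE'
# Accepts one line of `mount` output in either the Linux form
#   /dev/sdb2 on /mnt/suspect type hfsplus (ro,noexec,nosuid,nodev)
# or the macOS form
#   /dev/disk3s1 on /Volumes/Suspect (hfs, local, read-only, journaled)
# Returns 0 when the parenthesised option list contains "ro" or "read-only".
mount_is_readonly() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    printf '%s\n' "$opts" | tr ',' '\n' | sed 's/^ *//' \
        | grep -qx -e ro -e read-only
}

# Demonstration with constructed listings and mount lines.
demo() {
    baseline=$(mktemp)
    suspect=$(mktemp)
    printf 'disk0\ndisk0s1\nnull\nzero\n' > "$baseline"
    printf 'zero\nnull\ndisk0\ndisk0s1\nrdisk9\n' > "$suspect"

    echo "Device nodes only on the suspect machine:"
    dev_extra_entries "$baseline" "$suspect"
    rm -f "$baseline" "$suspect"

    for line in \
        '/dev/sdb2 on /mnt/suspect type hfsplus (ro,noexec,nosuid,nodev)' \
        '/dev/disk3s1 on /Volumes/Suspect (hfs, local, read-only, journaled)' \
        '/dev/sdb2 on /mnt/suspect type hfsplus (rw,relatime)'
    do
        if mount_is_readonly "$line"; then
            echo "read-only OK : $line"
        else
            echo "NOT read-only: $line (remount before scanning)"
        fi
    done
}

demo
```

Run the script as-is to see the demo; in practice, feed dev_extra_entries the two captured listings and run mount_is_readonly on the output of `mount | grep Suspect` (or the equivalent path) on the analysis host before launching any scan.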