Restore a potentially compromised iMac - best course of actions

security restore virus

Long story short, a friend of mine received a "unrecognized IP successful login" alert on a Microsoft mail account he owns. The conditions of the "hack" (timing, password used etc) are such that the only viable option other than a "false positive" alert (which is still very likely) is that the password was somehow stolen from the client - an iMac - used to create the account in a very short timespan (the "compromise" date is just 5 minutes after the original account creation) - if you like, you can find more details in this question on Information Security.

Anyway, the point is that if there was a compromise, then there must be some keylogger or similar malware on the machine. I did some basic search but found nothing. Also tried to install Little Snitch, but the network filters didn't show anything suspicious.

That said, since I can't find any infection to remove nor I can be sure that the alert my friend received was a false positive, I was planing to "restore/reinstall/format" the machine, even if that means sacrificing all the data contained on it. But I must admit my ignorance... even if I also own an iMac I never had the need to restore it after some compromise, so I don't really know how to proceed.

I am therefore asking for suggestions about the best approach here. I assume I will have to download an operating system iso somewhere on Apple site and then use that to restore the system but I am not sure. This page seems to indicate that I should enter "Restore Mode" and work up from there.... but... does that mean that the "restore" component is still tied to the currently installed OS and could have been compromised too in a way that could give an infection the ability to survive the "wipe"?

Sorry if those questions seems a little confused or paranoid, but having found no trace of the alleged infection I am now starting to evaluate any possibility.


Here's how to detect keyloggers:

Run this command in terminal: kextstat

Something like this should appear:

Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   90 0xffffff7f80a46000 0x9d90     0x9d90     com.apple.kpi.bsd (16.5.0) D4161E07-43B8-4D47-ABFE-7DF2D693ED9A
    2    8 0xffffff7f80dff000 0x3940     0x3940     com.apple.kpi.dsep (16.5.0) 6B33C49C-82D8-4830-AC91-ECF9B9EE3A8C
    3  116 0xffffff7f80a04000 0x21040    0x21040    com.apple.kpi.iokit (16.5.0) E2BA46F4-C06A-4ACE-81E5-D9A4B6E061AA
    4  122 0xffffff7f80a26000 0xd200     0xd200     com.apple.kpi.libkern (16.5.0) 21ABA52A-C45A-4A1B-8824-F6EB5295ADDE
    5  110 0xffffff7f80a00000 0x3dd0     0x3dd0     com.apple.kpi.mach (16.5.0) E18B885B-776C-4F3A-88D4-C823FAFE12A1
    6   61 0xffffff7f80a34000 0xbbf0     0xbbf0     com.apple.kpi.private (16.5.0) F0CD0AC2-92DF-4FF9-80A5-21B68641D28E
    7   71 0xffffff7f80a40000 0x5890     0x5890     com.apple.kpi.unsupported (16.5.0) 4AE97C68-EB51-4545-A2EB-007EE5A66503
    ...
  140    0 0xffffff7f81f9e000 0x9000     0x9000     com.apple.filesystems.autofs (3.0) E79E1801-8AB8-3BB1-A1F2-3CA5F9C7C648 <139 7 6 5 4 3 1>
  142    0 0xffffff7f8272a000 0x18000    0x18000    com.apple.driver.AGPM (110.23.17) 3E92E313-274C-3175-A659-2CB88F03A707 <115 108 99 89 12 6 5 4 3>
  143    0 0xffffff7f823f4000 0x5000     0x5000     com.apple.driver.AppleHWSensor (1.9.5d0) AFB68EC7-205B-3499-B796-DAE93A4BA543 <5 4 3>
  144    0 0xffffff7f83463000 0x5000     0x5000     com.parallels.virtualhid (1.0.3 3) B0C355DF-4268-359B-9654-0A67F4305F7B <37 5 4 3 1>

So my first 143 kexts all start with com.apple, so they should be safe (unless somebody uses Apple's bundle id, so look closely at each of one and see if there's something wrong with the name) and I have installed parallels, so it should be safe too.

Next check if one of the extensions links against something that doesn't make sense, like an audio extension linking with a networking library. You can see what they are linked to by looking inside the angle brackets <>. For example, item 114 (com.parallels.virtualhid) links to item 1, which is com.apple.kpi.bsd. as 1 is inside the angle brackets (<37 5 4 3 1>)

If you find something suspicious, remove it, but before you go on be sure that you have the right kernel extension. Disabling the wrong kernel extension can make life really hard. They are usually found in System/Library/Extensions and end with the extension .kext.

Now if you really want to completely reinstall macOS, follow these steps:

  1. Copy the files that you need to another place
  2. Boot into recovery mode:
    Shut down your computer, then power it up while holding Command-R.
  3. Erase your computer:
    Select "Disk Utility" from the menu
    Disk Utility Click on Erase and confirm the dialogs (May take a while to erase) Erase
  4. Reinstall macOS
    Select "reinstall macOS"
    reinstall
    Follow its instructions
  5. Complete!

Note that installation may take a long time, especially when your internet connection is slow as it actually downloads the OS from the internet.

Related

Increasing height of 27" iMac
iMovie - freeing up space
macOS numbers formula range problem
Auto-completing words in any program
Will the absence of connected charger increase the cycle count?
As an indie developer, what do I put in the contact section of the "Agreements, Tax, and Banking" in iTunes connect?
How to Convert a Webex ARF File on OSX (a Mac)
No memory available on my iPhone 6?
Is it possible to disable a default keyboard shortcut for a special character, without the use of third-party software?
Does Time Machine also restore files from older backups not present in newer ones?
How can I transfer a Live Photo from one .photoslibrary file to another?
How to find cause for iTunes not exporting library XML?