Restore a potentially compromised iMac - best course of actions
Long story short, a friend of mine received a "unrecognized IP successful login" alert on a Microsoft mail account he owns. The conditions of the "hack" (timing, password used etc) are such that the only viable option other than a "false positive" alert (which is still very likely) is that the password was somehow stolen from the client - an iMac - used to create the account in a very short timespan (the "compromise" date is just 5 minutes after the original account creation) - if you like, you can find more details in this question on Information Security.
Anyway, the point is that if there was a compromise, then there must be some keylogger or similar malware on the machine. I did some basic search but found nothing. Also tried to install Little Snitch, but the network filters didn't show anything suspicious.
That said, since I can't find any infection to remove nor I can be sure that the alert my friend received was a false positive, I was planing to "restore/reinstall/format" the machine, even if that means sacrificing all the data contained on it. But I must admit my ignorance... even if I also own an iMac I never had the need to restore it after some compromise, so I don't really know how to proceed.
I am therefore asking for suggestions about the best approach here. I assume I will have to download an operating system iso somewhere on Apple site and then use that to restore the system but I am not sure. This page seems to indicate that I should enter "Restore Mode" and work up from there.... but... does that mean that the "restore" component is still tied to the currently installed OS and could have been compromised too in a way that could give an infection the ability to survive the "wipe"?
Sorry if those questions seems a little confused or paranoid, but having found no trace of the alleged infection I am now starting to evaluate any possibility.
Here's how to detect keyloggers:
Run this command in terminal: kextstat
Something like this should appear:
Index Refs Address Size Wired Name (Version) UUID <Linked Against>
1 90 0xffffff7f80a46000 0x9d90 0x9d90 com.apple.kpi.bsd (16.5.0) D4161E07-43B8-4D47-ABFE-7DF2D693ED9A
2 8 0xffffff7f80dff000 0x3940 0x3940 com.apple.kpi.dsep (16.5.0) 6B33C49C-82D8-4830-AC91-ECF9B9EE3A8C
3 116 0xffffff7f80a04000 0x21040 0x21040 com.apple.kpi.iokit (16.5.0) E2BA46F4-C06A-4ACE-81E5-D9A4B6E061AA
4 122 0xffffff7f80a26000 0xd200 0xd200 com.apple.kpi.libkern (16.5.0) 21ABA52A-C45A-4A1B-8824-F6EB5295ADDE
5 110 0xffffff7f80a00000 0x3dd0 0x3dd0 com.apple.kpi.mach (16.5.0) E18B885B-776C-4F3A-88D4-C823FAFE12A1
6 61 0xffffff7f80a34000 0xbbf0 0xbbf0 com.apple.kpi.private (16.5.0) F0CD0AC2-92DF-4FF9-80A5-21B68641D28E
7 71 0xffffff7f80a40000 0x5890 0x5890 com.apple.kpi.unsupported (16.5.0) 4AE97C68-EB51-4545-A2EB-007EE5A66503
...
140 0 0xffffff7f81f9e000 0x9000 0x9000 com.apple.filesystems.autofs (3.0) E79E1801-8AB8-3BB1-A1F2-3CA5F9C7C648 <139 7 6 5 4 3 1>
142 0 0xffffff7f8272a000 0x18000 0x18000 com.apple.driver.AGPM (110.23.17) 3E92E313-274C-3175-A659-2CB88F03A707 <115 108 99 89 12 6 5 4 3>
143 0 0xffffff7f823f4000 0x5000 0x5000 com.apple.driver.AppleHWSensor (1.9.5d0) AFB68EC7-205B-3499-B796-DAE93A4BA543 <5 4 3>
144 0 0xffffff7f83463000 0x5000 0x5000 com.parallels.virtualhid (1.0.3 3) B0C355DF-4268-359B-9654-0A67F4305F7B <37 5 4 3 1>
So my first 143 kexts all start with com.apple
, so they should be safe (unless somebody uses Apple's bundle id, so look closely at each of one and see if there's something wrong with the name) and I have installed parallels, so it should be safe too.
Next check if one of the extensions links against something that doesn't make sense, like an audio extension linking with a networking library. You can see what they are linked to by looking inside the angle brackets <>. For example, item 114 (com.parallels.virtualhid
) links to item 1, which is com.apple.kpi.bsd
. as 1 is inside the angle brackets (<37 5 4 3 1>
)
If you find something suspicious, remove it, but before you go on be sure that you have the right kernel extension. Disabling the wrong kernel extension can make life really hard. They are usually found in System/Library/Extensions
and end with the extension .kext
.
Now if you really want to completely reinstall macOS, follow these steps:
- Copy the files that you need to another place
- Boot into recovery mode:
Shut down your computer, then power it up while holding Command-R. - Erase your computer:
Select "Disk Utility" from the menu
Click on Erase and confirm the dialogs (May take a while to erase) - Reinstall macOS
Select "reinstall macOS"
Follow its instructions - Complete!
Note that installation may take a long time, especially when your internet connection is slow as it actually downloads the OS from the internet.