How to manually detect infections on Mac
My brother installed MS Office supposedly from a pirated site and after he ran the installer, he mentioned it launched terminal automatically and the computer did some stuff on its own.
- I ran a few scan using Reikey, Kaspersky Internet Security and Etre Check and was not able to detect anything.
- I tried running Malwarebytes, BitDefender & Avast and nothing was detected as well.
- I went to Library/LaunchAgents and nothing out of the ordinary was there.
- I checked Startup Items under Sys Pref > User > My User and it was clean as well.
- I have Lulu running to monitor my network and nothing out of the ordinary was detected.
However I do not feel comfortable since my brother mentioned he saw the installation was done automatically through Terminal, hence we're not sure if it went deep into the system which given Full Disk Access to all Anti-Virus softwares, all results came back to negative.
Hence I checked Mac > System > Library > LaunchDaemons and noticed this
And this under Mac > System > Library > LaunchAgents
Since the non-Apple files are located in System folders, I'm not sure if it is originally from Mac or unauthorised apps which I am more than happy to remove.
I am worried if this work computer may be infected with malware/trojan that the software was not able to detect and might be at risk of data breach. Can anyone advice please? Thank you so much! Terminal after restart (before restart it was showing ttysXXXX on the first line
This is the content of the suspicious installer:
The problem with getting pirated software is three fold:
- The websites that host the software will often do contain trackers, adware, spyware, malware, etc.
- The software itself can be modified to install additional malware
- Some of it is innocuous - simple scripts to open ports/back doors, log keystrokes or steal your identity.
Microsoft and IDC published a whitepaper entitled The Dangerous World of Counterfeit and Pirated Software (making it quite apropos considering it was pirated Office software) and this answer makes extensive use as a resource.
In the search for counterfeit copies of Office on the Internet (across 270 Web sites and P2P networks), we encountered malware just by visiting these sources: tracking cookies and spyware detected on our virtual PCs from 75%of the sites, Trojans and malicious adware at 14%
What this means is that just showing up to search for and download the software, you're immediately attacked using a wide array of tools like malware, adware, spyware, trackers, etc. It's a shotgun approach by the site/hackers to see what they can get from you.
Needless to say, not only are they trying to get something on your computer, the fact that they're using trackers tells us they're building a profile.
However, 60% of the downloaded software didn't come with activation keys, which meant some users had to go back to the download site at least once and sometimes repeatedly to obtain illegal keys.
This is an interesting technique...what better way to get a better "picture" of your victim than to force them to return to get activation keys or cracks. This also inherently treks them that the installation of their compromised software was successful!
Most of the CDs/DVDs came with extra software, whether wanted or not, and often the installation process displayed unusual behavior, such as music playing during installation, pop-ups showing up with Web links to dating or pornography sites, or links to other sites known to be potential security threats
Emphasis mine
Granted, you didn't get an actual CD/DVD media, but these care commonly distributed as disk images (ISO/DMG) and the "unusual behavior" is in line with what you and/or your brother saw with respect to Terminal.
This is the crux of the problem!
A simple script (bash or sh) is all that's is required to open some firewall ports or modify a user shell environment file like .bash_profile
or .zprofile
to source some malicious code every time you open a Terminal shell. These types of scripts won't necessarily show up as malware. It could be a simple script using curl
to connect to a website run by a hacker sending something as innocuous as you IP address or using scp
to silently copy a file like your key chain.
Remember, the genuine installer requires Admin credentials to run and you provide them when you enter your password. Any nefarious steps added will then be installed with admin (sudo
) privileges.
I'm assuming that the Terminal screen you're referring to is showing a login from a different TTY. (It's very difficult to see the Terminal prompt in the 4th picture). The script could have opened a backdoor to your computer.
The Risk
A good majority of people worry about data loss and they should be. Ransomware can bring you or your business to a complete halt because the perpetrators are literally holding your data hostage by making it inaccessible and unusable.
The second is identity theft (this is the bigger risk IMO). Having the installer add some scripts (even to cron
so they run periodically) to send things like browser cookies, your IP address, your bookmarks, password files (keychain) and even install keyloggers (we'll get back to this one). It would be super easy to figure out that you banked at ACME bank, did your shopping at H&K and Amazon, you have a VISA from BankOne, and a MasterCard from BankTwo and you use the same username for them all.
Keyloggers
Keyloggers are a very special type of malware. They straddle the line between bona fide malware and legitimate software. From Malwarebytes:
Although for our purposes, keyloggers operate in the context of malware, they are not always illegal to install and use. Keyloggers are a common tool for corporations, which information technology departments use to troubleshoot technical problems on their systems and networks—or to keep an eye on employees surreptitiously. The same goes for, say, parents, who want to monitor their children’s activities. Suspicious spouses are another market for keyloggers.
This means a keylogger commonly used by (for example) parents to oversee their children's' behavior while online can be utilized by a hacker to capture your keystrokes. Using a simple bash script, it would be super easy to scp
that file to a website somewhere.
Putting this altogether now, we potentially have a method to gather all of your browsing/surfing info creating a profile or a "picture" of you, your password (key chain) files, your location on the web (IP) and your passwords (and other credentials) all sent to an obscure web location. All of it operating under the radar because technically, none of it is malware; they're just scripts calling built in tools like curl
or scp
.
Mitigation
-
Make a different back up of your data! Ransomware works by encrypting your existing data with a key only your attacker knows. If your data happened to get compromised, you don't want overwrite an older, but clean Time Machine backup with bad data.
-
Wipe your drive and reinstall your OS. It's not impossible to clean this up; it's tedious and time consuming. Additionally, you'll always be wondering if you "got everything." The most efficient way to be positive that you've removed all potential threats is to wipe your drive clean and reinstall macOS (from a trusted source, of course).
-
Reinstall your Apps manually or restore from a Time Machine backup taken prior to the install of pirated software. This way you can be certain you're not bringing back compromised files.
-
Manually copy/restore data that was backed up post infection as you need it. It's very likely the data is safe, but for piece of mind, take an extra step and give it a once over before copying back to your system.
-
Change your passwords! Especially if you reuse credentials for different services. The problem here is that you don't know what was compromised - so the safest course of action is to change the password so that if it was compromised, the exposure is limited. It's very important to use different credentials for different services. Using a (paid) product like 1Password, Keeper or the open source KeePass can help you do this.
-
Going forward, consider using APFS snapshots before installing software. This will allow you to roll-back to a previously known-good state of your system.
TL;DR
The pirated software obviously did something when it was installed. The problem is, if it simply installed some scripts that copy files and installed a keystroke logger, it can circumvent detection by malware scanners and anti-virus tools.
The only efficient and surefire way to fix this is to wipe your drive clean and reinstall. The problem is, you don't know what was done, so you have to assume the worst and mitigate it from that standpoint.
Loss of data is always a big concern so having regular backups would be (again) a saving grace here. Identity theft is (IMO) more of a concern so changing your passwords to your accounts, especially ones that have critical data on you (i.e. financial, medical, taxes, etc.) is a high priority. Even though you may have to reuse login/username (lots of websites use email addresses), never reuse your password - don't make it easy for the attackers!
Finally, understand the time/effort that goes into fixing this all to save a few dollars by getting some pirated software. Hopefully I've painted a picture of the immense risk that you were opened up to, but as you go through the clean up process, you'll see how time and labor intensive this is. Your brother owes you big time on this one...I see you being treated to a very expensive restaurant visit in the near future.