How to detect spy/keylogger software? [duplicate]

I have some serious suspicion that my boss installed some kind of spy software. Maybe a keylogger, screen capture or something to know what I do when he's not at the office.

I have nothing to hide, so I don't know if he doesn't tell me anything because he didn't find anything out of place or because I'm being paranoid and he's not spying on me.

Either way, I want to be sure whether I'm being spied on because:

  1. I don't want to work for someone who doesn't trust me
  2. It's illegal and I won't allow anyone to store my passwords (I do access my personal email, home banking and Facebook account during lunch breaks) and personal information.

So... how can I detect spy software on an iMac running OS X 10.6.8? I have full admin permissions on it.

I tried scanning all folders in my user's and the system Library, but nothing rang any bell. Since I think any such software would hide its folder (either by location or name), I don't think I'll find a folder named Employee Spy Data.

I also looked at all the processes running at different moments with Activity Monitor, but again... it's not like the process would be called SpyAgent Helper.

Is there a list of known possible folders / processes to look for?

Any other way to detect?


Solution 1:

Any kind of rootkit worth its salt is going to be nearly undetectable on a running system because it hooks into the kernel and/or replaces system binaries to hide itself. Basically, what you're seeing cannot be trusted because the system cannot be trusted. What you need to do is turn off the system, connect an external boot drive (don't connect it to the running system), then boot the system from that external disk and look for suspicious programs.

Solution 2:

I'll make the hypothesis that you have already thoroughly checked that all the most common RATs are off or dead (all sharing services, ARD, Skype, VNC…).

  1. On an external and fully trustable Mac also running 10.6.8, install one (or both) of these 2 rootkit detectors:

    1. rkhunter: this is a traditional tgz to build & install
    2. chkrootkit, which you may install through brew or macports, for example:

      port install chkrootkit

  2. Test them on this trustable Mac.

  3. Save them on a USB key.

  4. Plug your key into your suspected system running in normal mode with everything as usual and run them.
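The "where would it hide" question above, and the offline inspection Solution 1 describes, as an added example that is not from any of the posts: a POSIX sh script that lists every launchd agent/daemon plist (the standard OS X places where a program registers itself to start at each login or boot) together with the program it actually launches, flagging anything outside the OS's own directories for review. It assumes XML plists and the live system's default paths; the PERSIST_DIRS variable and the flag_path heuristic are this example's own, and when booted from the external disk you point PERSIST_DIRS at the mounted suspect volume's Library folders instead.

```shell
#!/bin/sh
# Added example (not from any of the posts): list launchd persistence entries on OS X,
# the standard places where an agent that must survive a reboot registers itself,
# and show what each one launches so an unfamiliar program stands out.
# Assumptions: XML plists (binary ones are flagged for plutil); default paths are the
# live system's, so override PERSIST_DIRS with the mounted suspect volume's paths.
PERSIST_DIRS="${PERSIST_DIRS:-$HOME/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons}"

# plist_value FILE KEY: print the first <string> that follows <key>KEY</key>, whether
# it sits directly under the key (Program) or inside an <array> (ProgramArguments).
# Prints nothing if the key is absent. Flattens the file first so the match is one line.
plist_value() {
    tr -d '\n\r\t' < "$1" \
        | sed -n "s/.*<key>$2<\/key>//p" \
        | sed -n 's/^[^<]*<[^>]*>[ ]*\(<string>\)\{0,1\}\([^<]*\)<.*/\2/p'
}

# flag_path PATH: triage heuristic. Binaries the OS itself ships live under a few
# system directories; anything else (especially user-writable locations) gets REVIEW.
flag_path() {
    case "$1" in
        /System/Library/*|/usr/libexec/*|/usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*) echo system ;;
        *) echo REVIEW ;;
    esac
}

# list_persistence: one tab-separated line per plist (flag, label, program, file).
# Returns non-zero when no plist was found at all, which usually means a wrong path.
list_persistence() {
    n=0
    for d in $PERSIST_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -f "$f" ] || continue
            n=$((n + 1))
            if head -c 6 "$f" | grep -q '^bplist'; then   # binary plist: cannot grep it
                printf 'REVIEW\t?\t(binary plist: plutil -convert xml1 -o - "%s")\t%s\n' "$f" "$f"
                continue
            fi
            label=$(plist_value "$f" Label)
            prog=$(plist_value "$f" ProgramArguments)
            [ -n "$prog" ] || prog=$(plist_value "$f" Program)
            printf '%s\t%s\t%s\t%s\n' "$(flag_path "$prog")" "${label:-?}" "${prog:-?}" "$f"
        done
    done
    [ "$n" -gt 0 ]
}

list_persistence || echo "no launchd plists found under: $PERSIST_DIRS" >&2
```

Compare the REVIEW lines against what you knowingly installed; a label or program path you do not recognise is the entry to investigate (and to look up before deleting anything).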

Solution 3:

One definite way to see if anything suspicious is running is to open the Activity Monitor app, which you can open with Spotlight or go to Applications > Utilities > Activity Monitor. An app can hide from plain sight, but if it's running on the machine, it will definitely show up in Activity Monitor. Some things on there will have funny names, but they are supposed to be running; so if you aren't sure what it is, maybe Google it before you click Quit Process, or you could turn off something important.