How to detect spy/keylogger software? [duplicate]
I have some serious suspition that my boss installed some kind of spy software. Maybe a keylogger, screen capture or something to know what I do when he's not at the office.
I have nothing to hide so I don't know if he doesn't tell me anything because he didn't find anything out of place or because I'm being paranoid and he's not spying me.
Either way I want to be sure if I'm being spied because:
- I don't want to work for someone he doesn't trust me me
- It's illegal and I won't allow anyone to store my passwords (I do access my personal email, homebanking and Facebook account during lunch breaks) and personal information.
So... how can I detect spy software in a iMac running OS X 10.6.8? I have full admin permissions know it.
I tried scanning all folders in my user's and system Library but nothing rang any bell but since I think any of this software would hide the folder (either by location or name) I don't think I'll find a folder named Employeee Spy Data
I also looked all the processes running at different moments with Activity Monitor but again... it's not like the process would be called SpyAgent Helper
Is there a list of known possible folders / processes to look for?
Any other way to detect?
Solution 1:
Any kind of rootkit worth its salt is going to be nearly undetectable on a running system because they hook into the kernel and/or replace system binaries to hide itself. Basically what you're seeing cannot be trusted because the system cannot be trusted. What you need to do is turn off the system, connect an external boot drive (don't connect it to the running system) and then boot the system from an external disk and look for suspicious programs.
Solution 2:
I'll make the hypothesis you have already thoroughly checked all the most common RAT are off or dead (all sharings, ARD, Skype, VNC…).
-
On an external and fully trustable Mac running also 10.6.8, install one (or both) of these 2 rootkits detectors:
-
rkhunter
this is a traditionnal
tgz
to build & install -
chkrootkit which you may install through
brew
ormacports
, for example:port install chkrootkit
-
rkhunter
this is a traditionnal
Test them on this trustable Mac.
Save them on an USB key.
Plug your key on your suspected system running in normal mode with everything as usual and run them.
Solution 3:
One definite way to see if anything suspicious is running is to open the Activity Monitor app, which you can open with Spotlight or go to Applications > Utilities > Activity Monitor. An app can hide from plain sight, but if it's running on the machine, it will definitely show up in Activity Monitor. Some things on there will have funny names, but they are supposed to be running; so if you aren't sure what it is, maybe Google it before you click Quit Process, or you could turn off something important.