OSX - found a keylogger, next steps after scans and changing passwords?
May 18, 2020 12:10 PM

Doing a search for a random thing today, I found that clicking the link in the results brought me to a different, scammy, site. I ran a malwarebytes scan and found a keylogger (this one) which I removed. Running an AVG scan now. Will change critical passwords, though I do have 2FA turned on where possible. What else should I be doing?

Is this a big enough deal that I should restore from a backup (after scanning my backups)? To the best of my knowledge I don't do obvious things that would have opened a door to this, and no one has had physical access to my machine. My download speeds were super-slow until I removed the keylogger and now they are fine.

I've got an older iMac running Mojave and it's up to date security-wise. Firefox is my main browser and I've got all the grabby sites (Gmail, Facebook, Twitter, Amazon) running inside of Containers. I've got Ad Block Plus and Privacy Badger and I tossed out Add-ons that seemed out of date. Without getting into the nerdy "Well you should have done this BEFORE today" weeds, what can I be doing today? Thanks.
posted by anonymous to Computers & Internet (5 answers total)
IT professional here — found malware on your Mac? Time to nuke & pave it (that is, wipe it clean and reinstall everything from scratch). If one thing has been compromised you can't trust anything else on that machine.

I wouldn't even restore anything from backup except the documents you need (which might be all of them, sure). I would definitely not restore any applications or settings from backup.
posted by Ampersand692 at 12:20 PM on May 18, 2020 [3 favorites]

Agreeing with what Ampersand692 said. It stinks, but you can’t trust anything on that machine now. Start here.
posted by musicinmybrain at 12:35 PM on May 18, 2020 [1 favorite]

I am the guy that will tell you, over and over, that outside some very specific exceptions there's never a reason to wipe & rebuild a Mac.

Unfortunately, finding malware is one of the exceptions. You have to assume the whole thing is compromised. Save your files somewhere else, verify them, and then reformat the drive and start over.

IOW, it's The Ripley Doctrine.
posted by uberchet at 12:43 PM on May 18, 2020 [1 favorite]
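Both of the answers above come down to the same procedure: copy the documents off, carry over no applications or settings, check the copies, then wipe. The script below is an added example, not code from anyone in this thread. It salvages plain documents from a home folder while leaving behind anything that can execute or configure a login session (app bundles, scripts, installers, plists, the Library folder, dotfiles and dot-directories), and writes a SHA-256 manifest so the copy can be checked again on the rebuilt machine. The extension list, the pruned directory names and the sample home folder are assumptions for illustration; the sample tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Salvage documents from a home
# directory on a machine you are about to wipe, refusing anything that can
# run or configure a login session, and write a SHA-256 manifest so the copy
# can be checked on the rebuilt machine. The extension list, the pruned
# directory names and the sample tree are assumptions for illustration.

# Lowercase extensions never copied: executables, installers, scripts, settings.
SKIP_EXT='app|pkg|dmg|sh|command|scpt|plist|jar|py|rb|pl|dylib|so|bin|exe|zip|tar|gz'

# SHA-256 of one file; macOS ships shasum, Linux ships sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# is_allowed FILE: 0 if the file is a plain document, 1 if it must stay behind.
is_allowed() {
  base=$(basename "$1")
  case "$base" in
    .*) return 1 ;;                                  # .bash_profile, .zshrc, ...
  esac
  ext=$(printf '%s' "$base" | awk -F. 'NF > 1 { print tolower($NF) }')
  [ -z "$ext" ] && return 0                          # no extension: README etc.
  printf '%s\n' "$ext" | grep -Eqx "$SKIP_EXT" && return 1
  return 0
}

# salvage SRC DST MANIFEST: copy allowed files SRC -> DST, hashing each one.
# Bundles (*.app, *.workflow), any 'Library' directory (settings, caches,
# LaunchAgents) and dot-directories (.ssh, .config) are pruned entirely.
salvage() {
  src=$1 dst=$2 manifest=$3
  : > "$manifest"
  find "$src" \( -type d \( -name '*.app' -o -name '*.workflow' \
        -o -name 'Library' -o -name '.*' \) -prune \) -o -type f -print |
  while IFS= read -r f; do
    if ! is_allowed "$f"; then
      printf 'left behind: %s\n' "$f" >&2
      continue
    fi
    rel=${f#"$src"/}
    mkdir -p "$dst/$(dirname "$rel")"
    cp -p "$f" "$dst/$rel"
    printf '%s  %s\n' "$(sha256_of "$f")" "$rel" >> "$manifest"
  done
}

# verify_salvage DST MANIFEST: 0 if every file in the manifest is present in
# DST with the recorded hash, 1 on the first missing file or mismatch.
verify_salvage() {
  dst=$1 manifest=$2
  while read -r sum rel; do
    [ -f "$dst/$rel" ] || return 1
    [ "$(sha256_of "$dst/$rel")" = "$sum" ] || return 1
  done < "$manifest"
  return 0
}

# build_sample_home DIR: constructed stand-in for a compromised home folder.
build_sample_home() {
  mkdir -p "$1/Documents/notes" "$1/Downloads/Evil.app/Contents/MacOS" \
           "$1/Library/LaunchAgents" "$1/.ssh"
  printf 'quarterly report\n'    > "$1/Documents/report.txt"
  printf 'shopping list\n'       > "$1/Documents/notes/my list.txt"
  printf 'README\n'              > "$1/Documents/README"
  printf '#!/bin/sh\necho hi\n'  > "$1/Downloads/setup.sh"
  printf 'binary\n'              > "$1/Downloads/Evil.app/Contents/MacOS/Evil"
  printf '<plist/>\n'            > "$1/Library/LaunchAgents/com.example.agent.plist"
  printf 'export PATH\n'         > "$1/.bash_profile"
  printf 'key\n'                 > "$1/.ssh/id_rsa"
}

# Demo run on the constructed tree: three documents are copied, the script,
# the bundle, the LaunchAgent plist and the dotfiles stay behind.
tmp=$(mktemp -d)
build_sample_home "$tmp/home"
salvage "$tmp/home" "$tmp/salvaged" "$tmp/manifest.sha256"
cat "$tmp/manifest.sha256"
verify_salvage "$tmp/salvaged" "$tmp/manifest.sha256" && echo 'copy verified'
```

The manifest is the part worth keeping: run `verify_salvage` against the copy after the rebuild, and scan the salvaged folder with the AV of your choice on the clean machine before opening anything. A hash match only proves the copy is what you took off the old machine, not that a document is safe, which is why nothing executable is allowed through in the first place.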

Something feels off about that keylogger. It's a paid service with a monthly fee. The "you clicked on the wrong site and got malware" business is mostly a volume business. They don't care about you specifically, you just happened to wander down the wrong path. If they can't extract value from you, they just move on to the next target. So it doesn't make sense to spend too much time or especially money on any one target.

It's not out of the realm of possibility that a malware site has patched the keylogger software so they don't have to pay for it, but considering the monthly fee it's less likely. They would just install something from a hacking toolkit without the hassle of avoiding the monthly fee.

This is all to say: this is the kind of software someone who distrusts their spouse installs after googling for it. Or maybe a business monitoring work-at-home employees on their company laptop. Or maybe a less tech savvy creeper/stalker.

I certainly could be wrong, and I don't want to make you panic, but are you sure no one has had physical access to your machine? Maybe a jealous ex months ago, or a dog walker, or a worker working in your house that was let in by the landlord if you rent? I just want to make sure you weren't directly targeted.

And I'd enable "Require password 1 minute after sleep or screen saver begins" in the Security & Privacy section of System Preferences to prevent someone installing it again if they do manage to have access to your machine.
posted by bluecore at 1:08 PM on May 18, 2020 [10 favorites]

From the OP:
Thanks very much for the basically unanimous feedback, I'll wipe and reinstall this evening. Bah. And in answer to your question, bluecore: no one has had access to this machine unless they broke into my house. No workers, no ex, no landlord. It's a desktop iMac so it hasn't gone anywhere either, ever. I'm nearly always home nowadays and I live in a rural area with a population that isn't very tech savvy. The misdirected search link (going to one of those "You have won a prize!" sites) indicates to me that this was some overall malware package, but I will stay alert, and thank you.
posted by jessamyn (staff) at 1:37 PM on May 18, 2020
