Old 09-02-2009, 03:11 AM   #161
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by cwtnospam
No, I'm saying that with an arbitrary set of possible numbers (as in 10 worms and 5 infections) your equation falls apart.

Your assumption of the numbers is wrong as a is directly related to market share. Currently when a worm sends out 10 copies, 9 of them end up on a Windows host and can do no harm there. Getting 5 infections when sending out 10 worms means there's a 50% market share.

Quote:
It's not a good representation of reality, especially since we are talking about a very small number of potential attacks at any point in time. You're trying to use Science as a marketing tool without doing any real science.

No, I'm trying to explain why there hasn't been a major outbreak. Currently there's indeed a small chance, the formula shows that any worm will die out by itself at this point in time. However, it also shows that when the numbers are right there will be an epidemic.
SirDice is offline   Reply With Quote
Old 09-02-2009, 03:19 AM   #162
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by EatsWithFingers
However, the above formula does not concern itself with how likely an outbreak is in the first place. It just deals with modelling the resulting spread. In other words, it does not answer the question of how likely it is that new malware will appear for a particular OS platform (which brings us back to debating the presence or otherwise of a motivation for malware writers to target OS X).

It more or less does prove the likelihood. Albeit indirect perhaps. As the numbers are right now it's clear that a worm will die out by itself and never reach its full potential even if it would use 'killer code' that can infect every single OS-X host it encounters. So writing one to become the next Melissa for Mac is somewhat futile at this point in time.
SirDice is offline   Reply With Quote
Old 09-02-2009, 06:16 AM   #163
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
Quote:
Originally Posted by SirDice
It more or less does prove the likelihood. Albeit indirect perhaps.

Maybe I wasn't clear with my final statement. What I meant was the formula only models the spread of a worm once it exists. It does not deal with the likelihood of that worm existing in the first place. And that is the contentious point when it comes to discussing the relative security of two different platforms.

Quote:
Originally Posted by SirDice
As the numbers are right now it's clear that a worm will die out by itself and never reach its full potential even if it would use 'killer code' that can infect every single OS-X host it encounters. So writing one to become the next Melissa for Mac is somewhat futile at this point in time.

I'm not sure about your formula, but the one I posted shows that any given worm will eventually infect all possible hosts. So, in your example, all systems running OS X that remained unpatched would become infected. This is independent from the market share of OS X and only relies on every Mac being somehow connected to another Mac (e.g., every Mac owner having the e-mail address of at least one other Mac owner in their address book).

EDIT: I do agree that the rate of spread is related to market share, and thus in the case of OS X, it will be low enough that the vast majority of systems will be patched before any real damage is done.
__________________
Question everything -- especially that which you already believe to be true.

Last edited by EatsWithFingers; 09-02-2009 at 06:20 AM.
EatsWithFingers is offline   Reply With Quote
Old 09-02-2009, 06:25 AM   #164
ArcticStones
Moderator
 
Join Date: Nov 2003
Location: Norway
Posts: 3,152
.
Thank you for your impressive thoroughness and patience, EatsWithFingers.

As I understand it, we can now permanently park the notion that 8 virus-free years of OS X is due to low market share, as misguided.
.
__________________
.
"You say this gadget of yours is for ordinary people.
What on earth would ordinary people want with computers?"

HP executive to Steve Wozniak
ArcticStones is offline   Reply With Quote
Old 09-02-2009, 07:29 AM   #165
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by EatsWithFingers
Maybe I wasn't clear with my final statement. What I meant was the formula only models the spread of a worm once it exists. It does not deal with the likelihood of that worm existing in the first place.

Yes, I agree to that. But perhaps I wasn't too clear either. What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.

Quote:
So, in your example, all systems running OS X that remained unpatched would become infected.

As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.
SirDice is offline   Reply With Quote
Old 09-02-2009, 07:33 AM   #166
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Quote:
Originally Posted by SirDice
As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.

Geez, if 10% of what you say were true, the Mac would be full of malware by now. We've got hackers salivating every time anyone announces any kind of OS X vulnerability, and writing lame trojans that can't get past the first ten people to see them, yet you'd have us believe they're not interested in trying to write malware!

What color is the sky in your world?
cwtnospam is offline   Reply With Quote
Old 09-02-2009, 07:40 AM   #167
NaOH
Hall of Famer
 
Join Date: Dec 2007
Posts: 3,852
Quote:
currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X.

I thought the issue was market share, not the speed of propagation. How much slower is the rate of propagation for the current 100 million people using an OS X-based platform compared to if the install base reaches 150 million? 33%?

If a self-described security professional can't be clear about all this, it's no wonder billions of computer users have trouble understanding the risks and how they might best protect themselves.
NaOH is online now   Reply With Quote
Old 09-02-2009, 07:41 AM   #168
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by NaOH
I thought the issue was market share, not the speed of propagation.

Then you haven't been paying attention. Propagation speed is directly related to market share.
SirDice is offline   Reply With Quote
Old 09-02-2009, 07:55 AM   #169
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Speed, not interest in creating one. But I'm sure you'll go on ignoring all those guys who spend months creating an implausible real world hack (like pre-infecting a Mac to make cracking it easy) just so they can go to a black hat convention and demonstrate a theoretical Mac vulnerability.
cwtnospam is offline   Reply With Quote
Old 09-02-2009, 08:04 AM   #170
NaOH
Hall of Famer
 
Join Date: Dec 2007
Posts: 3,852
Speed is not related to market share. Breadth of impact is. If you think I haven't been paying attention, please explain the following market share-related quotes, all by you:

I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now).

Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.

There have been various attacks [on the Mac]. None of them reached a big audience simply because of the numbers involved.

I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now). Given enough years at that level I'm quite sure the total amount will equal or perhaps surpass the numbers we see now attacking Windows.

As I've said before the number of OS-X users hasn't gained critical mass yet that would allow a worm or a virus to wreak havoc.

But times will change when the baddies will move into your nice little [Apple] neighborhood. This is what inevitably will happen when market share increases.

Please, have a look at what you've written before suggesting I'm not paying attention. One minute you've claimed that the Mac will have the same number of malware threats as Windows when the user base reaches some imaginary critical mass you've not defined.

At other times you're saying your point is simply that people should be careful, but you've spent loads more time defending your baseless conjecture rather than offering a semblance of helpful advice to those who might stand to learn something about security.

After that, you slide into statements like a Mac "worm will die out by itself and never reach its full potential." Please, I'm no security expert, but by that logic no worm will ever reach its full potential until every living person has an infinite amount of computers and they're all connected to the Internet.

And you've made all those claims without any supporting evidence other than the fact that no OS is completely secure. Seriously, imagine you're charged with submitting an OS X security procedures proposal that will be subjected to scientific peer review. What would you say, because none of what you've said here would fly in such an environment.
NaOH is online now   Reply With Quote
Old 09-02-2009, 09:11 AM   #171
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
Quote:
Originally Posted by SirDice
What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.

Worms are typically used as a delivery mechanism for more insidious malware. That is, there is no point in writing a worm if the target system cannot be infected by its payload.

Quote:
Originally Posted by SirDice
As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.

True, but the patching can prevent the worm having any effect on the host system (other than being used to spread the worm itself whenever the file containing the worm is executed).

As you've pointed out, it is possible to write an e-mail worm that spreads amongst Macs (or any OS for that matter), but for that worm to do anything other than simply replicate there needs to be bugs in the OS which can be exploited. EDIT: OK, so MyDoom overwrites system files, but that is trivial to prevent by using a non-admin account for daily use (covered by one of my "sensible habits").

The question then is, "does a benign worm that requires user initiation to replicate constitute a security threat?" My answer would be "no, it does not."
__________________
Question everything -- especially that which you already believe to be true.

Last edited by EatsWithFingers; 09-02-2009 at 09:19 AM.
EatsWithFingers is offline   Reply With Quote
Old 09-02-2009, 06:13 PM   #172
roncross@cox.net
MVP
 
Join Date: Jan 2004
Posts: 1,764
Quote:
Originally Posted by SirDice
Yes, I agree to that. But perhaps I wasn't too clear either. What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.

Well if this is the case, then why worry about having antivirus protection and such if there is no impact.
I recall in your earlier post advocating for this, but it contradicts the statement you made later. You are not showing clarity in your thought process which is why you are unable to persuade anyone.

Quote:
Originally Posted by NaOH
If a self-described security professional can't be clear about all this, it's no wonder billions of computer users have trouble understanding the risks and how they might best protect themselves.

Hey, I'm also a self-described security professional and I use no antivirus, firewall, etc., and I feel safe

Quote:
Originally Posted by NaOH
Please, have a look at what you've written before suggesting I'm not paying attention. One minute you've claimed that the Mac will have the same number of malware threats as Windows when the user base reaches some imaginary critical mass you've not defined.

At other times you're saying your point is simply that people should be careful, but you've spent loads more time defending your baseless conjecture rather than offering a semblance of helpful advice to those who might stand to learn something about security.

After that, you slide into statements like a Mac "worm will die out by itself and never reach its full potential." Please, I'm no security expert, but by that logic no worm will ever reach its full potential until every living person has an infinite amount of computers and they're all connected to the Internet.

And you've made all those claims without any supporting evidence other than the fact that no OS is completely secure. Seriously, imagine you're charged with submitting an OS X security procedures proposal that will be subjected to scientific peer review. What would you say, because none of what you've said here would fly in such an environment.

SirDice, will you be able to clearly summarize your points so that we know once and for all how you view this issue? I for one am very confused.
__________________
with warm regards
Ronald Cross
roncross@cox.net is offline   Reply With Quote
Old 09-02-2009, 07:07 PM   #173
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
Quote:
Originally Posted by EatsWithFingers
OK, let's assume (in this hypothetical future) that OS X used the following implementation of the MLS paradigm, then we may be able to severely limit the damage that any malware would do, and thus limit their spread, effectiveness, appeal to criminals, etc.

[..]

Quote:
Originally Posted by SirDice
Is this implemented yet? If so, could you point me to its documentation? I'd like to read up a bit on it.

Quote:
Originally Posted by EatsWithFingers
Sorry, but there's no implementation of this as far as I am aware.

Apologies for digging up these earlier posts, but I've since read about FreeBSD Jails and the concepts appear to be very similar. And increased security is precisely the motivation behind them.
__________________
Question everything -- especially that which you already believe to be true.
EatsWithFingers is offline   Reply With Quote
Old 05-12-2010, 09:48 PM   #174
butterthief
Prospect
 
Join Date: Jan 2009
Posts: 2
time to upgrade my boyfriend?

macbook 10.4.11...grrrr...don't have the specs (as i am running a live ubuntu disk for privacy) but they are decent, intel based.

i think my mac *may* have been compromised...i have a 'significant other' who works in the software world and may be spying on my computer. we're having challenges. sorry if i am posting in the wrong place...it sounded like a security/privacy topic.

this post says to check the activity monitor (ha!) but that's all gobbledygook to me. how can i tell what is malicious and what is standard?

also, i would like to run a scan to check my mac before i keep writing 7 layers of zeroes and re-installing over and over again. is it possible that something can hide from a re-install, like 'rootkits' in pcs?

or can something be stealth-installed from reading his emails? even ones without pics?

yes, i am paranoid. just because you're paranoid doesn't mean they aren't out to get you.

i just want to communicate with the dignity of personal choice and personal privacy.

thanks in advance for any help you may offer.
butterthief is offline   Reply With Quote
Old 08-03-2010, 01:01 PM   #175
emonroe1925
Guest
 
Posts: n/a
Activity Monitor is there anything fishy??

this is what comes up on my activity monitor:
Activity Monitor
Aosnotifyd
AppleSpell.service
ATTSServer
BBLauchAgent
Diskimages-helpe
Dock
FileSyncAgent
Finder
Firefox
iCal
iTunes Helper
launchd
loginwindow
mdworker
Microsoft Database Daemon
Microsoft Word
Pboard
Spotlight
SystemUIServer
UserEventAgent
  Reply With Quote
Old 08-03-2010, 01:46 PM   #176
NaOH
Hall of Famer
 
Join Date: Dec 2007
Posts: 3,852
All of those are legitimate processes. Generally, the most helpful first action is to do a web search for any process whose name you can't identify. For example, searching for Aosnotifyd will lead to information discussing how this is a sync process for the computer and MobileMe.
NaOH is online now   Reply With Quote
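The sorting step behind the advice in post #176, as an added example that is not part of the original thread: it reads a pasted Activity Monitor list in any of the layouts seen in this thread, sets aside names that are already identified, and separates near-miss spellings from names that still need a web search. The baseline is an assumption (the names from post #175 that post #176 calls legitimate), and the sample input, including the misspelled `Findr` and the user `exampleuser`, is constructed.

```python
import re

# Assumed baseline: the names listed in post #175, which post #176 calls legitimate.
BASELINE = [
    "Activity Monitor", "Aosnotifyd", "AppleSpell.service", "ATTSServer",
    "BBLauchAgent", "Diskimages-helpe", "Dock", "FileSyncAgent", "Finder",
    "Firefox", "iCal", "iTunes Helper", "launchd", "loginwindow", "mdworker",
    "Microsoft Database Daemon", "Microsoft Word", "Pboard", "Spotlight",
    "SystemUIServer", "UserEventAgent",
]

# Full row: PID, name, user, %CPU, threads, memory, kind.
FULL_ROW = re.compile(
    r"^\d+\s+(?P<name>.+?)\s+\S+\s+\d+\.\d+\s+\d+\s+[\d,.]+ [KMG]B\s+\S.*$")
# Short row: PID followed by the name only.
PID_ROW = re.compile(r"^\d+\s+(?P<name>.+)$")


def parse_name(line):
    """Return the process name from one pasted line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    for pattern in (FULL_ROW, PID_ROW):
        match = pattern.match(line)
        if match:
            return match.group("name").strip()
    return line  # a bare name with no PID column


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(pasted, baseline=BASELINE):
    """Sort pasted process names into known, lookalike and look_up buckets."""
    known = {name.lower(): name for name in baseline}
    result = {"known": [], "lookalike": [], "look_up": []}
    for line in pasted.splitlines():
        name = parse_name(line)
        if name is None:
            continue
        key = name.lower()
        if key in known:
            result["known"].append(name)
            continue
        # One edit away from a known name (short names skipped to limit noise).
        near = [orig for k, orig in known.items()
                if len(k) >= 5 and edit_distance(key, k) == 1]
        if near:
            result["lookalike"].append((name, near[0]))
        else:
            result["look_up"].append(name)
    return result


# Constructed sample mixing the three layouts pasted in this thread.
SAMPLE = """\
1 launchd
83091 Finder
96 Dock exampleuser 0.0 3 24.4 MB Intel (64 bit)
100 pboard exampleuser 0.0 1 856 KB Intel (64 bit)
135 Safari exampleuser 3.1 10 354.0 MB Intel (64 bit)
Microsoft Word
200 Findr exampleuser 0.0 1 1.0 MB Intel (64 bit)
83124 Dropbox
"""

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(bucket, names)
```

A name landing in `known` only means it matches a name that was already identified; the comparison is on names alone and says nothing about the binary behind them.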
Old 01-05-2011, 12:19 PM   #177
Blackcurrant
Guest
 
Posts: n/a
Question

Hi Guys
Anyone still there?
I've just switched from Windows and feel insecure ( psychologically at least ) about the malware discussion and what I should do for my Mac.

I am running OSX 10.6.5. While I sorted out whether I believe the 'We're safe' or 'you need protection' brigade, I downloaded ProtectMac AntiVirus trial while I thought about it. 4 days to go!

I admit to being 56, female, unfamiliar with Macs, and would pay for an AV program that would do the job, but which one?? I care most about not getting a key logger because I want to bank online. I don't have the clarity and memory anymore to delve in the backwoods like I used to on my PC (even back in DOS days). I just want to be as safe as poss.

I've read the golden rules but can't be sure I've kept them!
I have a separate standard account for everyday use, but do often get asked for admin passwords, and keychain is a mystery to me because it doesn't behave consistently, to my mind. I've downloaded some programs like flip4mac, a wma converter, dropbox - things I'd expect to be ok. But can you pick up trojans from just surfing? I've also played some online games, like bejeweled (bless). I'd like to download some but don't know when to trust a game site, or how to find which to trust. It's all very well saying don't make that mistake, but if you are to stray further than what comes with your new Mac, you have to take a risk, including entering your admin password, don't you??

If you don't understand how I can be this isn't feeble and still be allowed to use a computer, just try to imagine how you'd help your Grandma to have a good and safe experience with her Mac cos she couldn't get out and needed to shop online. That's not unlike my situation. So I'd be so grateful if you can help, suggest, and put my mind at rest if I'm OK here? I've posted my standard user's Activity Monitor below, if you'd take a look please? I did start googling them, but I got so tired.

More risky is my father's behaviour, playing on poker sites, clicking everywhere, and no password, just hit return! He's 84. You try getting him to remember! He has his own Mac, thank God, but I want to help him bank online, and a keystroke logger would be disastrous!

If I ever decide to do a reinstall, can you tell me this: Does the installation disc contain all the additional apps that came on the new machine, ie The iLife components like Garage Band?


My activity monitor for my standard user is here (spacing a bit odd, but I think everything got expanded to view):
Am I clean, and would it be a different picture for my admin account do you think? Did someone say Key loggers can hide? Might they not show up here then? Perhaps I should just stay in bed!

Thanks so much
B


1 launchd
83048 WindowServer
14 syslogd
56 socketfilterfw
28 securityd
30 ptmd
48 ProtectMacAntiVirus
23 ntpd
11 notifyd
83205 mdworker
31 mds
32 mDNSResponder
83047 loginwindow
83085 launchd
83144 WebKitPluginAgent
83181 Flash Player (Safari Internet plug-in)
83109 UserEventAgent
83209 TextEdit
83090 SystemUIServer
83135 Safari
83203 Quick Look Helper
83117 ProtectMacAntiVirusAgent
83104 pboard
83123 iTunesHelper
83122 GrowlHelperApp
83099 fontd
83091 Finder
83124 Dropbox
83131 dbfseventsd
83089 Dock
83146 AppleSpell.service
83115 AirPort Base Station Agent
83229 Activity Monitor
10 kextd
34 KernelEventAgent
36 hidd
83078 hdiejectd
37 fseventsd
39 dynamic_pager
16 distnoted
83074 diskimages-helper
12 diskarbitrationd
15 DirectoryService
76 cvmsServ
83212 cupsd
51 coreservicesd
87 coreaudiod
13 configd
74770 clamd
17 blued
45 autofsd
83231 activitymonitord
0 kernel_task
  Reply With Quote
Old 07-23-2011, 03:06 PM   #178
wally
Guest
 
Posts: n/a
Need Help

Hey All....

OK so I'm very very new to MAC (had it for like a month now). Here's my problem:

A few days ago someone hacked my gmail, hotmail and facebook and changed all backup information and passwords. I have managed to get gmail and facebook back but not hotmail.

i have reason to believe that there might be a key logger on my comp...i really need to get this checked.

activity monitor is below: PLEASE HELP!!!!

369 Activity Monitor waleedelahi 3.7 2 29.7 MB Intel (64 bit)
118 AirPort Base Station Agent waleedelahi 0.0 4 5.8 MB Intel (64 bit)
140 AppleSpell.service waleedelahi 0.0 2 7.5 MB Intel (64 bit)
113 AppleVNCServer waleedelahi 0.0 4 3.9 MB Intel (64 bit)
96 Dock waleedelahi 0.0 3 24.4 MB Intel (64 bit)
98 Finder waleedelahi 0.0 4 12.5 MB Intel (64 bit)
343 Flash Player (Safari Internet plug-in) waleedelahi 0.3 13 27.7 MB Intel
102 fontd waleedelahi 0.0 2 5.1 MB Intel (64 bit)
376 googletalkbrowserplugin (Safari Internet plug-in) waleedelahi 0.0 3 3.9 MB Intel
377 GoogleTalkPlugin waleedelahi 0.0 8 9.9 MB Intel
120 imagent waleedelahi 0.0 5 6.1 MB Intel (64 bit)
126 iTunesHelper waleedelahi 0.0 3 2.9 MB Intel (64 bit)
92 launchd waleedelahi 0.0 2 1.0 MB Intel (64 bit)
38 loginwindow waleedelahi 0.0 2 8.0 MB Intel (64 bit)
100 pboard waleedelahi 0.0 1 856 KB Intel (64 bit)
135 Safari waleedelahi 3.1 10 354.0 MB Intel (64 bit)
97 SystemUIServer waleedelahi 0.0 3 14.3 MB Intel (64 bit)
110 UserEventAgent waleedelahi 0.0 3 7.1 MB Intel (64 bit)
379 VDCAssistant waleedelahi 0.0 4 4.1 MB Intel (64 bit)
141 WebKitPluginAgent waleedelahi 0.0 2 1,020 KB Intel (64 bit)
  Reply With Quote
Old 09-22-2011, 02:04 PM   #179
cabiesesch
Guest
 
Posts: n/a
pls help i found something called activitymonitrd (with a d) in my activity monitor.

141 Activity Monitor marinescabieses 10.0 6 29.6 MB Intel (64 bit)
143 activitymonitord root 1.5 1 1.1 MB Intel (64 bit)
119 AirPort Base Station Agent marinescabieses 0.0 3 1.6 MB Intel (64 bit)
46 autofsd root 0.0 2 976 KB Intel (64 bit)
17 blued root 0.0 3 4.2 MB Intel (64 bit)
13 configd root 0.0 7 3.0 MB Intel (64 bit)
77 coreaudiod _coreaudiod 0.0 2 2.2 MB Intel (64 bit)
54 coreservicesd root 0.5 5 12.7 MB Intel (64 bit)
24 cupsd root 0.0 3 2.2 MB Intel (64 bit)
66 cvmsServ root 0.0 1 804 KB Intel (64 bit)
15 DirectoryService root 0.0 6 4.6 MB Intel (64 bit)
12 diskarbitrationd root 0.0 2 1.4 MB Intel (64 bit)
16 distnoted daemon 0.0 3 1.2 MB Intel (64 bit)
103 Dock marinescabieses 0.0 3 13.3 MB Intel (64 bit)
40 dynamic_pager root 0.0 1 788 KB Intel (64 bit)
105 Finder marinescabieses 0.0 6 30.5 MB Intel (64 bit)
108 fontd marinescabieses 0.0 2 4.3 MB Intel (64 bit)
38 fseventsd root 0.0 12 1.6 MB Intel (64 bit)
37 hidd root 0.0 3 1.5 MB Intel (64 bit)
127 iTunesHelper marinescabieses 0.0 3 2.8 MB Intel (64 bit)
0 kernel_task root 0.9 58 84.2 MB Intel
35 KernelEventAgent root 0.0 3 1,004 KB Intel (64 bit)
10 kextd root 0.0 2 2.6 MB Intel (64 bit)
1 launchd root 0.0 3 1.2 MB Intel (64 bit)
  Reply With Quote
Old 09-26-2011, 04:07 PM   #180
revdarkwolf
Guest
 
Posts: n/a
best logger on mac

Blackcurrant, and wally I'm not sure what all you have heard, I had been a Mac user since they 1st came out, I worked for Apple in San Jose. It is not hard at all to monitor someone's activity on your Mac. The program will cost you some money just over 100 I do believe. I personally use it to keep track of my kids my ex-wife, and that is why she is my ex-wife, and have just recently found a great name used for. It will log all these little back door injuries to your information while you're surfing the web. I'm not sure if the programmers you realize what it does since they don't advertise for that. The program is called Specter. They have for Windows and Mac. Best money I ever spent. It records every keystroke every webpage every e-mail, I just cannot say enough about it. You're worried that someone is accessing your computer get Specter it runs completely hidden, even stays out of the activity files. The only way to detect if you have Spector on your computer is to buy it and try to install it. I hope this helps you in your right there is nothing wrong with being paranoid because they are out to get you a you may not know who but somebody always wants something from you.
  Reply With Quote