Your search for the origin of this sound may progress on 2 paths:
which application produces it and which sound is it.
Which application?
Here is an easy way to control if this sound is coming from
a standard screen capture.
Type the following command twice:
ls -lu /usr/bin/screencapture
First, whenever you want.
Next time, just after you heard the shutter sound.
This command will display you the time when this command was last run.
Which sound?
Quick identification
Here is a 1st attempt to be sure of which sound is used.
You can't try to recognize a sound by firing an application and trying
all the sound it can produce with its graphical interface.
The only practical approach is to use fast command lines just after
you heard your unsolicited sound.
Open a Terminal
or xterm
window and enter as is these 4 lines of
command defining short name functions to test 4 approaching sounds:
shutter() { afplay '/System/Library/Components/CoreAudio.component/Contents/Resources/CoreAudioAUUI.bundle/Contents/Resources/Grab.aif' ; }
lock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif' ; }
unlock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockOpening.aif' ; }
safe() { afplay '/System/Library/Components/CoreAudio.component/Contents/Resources/CoreAudioAUUI.bundle/Contents/Resources/Sticky Keys Locked.aif' ; }
On Mountain Lion, these sounds have moved. Then these functions have to be defined with:
shutter() { afplay '/System/Library/Components/CoreAudio.component/Contents/SharedSupport/SystemSounds/system/Grab.aif' ; }
lock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif' ; }
unlock() { afplay '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockOpening.aif' ; }
safe() { afplay '/System/Library/Components/CoreAudio.component/Contents/SharedSupport/SystemSounds/accessibility/Sticky Keys Locked.aif' ; }
Keep this window open, and as soon as you hear the unsolicited sound,
fire these four commands in turn to hear which one was played:
shutter
lock
unlock
safe
Next, to be sure, you can once more verify the access time of the identified sound file with the -lu
options of ls
. For example, you can
confirm that the lock sound was played with:
ls -lu '/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Resources/lockClosing.aif'
Deep search
If this quick approach fails, here is a command to identify the file
which was used by the system to play a sound within the preceding hour
(-atime -1h
):
find /Library /System/Library \( -type d \( -name "iTunes" -o -name "GarageBand" -o -name "Apple Loops" \) -prune \) -o \( \( -name "*.aif*" -o -name "*.wav*" -o -name "*.m4a*" \) -atime -1h -exec ls -luT {} \; \) 2>/dev/null
If this command doesn't report anything, the next step will be to run
the same deep search within your HOME directory:
find ${HOME} \( -type d -name "iTunes" -prune \) -o \( \( -name "*.aif*" -o -name "*.wav*" -o -name "*.m4a*" \) -atime -1h -exec ls -luT {} \; \) 2>/dev/null
The problem was my Time Machine backup. Here are the symptoms I got in their order:
- Time Machine get stuck during the backup stage, gives the error "ComputerX.sparsebundle is already in use"
- Process
fseventsd
started hogging CPU causing the computer to slow down
- Computer could not restart or shut down
My sparsebundle on the Time Machine was corrupted so my computer could not complete the backup. The process responsible for maintaining the backup (fseventsd
) got hung up on the currupted file and started chewing up CPU. When I tried to shutdown my computer, It would get stuck because my computer wouldn't be able to eject the corrupted sparsebundle.
I found the solution here:
In short, heres how to fix it:
1) mount your sparse bundle from your storage device
2) do a disk repair from Disk Utility
, make sure your sparse bundle is selected!
Note: If your sparse bundle is not completely corrupted, you might be able to save some of your backups depending on how corrupted the bundle is
3) If your bundle is completely toast (like mine was) then you have to completely erase the bundle and start over from scratch. You DO NOT have to erase the entire backup disk, just your bundle
Note: You may have to restart your computer to clear your bundle because now that the corrupted bundle is mounted, your computer won't be able to gracefully unmount.
Best Answer
The problem with getting pirated software is three fold:
Microsoft and IDC published a whitepaper entitled The Dangerous World of Counterfeit and Pirated Software (making it quite apropos considering it was pirated Office software) and this answer makes extensive use as a resource.
What this means is that just showing up to search for and download the software, you're immediately attacked using a wide array of tools like malware, adware, spyware, trackers, etc. It's a shotgun approach by the site/hackers to see what they can get from you.
Needless to say, not only are they trying to get something on your computer, the fact that they're using trackers tells us they're building a profile.
This is an interesting technique...what better way to get a better "picture" of your victim than to force them to return to get activation keys or cracks. This also inherently treks them that the installation of their compromised software was successful!
Emphasis mine
Granted, you didn't get an actual CD/DVD media, but these care commonly distributed as disk images (ISO/DMG) and the "unusual behavior" is in line with what you and/or your brother saw with respect to Terminal.
This is the crux of the problem!
A simple script (bash or sh) is all that's is required to open some firewall ports or modify a user shell environment file like
.bash_profile
or.zprofile
to source some malicious code every time you open a Terminal shell. These types of scripts won't necessarily show up as malware. It could be a simple script usingcurl
to connect to a website run by a hacker sending something as innocuous as you IP address or usingscp
to silently copy a file like your key chain.Remember, the genuine installer requires Admin credentials to run and you provide them when you enter your password. Any nefarious steps added will then be installed with admin (
sudo
) privileges.I'm assuming that the Terminal screen you're referring to is showing a login from a different TTY. (It's very difficult to see the Terminal prompt in the 4th picture). The script could have opened a backdoor to your computer.
The Risk
A good majority of people worry about data loss and they should be. Ransomware can bring you or your business to a complete halt because the perpetrators are literally holding your data hostage by making it inaccessible and unusable.
The second is identity theft (this is the bigger risk IMO). Having the installer add some scripts (even to
cron
so they run periodically) to send things like browser cookies, your IP address, your bookmarks, password files (keychain) and even install keyloggers (we'll get back to this one). It would be super easy to figure out that you banked at ACME bank, did your shopping at H&K and Amazon, you have a VISA from BankOne, and a MasterCard from BankTwo and you use the same username for them all.Keyloggers
Keyloggers are a very special type of malware. They straddle the line between bona fide malware and legitimate software. From Malwarebytes:
This means a keylogger commonly used by (for example) parents to oversee their children's' behavior while online can be utilized by a hacker to capture your keystrokes. Using a simple bash script, it would be super easy to
scp
that file to a website somewhere.Putting this altogether now, we potentially have a method to gather all of your browsing/surfing info creating a profile or a "picture" of you, your password (key chain) files, your location on the web (IP) and your passwords (and other credentials) all sent to an obscure web location. All of it operating under the radar because technically, none of it is malware; they're just scripts calling built in tools like
curl
orscp
.Mitigation
Make a different back up of your data! Ransomware works by encrypting your existing data with a key only your attacker knows. If your data happened to get compromised, you don't want overwrite an older, but clean Time Machine backup with bad data.
Wipe your drive and reinstall your OS. It's not impossible to clean this up; it's tedious and time consuming. Additionally, you'll always be wondering if you "got everything." The most efficient way to be positive that you've removed all potential threats is to wipe your drive clean and reinstall macOS (from a trusted source, of course).
Reinstall your Apps manually or restore from a Time Machine backup taken prior to the install of pirated software. This way you can be certain you're not bringing back compromised files.
Manually copy/restore data that was backed up post infection as you need it. It's very likely the data is safe, but for piece of mind, take an extra step and give it a once over before copying back to your system.
Change your passwords! Especially if you reuse credentials for different services. The problem here is that you don't know what was compromised - so the safest course of action is to change the password so that if it was compromised, the exposure is limited. It's very important to use different credentials for different services. Using a (paid) product like 1Password, Keeper or the open source KeePass can help you do this.
Going forward, consider using APFS snapshots before installing software. This will allow you to roll-back to a previously known-good state of your system.
TL;DR
The pirated software obviously did something when it was installed. The problem is, if it simply installed some scripts that copy files and installed a keystroke logger, it can circumvent detection by malware scanners and anti-virus tools.
The only efficient and surefire way to fix this is to wipe your drive clean and reinstall. The problem is, you don't know what was done, so you have to assume the worst and mitigate it from that standpoint.
Loss of data is always a big concern so having regular backups would be (again) a saving grace here. Identity theft is (IMO) more of a concern so changing your passwords to your accounts, especially ones that have critical data on you (i.e. financial, medical, taxes, etc.) is a high priority. Even though you may have to reuse login/username (lots of websites use email addresses), never reuse your password - don't make it easy for the attackers!
Finally, understand the time/effort that goes into fixing this all to save a few dollars by getting some pirated software. Hopefully I've painted a picture of the immense risk that you were opened up to, but as you go through the clean up process, you'll see how time and labor intensive this is. Your brother owes you big time on this one...I see you being treated to a very expensive restaurant visit in the near future.