Long story short, a friend of mine received an "unrecognized IP successful login" alert on a Microsoft mail account he owns. The conditions of the "hack" (timing, password used, etc.) are such that the only viable option other than a "false positive" alert (which is still very likely) is that the password was somehow stolen from the client – an iMac – used to create the account in a very short timespan (the "compromise" date is just 5 minutes after the original account creation) – if you like, you can find more details in this question on Information Security.
Anyway, the point is that if there was a compromise, then there must be some keylogger or similar malware on the machine. I did some basic search but found nothing. Also tried to install Little Snitch, but the network filters didn't show anything suspicious.
That said, since I can't find any infection to remove nor can I be sure that the alert my friend received was a false positive, I was planning to "restore/reinstall/format" the machine, even if that means sacrificing all the data contained on it. But I must admit my ignorance… even if I also own an iMac I never had the need to restore it after some compromise, so I don't really know how to proceed.
I am therefore asking for suggestions about the best approach here. I assume I will have to download an operating system ISO somewhere on Apple's site and then use that to restore the system, but I am not sure. This page seems to indicate that I should enter "Restore Mode" and work up from there... but... does that mean that the "restore" component is still tied to the currently installed OS and could have been compromised too, in a way that could give an infection the ability to survive the "wipe"?
Sorry if these questions seem a little confused or paranoid, but having found no trace of the alleged infection I am now starting to evaluate every possibility.
Best Answer
Here's how to detect keyloggers:
Run this command in terminal:
kextstat
Something like this should appear:
So my first 143 kexts all start with com.apple, so they should be safe (unless somebody uses Apple's bundle id, so look closely at each one of them and see if there's something wrong with the name), and I have installed Parallels, so it should be safe too.
Next, check if one of the extensions links against something that doesn't make sense, like an audio extension linking with a networking library. You can see what they are linked to by looking inside the angle brackets <>. For example, item 114 (com.parallels.virtualhid) links to item 1, which is com.apple.kpi.bsd, as 1 is inside the angle brackets (<37 5 4 3 1>).
If you find something suspicious, remove it, but before you go on be sure that you have the right kernel extension. Disabling the wrong kernel extension can make life really hard. They are usually found in System/Library/Extensions and end with the extension .kext.
Now if you really want to completely reinstall macOS, follow these steps:
Shut down your computer, then power it up while holding Command-R.
Select "Disk Utility" from the menu
Click on Erase and confirm the dialogs (May take a while to erase)
Select "reinstall macOS"
Follow its instructions
Note that installation may take a long time, especially when your internet connection is slow as it actually downloads the OS from the internet.
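Resolving the numbers inside the angle brackets by hand is tedious on a machine with a hundred-plus kexts, so here is an added example (mine, not the answer author's) that parses kextstat output, maps every <Linked Against> index back to a bundle name, and lists each kext whose id is not under com.apple together with what it links against. The sample rows are constructed, not captured from a real machine; on the machine under review you would feed it the real kextstat output.

```python
import re
from typing import Dict, List, NamedTuple, Tuple
class Kext(NamedTuple):
    index: int
    name: str
    version: str
    links: List[int]  # indices from the <Linked Against> column
# One kextstat row: Index Refs Address Size Wired Name (Version) [UUID] [<Linked Against>]
ROW = re.compile(
    r"^\s*(\d+)\s+\d+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+"
    r"(\S+)\s+\(([^)]*)\)(?:\s+[0-9A-Fa-f-]+)?(?:\s+<([^>]*)>)?\s*$"
)

# Constructed sample (not real output); the Parallels row mirrors the one in the answer.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  120 0xffffff7f80a7f000 0x9000     0x9000     com.apple.kpi.bsd (16.7.0) 7F4D2E0B-1A2B-3C4D-5E6F-708192A3B4C5
    3  110 0xffffff7f80a9a000 0x7000     0x7000     com.apple.kpi.libkern (16.7.0) 0C9E8D7F-6A5B-4C3D-2E1F-A0B1C2D3E4F5
    4   95 0xffffff7f80aa3000 0x3000     0x3000     com.apple.kpi.mach (16.7.0) 11223344-5566-7788-99AA-BBCCDDEEFF00
    5   80 0xffffff7f80aa8000 0x4000     0x4000     com.apple.kpi.iokit (16.7.0) AABBCCDD-EEFF-0011-2233-445566778899
   37   12 0xffffff7f81c00000 0x1f000    0x1f000    com.apple.iokit.IOHIDFamily (2.0.0) 12345678-90AB-CDEF-1234-567890ABCDEF <5 4 3 1>
  114    0 0xffffff7f83a00000 0x5000     0x5000     com.parallels.virtualhid (13.0.0) FEDCBA98-7654-3210-FEDC-BA9876543210 <37 5 4 3 1>
"""

def parse_kextstat(text: str) -> Dict[int, Kext]:
    """Map each kext index to its parsed row; the header and unknown lines are skipped."""
    kexts: Dict[int, Kext] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, name, ver, linked = m.groups()
            links = [int(i) for i in linked.split()] if linked else []
            kexts[int(idx)] = Kext(int(idx), name, ver, links)
    return kexts

def non_apple_kexts(kexts: Dict[int, Kext]) -> List[Tuple[str, List[str]]]:
    """Every kext not under com.apple., with the names of the kexts it links against."""
    report = []
    for k in sorted(kexts.values(), key=lambda k: k.index):
        if not k.name.startswith("com.apple."):
            deps = [kexts[i].name if i in kexts else f"<unknown index {i}>" for i in k.links]
            report.append((k.name, deps))
    return report

if __name__ == "__main__":
    # On the machine under review replace SAMPLE_KEXTSTAT with the real output, e.g.
    # subprocess.run(["kextstat"], capture_output=True, text=True).stdout
    for name, deps in non_apple_kexts(parse_kextstat(SAMPLE_KEXTSTAT)):
        print(f"{name} links against: {', '.join(deps)}")
```

A kext that is not Apple's and that you did not knowingly install, or one whose dependencies do not fit its name, is the candidate to investigate before touching anything in System/Library/Extensions.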