
I am on OSX 10.9.2. Please note I have included several URLs in my post; this is not spam, it is due to the nature of the malware.

I have just discovered I have malware on my computer after noticing that my network traffic became incredibly slow and many of the requests timed out after the first request in Safari, Firefox or Chrome.

I also noticed that sometimes it would be making a request to www35.glam.com, and that whenever I restart either Chrome or Firefox, regardless of my homepage settings, icanhaz.cheezburger.com would open in a new tab and Yahoo search would appear in my main tab.

I have found a process on my computer called running when issuing the following command:

sudo lsof -lnP +M -i4

If I kill the process, my active running browsers speed up immensely and my requests perform like they did before. I have run the `ps xuwww` command on the process's PID and this is the output I am getting:

  PID   TT  STAT      TIME COMMAND
13718   ??  S      0:00.93 curl --compress --connect-timeout 60 -s -A Prey/0.6.2 (mac) --connect-timeout 3 -L www.google.com --dump-header /tmp/prey-curl-headers.txt -S --stderr -

It should be noted that it always takes the same PID. I can see that it is creating a temporary file, and masquerading as a piece of software known as Prey (preyproject.com) which I have never installed (or heard of until today). That temporary file appears to be removed directly after its creation, as by the time I can `ls /tmp` it no longer exists.

I would appreciate advice on how to go further into removing this malware. I have run a full system scan with Avast and it fails to detect any issues.

Update and solution:

First off, this is not a duplicate of How do I deal with a compromised server?, which is regarding servers; this is a personal machine not serving incoming traffic. I would like to post this as a solution in the answers to assist anyone else who encounters this malware, but am unable to due to its current locked status.

I managed to solve this issue by using Little Snitch to monitor requests initiated by curl. I noticed some going to control.preyproject.com. I then found an installation of Prey in my /usr/share/prey folder; the files had a date modified time way before I had purchased the laptop (new from factory). I used the following command, `sudo rm -Rf /usr/share/prey; (sudo crontab -l | grep -v prey) | sudo crontab -`, to remove the installation (found here).

That seems to have done it... no more weird behaviour. After resetting my browser settings to factory it has not altered them again, and I am not seeing any unexpected traffic in Little Snitch, which I have configured to alert me to all non-system outgoing and incoming traffic.

I believe this to be rather dangerous, as Prey allows an internet-connected remote user to lock your computer, take control of its camera and retrieve its location (probably more functionality I do not know of). If this is not removed there is a chance the hacker is using it to do so.

If you do receive this malware the first thing I suggest you do is block all traffic incoming and outgoing to preyproject.com (although they may have multiple domains, this isn't guaranteed to shield you) to prevent such events from happening.

George Reith
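The triage the post describes (spot the curl process with the Prey user agent, walk to its parent, and find the crontab entry that respawns it) as a small shell helper. This is an added example, not code from the original post or from the Prey project; the function names, the `ps -axo pid,ppid,user,command` column layout and all sample PIDs except 13718 are assumptions, and the sample ps and crontab text is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or the Prey project. It triages the
# Prey-based persistence described above from ps/crontab text, so it can run
# against the constructed sample below. On a live Mac you would feed it:
#   ps -axo pid,ppid,user,command | find_prey_curl
#   sudo crontab -l | find_prey_cron

# Print "pid ppid user" for each process whose command line carries the Prey
# curl user agent or the /tmp/prey-curl-headers.txt dump file from the post.
find_prey_curl() {
    awk 'NR > 1 && /-A Prey\/|prey-curl-headers/ { print $1, $2, $3 }'
}

# Print the command of the process with the given pid; used to walk from the
# curl child to the parent that keeps respawning it.
parent_cmd() {
    awk -v pid="$1" 'NR > 1 && $1 == pid { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# Crontab lines that keep the agent running; the post removes them with
# "(sudo crontab -l | grep -v prey) | sudo crontab -", which strip_prey_cron mirrors.
find_prey_cron() { grep -i 'prey'; }
strip_prey_cron() { grep -v -i 'prey'; }

# Constructed sample data modelled on the ps output in the post. Every PID other
# than 13718, the parent PID 13699 and the user names are made up.
SAMPLE_PS='  PID  PPID USER   COMMAND
    1     0 root   /sbin/launchd
13699     1 root   /bin/bash /usr/share/prey/prey.sh
13718 13699 root   curl --compress --connect-timeout 60 -s -A Prey/0.6.2 (mac) --connect-timeout 3 -L www.google.com --dump-header /tmp/prey-curl-headers.txt -S --stderr -
  501   420 george /Applications/Safari.app/Contents/MacOS/Safari'
SAMPLE_CRON='*/20 * * * * /usr/share/prey/prey.sh > /dev/null 2>&1
0 3 * * * /usr/bin/periodic daily'

# Report: flag the curl process, name its parent, list the cron entries, and
# check for the install directory the post found.
triage() {
    ps_text=$1; cron_text=$2
    printf '%s\n' "$ps_text" | find_prey_curl | while read -r pid ppid user; do
        echo "suspicious curl pid=$pid ppid=$ppid user=$user"
        echo "  parent: $(printf '%s\n' "$ps_text" | parent_cmd "$ppid")"
    done
    printf '%s\n' "$cron_text" | find_prey_cron | sed 's/^/cron entry: /'
    [ -d /usr/share/prey ] && echo "install dir present: /usr/share/prey"
    return 0
}

triage "$SAMPLE_PS" "$SAMPLE_CRON"
```

Run against live output the same way the post did, then compare the parent command with the cron entries before removing anything, so the persistence mechanism is confirmed rather than guessed.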
  • Fascinating. As always, the most secure solution is to reformat your HDD and reinstall the OS. I'd love to see a better answer though. – lzam Sep 21 '14 at 16:40
  • @lzam Thanks, I'd like to avoid that if possible as it is a work machine and I'd rather not risk loss of data. I was wondering if there is some sort of command to detect what process is creating a file. I have found the software Little Snitch and it is picking up the curl command; with it open it halts the command and I can see the temp file being created. – George Reith Sep 21 '14 at 17:05
  • Looks like they used an [existing anti-theft solution](https://preyproject.com/) as part of their malware. –  Sep 21 '14 at 18:02
  • As with any compromised machine, the only safe solution is to [nuke it from orbit and reinstall](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). –  Sep 21 '14 at 18:03
  • It seems very strange that such a process always appears with the same PID (perhaps you are seeing fake `ps` output? Usually processes only get the same PID when they were launched from boot, but 13718 is quite high). I would start by capturing (`wireshark`) the network traffic and then analyse it (you are probably being used to scan/attack other websites). It would also be interesting to get a copy of that malware. Look up where the curl process is (i.e. if instead of /usr/bin it's somewhere like a tmp folder). And also what the process is that spawned curl (parent process). – Ángel Sep 21 '14 at 19:51
