I am on OSX 10.9.2. Please note I have included several URLs in my post; this is not spam, this is due to the nature of the malware.
I have just discovered I have malware on my computer after noticing that my network traffic became incredibly slow and many of the requests timed out after the first request in Safari, Firefox or Chrome.
I also noticed that sometimes it would be making a request to www35.glam.com, and that whenever I restart either Chrome or Firefox, regardless of my homepage settings, icanhaz.cheezburger.com would open in a new tab and yahoo search would appear in my main tab.
I have found a process on my computer called running
when issuing the following command:
sudo lsof -lnP +M -i4
If I kill the process, my active running browsers speed up immensely and my requests perform like they did before. I have run the ps xuwww command on the process's PID and this is the output I am getting:
PID TT STAT TIME COMMAND
13718 ?? S 0:00.93 curl --compress --connect-timeout 60 -s -A Prey/0.6.2 (mac) --connect-timeout 3 -L www.google.com --dump-header /tmp/prey-curl-headers.txt -S --stderr -
It should be noted that it always takes the same PID. I can see that it is creating a temporary file, and masquerading as a piece of software known as Prey (preyproject.com) which I have never installed (or heard of until today). That temporary file appears to be removed directly after its creation, as by the time I can ls /tmp it no longer exists.
I would appreciate advice on how to go further into removing this malware. I have run a full system scan with Avast and it fails to detect any issues.
Update and solution:
First off, this is not a duplicate of How do I deal with a compromised server?, which is regarding servers, and this is a personal machine not serving incoming traffic. I would like to post this as a solution in the answers to assist anyone else who encounters this malware, but am unable to due to its current locked status.
I managed to solve this issue by using littlesnitch to monitor requests initiated by curl. I noticed some going to control.preyproject.com. I then found an installation of prey in my /usr/share/prey folder; the files had a date modified time way before I had purchased the laptop (new from factory). I used the following command to remove the installation (found here):
sudo rm -Rf /usr/share/prey; (sudo crontab -l | grep -v prey) | sudo crontab -
That seems to have done it... no more weird behaviour. After resetting my browser settings to factory it has not altered them again, and I am not seeing any unexpected traffic in littlesnitch, which I have configured to alert me to all non-system outgoing and incoming traffic.
I believe this to be rather dangerous, as Prey allows an internet-connected remote user to lock your computer, take control of its camera and retrieve its location (probably more functionality I do not know of). If this is not removed there is a chance the hacker is using it to do so.
If you do receive this malware, the first thing I suggest you do is block all traffic incoming and outgoing to preyproject.com (although they may have multiple domains, so this isn't guaranteed to shield you) to prevent such events from happening.
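As an added example (not code from the original post or from the Prey project), the following read-only triage script checks a Mac for the three artifacts the post describes: the /usr/share/prey directory, a crontab line referencing prey, and a running curl process that presents the "Prey/<version> (mac)" User-Agent. The install path and the curl command line are taken from the post; the crontab entry format and the sample process listing used for the offline self-test are constructed assumptions, not real captures. It only reports; the removal command from the post is what you would run after confirming a hit.

```shell
#!/bin/sh
# Added triage example; not the poster's code and not Prey's own tooling.
# Read-only: it reports the artifacts described in the post and removes nothing.
# Run live as root so crontab -l shows root's crontab:  sudo sh prey_triage.sh --live

PREY_DIR="/usr/share/prey"   # install path from the post; assumed unchanged

# Succeed (exit 0) when the crontab text passed as $1 references prey.
cron_has_prey() {
    printf '%s\n' "$1" | grep -qi 'prey'
}

# Succeed when the process listing passed as $1 contains a curl process sending
# the Prey User-Agent (the "-A Prey/..." pattern from the post's ps output).
# The second grep drops a grep process that would otherwise match itself.
ps_has_prey_curl() {
    printf '%s\n' "$1" | grep -E 'curl .*-A Prey/' | grep -qv 'grep'
}

# Live check of this machine. Prints findings; returns 1 if anything was found.
triage_host() {
    found=0
    if [ -d "$PREY_DIR" ]; then
        echo "FOUND: $PREY_DIR exists:"
        ls -ld "$PREY_DIR"
        found=1
    fi
    if cron_has_prey "$(crontab -l 2>/dev/null)"; then
        echo "FOUND: crontab entry referencing prey:"
        crontab -l 2>/dev/null | grep -i 'prey'
        found=1
    fi
    if ps_has_prey_curl "$(ps axww -o pid=,command=)"; then
        echo "FOUND: curl process with Prey User-Agent:"
        ps axww -o pid=,command= | grep -E 'curl .*-A Prey/' | grep -v 'grep'
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "No Prey artifacts found."
    fi
    return "$found"
}

# Constructed sample inputs for an offline self-test (not real captures).
# The cron line is a hypothetical entry, not Prey's actual one; the curl line
# is the command seen in the post.
SAMPLE_CRON_INFECTED='*/20 * * * * /usr/share/prey/prey.sh'
SAMPLE_CRON_CLEAN='0 3 * * * /usr/bin/periodic daily'
SAMPLE_PS_INFECTED='13718 curl --compress --connect-timeout 60 -s -A Prey/0.6.2 (mac) --connect-timeout 3 -L www.google.com --dump-header /tmp/prey-curl-headers.txt -S --stderr -'
SAMPLE_PS_CLEAN='  412 /usr/sbin/mDNSResponder
  901 grep curl -A Prey/'

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    triage_host
fi
```

Because the checks take their input as a string, the same functions can be pointed at a crontab dump or ps listing copied from another machine, which is useful when comparing a suspect laptop against a clean one.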