While you might suspect your MacOS computer has been infected with malware, it can be difficult to know for sure. One way to spot malicious programs is to look for suspicious behavior — like programs listening in on our keyboard input or launching themselves every time we boot. Thanks to free MacOS tools called ReiKey and KnockKnock, we can detect suspicious programs to discover keyloggers and other persistent malware lurking on our system.
There are many ways a keylogger or malware can end up on your MacOS system. It can happen from an infected file, a hacker with a USB Rubber Ducky, or, more likely, a jealous spouse or overprotective family member trying to monitor your actions. Ensuring your communications aren't being intercepted by someone is a concern for anyone who values their privacy, but how much malware is really out there for MacOS?
Patrick Wardle, an ex-NSA hacker who creates MacOS security tools, studies malware written for Apple devices. On his website https://objective-see.com/, Patrick hosts live samples of MacOS malware for researchers to study, and the variety of malware discovered in the wild is shocking. A simple search for keyloggers finds five separate kinds of keylogger malware for MacOS devices.
That presents a challenge: how do we defend against all of these different kinds of malware if even keyloggers come in five different flavors? Wardle's answer is to search for the behavior of malicious programs like keyloggers rather than just searching for programs themselves.
For example, a keylogger taps into the stream of events from our keyboard, allowing an attacker to intercept every key the victim types. Seeing each key typed will enable them to learn account passwords, intercept communications, and more. But, to truly be effective, these programs must run as soon as we login to our computer. Meaning malicious programs will usually be installed persistently so that the victim doesn't need to open the malicious file more than once.
First, ReiKey allows us to search for one of the most essential characteristics of a keylogger: programs that have tapped into our keyboard stream. Looking for keyboard stream access will alert us to any keyloggers installed on our system, not just those recognized by an antivirus.
Additionally, because a keylogger will also be installed persistently, we can discover it with another free tool called KnockKnock. When you run KnockKock, it breaks down persistently installed programs into easy to understand categories. These will include types of programs that malware will typically take advantage of to run persistently: browser extensions, launch items, kernel extensions, and plugins.
After scanning your system, KnockKnock will identify each persistently installed item and check to see if it's been flagged in VirusTotal.
If a malicious program is lurking on your system, you'll identify it by clicking on the "Info" icon to dig further into the details. If you've discovered files that are flagged by VirusTotal and look suspicious, this is a strong indication that your system is compromised by malware, adware, or other malicious and unwanted programs.
Let's test out these programs and see what we can find on our Mac.
To use KnockKnock and ReiKey, you'll need an up-to-date MacOS system to install it on. You'll also need an internet connection and browser to download the installer programs.
First, navigate to the product page for ReiKey on Objective-see.com, and locate the download link under the ReiKey icon on the top left of the page.
Download the installer and unzip. Double click on the "ReiKey Installer.app" file to launch the installer program.
When the installer opens, simply click the "Install" button to install ReiKey on your MacOS system.
As soon as the installation is complete, you can click "next" to close out of the installer. You should now have a ReiKey icon in your task bar, allowing you to access the app's preferences.
Click the ReiKey icon in the task bar, and then click the "Preferences" option. There you can access the configuration options, allowing you to set whether to run the program at login, run with an icon in the status bar, and whether to ignore Apple's programs when scanning.
When I ran a Python keylogger, I got the following alert on my device.
Now that ReiKey is installed and configured let's run a scan.
Click the ReiKey icon in the status bar again, and this time click the "Scan" option. A window will pop up with the scan results, showing if any programs are tapping into our keyboard.
Here, we can see a negative result. If you see something here, it means some program is listening in on your every keystroke.
Next, we'll install KnockKnock to look for persistent malware. To do this, navigate to the page for KnockKnock. Locate the download icon for the app on the top left.
Once KnockKnock is downloaded, you can run it directly without needing to run an installer.
Run the "KnockKnock.app" file you downloaded, and the following window should open. To begin, click the arrow icon to initiate a scan. The scanning process will require you to grant the app permissions to access various folders and programs if you're running the latest version of MacOS, Catalina.
After scanning the files in your system, a list of persistently installed programs will appear. Many things might be installed persistently that aren't malicious, so check each result to see if you recognize the program. If you have, for example, browser extensions you don't use or recognize, it might be a good idea to remove them.
We can also identify programs with suspicious qualities. Here, we see that a persistently installed script is unsigned, as revealed by the unlocked icon.
If we want to take a closer look at this, we can click the "Info" icon to reveal more details.
If we want to take a closer look at a file, we can do so by clicking the VirusTotal score. The score will reveal the detection ratio and a link to the report. If we want to submit the file again, click "rescan" to send it to VirusTotal again.
Resending will give you access to a detailed report. Here, we see the detection report for the previously flagged unsigned "Tor" program we found.
It looks like this file isn't malicious, but if it were, this is exactly how we would discover and test it.
The average MacOS user may struggle to identify malware on their computer. Thanks to ReiKey and KnockKnock, badly-behaving software can be detected as soon as it is installed. If you're worried about a partner installing a keylogger, an employer bugging your computer, or unwanted adware hanging around and consuming memory, these tools make it easy to keep your MacOS system free from spyware and persistent malware.
Also, make sure you go check out the "products" section objective-see.com for more free security tools for MacOS.
I hope you enjoyed this guide to detecting malware on your MacOS computer with ReiKey and KnockKnock! If you have any questions about this tutorial on securing your Mac, please ask below. If you have a comment or idea for a future episode, feel free to reach me on Twitter @KodyKinzie.