Intruder Alert! 4 ways to track down hidden Mac malware
Are programs running on your computer that you don’t know about? Could a mischievous installer have plunked an unknown application in your Login Items list and set it to hide each time it launches at startup? If you’re curious, there are a number of ways to find out.
1. Check Login and Startup Items: It’s easy to check your Login Items. Go to the Accounts system preferences panel and click the Login Items tab to see what’s listed. Here, you’ll find items that automatically run whenever you log in—or, if your Mac is set up to automatically log you in, whenever you start up the Mac (see “Check Behind the Scenes”). Don’t forget to look in /Library/StartupItems folder as well to see if anything’s configured to launch whenever the computer starts up, regardless of who logs in.
2. Activate Activity Monitor: Activity Monitor (/Applications/Utilities) lets you keep an eye on all of the processes running on your Mac, from the applications you’ve launched, to the OS services running behind the scenes, to the underlying Unix mechanisms that make it all work. But just because you don’t recognize something—
ntpd, for example—doesn’t mean it’s a dangerous piece of software (
ntpdsyncs your Mac clock with a central time server). Skim this list periodically, though, and you’ll start to recognize what should be there and have a chance of noticing when something out of the ordinary appears.
Check Behind the Scenes : The Accounts tab in System Preferences lets you select programs you’d like your Mac to run every time you log in, but it could also contain programs that put themselves there when you ran an innocuous installer.
3. Use Feature-rich Firewall Software: Firewall software can also make you aware of unknown software running on your Mac that’s trying to make network connections. While Apple’s built-in firewall only watches for incoming connections (unless you reconfigure it manually, or using a third-party tool such as BrickHouse), other firewall software can keep an eye on outgoing connections, as well.
4. Geek Out: If you’re in a really geeky mood, type the command
sudo fs_usagein Terminal (/Applications/Utilities) followed by your administrator password when prompted to see what programs are accessing your Mac’s file system. If you have lots of software running, this will generate more info than you’ll be able to read, but if you try it with no applications (other than Terminal) running, it could expose unexpected or unwelcome software trying to read or write to your hard drive. —Mark Anbinder