How to be 100% sure that your Mac has malware

A 12 step program for those in denial

TIP: Skip to the * * * section if you don't have the time to listen to me.

If you have ever asked any of the overwhelming majority of Mac users who don't believe in malware a question about it, you're certain to get a response along the lines of "No, Macs don't get malware. It must be something you did or something you are doing wrong."

These people live in denial and are probably actually smarter than the minority who have accepted reality, for the simple fact that ignorance is bliss. If you don't know about an issue, then there is no issue! You aren't depressed about all those charities and their sad stories because you decide to ignore them! I suggest you at least consider this technique as something you may decide is better for you in the long run. If you don't know anyone is hacking into your computer, then are they really hacking into it? I for one have never heard a tree fall, and it's entirely possible that they make no noise.

If you are smart/stupid enough to operate under that logic, then do take some time to evaluate whether knowing is what's really best for you as a unique individual. Go eat something; you're certainly forgetting something important right now; there's probably a relative you should be calling anyway; and I doubt you're getting enough sleep. Really, at least go take a vitamin, drink some water, brush your teeth, maybe change your clothes, don't watch the news, compliment someone (you'll feel way too good about it...it's a selfish deed really, if you need an excuse).

* * *


The best way to tell if you have malware on your Mac is most definitely not a virus scan. Not that scanners can't be very useful; it's just that Mac malware tends to be fairly sophisticated. Malware developers don't want to spoil Apple's reputation of being untouched, because it is an excellent cover. Mac malware tends to hide itself in complex ways, especially when anti-virus software or other tools one might use to confirm malware are in use.

The most useful analogy is to a "rootkit." If you have heard the phrase, it generally means something scary, very bad and persistent. That's because it just refers to getting "root" (admin) access, aka your admin account's password...which you've given to every popup that has ever come up...

There will always be someone who seems authoritative telling you that you're a paranoid nutcase, but the best way to stop their 40 hours a week of propaganda is with messages generated by Apple/Intel and other reliable sources.

Follow these specific steps to capture the messages your computer generates as it is just starting up, before the operating system (and its malware) has fully loaded and can block these telltale error messages.

You may want to print this or follow along on another device. You'll also need a smartphone or other video camera capable of capturing reasonably high-speed video. Any iPhone/iPad should work just fine.

  1. Shut down your computer.

  2. Boot into Recovery Mode by holding down the "Command" and "R" keys as/after you start your computer. If you have a Bluetooth keyboard this may be trickier, as you probably need to wait a second after pressing the power button.

  3. In the menu options at the top of the screen, select Utilities, then open Terminal.

  4. Now we want to check the contents of your NVRAM (Non-Volatile RAM: it doesn't get wiped when power is lost; some relics call this PRAM or MACOSX). Type nvram -p in the Terminal window and hit enter. It probably prints a bunch of nonsense. The more confusing it looks, the more likely it's nefarious. If it looks like "Q3JhcHBsZQ==" it's in Base64 format. If there are lots of % signs it's URL encoded and can probably be translated by removing the % signs and grouping together discernible words. Typing nvram -xp is more likely to generate Base64, which is harder to read but easier to decode automatically than URL encoding.

  5. Delete/factory restore the contents of your NVRAM with nvram -c.

  6. Enter special startup commands. Type nvram boot-args="-s -v -x cpus=1 debug=0x144e kextlog=0xffffffff" and hit enter. Don't forget to use quotes after the = and at the end. The leading characters in 0x144e and 0xffffffff are zeros, not the letter "O". Double check this step carefully.

  7. Start recording a video of your screen. Most messages will appear on the left half of the screen and will pass by very quickly, so get the camera focused properly and securely in place, ready for 5-10 minutes of recording. You can also set up kernel debugging remotely, but that's more complicated.

TIP: Brace yourself for an unusual and colorful startup that is about the opposite of the boring Apple logo you are used to. It will take at least 5 minutes to complete.

  8. Restart the computer using the Apple logo > Restart or by typing reboot.

  9. Your computer will now be forced to start up in single-user verbose safe mode using only 1 processor of the 4 or 8 available, and will show debugging messages and highly detailed log messages regarding your kernel extensions.

  10. Be sure to record everything from start to finish. You may miss some details, and you probably won't really need them, but you can always repeat the process.

  11. Review your footage. If you have malware, it is likely in the form of (or requires) fraudulent kernel extensions for hiding and operation. If this is the case you will see warning messages from the genuine Apple kernel about the signature of these kexts, such as "Extensions with invalid signatures are prohibited from loading during Safe Boot. /System/Library/Extensions/AppleKextExcludeList.kext has been prohibited from loading/has an invalid signature."

  12. If you are warned about the signature of any of your kernel extensions, you have undeniable evidence that you have a malware infection. Congratulations, it's a virus!!!
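Step 4 says the nvram -p dump looks like nonsense; the % signs it mentions are how nvram prints bytes outside printable ASCII, so decoding them is mechanical rather than guesswork. The script below is an added example, not from the original post: it assumes the tab-separated name/value layout of nvram -p, works on a constructed sample dump (not a capture from a real Mac), and also confirms that boot-args holds exactly the string from step 6 before you reboot.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes nvram -p prints one
# variable per line, name and value separated by a tab, and shows bytes
# outside printable ASCII as %XX.
TAB=$(printf '\t')
EXPECTED_BOOT_ARGS='-s -v -x cpus=1 debug=0x144e kextlog=0xffffffff'

# Constructed sample dump (not captured from a real machine).
SAMPLE_NVRAM="boot-args${TAB}${EXPECTED_BOOT_ARGS}
SystemAudioVolume${TAB}%80
fmm-computer-name${TAB}Example%27s MacBook"

# Turn each %XX escape back into the byte it stands for, one char at a time.
decode_percent() {
  s=$1 out=''
  while [ -n "$s" ]; do
    case $s in
      %[0-9a-fA-F][0-9a-fA-F]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}                # the two hex digits
        out="$out$(printf "\\$(printf '%03o' "0x$hex")")" # emit as \ooo byte
        s=${s#???} ;;
      *)
        out="$out${s%"${s#?}"}"; s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
}

# Print the decoded value of variable $1 from dump $2.
nvram_value() {
  printf '%s\n' "$2" | while IFS=$TAB read -r name value; do
    [ "$name" = "$1" ] && { decode_percent "$value"; printf '\n'; }
  done
}

# Print every variable as name=decoded-value so the dump can be reviewed.
list_decoded() {
  printf '%s\n' "$1" | while IFS=$TAB read -r name value; do
    printf '%s=%s\n' "$name" "$(decode_percent "$value")"
  done
}

# Succeed only when boot-args matches step 6 exactly; a typo there means
# the verbose single-user boot the later steps rely on never happens.
check_boot_args() {
  [ "$(nvram_value boot-args "$1")" = "$EXPECTED_BOOT_ARGS" ]
}

list_decoded "$SAMPLE_NVRAM"
check_boot_args "$SAMPLE_NVRAM" && echo "boot-args matches step 6"
```

On a real Mac, replace the sample with `nvram -p` output (for example `list_decoded "$(nvram -p)"`) after step 6 and before step 8.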

To get rid of this colorful startup mode, go back and repeat steps 1-5 to clear your NVRAM, or just hold down Command, Option, P, and R as your computer starts up.

Unfortunately there are no good solutions to this problem, so call up Apple and give them hell. Threaten to sue. Write your Congressperson, City Hall, the President. Plan a boycott or a protest. It's all equally useless. Throw the computer away and don't buy any more of the junk until they fix their problem.

Really, tell your friends. Tweet about it. Make a Facebook page. Pass out these instructions to a line of people waiting for the new iPhone. Spread the word like a virus. It isn't right that they can deny reality and allow the continued abuse of your personal property, data and security in the name of profit. Small claims court is always a viable option, and sure to make some headlines. If enough people sued for their money back on the premise that AppleCare still denies even the existence of malware and offers no viable solution (reinstalling your OS is likely useless, but feel free to try it!!).