Snoop, Sneak, Sniff
Mac users are more likely to be affected by tracking threats than by malware.
Why? Let’s start by defining what a tracking threat is.
Tracking threats are software or applications that snoop on a user’s activity, sneak out passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and such tools are widely available on the internet.
This type of software is also classified as grayware. Grayware is not considered malware, and it is not dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.
LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.
Below are the packages and their descriptions.
logkextdaemon.pkg – This package contains logKextDaemon, which is in Mac universal binary format. This binary is a daemon program that runs in the background and manages the keylogging activity.
logkextkeymap.pkg – This package contains a property list file, logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and characters.
Logkext-1.pkg – This package contains another package named LogKext.kext, which contains a binary file, LogKext. LogKext is the main program responsible for intercepting keyboard events by using the IOHIDSystem and IOHIKeyboard classes in the kernel.
logkextReadme.pkg – This package contains LogKext Readme.html, which includes an install and uninstall guide, release notes and frequently asked questions.
logkextuninstall.pkg – This package contains LogKextUninstall.command, a terminal shell script that stops logKext from running and removes its related files.
The packages were installed in this order:
The following files were created:
This program can monitor and record a user’s keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.
So, imagine if this piece of software fell into the wrong hands?
It is even more worrying when you think you have downloaded and installed a clean application, but undocumented details mean there are hidden or unexplained features that could be working in the background.
Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)
Inside this image are the following files:
Disclaimer.rtf – This document informs the user that “You are held responsible for your actions”. Check the full disclaimer here.
Keylogger X – This is the binary file, in Preferred Executable Format (the signature starts with “Joy!peffpwpc”).
Read Me.rtf – This document describes this program as “Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called “User Preferences”. “
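One triage check a practitioner wants when looking inside a downloaded image like this is to confirm what kind of executable a file is, which is what the “Joy!peffpwpc” signature above tells us. The following is an added example, not code from the original post: it parses the 40-byte PEF container header (tags, architecture, format version, date stamp, version fields, section counts) and gives a coarse PEF/Mach-O label from a file’s leading bytes. The SAMPLE_PEF header bytes are constructed for the demonstration.

```python
import struct

# PEF container header (big-endian, 40 bytes): tag1, tag2, architecture,
# formatVersion, dateTimeStamp, oldDefVersion, oldImpVersion,
# currentVersion, sectionCount, instSectionCount, reservedA.
PEF_HEADER = struct.Struct(">4s4s4sIIIIIHHI")
PEF_ARCHITECTURES = {b"pwpc": "PowerPC", b"m68k": "68K"}
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit (byte-swapped)",
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit (byte-swapped)",
    b"\xca\xfe\xba\xbe": "mach-o fat/universal",
}

# Constructed sample: PowerPC PEF header with 3 sections and no section data.
SAMPLE_PEF = PEF_HEADER.pack(b"Joy!", b"peff", b"pwpc", 1,
                             0xB7B5C980, 0, 0, 0x01008000, 3, 3, 0)

def is_pef(data: bytes) -> bool:
    # 'Joy!' + 'peff' followed by the architecture tag, e.g. 'Joy!peffpwpc'.
    return data[:8] == b"Joy!peff" and data[8:12] in PEF_ARCHITECTURES

def parse_pef_header(data: bytes) -> dict:
    # Decode the container header; reject anything that is not a PEF file.
    if len(data) < PEF_HEADER.size or not is_pef(data):
        raise ValueError("not a PEF container")
    (_t1, _t2, arch, fmt_ver, stamp, _old_def, _old_imp,
     cur_ver, sections, inst_sections, _res) = PEF_HEADER.unpack_from(data)
    if fmt_ver != 1:
        raise ValueError(f"unsupported PEF formatVersion {fmt_ver}")
    if inst_sections > sections:
        raise ValueError("instSectionCount exceeds sectionCount")
    return {
        "architecture": PEF_ARCHITECTURES[arch],
        "format_version": fmt_ver,
        "date_time_stamp": stamp,       # seconds since 1904-01-01 (Mac epoch)
        "current_version": cur_ver,
        "section_count": sections,
        "instantiated_sections": inst_sections,
    }

def classify_executable(data: bytes) -> str:
    # Coarse triage label from the first bytes: PEF, Mach-O, or unknown.
    if is_pef(data):
        return "pef (" + PEF_ARCHITECTURES[data[8:12]] + ")"
    return MACHO_MAGICS.get(data[:4], "unknown")
```

Run `classify_executable` and `parse_pef_header` over the first 40 bytes of each file extracted from the image to get a quick inventory of what is actually executable and for which architecture.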
Ok, let’s run and check this program. Oops, there’s nothing on your screen, and you cannot even find a “User Preferences” folder. Where is it? Nobody knows!
Is it running in the background?
The behavior of this program is not acceptable and is a very real threat to users.