I am on OSX 10.9.2. Please note I have included several URLs in my post; this is not spam, this is due to the nature of the malware.
I have just discovered I have malware on my computer after noticing that my network traffic became incredibly slow and many of the requests timed out after the first request in Safari, Firefox or Chrome.
I also noticed that sometimes it would be making a request to www35.glam.com, and that whenever I restart either Chrome or Firefox, regardless of my homepage settings, icanhaz.cheezburger.com would open in a new tab and Yahoo search would appear in my main tab.
I have found a process on my computer called running when issuing the following command:
sudo lsof -lnP +M -i4
If I kill the process, my active running browsers speed up immensely and my requests perform like they did before. I have run the ps xuwww command on the process's PID and this is the output I am getting:
PID TT STAT TIME COMMAND
13718 ?? S 0:00.93 curl --compress --connect-timeout 60 -s -A Prey/0.6.2 (mac) --connect-timeout 3 -L www.google.com --dump-header /tmp/prey-curl-headers.txt -S --stderr -
It should be noted that it always takes the same PID. I can see that it is creating a temporary file, and masquerading as a piece of software known as Prey (preyproject.com) which I have never installed (or heard of until today). That temporary file appears to be removed directly after its creation, as by the time I can ls /tmp it no longer exists.
I would appreciate advice on how to go further into removing this malware. I have run a full system scan with Avast and it fails to detect any issues.
Update and solution:
First off, this is not a duplicate of How do I deal with a compromised server? which is regarding servers, and this is a personal machine not serving incoming traffic. I would like to post this as a solution in the answers to assist anyone else who encounters this malware, but am unable to due to its current locked status.
I managed to solve this issue by using Little Snitch to monitor requests initiated by curl. I noticed some going to control.preyproject.com. I then found an installation of Prey in my /usr/share/prey folder; the files had a date modified time way before I had purchased the laptop (new from factory). I used the following command sudo rm -Rf /usr/share/prey; (sudo crontab -l | grep -v prey) | sudo crontab - to remove the installation (found here).
That seems to have done it... no more weird behaviour. After resetting my browser settings to factory, it has not altered them again and I am not seeing any unexpected traffic in Little Snitch, which I have configured to alert me to all non-system outgoing and incoming traffic.
I believe this to be rather dangerous, as Prey allows an internet-connected remote user to lock your computer, take control of its camera and retrieve its location (probably more functionality I do not know of). If this is not removed, there is a chance the hacker is using it to do so.
If you do receive this malware the first thing I suggest you do is block all traffic incoming and outgoing to preyproject.com (although they may have multiple domains, this isn't guaranteed to shield you) to prevent such events from happening.
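As an added example (not part of the original post or of the Prey project), the checks below turn the manual steps above into small shell functions a defender can run on the affected Mac: the install directory /usr/share/prey and the crontab | grep -v prey step come from the post, the curl user agent Prey/ comes from the ps output shown, and the crontab and ps lines embedded in the script are constructed samples so it can be tried offline before running it against the real crontab -l and ps output. Function names are my own.

```shell
#!/bin/sh
# Added example, not the original poster's code. Paths and patterns are
# taken from the post; SAMPLE_CRON and SAMPLE_PS are constructed data.

PREY_DIR=/usr/share/prey

# Filter a crontab listing on stdin, dropping any line that references prey.
# This is the post's `crontab -l | grep -v prey` step, kept separate so the
# surviving lines can be reviewed before being written back with `crontab -`.
strip_prey_cron() {
    grep -v -i 'prey'
}

# Return 0 if a single ps line shows curl sending the Prey user agent.
is_prey_curl() {
    printf '%s\n' "$1" | grep -q -E 'curl .*-A Prey/'
}

# Count prey-tagged curl processes in ps output fed on stdin (prints 0 if none).
count_prey_procs() {
    grep -c -E 'curl .*-A Prey/' || true
}

# Return 0 if the Prey install directory named in the post exists.
prey_dir_present() {
    [ -d "${1:-$PREY_DIR}" ]
}

# Constructed sample crontab (not real data): one prey entry, one benign entry.
SAMPLE_CRON='*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log
0 3 * * * /usr/bin/periodic daily'

# Constructed sample `ps xuwww` output (PID and user agent modelled on the post).
SAMPLE_PS='13718 ?? S 0:00.93 curl --compress -s -A Prey/0.6.2 (mac) -L www.google.com
402 ?? Ss 0:01.00 /usr/sbin/cupsd -l'

main() {
    echo "== crontab lines that would be kept =="
    printf '%s\n' "$SAMPLE_CRON" | strip_prey_cron
    echo "== prey-tagged curl processes in sample: $(printf '%s\n' "$SAMPLE_PS" | count_prey_procs) =="
    if prey_dir_present; then
        echo "$PREY_DIR exists: review its contents, then remove it and its cron entries"
    else
        echo "$PREY_DIR not found"
    fi
}

main "$@"
```

On a live machine, replace the samples with `sudo crontab -l | strip_prey_cron` and `ps xuwww | count_prey_procs`; review the kept crontab lines before piping them back into `sudo crontab -`, since grep -v drops every line containing "prey", including any legitimate entry that happens to mention it.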
wireshark) the network traffic and then analyse it (you are probably being used to scan/attack other websites). It would also be interesting to get a copy of that malware. Look up where the curl process is (i.e. if instead of /usr/bin it's somewhere like a tmp folder). And also what is the process that spawned curl (parent process). – Ángel Sep 21 '14 at 19:51