While working on a client project last night, I notice a flicker on my mac's desktop. Figuring it's just Time Machine doing it's job, I ignore and continue working on my project. A few seconds later, the mounted Volume icon disappears. I've never seen Time Machine complete a backup in seconds - it's a time hog. "What the hell was that??" I think...
Assuming the worst, I disconnect the system from the network and begin investigating. Digging through system logs, I find...
11/23/09 10:40:16 PM /usr/sbin/ocspd starting
11/23/09 10:40:29 PM hdiejectd running
11/23/09 10:40:32 PM installer Package Authoring Warning: GoogleVoiceandVideo.pkg authorization level is AdminAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.
11/23/09 10:40:32 PM installer Package Authoring Warning: Google voice and video Installer.mpkg authorization level is NoAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.
OK, so my first thought is there's a vulnerability in either ocspd or hdiejectd (neither is the case), and somebody's installing what looks like a package named "Google Voice and Video" but probably is some trojan. I have no Google software on this system - no Picasa, GV, or whatever. I don't even have a web browser opened at the time on any Google property. I use Google Chat through Adium, but I'm familiar with Adium's update process - they wouldn't do crap like this. Obviously this is malicious content. Or so I thought.
After some time Googling around, I find a few others who have complained about similar issues, most notably ArsTechnica. While their issue is not exactly the same, it's close enough for me to realize that the "malicious" attacker I'm dealing with is Google themselves.
The point of this post is twofold - first, to help others who find strange Google installers running as root; The second purpose is to clarify what many of us find heinous about this:
Is Google Updater running on your system?
Google Updater runs via the OSX LaunchAgent - a system similar to UNIX cron. If the Updater has a plist config file on your system, then the Updater is installed. From a terminal window, try using ls to find the plist file:
$ ls /Library/LaunchAgents/com.google.keystone.agent.plist
If you see something other than "No such file or directory," it's on your system.
Google Updater Removal
Geekology has a post explaining how to uninstall the Google Updater...it worked very well for me.