PSA: Again, another reason not to open attachments from strangers
Don't be scared but be aware, there's a new malware in town and it wants your Mac.
Check Point Software Technologies has published a detailed analysis of a new piece of malware aimed at Mac users. It's being called OSX/Dok, and once installed it can intercept the victim's web traffic, including HTTPS connections to otherwise secure sites. According to Check Point it affects all versions of OS X and, at the time of the report, had zero detections on VirusTotal, meaning anti-virus products were not yet catching it. Check Point's own summary reads:
"This new malware – dubbed OSX/Dok — affects all versions of OSX, has 0 detections on VirusTotal (as of the writing of these words), is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign."
Why is Dok such a big deal?
Check Point says Dok is the first major scale malware to target OS X users through a coordinated email phishing campaign, but that's not the only reason it's a big deal. Dok is signed with a valid Apple developer certificate, so Gatekeeper lets it run instead of blocking it as an app from an unidentified developer. Once installed, Dok also adds its own root certificate to your system, so your Mac and your browser will trust the attacker's proxy when it impersonates secure sites, and you would be none the wiser.
How Dok gets in
To calm your fears, this malware isn't something you could accidentally pick up while surfing the net or if your Wi-Fi password isn't secure. For Dok to infect your Mac, you have to invite it into your system.
Check Point explains that the initial contact is via a phishing email (currently targeted at European users). When a person downloads an attachment (called Dokument.ZIP) from the email, it copies itself to the Mac and then displays a false message saying the file couldn't be opened because it was damaged. It will then execute itself and send another pop up message that will tell you there is a new update to your Mac's software and tell you to click "Update All" right within the message, at which point you'll be asked to enter your password to continue.
That's how Dok infects your Mac. You first have to open an attachment from an unknown source. You then have to click through an update prompt that looks nothing like how Apple delivers updates (Apple never asks you to click "Update All" in a pop up message). You then have to enter your password, which is the point of attack. With your administrator password, Dok can change your system settings, quietly route all of your web browsing through an attacker-controlled proxy and, with its root certificate in place, read and tamper with your traffic even on secure sites.
How you can protect yourself against Dok
Since this is a phishing attack, it's pretty easy to avoid infection. Don't download or open attachments from unknown senders. A file name is a weak signal, because the attacker can change it between campaigns, but if an unexpected attachment is called Dokument.ZIP, definitely don't open it. It's always a good practice to check the sender's actual email address, not just the display name, to see whether it is official. If the sender email is something like llk124@ww.edir.4.com, delete that email right away.
What if Dok has already infected your Mac?
If you received an email from an unknown source, opened the attachment called Dokument.ZIP, clicked the suspicious looking update button, entered your password, and now think you might be infected, there are a few steps you can take to remove the malware.
First, open your Proxy configuration settings and remove the rogue proxy auto-configuration URL.
- Click the Apple Menu icon in the upper left corner of the screen.
- Click System Preferences from the dropdown menu.
- Click Network.
- Select your current internet connection (Wi-FI or Ethernet).
- Click Advanced at the bottom right of the window.
- Select the Proxies tab.
- Uncheck Automatic Proxy Configuration.
- Delete the URL listed there, which for Dok points at a proxy on your own machine (http://127.0.0.1:5555/...), then click OK and Apply.
Dok also installed two LaunchAgents that keep the proxy settings in place, which you'll also have to find and delete. They live in the hidden Library folder of your home directory (in Finder, choose Go > Go to Folder and enter ~/Library/LaunchAgents). After deleting them, log out and back in, or restart, so the running agents stop.
/Users/%User%/Library/LaunchAgents/com.apple.Safari.proxy.plist
/Users/%User%/Library/LaunchAgents/com.apple.Safari.pac.plist
Lastly, you'll need to delete the rogue root certificate Dok installed. This is not the developer certificate the app was signed with; it's a certificate authority entry that makes your Mac trust the attacker's proxy for secure sites.
- Launch Finder.
- Select Applications.
- Open your Utilities folder.
- Double-click on Keychain Access.
- Select the Certificates category and find the certificate named COMODO RSA Secure Server CA 2. Genuine certificate authorities ship in the System Roots keychain, so a COMODO entry in your login or System keychain that you did not add yourself is the one to remove.
- Right or Control + click on the certificate.
- Select Delete Certificate from the drop down options.
- Select Delete to confirm that you want to delete the certificate (you may be asked for your administrator password).
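If you'd rather check the three indicators above from Terminal, here is a small shell script. It is an added example written for this article, not code from iMore or Check Point. It audits the proxy auto-configuration URL, the two LaunchAgents and the rogue certificate using Apple's own networksetup, launchctl and security tools, and prints the command that removes each finding without changing anything itself. It assumes the PAC URL Dok sets points at http://127.0.0.1:5555/, that the LaunchAgents sit in ~/Library/LaunchAgents, and that the rogue certificate's common name is exactly COMODO RSA Secure Server CA 2; the network service name (Wi-Fi by default) is a parameter.

```shell
#!/bin/sh
# Dok indicator check for macOS. Added example, not from iMore or Check Point.
# Assumptions (not stated in the article): the PAC URL Dok sets points at
# 127.0.0.1:5555, the two LaunchAgent plists sit in ~/Library/LaunchAgents,
# and the rogue root certificate's common name is "COMODO RSA Secure Server CA 2".

DOK_AGENTS="com.apple.Safari.proxy.plist com.apple.Safari.pac.plist"
DOK_CERT_CN="COMODO RSA Secure Server CA 2"

# pac_is_suspicious URL: succeeds (0) if the proxy auto-config URL points at
# the local port Dok uses, fails (1) otherwise.
pac_is_suspicious() {
    case "$1" in
        http://127.0.0.1:5555/*|http://localhost:5555/*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_dok_agents DIR: print the path of each Dok LaunchAgent present in DIR.
find_dok_agents() {
    for f in $DOK_AGENTS; do
        if [ -e "$1/$f" ]; then printf '%s\n' "$1/$f"; fi
    done
}

# count_dok_agents DIR: print how many of the Dok LaunchAgents exist in DIR.
count_dok_agents() {
    n=0
    for f in $DOK_AGENTS; do
        if [ -e "$1/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# audit_mac [SERVICE]: run the live checks with Apple's command-line tools.
# SERVICE is the network service name shown in System Preferences > Network.
# Nothing is modified; each finding is printed with the command that fixes it.
audit_mac() {
    svc=${1:-Wi-Fi}
    found=0

    # 1. Proxy auto-configuration URL on the chosen network service.
    url=$(networksetup -getautoproxyurl "$svc" | sed -n 's/^URL: //p')
    if pac_is_suspicious "$url"; then
        found=1
        echo "Suspicious PAC URL on $svc: $url"
        echo "  remove with: networksetup -setautoproxystate \"$svc\" off"
    fi

    # 2. LaunchAgents that keep the proxy settings in place.
    find_dok_agents "$HOME/Library/LaunchAgents" | while IFS= read -r p; do
        echo "Dok LaunchAgent present: $p"
        echo "  remove with: launchctl unload \"$p\" && rm \"$p\""
    done
    if [ "$(count_dok_agents "$HOME/Library/LaunchAgents")" -gt 0 ]; then found=1; fi

    # 3. Rogue certificate anywhere in the default keychain search list.
    if security find-certificate -c "$DOK_CERT_CN" >/dev/null 2>&1; then
        found=1
        echo "Certificate \"$DOK_CERT_CN\" is present in your keychain search list"
        echo "  inspect with: security find-certificate -c \"$DOK_CERT_CN\" -p | openssl x509 -noout -issuer -fingerprint"
        echo "  remove with:  sudo security delete-certificate -c \"$DOK_CERT_CN\""
    fi

    if [ "$found" -eq 0 ]; then echo "No Dok indicators found."; fi
    return 0
}

# Only touch the live system when asked explicitly, so the helper functions
# can be sourced or tested on their own.
if [ "${1:-}" = "--audit" ]; then audit_mac "${2:-Wi-Fi}"; fi
```

Save it as dok-check.sh and run "sh dok-check.sh --audit Wi-Fi" (or Ethernet, or whatever service name your Network preferences show). The inspect line prints the certificate's issuer and fingerprint so you can confirm it is not one your organisation installed before deleting it.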
Remember best practices for staying safe
It's hard to get infected with Dok by accident. There are a number of red flags along the way that should tip you off that something is wrong. Don't open attachments from unknown sources. Don't click on suspicious looking pop up messages. Check senders' email addresses to see if they are real. You can protect yourself from attacks if you stay aware.
If you do, however, end up with malware on your Mac, don't worry. If the steps above seem too complicated, you can call Apple support for help. Someone will be able to walk you through the necessary steps to remove the malware from your Mac.
from iMore - The #1 iPhone, iPad, and iPod touch blog http://ift.tt/2pqhl7P