Free Republic

Nasty Mac malware bypasses Gatekeeper, undetectable by most antivirus apps
9 to 5 Mac ^ | April 28, 2017 | By Ben Lovejoy

Posted on 04/28/2017 10:21:46 AM PDT by Swordmaker

We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware.


However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.

Security researchers at CheckPoint found something they’ve labelled OSX/Dok, which manages to go undetected by Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update …

OSX/Dok does rely on a phishing attack as its initial way in. Victims are sent an email claiming to be from a tax office regarding their income tax return, asking them to open an attached zip file for details. This should, of course, immediately ring alarm-bells: no-one should ever open a zip file they aren’t expecting, even if it seems to be from a known contact.

But after that, the approach taken by the malware is extremely clever. It installs itself as a Login Item called AppStore, which means it automatically runs each time the machine is booted. It then waits for a while before presenting a fake macOS update window.

The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine […]

The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server.

This means that literally everything you do on the Internet, even accessing secure servers using https connections, will pass through the attacker’s proxy. A bogus security certificate is also installed, allowing the attacker to impersonate any website without being flagged.

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.

The reason Gatekeeper doesn’t block the malware in the first place is that it has a valid developer’s certificate. This should make it easy for Apple to address by revoking the certificate, but it could of course be set in motion again if the attackers gain access to another certificate.
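A host-side audit for the two indicators the article describes (a PAC auto-proxy URL forced onto the network services, and a Login Item named AppStore), written as an added example: it is not code from the article or from Check Point. The parsing of `networksetup -getautoproxyurl` output is separated from collection so it can be checked on constructed sample text; the live collection only runs where `networksetup` and `osascript` exist.

```shell
#!/bin/sh
# Host-side audit for two OSX/Dok indicators described in the article:
#  1. an auto-proxy (PAC) URL enabled on a network service
#  2. a Login Item named "AppStore"
# Constructed example, not code from the article or Check Point. Parsing is
# separated from collection so the checks run on sample text; live collection
# runs only where networksetup/osascript exist (macOS).

# Parse the output of `networksetup -getautoproxyurl <service>`, which is two
# lines: "URL: <url or (null)>" and "Enabled: Yes|No". Prints the PAC URL and
# returns 0 when an auto-proxy is active, 1 otherwise.
pac_url_from_output() {
    printf '%s\n' "$1" | awk '
        /^URL:/     { url = $2 }
        /^Enabled:/ { enabled = $2 }
        END {
            if (enabled == "Yes" && url != "" && url != "(null)") { print url; exit 0 }
            exit 1
        }'
}

# Takes a comma-separated list of Login Item names, as returned by the
# AppleScript `get the name of every login item`; returns 0 if one is
# named exactly "AppStore" (the persistence name the article reports).
has_appstore_login_item() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qx 'AppStore'
}

# Live audit: only meaningful on macOS; elsewhere it reports and returns cleanly.
audit_host() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found; skipping live audit"; return 0; }
    # First line of -listallnetworkservices is a legend, so skip it; a leading
    # asterisk marks a disabled service and is stripped before querying.
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        out=$(networksetup -getautoproxyurl "${svc#\*}" 2>/dev/null) || continue
        if url=$(pac_url_from_output "$out"); then
            echo "WARNING: auto-proxy enabled on '$svc' -> $url"
        fi
    done
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
    if has_appstore_login_item "$items"; then
        echo "WARNING: Login Item named 'AppStore' present"
    fi
}

audit_host
```

A PAC URL that resolves to a host you do not control, or an AppStore Login Item that is not Apple's App Store, is what to look for; the PAC and certificate removal itself still has to be done by hand.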


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; applepinglist; mac; macbook; macmalware; phishing
To: roadcat

Yeah, Linux is way better now. Burn a disc of the ISO; you can run it without installing it, to try it out, or run it in a virtual machine to give it a whirl. I tried Linux back in the '90s too and absolutely hated it, and like you I had all kinds of problems getting stuff to work with it. I tried Linux again a few years back and was pleasantly surprised. Very easy to use now, and it sees a ton of hardware now. The hardest part is learning how to install hardware-specific drivers, but even that is pretty easy now, as their driver manager makes it pretty much a one-click process these days, depending on which distribution of Linux you choose. I use Mint, Cinnamon edition, about as easy as they come.


21 posted on 04/30/2017 9:12:37 PM PDT by Bob434
[ Post Reply | Private Reply | To 20 | View Replies]

As I said, Apple has now included the definition of this malware for their Gatekeeper built-in anti-malware and Mac users are now protected from it and any similar attacks using this Trojan.

FreeRepublic Article on the Closing of this Malware Trojan

22 posted on 05/01/2017 10:39:28 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 1 | View Replies]

There are many other software tools that can detect malware.


23 posted on 07/11/2017 3:25:48 AM PDT by Muntic0re
[ Post Reply | Private Reply | To 21 | View Replies]

To: Texas Fossil

I’ve been running OS X & now macOS since 2008. Never had a virus. Never had a problem.


24 posted on 07/11/2017 3:46:13 AM PDT by TheStickman (And their fear tastes like sunshine puked up by unicorns.)
[ Post Reply | Private Reply | To 9 | View Replies]

Once I had an issue with one nasty piece of malware. It deleted all the files from my desktop. Some of them were really important. I then used a recovery tool I came across on the cleverfiles site. In a few clicks all of them were restored. PS: now I check my Mac twice a week for malware and viruses.
25 posted on 07/12/2017 3:41:41 AM PDT by Muntic0re
[ Post Reply | Private Reply | To 3 | View Replies]

