Interesting People mailing list archives
PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more
From: "Dave Farber" <farber () gmail com>
Date: Tue, 16 Jan 2018 20:38:11 -0500
Begin forwarded message: From: the keyboard of geoff goodfellow <geoff () iconia com> Subject: PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more Date: January 16, 2018 at 8:23:30 PM EST To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com> excerpted from https://9to5mac.com/2018/01/15/macos-dns-hijacking-malware/ <https://9to5mac.com/2018/01/15/macos-dns-hijacking-malware/> Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News <https://thehackernews.com/2018/01/macos-dns-hijacker.html?m=1>, the malware is being likened to the DNSChange trojan that affected over four million computers in 2011… This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi. News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it <https://objective-see.com/blog/blog_0x26.html>. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication. “OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle writes. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages. Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more: Taking screenshots Generating simulated mouse events Perhaps persists as a launch item (programArguments, runAtLoad) Downloading & uploading files Executing commands There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups. Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 82.163.143.135 and 82.163.142.137. It’s important to note that, as of right now, antivirus products are not detecting the malware: As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections). Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here <https://objective-see.com/blog/blog_0x26.html>. [...] -- Geoff.Goodfellow () iconia com <mailto:Geoff.Goodfellow () iconia com> living as The Truth is True http://geoff.livejournal.com <http://geoff.livejournal.com/> This message was sent to the list address and trashed, but can be found online. <https://www.listbox.com/login/messages/view/20180116202417:20C18584-FB25-11E7-8A2F-EB0DD359CE5B/>
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580 Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125 Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20180116203822:18530DD0-FB27-11E7-98F3-BD24513F892F Powered by Listbox: http://www.listbox.com
Current thread:
- PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more Dave Farber (Jan 16)