Mac Malware Avoids Antivirus

Tuesday, January 16, 2018 @ 10:01 AM gHale


A new type of malware targeting Apple computers is undetectable by a good chunk of antivirus solutions.

Right now, the damage OSX/MaMi, discovered by security researcher Patrick Wardle, can do remains limited, but it has the potential to do more.


“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle said in a post (https://objective-see.com/blog/blog_0x26.html). “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle traffic (perhaps to steal credentials, or inject ads).”

The malware spreads through the usual phishing methods, such as email attachments or links to pages hosting the infection.

“As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal,” Wardle said. “This will hopefully change shortly as AV products start adding detections.”

While antivirus solutions do not yet detect the malware, the easiest way to find out whether a system has been compromised is to check its DNS settings.

If infected, the DNS servers are set to 82.163.143.135 and 82.163.142.137; removing them, along with the malicious certificate the malware installs on a compromised host, is the easiest way to clean the system.

To remove the DNS servers, you need to open System Preferences and head over to Network > Advanced > DNS. Delete the two entries mentioned above.

To remove the malicious certificate, launch the Keychain app and open the System section in the top left. The malicious entry is named cloudguard.me; right-click it and choose the delete option.
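The manual checks above can be scripted so a fleet of Macs can be swept for the two indicators the article names. The script below is an added example, not code from the article or from Wardle's post; it assumes the Wi-Fi network service name and the standard System keychain path, and the sample resolver list it is tested against is constructed.

```sh
#!/bin/sh
# Added example: flag the two OSX/MaMi DNS resolvers and the cloudguard.me
# certificate described in the article. The indicator values come from the
# article; the service name "Wi-Fi" and keychain path are assumptions.

MAMI_DNS="82.163.143.135 82.163.142.137"

# Read resolver addresses, one per line, on stdin. Return 0 (true) if any
# address matches a MaMi indicator, 1 otherwise. Works on any captured list,
# so it can also be run offline against output collected from other hosts.
dns_has_mami() {
    rc=1
    while read -r addr; do
        for bad in $MAMI_DNS; do
            if [ "$addr" = "$bad" ]; then
                echo "MATCH: resolver $addr is an OSX/MaMi indicator"
                rc=0
            fi
        done
    done
    return $rc
}

# Read `security find-certificate` output on stdin. Return 0 if a certificate
# labelled cloudguard.me is present, 1 otherwise.
cert_has_mami() {
    if grep -q 'cloudguard\.me'; then
        echo "MATCH: cloudguard.me certificate present in the System keychain"
        return 0
    fi
    return 1
}

# Live sweep of the current macOS host. Returns 0 if either indicator is found.
# Not invoked automatically; call scan_host from a shell on the Mac itself.
scan_host() {
    found=1
    if networksetup -getdnsservers Wi-Fi | dns_has_mami; then found=0; fi
    if security find-certificate -a -c cloudguard.me \
        /Library/Keychains/System.keychain 2>/dev/null | cert_has_mami; then
        found=0
    fi
    return $found
}
```

A resolver hit without the certificate (or vice versa) still warrants the full cleanup in the steps above, since the two changes are installed together.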


