Posted on 05/01/2017 10:29:18 AM PDT by Swordmaker
OSX/Dok is now blocked, but it didn't rely on any system exploits to install.
Check Point, a security analysis firm, posted an alarming blog entry on Thursday about a new malicious macOS Trojan horse that appeared able to bypass Apple's protections and could hijack and sniff all the traffic entering and leaving a Mac without a user's knowledge. This would include SSL/TLS encrypted connections, because the malware installs a local digital certificate that overrides normal man-in-the-middle warnings and protections.
The malware, called OSX/Dok by Check Point, spreads via a phishing attack that Check Point says mostly targets European users. One message shown is in German and the signature portion says it's from the Swiss tax office. The email contains a ZIP file attachment which has to be saved, opened, and an item within it launched. It's unclear from the description whether a user has to enter an administrative password, although based on the steps, this would seem likely. On execution, the malware performs various nefarious deeds, such as copying itself and running shell commands, as well as installing a startup item so it will launch at each reboot.
Check Point says the malware is signed with a valid Apple developer's certificate, something that's happened before. Malicious parties may hijack legitimate developers' accounts, or register and use (and burn) that certificate. With a certificate that checks out, macOS Gatekeeper recognizes the app as legitimate, and doesn't prevent its execution.
Apple confirmed that Gatekeeper wasn't bypassed. That developer certificate has been revoked, which will prevent it launching in the future without a warning. Apple has confirmed that it updated XProtect, its silent malware signature system, to ward it off as well. There's no indication about how many users might have been infected, as Check Point's research team encountered it in the wild.
As with nearly all macOS malware, OSX/Dok requires a naive user who accepts at face value a phishing email and willingly extracts and launches a file they were not expecting and which they're unfamiliar with. The main exception to this was the subversion of two releases of the torrenting software Transmission, which had legitimate copies replaced by hacked ones. Those were also Trojan horses, but from software people intentionally downloaded and installed.
With BlockBlock and XFence (formerly Little Flocker) installed, even if you had been trusting enough to carry out the steps to launch the malware, it would have been unable to write files or mark itself as launching on startup. (Both packages are free and in beta.)
Mac users need to maintain vigilance against launching any file that wasn't expected or is from an unknown party or one that claims to be tax, law-enforcement, or another authority. Even if the file appears to be from a known source, if it's not something expected and in a format typically sent by that person or group, it might be a spearphishing attempt, in which faked return addresses are used to lull people into installing a Trojan horse.
Thanks for the heads up.
Must have a lot of holes in it...............
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
Got to go out of my way to launch this
bump