Security researchers at Check Point found something they've labelled OSX/Dok - how do these security people come up with these names? This piece of malware falls into the particularly nasty category, in that it can spy on all your Internet usage, including sessions with secure websites such as your bank.

As is usual with Mac malware, OSX/Dok relies on a phishing attack to get itself installed. In this case, you will typically receive an email appearing to come from your friendly tax office regarding your income tax return, asking you to open an attached zip file for details. The installer gets past Apple's Gatekeeper because it is signed with a valid developer certificate (since revoked by Apple), and it installs itself as a login item called AppStore, so that it runs automatically every time the user logs in. It then waits a while before presenting a fake macOS update window.

The victim is locked out of every other window and cannot use the machine in any way until they relent, enter their password and allow the fake update to finish installing. Once they do, the malware has administrator privileges on the victim's machine.

The malware then changes the victim system's network settings so that all outgoing connections pass through a proxy, which is chosen dynamically by a Proxy Auto-Configuration (PAC) file served from a malicious server.

This means that literally everything you do on the Internet, even sessions with secure servers over https, will pass through the attacker's proxy. A bogus root certificate is also installed and marked as trusted, so the proxy can present forged certificates for any website without the browser flagging them.

The upshot of all this is that when the user surfs the web, their traffic goes through a proxy controlled by the attacker, who carries out a Man-in-the-Middle attack and impersonates whichever sites the user visits. The attacker is free to read the victim's traffic, banking sessions included, and tamper with it in any way they please.

The malware mostly targets European users … mostly! All that is left to say: beware of Trojans bearing gifts, especially if they are just horsing around, asking for your password.

Moral: Never open an unexpected zip attachment, even if it appears to come from someone you know, and never type your password into a prompt you did not ask for.

