Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News, the malware is being likened to the DNSChange trojan that affected over four million computers in 2011…
This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.
News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.
“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle writes.
“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.
Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:
Generating simulated mouse events
Perhaps persists as a launch item (programArguments, runAtLoad)
Downloading & uploading files
There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.
Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 18.104.22.168 and 22.214.171.124.
It’s important to note that, as of right now, antivirus products are not detecting the malware:
As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections).
Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here. [...]
The first number you have is an IP4 address that is often called a "ten net" address. Those are frequently handed out by home and small business routers, but some larger organizations have switched over to internal 10-net routing.
The second number is IP6 information. I get something similar at home from Comcast, but not here at work.
aslo the 10.0.1.1 address is an internal address - probably your router - and it (the router) probably point to your ISP to resolve and names. On my system I have one pointing to my router and a second of 126.96.36.199 which is Google’s Public Domain Name Server.
> On Jan 17, 2018, at 12:57 PM, Louise Olson <[hidden email]> wrote:
> On Wed, January 17, 2018 10:58 am, Fritz Mills wrote:
> and toggling over to the DNS menu. On that menu, keep an eye out for
>>>> 188.8.131.52 and 184.108.40.206.
> I just did this to see what I had ... and saw something I've never seen in
> DNS servers on my computers. Here is what is in mine:
> What on earth is that? Could that explain some oddities I've seen with
> some of my browsers for quite a while now? What should I have in there?
The first one is an IPv4 DNS server address. The second is an IPv6 DNS server address that has been configured automatically. If you click on the TCP/IP tab, you will see a dropdown that says “Configure IPv6 Automatically and it will show a router address and your computer’s IPv6 address.