Fwd: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more


Fwd: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Fritz Mills


Begin forwarded message:

From: "Dave Farber" <[hidden email]>
Subject: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more
Date: January 16, 2018 at 7:38:11 PM CST
To: "ip" <[hidden email]>
Reply-To: [hidden email]



Begin forwarded message:

From: the keyboard of geoff goodfellow <[hidden email]>
Subject: PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more
Date: January 16, 2018 at 8:23:30 PM EST
To: "E-mail Pamphleteer Dave Farber's Interesting People list" <[hidden email]>

Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News, the malware is being likened to the DNSChanger trojan that affected over four million computers in 2011…


This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.

News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle writes.

“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:

  • Taking screenshots
  • Generating simulated mouse events
  • Perhaps persists as a launch item (programArguments, runAtLoad)
  • Downloading & uploading files
  • Executing commands

There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.

Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 82.163.143.135 and 82.163.142.137.

It’s important to note that, as of right now, antivirus products are not detecting the malware:

As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections).

Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here. [...]


--
living as The Truth is True





____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
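The manual check described in the forwarded post (System Preferences > Network > Advanced > DNS, looking for the two addresses) can be done from a terminal as well. The script below is an added example, not code from the post or from Wardle's tooling: it parses resolver output in the shape macOS prints for `scutil --dns`, extracts every nameserver, and flags the two OSX/MaMi addresses named above. The sample output it ships with is constructed, and the `--live` switch is this script's own convention, used only to run the real `scutil --dns` on a Mac.

```shell
#!/bin/sh
# Added example (not part of the original post): flag the OSX/MaMi resolver
# addresses in scutil-style DNS output. The sample below is constructed.

# Resolver addresses the post names as OSX/MaMi indicators.
MAMI_IOCS="82.163.143.135 82.163.142.137"

# Constructed sample in the shape of `scutil --dns` output (not a real capture).
SAMPLE_SCUTIL_OUTPUT='DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 10.0.1.1
  if_index : 5 (en0)

resolver #2
  nameserver[0] : 2601:204:4100:4faf:e51:1ff:fee2:f492
'

# extract_nameservers: read scutil-style text on stdin, print each unique
# nameserver address on its own line (IPv4 or IPv6, as configured).
extract_nameservers() {
  sed -n 's/^[[:space:]]*nameserver\[[0-9][0-9]*][[:space:]]*:[[:space:]]*//p' |
    sed 's/[[:space:]]*$//' | sort -u
}

# flag_mami_resolvers: read one address per line on stdin and print every
# address that matches an indicator. Exit status 1 if any matched, 0 if clean.
flag_mami_resolvers() {
  found=0
  while IFS= read -r ns; do
    for ioc in $MAMI_IOCS; do
      if [ "$ns" = "$ioc" ]; then
        echo "MATCH: $ns"
        found=1
      fi
    done
  done
  return $found
}

# check_dns_output: run both steps over scutil-style text on stdin.
check_dns_output() {
  extract_nameservers | flag_mami_resolvers
}

# check_sample: run the check over the constructed sample (returns 1: one hit).
check_sample() {
  printf '%s\n' "$SAMPLE_SCUTIL_OUTPUT" | check_dns_output
}

# Live check: `scutil` exists only on macOS, so this branch is skipped elsewhere.
if [ "${1:-}" = "--live" ] && command -v scutil >/dev/null 2>&1; then
  if scutil --dns | check_dns_output; then
    echo "No OSX/MaMi resolver addresses found."
  else
    echo "Review Network > Advanced > DNS and remove the flagged servers."
  fi
fi
```

A clean machine in the thread would show only its router (10.0.1.1), an ISP-assigned IPv6 resolver, or a public resolver such as 8.8.8.8, and the check returns 0 for those; the exit status makes it easy to drop into a fleet inventory script. Because the post notes that AV engines were not yet detecting the sample, a resolver-list check like this is the most reliable signal available at the time of the thread.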

Re: Fwd: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Louise Olson

On Wed, January 17, 2018 10:58 am, Fritz Mills wrote:
> and toggling over to the DNS menu. On that menu, keep an eye out for
> 82.163.143.135 and 82.163.142.137.


I just did this to see what I had ... and saw something I've never seen in
DNS servers on my computers.  Here is what is in mine:

10.0.1.1
2601:204:4100:4faf:e51:1ff:fee2:f492

What on earth is that?  Could that explain some oddities I've seen with
some of my browsers for quite a while now?  What should I have in there?


Louise



Re: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Woodard Paul
That looks like an IPv6 format
see http://ipv6friday.org/blog/2012/01/ipv6-and-dns/

On Jan 17, 2018, at 1:57 PM, Louise Olson <[hidden email]> wrote:

> 2601:204:4100:4faf:e51:1ff:fee2:f492





Re: Fwd: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Bruce Carter
In reply to this post by Louise Olson
The first number you have is an IP4 address that is often called a "ten net" address.  Those are frequently handed out by home and small business routers, but some larger organizations have switched over to internal 10-net routing.

The second number is IP6 information.  I get something similar at home from Comcast, but not here at work.


On Wed, Jan 17, 2018 at 1:57 PM, Louise Olson <[hidden email]> wrote:

On Wed, January 17, 2018 10:58 am, Fritz Mills wrote:
> and toggling over to the DNS menu. On that menu, keep an eye out for
> 82.163.143.135 and 82.163.142.137.


I just did this to see what I had ... and saw something I've never seen in
DNS servers on my computers.  Here is what is in mine:

10.0.1.1
2601:204:4100:4faf:e51:1ff:fee2:f492

What on earth is that?  Could that explain some oddities I've seen with
some of my browsers for quite a while now?  What should I have in there?


Louise





--
Bruce Carter, Center for Creative Computing,
University of Notre Dame, Notre Dame, IN  46556




Re: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Woodard Paul
In reply to this post by Louise Olson
also the 10.0.1.1 address is an internal address - probably your router - and it (the router) probably points to your ISP to resolve any names. On my system I have one pointing to my router and a second of 8.8.8.8 which is Google’s Public Domain Name Server.

On Jan 17, 2018, at 1:57 PM, Louise Olson <[hidden email]> wrote:

> 10.0.1.1





Re: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Fritz Mills
In reply to this post by Louise Olson

> On Jan 17, 2018, at 12:57 PM, Louise Olson <[hidden email]> wrote:
>
>
> On Wed, January 17, 2018 10:58 am, Fritz Mills wrote:
> and toggling over to the DNS menu. On that menu, keep an eye out for
> 82.163.143.135 and 82.163.142.137.
>
>
> I just did this to see what I had ... and saw something I've never seen in
> DNS servers on my computers.  Here is what is in mine:
>
> 10.0.1.1
> 2601:204:4100:4faf:e51:1ff:fee2:f492
>
> What on earth is that?  Could that explain some oddities I've seen with
> some of my browsers for quite a while now?  What should I have in there?
>
The first one is an IPv4 DNS server address. The second is an IPv6 DNS server address that has been configured automatically. If you click on the TCP/IP tab, you will see a dropdown that says “Configure IPv6 Automatically” and it will show a router address and your computer’s IPv6 address.






Re: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Louise Olson
In reply to this post by Woodard Paul

On Wed, January 17, 2018 2:11 pm, Woodard Paul wrote:
> That looks like an IPv6 format
> see http://ipv6friday.org/blog/2012/01/ipv6-and-dns/

Thank you, Paul.  Could it be something the tech guy I had set up my
computer and network just over a year ago would have entered?

Louise



Re: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Rodney

> On  17, 2018, at 20:19, Louise Olson <[hidden email]> wrote:
>
> Thank you, Paul.  Could it be something the tech guy I had set up my
> computer and network just over a year ago would have entered?

No, that was set automatically via DHCP.



Re: Fwd: [IP] PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Louise Olson
In reply to this post by Bruce Carter

> The second number is IP6 information.  I get something similar at home
> from
> Comcast, but not here at work.
>

BINGO ... I have Comcast.

