New OSX/Dok Malware Takes Over Your Mac: What to Do and How to Prevent It

If you’re a Mac user who looks down on “virus-prone” Windows users, it may be time to check yourself. One of the worst misconceptions today is that Mac users aren’t vulnerable to malware, and if you let your guard down, you could be infected by something truly serious.

Remember when ransomware hit Mac users back in 2015? Well, things are worse now with the newly-dubbed OSX/Dok malware. This thing is so potent it can take full control over your machine without you even realizing it. Here’s all you need to know about what it is, how to remove it, and steps to prevent it.

How the OSX/Dok Malware Works

OSX/Dok arrives as an email attachment in the form of a ZIP file (named Dokument.zip). If you download said file and try to open it, the malware will throw up a fake “package is damaged” error message while simultaneously copying itself to the /Users/Shared folder with an install permission prompt from a signed developer.

It will proceed to replace your system’s “AppStore” Login Item with itself, making it so that the malware runs every time your system reboots. Afterwards, it will notify you that a security issue has been found and an update is required, but before you can update, you must enter your admin password.

After entering your password, the malware gains administrative rights to your system (i.e. full control). With this newfound power, it alters your network settings in two ways: all traffic is routed through a proxy server and all traffic can be intercepted. This allows the malware to impersonate any website using bogus security certificates.

For more details, see Check Point’s investigation of OSX/Dok. The malware uses obfuscation tactics to avoid detection by anti-virus software, so you could be infected without realizing it.

OSX/Dok is significant for three reasons. First, its potential for damage is one of the scariest we’ve ever seen on Mac. Second, it exposed a weakness in Apple’s system of signed developer certificates, making them less trustworthy. Third, it’s the first widescale Mac-only malware attack.

As of this writing, Apple had revoked the fake developer certificate on May 1, but the crafty malware creators almost immediately resumed under a new developer ID, which was also revoked a few days later. However, you can still install software from unidentified developers, so this malware is still a problem.

3 Steps to Removing the OSX/Dok Malware

If all of the above sounds familiar and you’re now realizing that your system has been infected by OSX/Dok, the good news is you can remove it right now. Before going ahead with the following steps, be sure to Quit (or Force Quit) all open apps, especially Safari.

1. Remove the Proxy Server

  1. Open System Preferences (easiest way is with Spotlight).
  2. Click Network.
  3. On the left, select your current internet connection, then click the Advanced… button at the bottom right.
  4. Click the Proxies tab.
  5. On the left, select the Automatic Proxy Configuration protocol. On the right, under Proxy Configuration File, delete the URL (which should begin with http://127.0.0.1:5555… if you’re infected).


2. Remove the LaunchAgents

  1. First, make sure you enable hidden files and folders.
  2. Open Finder.
  3. Navigate to Macintosh HD.
  4. Find Users.
  5. Navigate to your username.
  6. Go to Library (this is a hidden folder).
  7. Navigate to LaunchAgents.
  8. Delete the file named com.apple.Safari.proxy.plist.
  9. Delete the file named com.apple.Safari.pac.plist.


3. Remove the Fake Developer Certificate

  1. Open the Keychain Access utility app (easiest way is with Spotlight).
  2. On the left, under Category, select Certificates.
  3. On the right, look for COMODO RSA Secure Server CA 2. Right-click on it and select Delete.
  4. Confirm by clicking Delete.
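As an added example (not from this article or from Check Point’s write-up), here is a small shell check for the three indicators the removal steps above target. The proxy URL, LaunchAgents directory and certificate names are passed in so the check runs anywhere; the macOS commands mentioned in the comments are assumptions about how you would obtain those values on a live Mac.

```shell
#!/bin/sh
# Defender-side check for the OSX/Dok indicators described in the article.
# Nothing here modifies the system; each function only reports.

# Indicator 1: Automatic Proxy Configuration URL pointing at 127.0.0.1:5555.
# $1 is the PAC URL. On a Mac it is assumed you would obtain it with
#   networksetup -getautoproxyurl "Wi-Fi"
dok_proxy_suspicious() {
  case "$1" in
    http://127.0.0.1:5555*) echo "suspicious PAC URL: $1"; return 0 ;;
    *) return 1 ;;
  esac
}

# Indicator 2: the two LaunchAgents plists named in step 2.
# $1 is the LaunchAgents directory to inspect (default: ~/Library/LaunchAgents).
dok_launchagents_found() {
  dir="${1:-$HOME/Library/LaunchAgents}"
  found=1
  for f in com.apple.Safari.proxy.plist com.apple.Safari.pac.plist; do
    if [ -f "$dir/$f" ]; then
      echo "persistence file present: $dir/$f"
      found=0
    fi
  done
  return "$found"
}

# Indicator 3: the certificate name from step 3.
# Reads certificate names, one per line, from stdin. On a Mac it is assumed
# you would feed it the names listed by Keychain Access or `security`.
dok_cert_found() {
  grep -q 'COMODO RSA Secure Server CA 2' && {
    echo "certificate from step 3 is still installed"
    return 0
  }
  return 1
}

# Run all three checks; exit 0 when no indicator is present.
dok_check_all() {
  rc=0
  dok_proxy_suspicious "$1" && rc=1
  dok_launchagents_found "$2" && rc=1
  printf '%s\n' "$3" | dok_cert_found && rc=1
  return "$rc"
}
```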

Tips for Preventing Malware on a Mac

The good thing about OSX/Dok (and other malware like it) is that you can protect yourself against it with 100 percent effectiveness. Because it arrives via a phishing email, all you need to do is learn how to spot phishing emails so that you never fall for them ever again.

It would also help to learn how to spot dangerous email attachments. The general rule of thumb is that you should never download email attachments unless you were expecting one before the email arrives. Just because an email comes from a known contact doesn’t mean it’s safe — their email account could have been compromised!

Other important security tips for Mac users include:

Was this a wake-up call for you? What steps do you take to make sure you don’t catch malware on Mac? Let us know in the comments below!

Image Credit: guteksk7 via Shutterstock.com
