If you’re a Mac user who looks down on “virus-prone” Windows users, it may be time to check yourself. One of the worst misconceptions today is that Mac users aren’t vulnerable to malware, and if you let your guard down, you could be infected by something truly serious.
Remember when ransomware hit Mac users back in 2015? Well, things are worse now with the newly-dubbed OSX/Dok malware. This thing is so potent it can take full control over your machine without you even realizing it. Here’s all you need to know about what it is, how to remove it, and steps to prevent it.
How the OSX/Dok Malware Works
OSX/Dok arrives as an email attachment in the form of a ZIP file (named Dokument.zip). If you download said file and try to open it, the malware will throw up a fake “package is damaged” error message while simultaneously copying itself to the /Users/Shared folder with an install permission prompt from a signed developer.
It will proceed to replace your system’s “AppStore” Login Item with itself, making it so that the malware runs every time your system reboots. Afterwards, it will notify you that a security issue has been found and an update is required, but before you can update, you must enter your admin password.
After entering your password, the malware gains administrative rights to your system (i.e. full control). With this newfound power, it alters your network settings in two ways: all traffic is routed through a proxy server and all traffic can be intercepted. This allows the malware to impersonate any website using bogus security certificates.
For more details, see Check Point’s investigation of OSX/Dok. The malware uses obfuscation tactics to avoid detection by anti-virus software, so you could be infected without realizing it.
OSX/Dok is significant for three reasons. First, its potential for damage is one of the scariest we’ve ever seen on Mac. Second, it exposed a weakness in Apple’s system of signed developer certificates, making them less trustworthy. Third, it’s the first widescale Mac-only malware attack.
As of this writing, Apple has revoked the fake developer certificate (on May 1), but the crafty malware creators almost immediately resumed under a new developer ID, which was also revoked a few days later. However, you can still install software from unidentified developers, so this malware is still a problem.
3 Steps to Removing the OSX/Dok Malware
If all of the above sounds familiar and you’re now realizing that your system has been infected by OSX/Dok, the good news is you can remove it right now. Before going ahead with the following steps, be sure to Quit (or Force Quit) all open apps, especially Safari.
1. Remove the Proxy Server
- Open System Preferences (easiest way is with Spotlight).
- Click Network.
- On the left, select your current internet connection, then click the Advanced… button at the bottom right.
- Click the Proxies tab.
- On the left, select the Automatic Proxy Configuration protocol. On the right, under Proxy Configuration File, delete the URL (which should begin with http://127.0.0.1:5555… if you’re infected).
2. Remove the LaunchAgents
- First, make sure you enable hidden files and folders.
- Open Finder.
- Navigate to Macintosh HD.
- Find Users.
- Navigate to your username.
- Go to Library (this is a hidden folder).
- Navigate to LaunchAgents.
- Delete the file named com.apple.Safari.proxy.plist.
- Delete the file named com.apple.Safari.pac.plist.
3. Remove the Fake Developer Certificate
- Open the Keychain Access utility app (easiest way is with Spotlight).
- On the left, under Category, select Certificates.
- On the right, look for COMODO RSA Secure Server CA 2. Right-click on it and select Delete.
- Confirm by clicking Delete.
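If you’d rather check from Terminal before clicking through the three steps, the script below is an added example (not part of the original article or Check Point’s write-up) that looks for the same three artefacts and only reports them, deleting nothing. The function names are hypothetical; networksetup and security are the standard macOS command-line tools.

```shell
#!/bin/sh
# Added example: read-only check for the three artefacts named in the
# removal steps. It reports findings and deletes nothing.
# Function names are hypothetical.

DOK_CERT="COMODO RSA Secure Server CA 2"

# Step 1: succeeds if `networksetup -getautoproxyurl` output on stdin
# shows a proxy configuration URL on 127.0.0.1 port 5555.
dok_pac_hit() {
    grep -Eq '^URL: http://127\.0\.0\.1:5555([^0-9]|$)'
}

# Step 2: print whichever of the two LaunchAgents files exist under the
# home directory passed as $1.
dok_launchagents() {
    for _f in com.apple.Safari.proxy.plist com.apple.Safari.pac.plist; do
        if [ -e "$1/Library/LaunchAgents/$_f" ]; then
            printf '%s\n' "$1/Library/LaunchAgents/$_f"
        fi
    done
}

# Run all three checks against the live system (macOS only).
dok_scan() {
    # The first line of the service list is a legend; "*" marks disabled services.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        if networksetup -getautoproxyurl "$svc" </dev/null | dok_pac_hit; then
            echo "Step 1: proxy file on 127.0.0.1:5555 set for: $svc"
        fi
    done
    dok_launchagents "$HOME" | sed 's/^/Step 2: LaunchAgent present: /'
    # Step 3: find-certificate exits non-zero when nothing matches.
    if security find-certificate -c "$DOK_CERT" >/dev/null 2>&1; then
        echo "Step 3: certificate present: $DOK_CERT"
    fi
}

if [ "$(uname)" = "Darwin" ]; then
    dok_scan
fi
```

Run it as the user whose account you are checking, since the LaunchAgents folder in step 2 is per-user. No output means none of the three artefacts were found.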
Tips for Preventing Malware on a Mac
The good thing about OSX/Dok (and other malware like it) is that you can protect yourself against it with 100 percent effectiveness. Because it arrives via a phishing email, all you need to do is learn how to spot phishing emails so that you never fall for them ever again.
It would also help to learn how to spot dangerous email attachments. The general rule of thumb is that you should never download email attachments unless you were expecting one before the email arrives. Just because an email comes from a known contact doesn’t mean it’s safe — their email account could have been compromised!
Other important security tips for Mac users include:
- Knowing the different ways malware can infect your system.
- Installing a free but effective anti-virus app.
- Making sure your system and apps stay updated.
- Adhering to common sense principles for avoiding malware.
Was this a wake-up call for you? What steps do you take to make sure you don’t catch malware on Mac? Let us know in the comments below!