Pat, Ronni,

While I don’t mean to trivialise the issue of malware and the 
current, advanced state of infection abilities, I think you might have gone down 
the wrong rabbit hole here with the malware.

What more likely happened was James’ school is running a proxy server which 
issues its own certificates to browsers, and as he had a new installation it 
may not have had this installed.
If this is the case, then there is another issue with the proxy server settings 
on his laptop.
How to resolve it I don’t know, but I would investigate it.

cheers,

robin
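As an added example (not part of Robin’s message or anything else in this thread), the script below reproduces what an intercepting proxy does to a TLS connection and shows the check that tells “the proxy’s CA is not installed on this machine” apart from a genuine man-in-the-middle. The CA name, hostname and file paths are made up; it needs only openssl.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates a proxy that re-signs sites
# with its own private CA, then shows why a fresh install (proxy CA not
# trusted) gets a certificate warning while a machine with that CA installed
# does not. CA name, hostname and paths are made up for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The school proxy's private root CA (constructed here, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example School Proxy CA" \
  -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.pem" 2>/dev/null

# 2. What the browser receives on the school Wi-Fi: a certificate for the
#    real site name, but signed by the proxy CA instead of a public CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.com" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/proxy-ca.pem" \
  -CAkey "$WORK/proxy-ca.key" -CAcreateserial -days 1 -sha256 \
  -out "$WORK/site.pem" 2>/dev/null

# Print who signed a certificate. A private name here on the school network
# but a public CA at home is the fingerprint of an intercepting proxy.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Validate against the system trust store only, as a freshly installed Mac
# would. A non-zero exit is the "certificate pop-up" case.
verify_against_system() {
  openssl verify "$1" >/dev/null 2>&1
}

# Validate again with the proxy's CA explicitly trusted, which is what
# installing the school's certificate on the laptop achieves.
verify_with_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

echo "issuer seen by the browser: $(cert_issuer "$WORK/site.pem")"
if verify_against_system "$WORK/site.pem"; then
  echo "system trust store: OK (no interception, or the CA is already installed)"
else
  echo "system trust store: FAILED (this is the warning a new install shows)"
fi
if verify_with_ca "$WORK/site.pem" "$WORK/proxy-ca.pem"; then
  echo "with the proxy CA trusted: OK"
fi
```

To run the real check, compare the issuer of a well-known site from the school Wi-Fi and from home with `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer`; a different, private issuer on the school network is the proxy. On the Mac itself, `security find-certificate -a -c "<issuer name>" /Library/Keychains/System.keychain` shows whether that CA has been installed, and `networksetup -getwebproxy Wi-Fi` shows the proxy settings Robin refers to. Pressing Accept on an unexpected certificate prompt is exactly what a man-in-the-middle relies on, so the issuer should be confirmed with the school before it is trusted.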



> On 29 Apr 2017, at 12:32 pm, Ronni Brown <ro...@mac.com> wrote:
> 
> 
> Hi Peter,
> 
> For James to have been infected by OSX.Dok, James would have needed to 
> install it! And he would have to go through quite a number of steps & windows 
> to install it. 
> You have indicated that James is pretty competent in these things, so let’s 
> hope you are correct, as this is a new, very nasty malware and the malware is 
> able to keep root-level permission without continuing to request 
> an admin password.
> ---
> “OSX.Dok comes in the form of a file named Dokument.zip, which is found being 
> emailed to victims in phishing emails. Victims primarily are located in 
> Europe.
> 
> Apple has already revoked the certificate used to sign the app, so, at this 
> point, anyone who encounters this malware will be unable to open the app and 
> unable to be infected by it.
> 
> If the user clicks past this warning to open the app, it will display a 
> warning that the file could not be opened, which is simply a cover for the 
> fact that no document opened:
> 
> Interestingly, this window cannot be dismissed, as the OK button does not 
> respond. Further, the app will remain stuck in this mode for quite some time. 
> If the user becomes suspicious at this point and attempts to force quit the 
> app, it will not show up in the Force Quit Applications window and in 
> Activity Monitor, it will appear as “AppStore.”
> 
> If the user manages to force this “AppStore” app to quit, however, all is not 
> yet okay. The malware dropper will have copied itself onto the /Users/Shared/ 
> folder and added itself to the user’s login items so it will re-open at the 
> next login to continue the process of infecting the machine.
> 
> After several minutes, the app will obscure the entire screen with a fake 
> update notification.
> “OS X Updates Available - A security issue has been identified in a OS X 
> software product etc etc.”
> 
> If James did continue to this stage his Mac is probably infected with this 
> Malware.
> 
> Malwarebytes Anti-Malware for Mac <https://www.malwarebytes.com/mac/> will 
> detect the important components of this malware as OSX.Dok, disabling the 
> active infection. However, when it comes to the other changes that are not 
> easily reversed, which introduce vulnerabilities and potential behavior 
> changes, additional measures will be needed. 
> For people who don’t know their way around in the Terminal and the arcane 
> corners of the system, it would be wise to seek the assistance of an expert, 
> or erase the hard drive and restore the system from a backup made prior to 
> infection.
> 
> Please post back more information from James as to exactly what the 
> details of the below “certificate pop up screen” were, and what happened after he 
> clicked “Accept”.
>>> "certificate pop up come up on screen" to which he pressed Accept
>>> 
> 
> I’m hoping it is not the malware and can be rectified without an erase of the 
> hard drive and restore the system from a previous backup made prior to 
> infection.
> 
> 
> Cheers,
> Ronni
> 
> 13-inch MacBook Air (April 2014)
> 1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
> 8GB 1600MHz LPDDR3 SDRAM
> 512GB PCIe-based Flash Storage
> 
> macOS Sierra 10.12.4
> 
> 
>> On 29 Apr 2017, at 10:33 am, Pat <clamsh...@iinet.net.au> wrote:
>> 
>> There is a report in today’s online news about a new malware targeting Macs 
>> called OSX/Dok. The first symptom is a pop-up message about a new OSX update. 
>> Don’t update! It is a trojan that can bypass Gatekeeper. Apparently it is 
>> signed with a valid developer certificate and attacks all kinds of Mac.
>> 
>> Pat
>> 
>> 
>> 
>>> On 29 Apr 2017, at 08:57, petercr...@westnet.com.au wrote:
>>> 
>>> My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 
>>> since he went on school holidays. He went back to school this week and was 
>>> unable to gain access to the school IT environment using the school wifi. 
>>> He had previously had no problem the last time he was at school, when running 
>>> El Capitan. He called me this morning, as I am FIFO at the moment in sunny 
>>> Hedland, and using FaceTime we proved a few things. He was able to access 
>>> the school IT environment by using the home WIFI network without a hitch. 
>>> This problem therefore arises when he is at school in the school wifi 
>>> environs.
>>> 
>>> He indicated to me when first attempting to connect to the school 
>>> environment via the installed VMware he had a "certificate pop up come up 
>>> on screen" to which he pressed Accept. My suspicion is that has something 
>>> to do with his access problem though may be a Sierra related issue 
>>> potentially. He took it to his school IT team on Friday who said "you need 
>>> to go to the App store and do an update". He told them he is at the latest 
>>> OSX 10.12.4, there is no further update - I think they're fobbing him off 
>>> and copping out because they don't actually know the problem and solution. 
>>> But neither do I, however I admit to it. James is pretty competent in these 
>>> things but we're both stumped right now.
>>> 
>>> Any clues by anyone on similar issues?
>>> 
>>> Regards
>>> 
>>> Pete.
>>> 
>>> 
> 
> -- The WA Macintosh User Group Mailing List --
> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
> Settings & Unsubscribe - 
> <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>
