Thanks Robin, what you've suggested there is quite plausible. I sent an
update email in to WAMUG yesterday indicating that the proxy settings on
his laptop were corrected and this in turn resolved the problem for
James, so there is no problem now in the context originally raised in
this thread. We will also, as recommended by Ronni, run the Malwarebytes
Anti-Malware program to be sure rather than not know for sure. I've also
just realised that my other son Timothy, who has not yet updated his OSX
(still running Yosemite, I think), has not reported any issues with his
connection at school, so the proxy settings change _could_ have been a
by-product of the Sierra update.

Regards

Pete.

----- Original Message -----
From: wamug@wamug.org.au
To: "WAMUG Mailing WAMUG"
Cc:
Sent: Sat, 29 Apr 2017 18:09:45 +0800
Subject: Re: Macbook Pro Certificates

Pat, Ronni,

While I don’t mean to trivialise the issue of malware and the current,
advanced state of infection abilities, I think you might have gone down
the wrong rabbit hole here with the malware. What more likely happened
was James’ school is running a proxy server which issues its own
certificates to browsers, and as he had a new installation it may not
have had this installed. If this is the case then there is another issue
with the proxy server settings on his laptop. How to resolve it I don’t
know, but I would investigate it.

cheers,
robin

On 29 Apr 2017, at 12:32 pm, Ronni Brown wrote:

Hi Peter,

For James to have been infected by OSX.Dok, James would have needed to
install it! And he would have to go through quite a number of steps &
windows to install it. You have indicated that James is pretty
competent in these things, so let's hope you are correct. This is a new
and very nasty piece of malware, and it is able to retain _root-level
permission_ without continuing to request an admin password.

“OSX.Dok comes in the form of a file named DOKUMENT.ZIP, which is found
being emailed to victims in phishing emails. Victims primarily are
located in Europe.
Apple has already revoked the certificate used to sign the app, so, at
this point, anyone who encounters this malware will be unable to open
the app and unable to be infected by it.
If the user clicks past this warning to open the app, it will display a
warning that the file could not be opened, which is simply a cover for
the fact that no document opened:
Interestingly, this window cannot be dismissed, as the OK button does
not respond. Further, the app will remain stuck in this mode for quite
some time. If the user becomes suspicious at this point and attempts
to force quit the app, it will not show up in the Force Quit
Applications window and in Activity Monitor, it will appear as
“AppStore.”
If the user manages to force this “AppStore” app to quit, however,
all is not yet okay. The malware dropper will have copied itself onto
the /Users/Shared/ folder and added itself to the user’s login items
so it will re-open at the next login to continue the process of
infecting the machine.
After several minutes, the app will obscure the entire screen with a
fake update notification: “OS X UPDATES AVAILABLE - A SECURITY ISSUE
HAS BEEN IDENTIFIED IN A OS X SOFTWARE PRODUCT” etc. etc.

If James did continue to this stage his Mac is probably infected with
this malware.

Malwarebytes Anti-Malware for Mac [2] will detect the important
components of this malware as OSX.Dok, disabling the active infection.
However, when it comes to the other changes that are not easily
reversed, which introduce vulnerabilities and potential behavior
changes, additional measures will be needed. For people who don’t
know their way around in the Terminal and the arcane corners of the
system, it would be wise to seek the assistance of an expert, or
erase the hard drive and restore the system from a backup made prior
to infection.”

Please post back more information from James as to exactly what were
the details of the below “certificate pop up screen”, and what
happened after he clicked “Accept”.

"certificate pop up come up on screen" to which he pressed Accept

I’m hoping it is not the malware and can be rectified without an erase
of the hard drive and restore of the system from a previous backup made
prior to infection.

Cheers,
Ronni

13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4

On 29 Apr 2017, at 10:33 am, Pat wrote:

There is a report in today’s online news about a new malware
targeting Macs called OSX/Dok. The first symptom is a pop-up message
about a new OSX update. Don’t update! It is a trojan that can bypass
Gatekeeper. Apparently it is signed with a valid developer certificate
and attacks all kinds of Mac.
Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [4] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra
10.12.4 since he went on school holidays. He went back to school this
week and was unable to gain access into the school IT environment
using the school wifi. He had previously had no problem the last time
he was at school, when running El Capitan. He called me this morning,
as I am FIFO at the moment in sunny Hedland, and using Facetime we
proved a few things. He was able to access the school IT environment by
using the home WIFI network without a hitch. This problem therefore
arises when he is at school in the school wifi environs.

He indicated to me that when first attempting to connect to the school
environment via the installed VMware he had a "certificate pop up
come up on screen" to which he pressed Accept. My suspicion is that this
has something to do with his access problem, though it may potentially
be a Sierra related issue. He took it to his school IT team on Friday
who said "you need to go to the App store and do an update". He told
them he is at the latest OSX 10.12.4, there is no further update - I
think they're fobbing him off and copping out because they don't
actually know the problem and solution. But neither do I, however I
admit to it. James is pretty competent in these things but we're both
stumped right now.

Any clues by anyone on similar issues?

Regards

Pete.
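The thread offers two explanations for the "certificate pop up": a school proxy re-signing TLS traffic with its own certificate (Robin's reading) versus something on the laptop itself. Below is an added example, not code from the mailing list or from Malwarebytes, showing how a defender can tell the two apart with only the Python standard library: verify a host's certificate chain against the system trust store on the suspect network and on a trusted one (the home Wi-Fi in the thread), and inspect who issued the leaf certificate. The sample certificate dictionaries, the hostname `www.example.com` and the issuer name "School Proxy CA" are constructed for illustration and are not from the thread.

```python
"""Distinguish a public-CA certificate from one minted by a local
TLS-intercepting proxy. Added illustration; not code from the thread."""
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a certificate a public CA issued directly to the site.
PUBLIC_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Inc"),),
        (("commonName", "Example Public CA R3"),),
    ),
}

# Constructed sample: the same subject, re-signed by a hypothetical
# school proxy. The subject is copied from the real site; only the
# issuer reveals the interception.
PROXY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "School Proxy CA"),),),  # hypothetical
}


def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_issuer(cert, expected_issuer_cns):
    """Return 'self-signed', 'expected' or 'unexpected-issuer' for a cert.

    expected_issuer_cns: issuer commonNames recorded for the same host
    from a network you trust. A different issuer on the school network
    is the signature of a proxy re-signing the connection.
    """
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    if subject and subject == issuer:
        return "self-signed"
    if issuer.get("commonName") in expected_issuer_cns:
        return "expected"
    return "unexpected-issuer"


def probe(host, port=443, timeout=5.0):
    """Handshake with host using the system trust store and report the outcome.

    Returns ('ok', issuer_dict) when the chain verifies, or
    ('verify-failed', reason) when it does not. Behind an intercepting
    proxy whose CA is not installed on the machine, the second form is the
    usual result; the same call from a trusted network returns the first.
    Only the TLS handshake is performed; no application data is sent.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", name_to_dict(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed", exc.verify_message


if __name__ == "__main__":
    import sys

    # Offline demonstration on the constructed samples.
    expected = {"Example Public CA R3"}
    print("public cert:", classify_issuer(PUBLIC_CERT, expected))
    print("proxy cert: ", classify_issuer(PROXY_CERT, expected))

    # Live check: run once on the home network and once at school and
    # compare the two results (hostname is a placeholder).
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    status, detail = probe(host)
    print(host, status, detail)
```

Run the script on both networks and compare: a verification failure, or an issuer that differs from the one seen at home, points at a proxy CA rather than at the laptop, which matches the proxy-settings fix Pete reports at the top of the thread. If an organisation's proxy CA has been installed deliberately, `probe` will report "ok" but `classify_issuer` still flags the non-public issuer.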


Links:
------
[1] mailto:ro...@mac.com
[2] https://www.malwarebytes.com/mac/
[3] mailto:clamsh...@iinet.net.au
[4] mailto:petercr...@westnet.com.au
[5] http://www.wamug.org.au/mailinglist/archives.shtml
[6] http://www.wamug.org.au/mailinglist/guidelines.shtml
[7] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug

-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Settings & Unsubscribe - <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>