Thanks Robin, what you've suggested there is quite plausible. I sent an update email in yesterday to WAMUG indicating the proxy settings on his laptop were corrected and this in turn resolved the problem for James, so there is no problem now in that context as was originally raised in this thread. We will also, as recommended by Ronni, run the Malwarebytes Anti-Malware program to be sure rather than not know for sure. I've just thought now too that my other son Timothy, who has not yet updated his OS X (still running Yosemite I think), has not reported any issues with his connection at school, so the proxy settings change _could_ have been a by-product of the Sierra update.
Regards Pete.

----- Original Message -----
From: wamug@wamug.org.au
To: "WAMUG Mailing WAMUG"
Sent: Sat, 29 Apr 2017 18:09:45 +0800
Subject: Re: Macbook Pro Certificates

Pat, Ronni,

While I don’t mean to trivialise the issue of malware and the current, advanced state of infection abilities, I think you might have gone down the wrong rabbit hole here with the malware. What more likely happened was James’ school is running a proxy server which issues its own certificates to browsers and, as he had a new installation, it may not have had this installed. If this is the case then there is another issue with the proxy server settings on his laptop. How to resolve it I don’t know but I would investigate it.

cheers,
robin

On 29 Apr 2017, at 12:32 pm, Ronni Brown wrote:

Hi Peter,

For James to have been infected by OSX.Dok, James would have needed to install it! And he would have to go through quite a number of steps & windows to install it. You have indicated that James is pretty competent in these things, so let's hope you are correct. As this is a new, very nasty malware, and the malware is able to have continued _root-level permission_ without continuing to request an admin password.

---

“OSX.Dok comes in the form of a file named DOKUMENT.ZIP, which is found being emailed to victims in phishing emails. Victims primarily are located in Europe. Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.

_IF THE USER CLICKS PAST THIS WARNING TO OPEN THE APP, IT WILL DISPLAY A WARNING THAT THE FILE COULD NOT BE OPENED, WHICH IS SIMPLY A COVER FOR THE FACT THAT NO DOCUMENT OPENED:_

Interestingly, this window cannot be dismissed, as the OK button does not respond. Further, the app will remain stuck in this mode for quite some time. If the user becomes suspicious at this point and attempts to force quit the app, it will not show up in the Force Quit Applications window and in Activity Monitor, it will appear as “AppStore.” If the user manages to force this “AppStore” app to quit, however, all is not yet okay. The malware dropper will have copied itself onto the /Users/Shared/ folder and added itself to the user’s login items so it will re-open at the next login to continue the process of infecting the machine. After several minutes, the app will obscure the entire screen with a fake update notification.

_“OS X UPDATES AVAILABLE - A SECURITY ISSUE HAS BEEN IDENTIFIED IN A OS X SOFTWARE PRODUCT_ etc etc.”

_If James did continue to this stage his Mac is probably infected with this Malware._

_Malwarebytes Anti-Malware for Mac_ [2] _will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or ERASE THE HARD DRIVE AND RESTORE THE SYSTEM FROM A BACKUP MADE PRIOR TO INFECTION._

Please post back more information from James as to exactly what were the details of the below “certificate pop up screen”? And what happened after he clicked “Accept”?

> "certificate pop up come up on screen" to which he pressed Accept

I’m hoping it is not the malware and it can be rectified without an erase of the hard drive and restore of the system from a previous backup made prior to infection.

Cheers,
Ronni

13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage
macOS Sierra 10.12.4

On 29 Apr 2017, at 10:33 am, Pat wrote:

There is a report in today’s online news about a new malware targeting Macs called OSX/Dok. The first symptom is a pop-up message about a new OSX update. Don’t update! It is a trojan that can bypass Gatekeeper. Apparently it is signed with a valid developer certificate and attacks all kinds of Mac.

Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [4] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 since he went on school holidays. He went back to school this week and was unable to gain access into the school IT environment using the school wifi. He had previously had no problem at the last time in school when running El Capitan. He called me this morning as I am FIFO at the moment in sunny Hedland and using FaceTime we proved a few things. He was able to access the school IT environment by using the home wifi network without a hitch. This problem therefore arises when he is at school in the school wifi environs. He indicated to me that when first attempting to connect to the school environment via the installed VMware he had a "certificate pop up come up on screen" to which he pressed Accept. My suspicion is that this has something to do with his access problem, though it may be a Sierra-related issue potentially. He took it to his school IT team on Friday who said "you need to go to the App Store and do an update". He told them he is at the latest OS X 10.12.4; there is no further update. I think they're fobbing him off and copping out because they don't actually know the problem and solution. But neither do I, however I admit to it. James is pretty competent in these things but we're both stumped right now. Any clues by anyone on similar issues?

Regards Pete.
-- The WA Macintosh User Group Mailing List -- Archives - Guidelines - Settings & Unsubscribe - Links: ------ [1] mailto:ro...@mac.com [2] https://www.malwarebytes.com/mac/ [3] mailto:clamsh...@iinet.net.au [4] mailto:petercr...@westnet.com.au [5] http://www.wamug.org.au/mailinglist/archives.shtml [6] http://www.wamug.org.au/mailinglist/guidelines.shtml [7] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug
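The thread above raises two things a reader in Pete's position would want to check on the laptop itself: the proxy configuration Robin points at, and the persistence indicators in the quoted Malwarebytes description (a dropper copied into /Users/Shared/ and registered as a login item). The script below is an added example, not code from the thread or from Malwarebytes. It assumes macOS with networksetup(1) and osascript(1) available, that the network service is named "Wi-Fi", and that /Users/Shared is the folder of interest (all three overridable through environment variables); the parsing functions take their input as arguments or on stdin so they can be tried against constructed output elsewhere.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: macOS, the
# network service name "Wi-Fi", and /Users/Shared as the folder the quoted
# Malwarebytes text names as the dropper location. Run as the affected user.

SHARED_DIR="${SHARED_DIR:-/Users/Shared}"
SERVICE="${SERVICE:-Wi-Fi}"

# List anything runnable in the shared folder: files with the owner execute
# bit set, or .app bundles, down to two levels. Prints one path per line and
# nothing when the folder is clean or absent. The thread does not name a file,
# so this reports candidates for a human to look at rather than "malware".
scan_shared_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 2 \( -type f -perm -100 -o -type d -name '*.app' \) -print 2>/dev/null
}

# Summarise the output of `networksetup -getwebproxy <service>` read on stdin
# ("Enabled: Yes", "Server: host", "Port: n", ...). Prints
# "manual proxy: SERVER:PORT" when a manual proxy is enabled, otherwise
# "no manual proxy". The "Authenticated Proxy Enabled" line is ignored on
# purpose: the case patterns anchor at the start of the line.
proxy_summary() {
    enabled=""; server=""; port=""
    while IFS= read -r line; do
        case "$line" in
            "Enabled: "*) enabled="${line#Enabled: }" ;;
            "Server: "*)  server="${line#Server: }" ;;
            "Port: "*)    port="${line#Port: }" ;;
        esac
    done
    if [ "$enabled" = "Yes" ]; then
        printf 'manual proxy: %s:%s\n' "$server" "$port"
    else
        printf 'no manual proxy\n'
    fi
}

main() {
    printf '== runnable items in %s ==\n' "$SHARED_DIR"
    scan_shared_dir "$SHARED_DIR"

    # Proxy settings only make sense to query on macOS; skip silently elsewhere.
    if command -v networksetup >/dev/null 2>&1; then
        printf '== web proxy for %s ==\n' "$SERVICE"
        networksetup -getwebproxy "$SERVICE" | proxy_summary
        printf '== secure web proxy for %s ==\n' "$SERVICE"
        networksetup -getsecurewebproxy "$SERVICE" | proxy_summary
        printf '== auto proxy (PAC) for %s ==\n' "$SERVICE"
        networksetup -getautoproxyurl "$SERVICE"
    fi

    # Login items as System Events sees them; a path under /Users/Shared here
    # would match the persistence step described in the quoted text.
    if command -v osascript >/dev/null 2>&1; then
        printf '== login items ==\n'
        osascript -e 'tell application "System Events" to get the path of every login item'
    fi
}

main
```

A manual proxy pointing at a school host, or a PAC URL, explains why a certificate prompt appeared only on the school network: the proxy terminates TLS with its own certificate, and a freshly installed system that has not had the school's CA added will warn on every HTTPS connection through it. Anything the script lists under /Users/Shared or in login items still needs a human to decide whether it belongs there.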