Re: Macbook Pro Certificates

2017-04-28 Thread Ronni Brown

Hi Peter,

For James to have been infected by OSX.Dok, James would have needed to install 
it! And he would have to go through quite a number of steps & windows to 
install it. 
You have indicated that James is pretty competent in these things, so let's hope 
you are correct, as this is a new, very nasty malware, and it is able to 
retain root-level permission without continuing to ask for an admin 
password.
---
“OSX.Dok comes in the form of a file named Dokument.zip, which is found being 
emailed to victims in phishing emails. Victims primarily are located in Europe.

Apple has already revoked the certificate used to sign the app, so, at this 
point, anyone who encounters this malware will be unable to open the app and 
unable to be infected by it.

If the user clicks past this warning to open the app, it will display a warning 
that the file could not be opened, which is simply a cover for the fact that no 
document opened:

Interestingly, this window cannot be dismissed, as the OK button does not 
respond. Further, the app will remain stuck in this mode for quite some time. 
If the user becomes suspicious at this point and attempts to force quit the 
app, it will not show up in the Force Quit Applications window and in Activity 
Monitor, it will appear as “AppStore.”

If the user manages to force this “AppStore” app to quit, however, all is not 
yet okay. The malware dropper will have copied itself onto the /Users/Shared/ 
folder and added itself to the user’s login items so it will re-open at the 
next login to continue the process of infecting the machine.

After several minutes, the app will obscure the entire screen with a fake 
update notification.
“OS X Updates Available - A security issue has been identified in a OS X 
software product etc etc.”

If James did continue to this stage his Mac is probably infected with this 
Malware.

Malwarebytes Anti-Malware for Mac will 
detect the important components of this malware as OSX.Dok, disabling the 
active infection. However, when it comes to the other changes that are not 
easily reversed, which introduce vulnerabilities and potential behavior 
changes, additional measures will be needed. 
For people who don’t know their way around in the Terminal and the arcane 
corners of the system, it would be wise to seek the assistance of an expert, or 
erase the hard drive and restore the system from a backup made prior to 
infection.

Please post back more information from James as to exactly what the details 
of the below “certificate pop up screen” were, and what happened after he 
clicked “Accept”.
>> "certificate pop up come up on screen" to which he pressed Accept
>> 

I’m hoping it is not the malware and can be rectified without erasing the 
hard drive and restoring the system from a previous backup made prior to 
infection.


Cheers,
Ronni

13-inch MacBook Air (April 2014)
1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
8GB 1600MHz LPDDR3 SDRAM
512GB PCIe-based Flash Storage

macOS Sierra 10.12.4


> On 29 Apr 2017, at 10:33 am, Pat  wrote:
> 
> There is a report in today’s online news about a new malware targeting Macs 
> called OSX/Dok. The first symptom is a pop-up message about a new OSX update. 
> Don’t update! It is a trojan that can bypass Gatekeeper. Apparently it is 
> signed with a valid developer certificate and attacks all kinds of Mac.
> 
> Pat
> 
> 
> 
>> On 29 Apr 2017, at 08:57, petercr...@westnet.com.au wrote:
>> 
>> My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 
>> since he went on school holidays. He went back to school this week and was 
>> unable to gain access into the school IT environment using the school wifi. 
>> He had previously had no problem the last time in school when running El 
>> Capitan. He called me this morning as I am FIFO at the moment in sunny 
>> Hedland and using FaceTime we proved a few things. He was able to access the 
>> school IT environment by using the home WIFI network without a hitch. This 
>> problem therefore arises when he is at school in the school wifi environs.
>> 
>> He indicated to me when first attempting to connect to the school 
>> environment via the installed VMware he had a "certificate pop up come up on 
>> screen" to which he pressed Accept. My suspicion is that has something to do 
>> with his access problem though may be a Sierra related issue potentially. He 
>> took it to his school IT team on Friday who said "you need to go to the App 
>> store and do an update". He told them he is at the latest OSX 10.12.4, there 
>> is no further update - I think they're fobbing him off and copping out 
>> because they don't actually know the problem and solution. But neither do I, 
>> however I admit to it. James is pretty competent in these things but we're 
>> both stumped right now.
>> 
>>  
>> Any clues by anyone on similar issues?
>> 
>>  
>> Regards
>> 
>>  
>> Pete.
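Ronni's quoted description above lists the persistence indicators Malwarebytes attributes to OSX.Dok: a dropper copied under /Users/Shared/, a login item that relaunches it at the next login, and a process that shows up in Activity Monitor as "AppStore". The Python below is an added example, not code from this thread, from Malwarebytes or from Apple; it runs those checks over a constructed inventory (a list of login items and running processes) instead of a live Mac, so it runs offline, and the path of the genuine App Store bundle it uses as a baseline is an assumption.

```python
"""Triage helper for the OSX.Dok persistence indicators quoted in the thread.

Added example, not from the mailing list, Malwarebytes or Apple. It works on
constructed inventory data (login items and running processes) rather than the
live system, so it runs anywhere. Indicators taken from the quoted description:
the dropper copies itself under /Users/Shared/, registers itself as a login
item, and appears in Activity Monitor as "AppStore".
"""
from dataclasses import dataclass
import posixpath

SHARED_DIR = "/Users/Shared"
# Assumed location of the genuine App Store bundle on macOS; used only as a
# baseline to tell the real app apart from a process merely named "AppStore".
GENUINE_APP_STORE = "/Applications/App Store.app"


@dataclass(frozen=True)
class LoginItem:
    name: str
    path: str


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    path: str


def under_shared(path):
    """True if the normalised path lives inside /Users/Shared (handles '..' and
    trailing slashes, and does not match look-alike folders such as
    /Users/SharedStuff)."""
    norm = posixpath.normpath(path)
    return norm == SHARED_DIR or norm.startswith(SHARED_DIR + "/")


def suspicious_login_items(items):
    """Login items that launch something stored in the shared folder."""
    return [i for i in items if under_shared(i.path)]


def suspicious_processes(procs):
    """Processes named like the App Store that do not run from its bundle."""
    out = []
    for p in procs:
        name = p.name.replace(" ", "").lower()
        if name == "appstore" and not posixpath.normpath(p.path).startswith(GENUINE_APP_STORE):
            out.append(p)
    return out


def triage(items, procs):
    """Return one human-readable finding per indicator that matched."""
    findings = []
    for i in suspicious_login_items(items):
        findings.append(f"login item '{i.name}' launches from the shared folder: {i.path}")
    for p in suspicious_processes(procs):
        findings.append(f"process {p.pid} named '{p.name}' runs outside the App Store bundle: {p.path}")
    return findings


# Constructed sample inventory, not captured from a real machine.
SAMPLE_LOGIN_ITEMS = [
    LoginItem("iTunesHelper", "/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app"),
    LoginItem("Dokument", "/Users/Shared/Dokument.app"),
]
SAMPLE_PROCESSES = [
    Process(412, "App Store", "/Applications/App Store.app/Contents/MacOS/App Store"),
    Process(9031, "AppStore", "/Users/Shared/Dokument.app/Contents/MacOS/AppStore"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_LOGIN_ITEMS, SAMPLE_PROCESSES):
        print(line)
```

On a real machine the inventory would come from the login items list and a process listing; the point of the checks is that a process name is a weak indicator on its own, so each hit is tied back to the path it runs from before it is reported.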

Re: Macbook Pro Certificates

2017-04-28 Thread petercrisp


Thanks for this, Pat.

Regards

Pete.

- Original Message -
From: wamug@wamug.org.au
To:
Cc:
Sent:Sat, 29 Apr 2017 10:33:37 +0800
Subject:Re: Macbook Pro Certificates

There is a report in today’s online news about a new malware
targeting Macs called OSX/Dok. The first symptom is a pop-up message
about a new OSX update. Don’t update! It is a trojan that can bypass
Gatekeeper. Apparently it is signed with a valid developer certificate
and attacks all kinds of Mac.
Pat

On 29 Apr 2017, at 08:57, petercr...@westnet.com.au [1] wrote:

My son's (James) MacBook Pro (~2011) has been updated to Sierra
10.12.4 since he went on school holidays. He went back to school this
week and was unable to gain access into the school IT environment
using the school wifi. He had previously had no problem the last time
in school when running El Capitan. He called me this morning as I am
FIFO at the moment in sunny Hedland and using FaceTime we proved a few
things. He was able to access the school IT environment by using the
home WIFI network without a hitch. This problem therefore arises when
he is at school in the school wifi environs. 

He indicated to me when first attempting to connect to the school
environment via the installed VMware he had a "certificate pop up
come up on screen" to which he pressed Accept. My suspicion is that
this has something to do with his access problem, though it may
potentially be a Sierra-related issue. He took it to his school IT team on Friday
who said "you need to go to the App store and do an update". He told
them he is at the latest OSX 10.12.4, there is no further update - I
think they're fobbing him off and copping out because they don't
actually know the problem and solution. But neither do I, however I
admit to it. James is pretty competent in these things but we're both
stumped right now. 

Any clues by anyone on similar issues? 

Regards 

Pete.

 -- The WA Macintosh User Group Mailing List --
Archives - 
Guidelines - 
Settings & Unsubscribe - 


Links:
--
[1] mailto:petercr...@westnet.com.au
[2] http://www.wamug.org.au/mailinglist/archives.shtml
[3] http://www.wamug.org.au/mailinglist/guidelines.shtml
[4] http://lists.wamug.org.au/listinfo/wamug.org.au-wamug


Re: Macbook Pro Certificates

2017-04-28 Thread Pat
There is a report in today’s online news about a new malware targeting Macs 
called OSX/Dok. The first symptom is a pop-up message about a new OSX update. 
Don’t update! It is a trojan that can bypass Gatekeeper. Apparently it is 
signed with a valid developer certificate and attacks all kinds of Mac.

Pat



> On 29 Apr 2017, at 08:57, petercr...@westnet.com.au wrote:
> 
> My son's (James) MacBook Pro (~2011) has been updated to Sierra 10.12.4 since 
> he went on school holidays. He went back to school this week and was unable 
> to gain access into the school IT environment using the school wifi. He had 
> previously had no problem the last time in school when running El Capitan. He 
> called me this morning as I am FIFO at the moment in sunny Hedland and using 
> FaceTime we proved a few things. He was able to access the school IT 
> environment by using the home WIFI network without a hitch. This problem 
> therefore arises when he is at school in the school wifi environs.
> 
> He indicated to me when first attempting to connect to the school environment 
> via the installed VMware he had a "certificate pop up come up on screen" to 
> which he pressed Accept. My suspicion is that this has something to do with his 
> access problem, though it may potentially be a Sierra-related issue. He took it 
> to his school IT team on Friday who said "you need to go to the App store and 
> do an update". He told them he is at the latest OSX 10.12.4, there is no 
> further update - I think they're fobbing him off and copping out because they 
> don't actually know the problem and solution. But neither do I, however I 
> admit to it. James is pretty competent in these things but we're both stumped 
> right now.
> 
>  
> Any clues by anyone on similar issues?
> 
>  
> Regards
> 
>  
> Pete.
> 
> 
> 


Macbook Pro Certificates

2017-04-28 Thread petercrisp


My son's (James) MacBook Pro (~2011) has been updated to Sierra
10.12.4 since he went on school holidays. He went back to school this
week and was unable to gain access into the school IT environment
using the school wifi. He had previously had no problem the last time
in school when running El Capitan. He called me this morning as I am
FIFO at the moment in sunny Hedland and using FaceTime we proved a few
things. He was able to access the school IT environment by using the
home WIFI network without a hitch. This problem therefore arises when
he is at school in the school wifi environs. 

He indicated to me when first attempting to connect to the school
environment via the installed VMware he had a "certificate pop up
come up on screen" to which he pressed Accept. My suspicion is that
this has something to do with his access problem, though it may
potentially be a Sierra-related issue. He took it to his school IT team on Friday
who said "you need to go to the App store and do an update". He told
them he is at the latest OSX 10.12.4, there is no further update - I
think they're fobbing him off and copping out because they don't
actually know the problem and solution. But neither do I, however I
admit to it. James is pretty competent in these things but we're both
stumped right now.

 

Any clues by anyone on similar issues?

 

Regards

 

Pete.

