“‘2018 is barely two weeks old, and already it looks like we’ve got new piece of macOS malware! Hooray :),'” Paul Wagenseil reports for LAPTOP. “That’s how Apple-focused security researcher Patrick Wardle opened a blog post yesterday (Jan. 11) detailing what Wardle calls ‘MaMi,’ a stealthy DNS hijacker that reroutes your internet traffic to possibly malicious websites. MaMi also has abilities that haven’t yet been activated: It can steal passwords, take screenshots, download files and programs, run other pieces of software and inject bogus security certificates.”
“To see whether your Mac was infected by MaMi, go to System Preferences, click on the Network section and check the IP address of your DNS server. If it’s ‘82.163.143.135’ or ‘82.163.142.137,’ then you’ll need to change it to something benign, such as Google’s 8.8.8.8 or 8.8.4.4 or OpenDNS’s 208.67.2222.222 or 208.67.220.220,” Wagenseil reports. “Notice we said ‘was’ infected. The MaMi sample that Wardle found deleted itself after changing the DNS settings on his test machine, so even if you found a smoking-gun DNS setting, the malware that did it may be long gone.”
“To prevent infection by MaMi, use common sense. Every piece of Mac malware found in recent years has required user approval, presumably unwitting, to be installed,” Wagenseil reports. “So don’t authorize that Adobe Flash Player update, that video player you apparently need to see a clip of a naked celebrity, or that antivirus software that showed up in a pop-up window telling you your Mac was infected.”
Read more in the full article here.
MacDailyNews Take: Check your DNS settings ASAP!
Note: Apple Airport users on Wi-Fi can use their Mac’s AirPort Utility to see their routers’ DNS server addresses by clicking/tapping “Internet.”
Before reading the story, I’m going to assume that the user has to do some “thing” in order to be impacted. I’ll be impressed if that’s not the case 🙂
Ah, yes, once again, malware that requires you to be a part of the delivery vector. 🙂
For the hyper-security minded, I highly recommend DNSCrypt. I haven’t run into any bugs in the latest version. It’s a great way to automatically encrypt your DNS server connections and make certain your Mac is set to use verified SAFE DNS server addresses.
https://en.wikipedia.org/wiki/DNSCrypt
https://www.dnscrypt.org/
Where is old Yecheng located? If he in Chine, no thank you.
Why am I not able to access the dnscrypt.org site?
I’m getting the error message, “The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.”
Yikes! My guess is that someone forgot to renew the web address license. It’s now ‘under new management’.
Use this address at OpenDNS:
https://www.opendns.com/about/innovations/dnscrypt/
MDN, your note is incorrect. If the Mac has had its DNS servers changed –either manually or by malware–, it doesn’t matter what DNS servers your APBS/router is set to, the affected computer does not query the router in that case.
I took it to mean in addition to, not instead of checking your Mac.
It’s completely unrelated– this reported malware has nothing to do with AirPort Extreme Base Stations, they are not affected by this, and most importantly, checking your router’s DNS settings is no help in diagnosing whether you have this malware in your Mac, which is what the comment implied. I have no idea why anyone would vote my comment down, I was just correcting the info as a service to other readers.
It’s time to change the word malware to morware or moron ware.
They don’t even have to try hard anymore. One security researcher set it up so that people would see an ad that said your computer is not infected, click OK to install virus. And people would do it!
When the malware requires you to take several active steps in order to enable it, it’s not really malware, it’s just social engineering in the form of software.
chumpware
Two points here:
1. You want to go to your **router** and put in a new rule for outbound traffic. Map the rogue DNS IP addresses to legitimate ones so in case you are infected the ploy will not work. Better yet, map them to localhost, 127.0.0.1 so you will be alerted to this when all your web connections stop working.
2. Google is not “benign”. No way I am letting the Google data harvesting beast know what sites I am visiting from my fixed IP address!