[MacTUG] OSX/MaMi Malware Hijacks DNS, Takes Screenshots, More - The Mac Observer

Mike Patterson mpatterson at uwaterloo.ca
Wed Jan 17 10:52:28 EST 2018


Earlier this week I started looking to see if I saw DNS queries directed towards those servers; I saw some UDP 53 netflows, but couldn't find corroborating DNS query logs. I'll dig into it again as best I can.

Mike

-- 
Mike Patterson - Manager, Information Security Operations
Information Security Services, University of Waterloo
+1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca
Security Operations Centre x41125 / soc at uwaterloo.ca

> On Jan 17, 2018, at 9:38 AM, m3griffi <m3griffi at uwaterloo.ca> wrote:
> 
> This is unlikely in our environment but better safe than sorry.
> 
> Marlon
> 
> """
> It’s easy to tell if you’ve been hit with OSX/MaMi by checking the DNS entries on your Mac. You can do that by going to Apple menu > System Preferences, then do this:
> 
>    Select Network
>    Click Advanced
>    Choose the DNS tab
>    Look for 82.163.143.135 and 82.163.142.137
> 
> If you see either of those IP addresses your Mac has been hit with OSX/MaMi. It’s unclear right now which files need to be removed from your Mac to remove the threat. Changing the DNS entries to something else, like Google’s 8.8.8.8, seems to fix the problem for now.
> 
> As always, you can minimize the risk of installing the malware by avoiding websites you don’t trust, not clicking on pop-ups or other alerts on webpages, and not clicking links in email messages from people you don’t know.
> 
> https://www.macobserver.com/news/osx-mami-malware-hijacks-dns/
> """
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
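The DNS-settings check quoted above, scripted so it can be run across a fleet instead of clicked through in the System Preferences pane. This is an added example, not code from the thread or the article; it assumes macOS's networksetup and scutil commands, and the two indicator addresses are the ones the article names.

```shell
#!/bin/sh
# Added example, not from the thread or the article. Checks the DNS
# resolvers a Mac is using against the two OSX/MaMi addresses named in
# the quoted Mac Observer text.
MAMI_DNS="82.163.143.135 82.163.142.137"

# Read one resolver IP per line on stdin; print each one that matches an
# indicator. Exit status 0 means clean, 1 means an indicator was found.
check_dns_servers() {
    found=0
    while IFS= read -r ip; do
        for ioc in $MAMI_DNS; do
            if [ "$ip" = "$ioc" ]; then
                echo "MATCH: resolver $ip is an OSX/MaMi indicator"
                found=1
            fi
        done
    done
    return $found
}

# Collect resolvers on macOS two ways: per-service settings (networksetup,
# the same data as the System Preferences pane) and what the resolver is
# actually using (scutil --dns, which also shows DHCP-supplied entries).
# Only IPv4 is kept, since both indicators are IPv4.
scan_mac() {
    {
        networksetup -listallnetworkservices 2>/dev/null | tail -n +2 |
            while IFS= read -r svc; do
                networksetup -getdnsservers "$svc" 2>/dev/null
            done
        scutil --dns 2>/dev/null | awk '/nameserver\[/ { print $3 }'
    } | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u | check_dns_servers
}

# Run check_dns_servers over a newline-separated list passed as an argument,
# so the matching logic can be exercised off a Mac with constructed input.
check_list() {
    printf '%s\n' "$1" | check_dns_servers
}

# Constructed samples: one as an infected Mac would report, one clean.
SAMPLE_INFECTED="8.8.8.8
82.163.143.135"
SAMPLE_CLEAN="8.8.8.8
1.1.1.1"

if [ "$(uname)" = "Darwin" ]; then
    scan_mac && echo "No OSX/MaMi DNS indicators found."
fi
```

Because scutil --dns reports the resolvers actually in use, this also catches a hijacked resolver that was supplied by DHCP rather than typed into the pane.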