DNS hijacker malware discovered on Mac systems

Jan 15, 2018 12:59 GMT

Gone are the days when Mac systems were more secure than Windows, and the latest proof is a new piece of malware targeting Apple’s computers that has already been spotted in the wild and, worse, goes undetected by the majority of antivirus solutions.

Called OSX/MaMi, the malware was dissected by security researcher Patrick Wardle, who explains in his technical analysis of the infection that the damage it can do right now is fairly limited, but that future updates could give it far more harmful capabilities on a compromised host.

At the moment, OSX/MaMi is essentially just a DNS hijacker, but Wardle explains that it could gain further malicious capabilities, such as taking screenshots, injecting ads, and stealing credentials, among others.

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads),” he says.

How to remove the malware from a Mac

The malware spreads through the usual phishing methods, such as email attachments or links to pages hosting the malicious download.

Since antivirus solutions do not detect the malware, the easiest way to tell whether a system has been compromised is to check its DNS settings. On an infected Mac, the DNS servers are set to 82.163.143.135 and 82.163.142.137; removing them, along with the malicious certificate the malware installs on a compromised host, is the easiest way to clean the system.

To remove the DNS servers, open System Preferences and go to Network > Advanced > DNS, then delete the two entries listed above.

To remove the malicious certificate, launch the Keychain Access app, select the System keychain in the top-left pane, find the entry named cloudguard.me, then right-click it and choose Delete.
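For administrators who want to check a fleet of Macs rather than click through System Preferences on each one, the following script (added here, not part of the article or of Wardle's analysis) looks for the two indicators named above: the hijacked DNS servers and the cloudguard.me certificate in the System keychain. It assumes macOS with the stock `networksetup` and `security` tools; the cleanup commands in the closing comment are the command-line form of the manual steps described above.

```shell
#!/bin/sh
# Added example: check a Mac for the OSX/MaMi indicators listed in the
# article (the two hijacked DNS servers and the cloudguard.me certificate).
# Assumes macOS with the stock networksetup and security tools.

MAMI_DNS="82.163.143.135 82.163.142.137"   # DNS servers named in the article
MAMI_CERT="cloudguard.me"                  # certificate name from the article
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# mami_dns_hits: read DNS server addresses (one per line) on stdin and print
# the ones matching the MaMi servers. Exit 0 if any matched, 1 if none did.
mami_dns_hits() {
    found=1
    while read -r server; do
        for bad in $MAMI_DNS; do
            if [ "$server" = "$bad" ]; then
                echo "$server"
                found=0
            fi
        done
    done
    return "$found"
}

# scan_mac_for_mami: query every network service's DNS servers and the
# System keychain. Exit 0 if clean, 1 if indicators found, 2 if not on macOS.
scan_mac_for_mami() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found; run on macOS" >&2; return 2; }
    rc=0
    # The first line of the service list is a legend; a leading '*' marks a disabled service.
    hits=$(networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
        while read -r svc; do
            networksetup -getdnsservers "$svc" 2>/dev/null | mami_dns_hits |
                sed "s|^|$svc: hijacked DNS server |"
        done)
    if [ -n "$hits" ]; then
        echo "$hits"
        rc=1
    fi
    # security prints nothing when no certificate matches the common name.
    if [ -n "$(security find-certificate -a -c "$MAMI_CERT" "$SYSTEM_KEYCHAIN" 2>/dev/null)" ]; then
        echo "System keychain: certificate '$MAMI_CERT' present"
        rc=1
    fi
    return "$rc"
}

# Cleanup, the command-line form of the article's manual steps (run as an admin):
#   networksetup -setdnsservers "<service>" empty
#   sudo security delete-certificate -c "$MAMI_CERT" "$SYSTEM_KEYCHAIN"
```

Run `scan_mac_for_mami` on each machine; a non-zero exit status with output flags a host that needs the cleanup steps.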