Apple Blocks Comms-Snooping Malware

Apple has moved to thwart a malware attack that used a legitimate – probably hijacked – developer certificate, by revoking the cert.

Check Point wrote up the malware last week, calling “OSX/Dok” “the first major scale malware to target OSX users via a coordinated email phishing campaign”.

A hapless user who okayed all the stages of infection would end up having all their communications snooped – even HTTPS sessions encrypted with SSL.

The malware installation process included a legitimate-looking “your computer has a security problem” window that opened on top of all other windows, which Check Point captured:

The fake update alert

The fake nagware dialogue

If a user relents and okays the dialogue, the malware gets admin privileges, installs the Brew package manager, installs Tor and SOCAT, and forces the user’s connections through a proxy for snooping. The traffic interception is supported by the Comodo certificate installed by the malware.

According to Kaspersky’s Threatpost, Apple revoked the certificate on Sunday, US time, and also dropped an update to its XProtect anti-malware software. ®

via News ≈ Packet Storm


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s