OneMadCow

Everything posted by OneMadCow

  1. That would be a negative. I've tried this and others with the latest build on 10.13.4 and it's not resolving. The only other issue causing might be the end user has FileVault enabled on the MacBook in question. I tried this as "root" (I know, I know) and still didn't elevate or address this issue. Gatekeeper isn't showing the "allow MW to do xyz", either.
  2. I contacted Simon at Obdev (Little Snitch) and asked about his opinion on this. He suggested adding these rules to block against the DNS servers being installed.

     "Thank you for letting us know about this. I will dig somehow deeper into this issue, but after a brief look I can state the following: This malware called OSX/MaMi is an unsigned Mach-O 64-bit executable - that means macOS will warn you when you run this executable, and Little Snitch will warn you in case this unsigned process wants to make any network connections. Still, the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration. Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere. Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.

     The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137. So you could add the following two rules to simply deny any connections for system processes (like the mDNSresponder) to these addresses:

       action: deny
       direction: incoming
       priority: regular
       process: any
       owner: system
       destination: 82.163.142.137, 82.163.143.135
       port: any
       protocol: any
       notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

       action: deny
       direction: outgoing
       priority: regular
       process: any
       owner: system
       destination: 82.163.142.137, 82.163.143.135
       port: any
       protocol: any
       notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

     You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."

     OneMadCow
     Los Angeles
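Added here as an example, not code from the thread or from Little Snitch: a defender-side check that parses the output of `scutil --dns` and flags any resolver pointing at the two addresses quoted in the post above. The parser, the `SAMPLE` text and the function names are constructed assumptions; the live `scutil` call only runs where that tool exists.

```python
import re
import shutil
import subprocess

# Resolver addresses the post above attributes to OSX/MaMi (taken from the post).
MAMI_DNS_IOCS = {"82.163.142.137", "82.163.143.135"}

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text):
    """Return {resolver_number: [nameserver, ...]} from `scutil --dns` style output."""
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers.setdefault(current, [])
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_hijacked(text, iocs=MAMI_DNS_IOCS):
    """List (resolver_number, nameserver) pairs that point at a known-bad address."""
    hits = []
    for num, servers in sorted(parse_scutil_dns(text).items()):
        hits.extend((num, ns) for ns in servers if ns in iocs)
    return hits


def check_live_system(iocs=MAMI_DNS_IOCS):
    """Run scutil on a Mac; returns None where scutil is unavailable (e.g. Linux)."""
    if shutil.which("scutil") is None:
        return None
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return find_hijacked(out, iocs)


# Constructed sample in the shape of `scutil --dns` output, not captured from a real host.
SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
"""

if __name__ == "__main__":
    for num, ns in find_hijacked(SAMPLE):
        print(f"resolver #{num} uses MaMi DNS server {ns}")
```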