OneMadCow
Posts posted by OneMadCow
I contacted Simon at Obdev (Little Snitch) and asked about his opinion on this. He suggested adding these rules to block against the DNS servers being installed.
"thank you for letting us know about this. I will dig somehow deeper into this issue, but after a brief look I can state the following:

This malware called OSX/MaMi is an unsigned Mach-O 64-bit executable - that means, macOS will warn you when you run this executable and Little Snitch will warn you in case this unsigned process wants to make any network connections.

Still - the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration.

As Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses, this rule allows mDNSResponder to connect anywhere. Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.

The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137. So you could add the following two rules to simply deny any connections for system processes (like the mDNSResponder) to these addresses:

action: deny
direction: incoming
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

action: deny
direction: outgoing
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."

OneMadCow, Los Angeles
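A check for the DNS change the reply describes, added here as an example (it is not from the post, from Obdev or from Little Snitch): it parses `scutil --dns` output and flags any resolver that points at the two addresses quoted above. The embedded `scutil --dns` text is a constructed sample so the script runs offline; on macOS it runs the real command instead.

```python
import re
import subprocess
import sys

# Resolver addresses the quoted reply attributes to OSX/MaMi.
MAMI_DNS_SERVERS = frozenset({"82.163.142.137", "82.163.143.135"})

# Constructed sample of `scutil --dns` output: resolver #1 has been
# repointed at the MaMi addresses, resolver #2 is an ordinary mDNS scope.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 82.163.142.137
  nameserver[1] : 82.163.143.135
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""


def parse_resolvers(scutil_output):
    """Map resolver number -> list of nameserver IPs from `scutil --dns` text."""
    resolvers = {}
    current = None
    for line in scutil_output.splitlines():
        m = re.match(r"resolver #(\d+)", line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = re.match(r"\s*nameserver\[\d+\]\s*:\s*(\S+)", line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_hijacked(scutil_output, bad_servers=MAMI_DNS_SERVERS):
    """Return [(resolver_no, ip)] for every configured nameserver in bad_servers."""
    hits = []
    for num, servers in sorted(parse_resolvers(scutil_output).items()):
        hits.extend((num, ip) for ip in servers if ip in bad_servers)
    return hits


if __name__ == "__main__":
    if sys.platform == "darwin":  # live check on macOS
        text = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    else:  # elsewhere, demonstrate on the constructed sample
        text = SAMPLE_SCUTIL_DNS
    for num, ip in find_hijacked(text):
        print(f"resolver #{num} uses known OSX/MaMi DNS server {ip}")
```

The rules in the reply stop traffic to those servers; this check tells you whether the resolver configuration was actually changed, which is the condition under which Little Snitch's mDNSResponder allow rule would otherwise stay silent.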
Background Service is Offline
in Malwarebytes for Mac Support Forum
Posted
That would be a negative. I've tried this and others with the latest build on 10.13.4 and it's not resolving. The only other thing that might be causing it is that the end user has FileVault enabled on the MacBook in question. I tried this as "root" (I know, I know) and it still didn't elevate or address this issue. Gatekeeper isn't showing the "allow MW to do xyz" prompt, either.