OneMadCow

Posts posted by OneMadCow

  1. On 8/31/2017 at 10:54 AM, treed said:

    I think that we may have found the root of the problem, although we're still not sure exactly what caused it.

    It looks like folks have their system keychain set to an unusual "restricted" mode, which is related to the System Integrity Protection feature in macOS, and which should NOT be set for the system keychain.

    That would be a negative. I've tried this and others with the latest build on 10.13.4 and it's not resolving. The only other thing that might be causing it is that the end user has FileVault enabled on the MacBook in question. I tried this as "root" (I know, I know) and it still didn't elevate or address this issue. Gatekeeper isn't showing the "allow MW to do xyz", either.

  2. I contacted Simon at Obdev (Little Snitch) and asked about his opinion on this. He suggested adding these rules to block against the DNS servers being installed.

    "

    thank you for letting us know about this.
     
    I will dig somewhat deeper into this issue, but after a brief look I can state the following:
     
    This malware called OSX/MaMi is an unsigned Mach-O 64-bit executable - that means, macOS will warn you when you run this executable and Little Snitch will warn you in case this unsigned process wants to make any network connections.
     
    Still - the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration.
     
    Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere.
     
    Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.
     
    The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137.
     
    So you could add the following two rules to simply deny any connections for system processes (like mDNSResponder) to these addresses:
     
     
    action: deny
    direction: incoming
    priority: regular
    process: any
    owner: system
    destination: 82.163.142.137, 82.163.143.135
    port: any
    protocol: any
    notes: These IP addresses are used as DNS Servers for the macOS MaMi malware
     
    action: deny
    direction: outgoing
    priority: regular
    process: any
    owner: system
    destination: 82.163.142.137, 82.163.143.135
    port: any
    protocol: any
    notes: These IP addresses are used as DNS Servers for the macOS MaMi malware
     
     
    You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."
     
    OneMadCow
    Los Angeles
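The Little Snitch rules above block traffic to the two addresses once they are in place, but they do not tell you whether the DNS change has already happened on a given Mac. As an added example (not part of this thread, and not Objective Development's or Malwarebytes' code), here is a POSIX shell check that looks for those two addresses in the resolver configuration. It parses the `nameserver[N] : address` lines that macOS's `scutil --dns` prints; the two sample outputs embedded in the script are constructed for offline testing, not real captures, and the live check only runs when `scutil` is present.

```shell
#!/bin/sh
# Added example: detect whether the MaMi-associated DNS server addresses quoted in
# the thread are configured as resolvers. Runs offline against constructed samples
# and, on macOS, against the live `scutil --dns` output.

# The two addresses the thread quotes as MaMi's DNS servers.
MAMI_DNS_IOCS="82.163.143.135 82.163.142.137"

# Constructed sample of `scutil --dns` output (not a real capture) with the IOCs set.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  flags    : Request A records
  reach    : 0x00000002 (Reachable)'

# Constructed clean sample: a typical router-supplied resolver, no IOCs.
CLEAN_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  flags    : Request A records'

# mami_dns_hits: read scutil-style text on stdin and print each distinct nameserver
# that matches an IOC, one per line. Prints nothing when the configuration is clean.
mami_dns_hits() {
  awk -v iocs="$MAMI_DNS_IOCS" '
    BEGIN { n = split(iocs, list, " "); for (i = 1; i <= n; i++) bad[list[i]] = 1 }
    /nameserver\[[0-9]+\]/ { ip = $NF; if ((ip in bad) && !seen[ip]++) print ip }
  '
}

# mami_dns_hit_count: number of distinct IOC nameservers in scutil-style text on stdin.
mami_dns_hit_count() {
  mami_dns_hits | wc -l | tr -d ' '
}

# scan_live_dns: on macOS, query the live resolver configuration and report.
# Returns 1 when an IOC address is configured, 0 when clean or when scutil is absent.
scan_live_dns() {
  if ! command -v scutil >/dev/null 2>&1; then
    echo "scutil not found (not macOS); live check skipped" >&2
    return 0
  fi
  hits=$(scutil --dns | mami_dns_hits)
  if [ -n "$hits" ]; then
    echo "WARNING: MaMi-associated DNS servers are configured:"
    echo "$hits"
    return 1
  fi
  echo "No MaMi-associated DNS servers configured."
  return 0
}

# Usage: show the hits on the constructed sample, then run the live check.
echo "Hits in constructed sample:"
printf '%s\n' "$SAMPLE_SCUTIL" | mami_dns_hits
scan_live_dns
```

A non-zero exit from `scan_live_dns` is a convenient hook for a login script or an MDM compliance check. Because `scutil --dns` reflects what the resolver is actually using (including settings pushed by a profile or a DHCP lease), it catches the change regardless of how MaMi applied it; per-interface settings can be cross-checked with `networksetup -getdnsservers <service>` if you want to know which service to reset.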