Update: Apple has revoked the developer certificate Dok was signed with, so installing it now triggers the warning that you are about to open a program from an unidentified developer.
Security firm Check Point has published detailed information about a new piece of malware aimed at Mac users. It's being called Dok, and once installed it can intercept the victim's web traffic, including connections to secure (HTTPS) sites. According to Check Point, it affects all versions of OS X.
According to MacWorld, Apple has revoked the certificate, which means you'll get a notification when Dok tries to install itself on your Mac.
Why is Dok such a big deal?
Check Point says that Dok is the first large-scale malware campaign to target OS X users, but that's not the only reason it's a big deal. Dok was also signed with a legitimate Apple developer certificate, which let it get past Gatekeeper without the usual unidentified-developer warning. Apple revoked the certificate on May 1.
How Dok gets in
To put the risk in perspective: this malware isn't something you can pick up just by browsing the web or because your Wi-Fi password is weak. For Dok to infect your Mac, you have to invite it in.
Check Point explains that the initial contact is a phishing email (currently targeted at European users). When the recipient downloads and opens the attachment (called Dokument.ZIP), the malware copies itself onto the Mac and displays a false message saying the file couldn't be opened because it was damaged. It then launches itself (now that the certificate is revoked, this is the point where you'll see the warning that you are installing a program from an unidentified developer, and you can click "Cancel" to stop it) and shows another pop-up claiming there is a new update for your Mac's software, with an "Update All" button right inside the message. Clicking it prompts you for your password.
That's how Dok infects your Mac. You first have to open the suspicious attachment. You then have to act on a prompt that looks nothing like the way Apple delivers updates (Apple doesn't ask you to click "Update All" in a pop-up message). Finally you have to enter your password, which is the real point of attack. Once Dok has your administrator password it can install itself with full privileges, add its own root certificate to your keychain, and quietly route all of your web browsing through a local proxy it controls, so even HTTPS traffic can be read.
How you can protect yourself against Dok
Since this is a phishing attack, avoiding infection is straightforward: don't open attachments you weren't expecting, whoever they appear to come from. If you aren't sure an email is legitimate, look at the attachment's file name; if it's Dokument.ZIP, definitely don't open it. It's also good practice to check the sender's address. If it's something like email@example.com rather than the organization's real domain, delete the message. Be aware, though, that Dok has been sent from spoofed addresses that do look official, so check the attachment name as well, not just the sender.
What if Dok has already infected your Mac?
If you received a suspicious-looking email, opened the attachment called Dokument.ZIP, clicked a suspicious-looking update button, entered your password, and now think you might be infected, there are a few steps you can take to remove the malware.
First, remove the rogue proxy configuration that sends your web traffic through Dok's local proxy.
- Click the Apple Menu icon in the upper left corner of the screen.
- Click System Preferences from the drop down menu.
- Click Network.
- Select your current internet connection (Wi-Fi or Ethernet).
- Click Advanced at the bottom right of the window.
- Select the Proxies tab.
- Select Automatic Proxy Configuration.
- Delete the URL listed there (it begins http://127.0.0.1:5555...), uncheck Automatic Proxy Configuration, then click OK and Apply.
Dok also installs two LaunchAgents in your user Library folder (~/Library/LaunchAgents), named to look like Apple components, so that its proxy comes back after every login. Find and delete them there, then restart your Mac so the running copies stop.
Lastly, delete the rogue root certificate Dok installed in your keychain. It is named to look like a Comodo certificate authority, and it is what lets the proxy intercept HTTPS connections without your browser showing a certificate warning.
- Launch Finder.
- Select Applications.
- Open your Utilities folder.
- Double-click on Keychain Access.
- Select the certificate named COMODO RSA Secure Server CA 2.
- Right or Control + click on the Certificate.
- Select Delete Certificate from the drop down options.
- Select Delete to confirm that you want to delete the certificate.
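The three artifacts the steps above remove can also be checked from Terminal. The Python script below is an added example written for this article, not Check Point's or Apple's code. It parses the output of the macOS networksetup and security command-line tools for an automatic proxy (PAC) URL that points back at the Mac itself and for a certificate named COMODO RSA Secure Server CA 2, and inspects ~/Library/LaunchAgents for items that borrow Apple's com.apple. prefix (Apple's own agents live under /System/Library, so a com.apple.* item in a user's folder is a common persistence disguise). The sample tool outputs, the plist name com.apple.proxy.helper.plist and the program path inside it are constructed for the demo (the real PAC path is elided in the article), and the LaunchAgent name check is a heuristic, not the exact file names Dok used.

```python
"""Triage the three Dok artifacts the removal steps point at: a loopback PAC
proxy URL, user-level LaunchAgents using Apple's com.apple. prefix, and a
rogue CA-named certificate in the keychain.  Example code for this article,
not Check Point's or Apple's.  Samples at the bottom are constructed."""
import os
import plistlib
import re
import shutil
import subprocess
import sys
from urllib.parse import urlparse

ROGUE_CERT_NAME = "COMODO RSA Secure Server CA 2"  # name quoted in the removal steps
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
LABEL_RE = re.compile(r'"labl"<blob>="(.*)"')  # label attribute in `security` dumps


def pac_url_is_suspicious(url):
    """A PAC file served from the local machine means a local process, not
    your network, decides where every browser connection goes."""
    if not url:
        return False
    host = urlparse(url).hostname or ""
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def parse_autoproxy(output):
    """Parse `networksetup -getautoproxyurl <service>` output ("URL: ..." and
    "Enabled: Yes/No" lines); return the URL only when the PAC is enabled."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("Enabled", "").lower() != "yes":
        return None
    url = fields.get("URL", "")
    return None if url in ("", "(null)") else url


def suspicious_launch_agents(plists):
    """plists: iterable of (file name, raw plist bytes) from ~/Library/LaunchAgents.
    Returns (name, Label, program) for items that borrow the com.apple. prefix."""
    findings = []
    for name, raw in plists:
        try:
            plist = plistlib.loads(raw)
        except Exception:  # unreadable plist: still judge it by its file name
            plist = {}
        label = str(plist.get("Label", ""))
        program = plist.get("Program") or " ".join(plist.get("ProgramArguments", []))
        if name.startswith("com.apple.") or label.startswith("com.apple."):
            findings.append((name, label, program))
    return findings


def read_launch_agent_dir(agent_dir):
    """Yield (file name, bytes) for every .plist in agent_dir (nothing if absent)."""
    if not os.path.isdir(agent_dir):
        return
    for name in sorted(os.listdir(agent_dir)):
        if name.endswith(".plist"):
            with open(os.path.join(agent_dir, name), "rb") as fh:
                yield name, fh.read()


def cert_labels(security_output):
    """Certificate labels from `security find-certificate -a [-c name]` output."""
    return LABEL_RE.findall(security_output)


def rogue_cert_present(security_output, name=ROGUE_CERT_NAME):
    return name in cert_labels(security_output)


def run_live_checks():
    """Run all three checks on this Mac and return human-readable findings."""
    if sys.platform != "darwin" or not shutil.which("networksetup"):
        return ["not macOS: live checks skipped"]

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    findings = []
    # First line of -listallnetworkservices is a legend; disabled services carry a leading '*'.
    for svc in run("networksetup", "-listallnetworkservices").splitlines()[1:]:
        svc = svc.lstrip("*")
        url = parse_autoproxy(run("networksetup", "-getautoproxyurl", svc))
        if pac_url_is_suspicious(url):
            findings.append(f"{svc}: PAC URL points at the local machine: {url}")
    agents = read_launch_agent_dir(os.path.expanduser("~/Library/LaunchAgents"))
    for name, label, program in suspicious_launch_agents(agents):
        findings.append(f"LaunchAgent {name} (Label {label!r}) runs: {program}")
    if rogue_cert_present(run("security", "find-certificate", "-a", "-c", ROGUE_CERT_NAME)):
        findings.append(f"keychain holds a certificate named {ROGUE_CERT_NAME!r}")
    return findings


# Constructed samples so the parsers can be exercised off a Mac (not real Dok output).
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"
CLEAN_AUTOPROXY = "URL: (null)\nEnabled: No\n"
SAMPLE_SECURITY_OUTPUT = (
    'keychain: "/Users/demo/Library/Keychains/login.keychain-db"\n'
    "class: 0x80001000\nattributes:\n"
    '    "labl"<blob>="COMODO RSA Secure Server CA 2"\n'
)
SAMPLE_AGENTS = [  # made-up names and paths for the demo
    ("com.apple.proxy.helper.plist", plistlib.dumps(
        {"Label": "com.apple.proxy.helper", "RunAtLoad": True,
         "ProgramArguments": ["/Users/demo/Library/.hidden/proxyhelper"]})),
    ("com.example.updater.plist", plistlib.dumps(
        {"Label": "com.example.updater",
         "Program": "/Applications/Example.app/Contents/MacOS/updater"})),
]

if __name__ == "__main__":
    for line in run_live_checks() or ["no Dok indicators found"]:
        print(line)
```

Run it with `python3 dok_check.py` on the Mac in question; anything it prints deserves a closer look, and the GUI steps above remain the way to remove what it finds. The parsers are kept separate from the live commands so they can be exercised on captured output from another machine.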
Remember best practices for staying safe
It takes several deliberate steps to get infected by Dok, and there are a number of red flags along the way that should tell you something is wrong. Don't open attachments from unknown sources. Don't click on suspicious-looking pop-up messages. Check senders' email addresses to see if they are real. If you stay aware, you can protect yourself from attacks like this one.
If you do, however, end up with malware on your Mac, don't worry. If the steps above seem too complicated, you can call Apple support for help. Someone will be able to walk you through the necessary steps to remove the malware from your Mac.
Lory is a renaissance woman, writing news, reviews, and how-to guides for iMore. She also fancies herself a bit of a rock star in her town and spends too much time reading comic books. If she's not typing away at her keyboard, you can probably find her at Disneyland or watching Star Wars (or both).
I think it's important to reiterate that the thing has to ask permission to infect your Mac. There isn't a new vulnerability here, but it is a fine example of social engineering. To me, this highlights the problem with the Mac App Store. It would be nice if you could get by using just the store, where things are checked and at least somewhat vetted. I can't on Mac; I can on iOS.
I get like 30 attempts to auto install some flash.dmg spam daily. Doesn't happen on Windows on the same sites. I swear I wish there was a way to stop that. Because maybe every few weeks one gets downloaded by accident. I've never clicked on it to install, but still it gets downloaded, which is annoying, and you have to go delete it.
Took long enough for them to revoke it...
Thanks for this article. I generally don't open email attachments unless I'm sure of the sender but it's good to be reminded of the consequences.
You have zero wrist support - that desk looks dangerous for your RSI!