“2018 is barely two weeks old, and already it looks like we’ve got new piece of macOS malware! Hooray :)”
That’s how Apple-focused security researcher Patrick Wardle opened a blog post yesterday (Jan. 11) detailing what Wardle calls “MaMi,” a stealthy DNS hijacker that reroutes your internet traffic to possibly malicious websites.
MaMi also has abilities that haven’t yet been activated: It can steal passwords, take screenshots, download files and programs, run other pieces of software and inject bogus security certificates.
Check If You’re Infected
To see whether your Mac was infected by MaMi, go to System Preferences, click on the Network section and check the IP address of your DNS server. If it’s “22.214.171.124” or “126.96.36.199,” then you’ll need to change it to something benign, such as Google’s 188.8.131.52 or 184.108.40.206 or OpenDNS’s 208.67.2222.222 or 220.127.116.11.
Notice we said “was” infected. The MaMi sample that Wardle found deleted itself after changing the DNS settings on his test machine, so even if you found a smoking-gun DNS setting, the malware that did it may be long gone.
How to Prevent Infection
To prevent infection by MaMi, use common sense. Every piece of Mac malware found in recent years has required user approval, presumably unwitting, to be installed.
So don’t authorize that Adobe Flash Player update, that video player you apparently need to see a clip of a naked celebrity, or that antivirus software that showed up in a pop-up window telling you your Mac was infected. Instead, hold off and get Mac antivirus software straight from the source.
It’s not yet known how MaMi (named after a text string Wardle found in the code) infects a Mac, though Wardle suspects “rather lame methods such as malicious email, web-based fake security alerts/popups or social-engineering type attacks.” But as of this writing, only one antivirus scanning engine in the online VirusTotal repository detects MaMi through the usual file-matching methods.
How MaMi Malware Works
DNS servers are the phone books of the internet. They match human requests such as “www.tomsguide.com” with network addresses such as “18.104.22.168” so that, among other things, you can see this website in your web browser.
DNS hijacking sends a computer to a malicious DNS server that could, for example, send you to an evil version of Tom’s Guide that could infect you with even more malware.
It’s not clear how widespread MaMi is so far. Wardle was tipped off to it by a posting on a Malwarebytes forum, but didn’t explain how he located his own copy. Wardle did point to a website that automatically downloaded the binary to our computer when we connected. (We’re using a Windows PC, so the malware didn’t do anything to us.)
This story originally appeared on Tom’s Guide.