Is There Really Less Malware for the Mac?

Many people believe that they are much less likely to be bothered by malware if they use a Mac, but is that really true? Unfortunately, no.

According to McAfee Labs, malware attacks on Apple's Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still only a small part of the Mac malware out in the wild.

Today, the malware research team at Check Point disclosed a new piece of fully undetectable Mac malware which, according to them, affects all versions of Mac OS X, has zero detections on VirusTotal and is "signed with a valid developer certificate (authenticated by Apple)."

Dubbed DOK, the malware is being distributed via a coordinated email phishing campaign and, according to the researchers, is the first major-scale malware to target macOS users.

The malware is designed to gain administrative privileges and install a new root certificate on the target system, which lets attackers intercept and gain complete access to all of the victim's communications, including SSL-encrypted traffic.

Almost three months ago, Malwarebytes researchers also discovered a rare piece of Mac-based espionage malware, dubbed Fruitfly, that was used to spy on biomedical research center computers and had remained undetected for years.

Here's How the DOK Malware Works:

The malware is distributed via a phishing email masquerading as a message about supposed inconsistencies in the recipient's tax return, tricking the victim into running an attached malicious .zip file that contains the malware.

Since the malware author is using a valid developer certificate signed by Apple, the malware easily bypasses Gatekeeper, a security feature built into Apple's macOS operating system. Interestingly, the DOK malware is also undetectable by almost all antivirus products.

Once installed, the malware copies itself to the /Users/Shared/ folder and then adds itself as a "loginItem" in order to persist, so that it executes automatically every time the system reboots until it has finished installing its payload.

The malware then creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and that an update is available, for which the user has to enter his or her password.

Once the victim installs the "update", the malware gains administrator privileges on the victim's machine and changes the system's network settings so that all outgoing connections pass through a proxy.

According to the Check Point researchers, "using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT."
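The steps above leave three host-level traces a defender can look for even after the dropper has removed itself: a login item running out of /Users/Shared, a proxy setting the user never configured, and tor/socat formulas installed through brew. The following triage script is an added example (not code from the article or from Check Point) that parses the text printed by the macOS tools `networksetup`, `osascript` and `brew`, so saved output can be checked offline. The sample outputs embedded in it are constructed for the example, the `KNOWN_PAC_HOSTS` allowlist is an assumed organisation-specific value, and flagging loopback PAC URLs is the author's generalisation rather than something the article states.

```python
"""Triage helpers for DOK-style indicators: a login item in /Users/Shared, a
system proxy (PAC URL or manual web proxy) the user did not set up, and the
tor/socat formulas that the article says are installed via brew.  Each check
parses the text the macOS tool prints, so it can run against saved output.
All SAMPLE_* values are constructed for this example, not captures."""

from urllib.parse import urlparse

# Constructed sample: `networksetup -getautoproxyurl Wi-Fi` with a PAC set.
# A clean machine prints "URL: (null)" and "Enabled: No".
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"

# Constructed sample: `networksetup -getwebproxy Wi-Fi` on a clean machine.
SAMPLE_WEBPROXY = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"

# Constructed sample: `brew list` output when piped (one formula per line).
SAMPLE_BREW = "git\nsocat\ntor\nwget\n"

# Constructed sample: osascript 'tell application "System Events" to get the
# path of every login item' prints a comma-separated list of paths.
SAMPLE_LOGIN_ITEMS = "/Applications/Dropbox.app, /Users/Shared/Updater.app\n"

# Assumption: PAC hosts the organisation legitimately uses.  Any other enabled
# PAC URL is reported; loopback hosts are always reported because a PAC served
# from the machine itself is how a local interception proxy is wired in.
KNOWN_PAC_HOSTS = {"proxy.corp.example"}

# Tools the article says DOK installs with brew after gaining admin rights.
DOK_BREW_TOOLS = {"tor", "socat"}


def parse_kv(output: str) -> dict:
    """Parse `Key: value` lines into a dict; the literal `(null)` becomes None."""
    result = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        result[key.strip()] = None if value == "(null)" else value
    return result


def check_autoproxy(output: str) -> list:
    """Report an enabled PAC URL served from loopback or an unknown host."""
    settings = parse_kv(output)
    url = settings.get("URL")
    if not url or settings.get("Enabled") != "Yes":
        return []
    host = urlparse(url).hostname or ""
    if host in ("127.0.0.1", "localhost", "::1"):
        return [f"PAC URL served from loopback: {url}"]
    if host not in KNOWN_PAC_HOSTS:
        return [f"PAC URL from unrecognised host: {url}"]
    return []


def check_webproxy(output: str) -> list:
    """Report a manually configured HTTP proxy that is switched on."""
    settings = parse_kv(output)
    if settings.get("Enabled") == "Yes":
        return [f"manual web proxy enabled: {settings.get('Server')}:{settings.get('Port')}"]
    return []


def check_brew(output: str) -> list:
    """Report tor/socat formulas present in the brew listing."""
    installed = {line.strip() for line in output.splitlines() if line.strip()}
    return [f"brew formula present: {name}" for name in sorted(installed & DOK_BREW_TOOLS)]


def check_login_items(output: str) -> list:
    """Report login items whose bundle lives under /Users/Shared/."""
    paths = (p.strip() for p in output.split(",") if p.strip())
    return [f"login item in shared folder: {p}" for p in paths if p.startswith("/Users/Shared/")]


def triage(autoproxy: str, webproxy: str, brew: str, login_items: str) -> list:
    """Run every check and return the combined list of findings."""
    return (check_autoproxy(autoproxy) + check_webproxy(webproxy)
            + check_brew(brew) + check_login_items(login_items))


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTOPROXY, SAMPLE_WEBPROXY, SAMPLE_BREW, SAMPLE_LOGIN_ITEMS):
        print("FINDING:", finding)
```

On a real machine the four inputs would come from `networksetup -getautoproxyurl <service>`, `networksetup -getwebproxy <service>` (repeated for every service in `networksetup -listallnetworkservices`), `brew list`, and the osascript query named in the comments; none of the findings proves an infection on its own, but a loopback PAC plus tor/socat that nobody remembers installing is worth escalating.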

DOK Deletes Itself after Setting up the Attacker's Proxy

The malware then installs a new root certificate on the infected Mac, which allows the attacker to intercept the victim's traffic using a man-in-the-middle (MitM) attack.
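A root certificate added to the system keychain is the durable artefact of this step, and it is detectable by comparing the keychain's contents against a baseline recorded on a known-clean machine. The script below is an added example, not code from the article or from Check Point: it parses the concatenated PEM that `security find-certificate -a -p /Library/Keychains/System.keychain` prints, fingerprints each certificate (SHA-256 over the DER bytes, the value Keychain Access shows as the SHA-256 fingerprint), and lists anything absent from the baseline. The "certificates" it embeds are built from placeholder bytes so it runs offline; they are not real certificates.

```python
"""Baseline-and-diff check for root certificates in a macOS keychain dump.
Input is the PEM concatenation printed by
  security find-certificate -a -p /Library/Keychains/System.keychain
The PEM blocks built below wrap placeholder bytes (constructed for this
example); a real run would read the command's output from a file instead."""

import base64
import hashlib
import re

# One PEM block; the lazy group captures the base64 body without the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_body: str) -> bytes:
    """Decode a PEM body (line breaks removed) into DER bytes."""
    return base64.b64decode("".join(pem_body.split()))


def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as Keychain Access shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_dump(dump: str) -> set:
    """Set of fingerprints for every certificate in a PEM dump."""
    return {fingerprint(pem_to_der(body)) for body in PEM_BLOCK.findall(dump)}


def new_roots(current_dump: str, baseline: set) -> list:
    """Fingerprints present in the current dump but absent from the baseline."""
    return sorted(fingerprints_from_dump(current_dump) - baseline)


def make_pem(der: bytes) -> str:
    """Wrap bytes in PEM armour (64-column body), mirroring `security -p` output."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for DER-encoded certificates.
SHIPPED_ROOTS = [b"placeholder DER of shipped root A", b"placeholder DER of shipped root B"]
ROGUE_ROOT = b"placeholder DER of a root added after infection"

BASELINE_DUMP = "".join(make_pem(d) for d in SHIPPED_ROOTS)   # recorded when clean
CURRENT_DUMP = BASELINE_DUMP + make_pem(ROGUE_ROOT)           # dump taken later


def demo() -> list:
    """Diff the later dump against the clean baseline; returns the rogue fingerprint."""
    baseline = fingerprints_from_dump(BASELINE_DUMP)
    return new_roots(CURRENT_DUMP, baseline)


if __name__ == "__main__":
    for fp in demo():
        print("certificate not in baseline:", fp)
```

Two caveats for real use: a certificate's presence in the keychain says nothing about its trust settings, which `security dump-trust-settings -d` reports separately, and a root can also be planted in the user's login keychain, so the same diff should be run against `~/Library/Keychains/login.keychain-db` as well.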

"As a result of all of the above actions, when attempting to surf the web, the user's web browser will first ask the attacker web page on TOR for proxy settings," the researchers say.

"The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim's traffic and tamper with it in any way they please."

According to the researchers, almost no antivirus vendor has updated its signature database to detect the DOK OS X malware, since the malware deletes itself once it has modified the proxy settings on the target machine for interception.

Apple can resolve this issue simply by revoking the developer certificate being abused by the malware author.

Meanwhile, users are always advised to avoid clicking links contained in messages or emails from untrusted sources and to pay extra attention before providing their root password.

Reposted from 95cn
