Learn how the OSX/Dok Mac malware spreads, how it manifests itself when inside a machine, what objectives it pursues, and how to remove it from infected Mac.
Prior to the emergence of OSX/Dok menace, Mac malware overall had not been nearly as much of an issue. Also referred to as OSX.Dok, this stealth and highly harmful application poses a serious threat to a victim’s privacy. It is involved in a large-scale identity theft scheme via intercepting one’s online traffic. With this whole sophistication in place, the baddie spreads in an old school way. In particular, it is mostly making the rounds in Europe with deceptive email messages impersonating tax administration. The contagion proper is a file named Dokument.zip enclosed in these phishing emails. When an unwary recipient tries to open this file, a dialog prompt actually says it’s an application rather than a document. However, not everyone reads those popups, so chances are the malicious app is fired up.
The further attack chain engages another alert that says the file may be damaged. No matter how many times the victim clicks the OK button, it won’t go away for a while. This is a trick aimed at distracting the user from the bad things going on backstage. The malware adds a new rogue application called “AppStore” to the Users/Shared/ folder and login items to make sure it is launched upon every Mac machine startup. This process is followed by a spoof “OS X Updates Available” message occupying the whole screen. It says, “A security issue has been identified in a OS X software product that could affect your system.” Having clicked the “Update All” button on there, the plagued person will be presented with an authentication prompt on behalf of the phony AppStore program requesting the administrator password. If the password is entered, OSX/Dok gets root privileges on the system.
The next phase of the compromise revolves around installing a number of tools onto the target Mac. The first one is a command-line setup solution called Homebrew. The latter then downloads and installs some additional utilities, including Socat and Tor. There is a strong reasoning behind OSX.Dok doing this – it leverages said tools to route all of the victim’s regular and SSL-protected Internet traffic via a malicious server operated by the crooks in charge. These changes can be seen under Network – Proxies, where the proxy configuration value defaults to a wrong URL. To enhance its interference with web surfing and man-in-the-middle attacks, the malware also adds a new valid root certificate called “COMODO RSA Extended Validation Secure Server CA 2” and installs two LaunchAgents, com.apple.Safari.proxy.plist and com.apple.Safari.pac.plist.
At the end of the day, OSX/Dok gets sufficient privileges to harvest the victim’s personally identifiable data (PID) online, including passwords they type on sites, and manipulate proxy settings to inconspicuously substitute genuine web pages with malicious replicas. Although troubleshooting isn’t easy in this case, you can remove the malware by sticking to the following step-by-step removal tutorial.
OSX/Dok manual removal for Mac
The steps listed below will walk you through the removal of this malicious application. Be sure to follow the instructions in the order specified.
• Open up the Utilities folder as shown below
• Locate the Activity Monitor icon on the screen and double-click on it
• Under Activity Monitor, find com.apple.Safari.pac.plist, com.apple.Safari.proxy.plist (or other dubious-looking objects), select them and click Quit Processfor each
• A dialog should pop up, asking if you are sure you would like to quit the above LaunchAgents files. Select the Force Quit option
• Click the Go button again, but this time select Applications on the list. Find the entries for Homebrew, Socat, and Tor on the interface, right-click on them and select Move to Trash. If user password is required, enter it
• Now go to Apple Menu and pick the System Preferences option
• Select Accounts and click the Login Items button. Mac OS will come up with the list of the items that launch when the box is started up. Locate com.apple.Safari.pac.plist, com.apple.Safari.proxy.plist or other suspicious entries there and click on the “-“ button
Get rid of OSX.Dok virus using Freshmac automatic removal tool
When confronted with malicious code like the OSX.Dok virus, you can neutralize its toxic impact by leveraging a specially crafted system utility. The Freshmac application (read review) is a perfect match for this purpose as it delivers essential security features along with must-have modules for Mac optimization.
This tool cleans unneeded applications and persistent malware in one click. It also protects your privacy by eliminating tracking cookies, frees up disk space, and manages startup apps to decrease boot time. On top of that, it boasts 24/7 tech support. The following steps will walk you through automatic removal of the OSX.Dok virus.
1. Download Freshmac installer onto your machine. Double-click the Freshmac.pkg file to trigger the installer window, select the destination disk and click Continue. The system will display a dialog asking for your password to authorize the setup. Type the password and click Install Software.
2. Once the installation has been completed, Freshmac will automatically start a scan consisting of 5 steps. It scans cache, logs, unused languages, trash, and checks the Mac for privacy issues.
3. The scan report will then display your current system health status and the number of issues detected for each of the above categories. Click the Fix Safely button to remove junk files and address privacy issues spotted during the scan.
4. Check whether the OSX/Dok virus problem has been fixed. If the lock screen is still there, go to the Uninstaller option on Freshmac GUI. Locate an entry that appears suspicious, select it and click Fix Safely button to force-uninstall the unwanted application.
5. Go to Temp and Startup Apps panes on the interface and have all redundant or suspicious items eliminated as well. The OSX/Dok virus shouldn’t be causing any further trouble.