New Mac Malware Hijacks Web Connections: What to Do

"2018 is barely two weeks old, and already it looks like we've got new piece of macOS malware! Hooray :)"

That's how Apple-focused security researcher Patrick Wardle opened a blog post yesterday (Jan. 11) detailing what Wardle calls "MaMi," a stealthy DNS hijacker that reroutes your internet traffic to possibly malicious websites.

MaMi also has abilities that haven't yet been activated: It can steal passwords, take screenshots, download files and programs, run other pieces of software and inject bogus security certificates.

Check If You're Infected

To see whether your Mac was infected by MaMi, go to System Preferences, click on the Network section and check the IP address of your DNS server. If it's "" or "," then you'll need to change it to something benign, such as Google's or or OpenDNS's 208.67.2222.222 or

Notice we said "was" infected. The MaMi sample that Wardle found deleted itself after changing the DNS settings on his test machine, so even if you found a smoking-gun DNS setting, the malware that did it may be long gone.

MORE: Best Mac Antivirus Software

How to Prevent Infection

To prevent infection by MaMi, use common sense. Every piece of Mac malware found in recent years has required user approval, presumably unwitting, to be installed.

So don't authorize that Adobe Flash Player update, that video player you apparently need to see a clip of a naked celebrity, or that antivirus software that showed up in a pop-up window telling you your Mac was infected. Instead, hold off and get Mac antivirus software straight from the source.

It's not yet known how MaMi (named after a text string Wardle found in the code) infects a Mac, though Wardle suspects "rather lame methods such as malicious email, web-based fake security alerts/popups or social-engineering type attacks." But as of this writing, only one antivirus scanning engine in the online VirusTotal repository detects MaMi through the usual file-matching methods.

How MaMi Malware Works

DNS servers are the phone books of the internet. They match human requests such as "" with network addresses such as "" so that, among other things, you can see this website in your web browser.

DNS hijacking sends a computer to a malicious DNS server that could, for example, send you to an evil version of Tom's Guide that could infect you with even more malware.

It's not clear how widespread MaMi is so far. Wardle was tipped off to it by a posting on a Malwarebytes forum, but didn't explain how he located his own copy. Wardle did point to a website that automatically downloaded the binary to our computer when we connected. (We're using a Windows PC, so the malware didn't do anything to us.)

Best Android Antivirus Software

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.