
Trojans still Greek to Mac Users


CNET staff

Although the infamous DNSChanger (also known as OSX.RSPLUG or perhaps osx.trojan-2) has been circulating the Internet for some time, people are still experiencing the effects from its devious ruse. The following article is a breakdown of what the DNSChanger trojan does and what you can do to keep your Mac safe. A recent MacFixIt forum thread unveiled the "osx.trojan-2" file in an external hard drive containing files downloaded from LimeWire.

Esteemed MacFixIt forum moderator joemikeb suggests:

"I just searched every AV site I know of and found no references to osx.trojan-2. My guess is this is ClamX AV's name for what is commonly called the DNSChanger trojan that redirects your internet traffic to illicit DNS servers in Russia or China, and those servers in turn do things like capturing your personal information and redirecting your query to false or otherwise illicit web sites."

About DNSChanger
As joemikeb writes, common symptoms of this trojan are found primarily in Internet surfing. Web sites may often be redirected to another site, usually containing advertising or pornography. You may also experience an inordinate number of pop-up advertising, again displaying pornography or pill-based enhancement products. Finally, your overall Web surfing experience may be extremely slowed.

Where DNSChanger comes from
This trojan has been linked to Web sites containing video content that requires the user to install a codec in order to view the media. This tactic primarily exists on pornography Web sites, though it is certainly not limited to them. When people install the supposed codec, the trojan gains access to the DNS settings and is able to redirect Internet traffic through remote servers that are able to access your personal data and other information for use in identity theft scams.

How to avoid the DNSChanger and other trojans
Although any content that you download has the possibility of containing malicious software, a few widely regarded practices will generally keep you free from having to deal with anything like the DNSChanger trojan.

1. Stay away from suspect and untrusted Web sites, especially pornography sites.
2. Check out what you're downloading. Mac OS X asks you for your administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legitimate. If you cannot determine whether the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing that program.
3. Use an antivirus program. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.
4. Use Mac OS X's built-in Firewalls and other security features.
5. Stop using LimeWire. Please stop! LimeWire and other peer-to-peer sharing applications are hotbeds of potential software issues waiting to happen to your Mac. Everything from changed permissions to trojans and other malicious software can be acquired through these applications.

Get rid of DNSChanger if you already have it
If you believe you may have the DNSChanger trojan, check out:
This is a freeware scan that will determine if you have the trojan and remove it if you do. There's also great information on SecureMac.

Resources
F-Secure provides a visually enhanced description of how DNSChanger infects your Mac.
Read the MacFixIt forum thread describing some recent trojan activity.

UPDATE: New Mac malware - OSX/RSPlug-F
On March 20, 2009, Sophos began detecting a new Trojan horse, OSX/RSPlug-F. This trojan acts in a similar fashion to the DNSChanger but is activated slightly differently. The malware is a product of social engineering, depending on the naivety of unsuspecting users looking to download a program they feel will be useful to them. The websites look and feel legitimate, as do the products. Once the user clicks to download, the trojan is fetched from a remote download server and the infection begins. OSX/RSPlug-F will look to change your DNS server settings, which could lead to your Internet traffic being redirected through malicious servers.
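Both the original DNSChanger writeup above and this RSPlug-F update describe the same end state: the Mac's resolver configuration points at servers the user never chose. The quickest integrity check a Mac owner can run is therefore to compare the resolvers the system is actually using against an allow list of the ones they expect. The script below is an added example and is not code from the CNET article, from Sophos, or from any of the AV vendors mentioned; it parses the output of Apple's `scutil --dns` command, and the sample output, the allow list and the RFC 5737 documentation addresses in it are constructed so it runs offline on any platform.

```python
"""Flag DNS resolvers that are not on an expected allow list.

Added example (not from the article): DNSChanger-style trojans work by
pointing the Mac's resolver configuration at attacker-controlled servers,
so a simple detection is to compare the resolvers the system is using
against the ones you expect (your router, your ISP, or a public resolver
you picked yourself). On a Mac the live configuration comes from
`scutil --dns`; the sample below is constructed so the check runs offline.
"""
import ipaddress
import re
import subprocess
from typing import List, Set

# Constructed sample of `scutil --dns` output. nameserver[1] was written to
# hold an address that is NOT on the allow list below, to show a detection.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.53
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

# Resolvers you expect to see. Constructed for the example: a home router
# plus a hypothetical ISP resolver. Replace with your own network's values.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "203.0.113.10"}

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output: str) -> List[str]:
    """Return every nameserver IP in `scutil --dns` output, in order, de-duplicated."""
    seen: List[str] = []
    for match in NAMESERVER_RE.finditer(scutil_output):
        addr = match.group(1)
        try:
            ipaddress.ip_address(addr)  # ignore anything that is not a literal IP
        except ValueError:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(scutil_output: str, expected: Set[str]) -> List[str]:
    """Return configured resolvers that are absent from the allow list."""
    return [addr for addr in parse_nameservers(scutil_output) if addr not in expected]


def read_live_config() -> str:
    """Run `scutil --dns` on a Mac; return '' on any other platform or on failure."""
    try:
        result = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True)
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    # Use the live configuration when available, otherwise the constructed sample.
    config = read_live_config() or SAMPLE_SCUTIL_DNS
    rogue = unexpected_resolvers(config, EXPECTED_RESOLVERS)
    if rogue:
        print("Resolvers not on the allow list (investigate):", ", ".join(rogue))
    else:
        print("All configured resolvers are on the allow list.")
```

Run on a Mac, the script reads the live configuration; anywhere else it falls back to the constructed sample and reports `198.51.100.53`. A resolver you do not recognise is not proof of infection by itself (ISPs and VPN clients change resolvers legitimately), but it is exactly the symptom both trojans leave behind, and it is the first thing to check before the browser-level symptoms described earlier, redirects and pop-ups, are blamed on something else. The per-interface view from `networksetup -getdnsservers <service name>` is a useful cross-check, since a trojan that edits one layer of the configuration may leave the other untouched.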

Resources
For more on the OSX/RSPlug-F (including a video demonstration of how the Trojan works), check out Sophos security expert Graham Cluley's blog.
For more information about the OSX/RSPlug-F, check out this Sophos analysis page.
Read Intego's The Mac Security Blog post about the OSX/RSPlug-F.

