DNSchanger Trojan horse malware causes slow surfing in Mac OS X

Several users have noticed that their web browsing has become exceptionally slow, especially when compared to other computers on the same network which seem to browse at normal speeds.

CNET staff

Apple Discussions poster Roippeli writes:

"My Internet used to work fine on my mac, until today. I don't know what it is. I used to run both connections (to mac/pc) via D-Link DI-524 and the connection worked fine. Today my PC-Internet was working fabulous, but at the same time my mac was struggling. It took a very long time to connect even to apple.com 1-2 minutes. Some sites it couldn't even load. I took the d-link router away and connected the mac straightly to my wlan-modem/ethernet box, but the problem stayed."

In addition, for some users with Boot Camp or virtualization software installed, browsing in Windows appears to be normal, which indicates that something is wrong in Mac OS X. While some users had recently installed the Mac OS X 10.5.5 update, others started experiencing the problem a week or so after applying the update. Users have tried repairing permissions, resetting the computer's PRAM, resetting Safari, and booting into Safe Mode, but nothing seems to have worked.

This problem is a DNS issue, and for some users it could be caused by a known Trojan horse malware package called "DNSChanger" (also known as "OSX.RSPlug"). This trojan alters the DNS settings of the active network connection and keeps reverting them even if users change them manually. It is likely picked up when users attempt to play certain QuickTime movies that claim a codec must be installed to watch the film. Upon installing the "codec," the user infects the system and its DNS settings get changed, resulting in bogged-down Internet access while the system uses the wrong DNS servers to resolve host names.

As a warning to users, this trojan is only one of a couple of known malware packages out there (so far), but it is inevitable that malware will crop up more and more for OS X. As such, while users should for the most part be safe for now, sooner or later it may be worthwhile to look into an antivirus package and at least run regular scans on the hard drive.

Fix: Run the DNSChanger removal utility

For now, there is a fix for the DNSChanger trojan. Affected users should download this utility and run it to remove the DNSChanger trojan from their systems. After running the utility, the computer will need to be rebooted, and then it is recommended that users reset Safari and ensure their DNS servers are properly entered in the Network system preferences.
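
One way to confirm which DNS servers the Mac is actually using is to compare the resolvers reported by `scutil --dns` against the ones you expect. The script below is an added example, not part of the original article or the removal utility; the EXPECTED_DNS allowlist, the function names and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag DNS servers in `scutil --dns` output that are not expected.
# EXPECTED_DNS is an assumption: set it to the resolvers your router or ISP assigns.
EXPECTED_DNS="${EXPECTED_DNS:-192.0.2.1 192.0.2.2}"

# Print the unique nameserver addresses found in `scutil --dns` text on stdin.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        sort -u
}

# Print every nameserver on stdin that is missing from EXPECTED_DNS.
unexpected_nameservers() {
    extract_nameservers | while read -r ns; do
        case " $EXPECTED_DNS " in
            *" $ns "*) ;;                 # on the allowlist
            *) printf '%s\n' "$ns" ;;     # not on the allowlist
        esac
    done
}

# Exit status 0 when all resolvers are expected, 1 when any is not.
check_dns() {
    bad=$(unexpected_nameservers)
    if [ -n "$bad" ]; then
        printf 'Unexpected DNS servers in use:\n%s\n' "$bad"
        return 1
    fi
    echo "DNS servers match the expected list"
}

# Constructed sample of `scutil --dns` output (documentation-range addresses).
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 198.51.100.53
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
EOF
}

# Demo on the sample; on a Mac run instead:  scutil --dns | check_dns
sample_scutil_output | check_dns || true
```

Because the trojan is described as reverting manual changes, running the check again after a reboot shows whether the corrected DNS servers have stayed in place.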

Resources

  • Roippeli
  • utility