Tools
Trojan:OSX/DNSChanger
Summary
Disinfection
Automatic Disinfection
Allow F-Secure Anti-Virus for Mac to disinfect the relevant files.
Restoring DNS Settings
- Open the Apple Network Pane:
- Applications > System Preferences > Network
- Set the correct DNS Server, or leave it blank if you use a DHCP server.
- To double check the DNS settings, click the Advanced button and choose the DNS tab:
- Click the OK button, then the Apply button.
Additional Details
Trojan:OSX/DNSChanger are detections of installation packages, masked as fake codec installations for Mac OS X computers.
These trojans start in the package install scripts.
Installation
Social engineering techniques are used to persuade the user into downloading and running this trojan. Websites hosting video (often illicit) claim that the video cannot be viewed without installing a new codec. The user is prompted to install the "needed" codec.
The user then downloads:
Installing the fake codec:
Once the fake codec is installed, the video will play so as not to raise suspicion. During the installation, the local machine's DNS settings are adjusted to point towards a malicious server.
Changes the DNS Server
The trojan changes the OS X network settings to use a different DNS server. DNS Settings are made with a tool called scutil.
The DNS Server Addresses vary. For example, Trojan:OSX/DNSChanger.A directs traffic to servers located in Ukraine.
Reports Back
After installation, the script sends back an HTTP message with information that it successfully infected the system. The message contains the operating system version and the host name.
Prevents Disinfection
The install script adds a crontab (a configuration file that specifies shell commands to run periodically on a given schedule) to a script to verify the malicious DNS servers remain unchanged. The script is stored in /Library/Internet Plug-Ins and is named plugins.settings.
The trojan infects both 10.4 and 10.5 versions of Mac OS X.