Threat Description

Trojan:​OSX/DNSChanger

Details

Aliases:Trojan:​OSX/DNSChanger
Category:Malware
Type:Trojan
Platform:OSX

Summary



A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus for Mac to disinfect the relevant files.

Restoring DNS Settings

  • Open the Apple Network Pane:
    • Applications >System Preferences >Network
  • Set the correct DNS Server, or leave it blank if you use a DHCP server.
  • To double check the DNS settings, click the Advanced button and choose the DNS tab:
  • Click the OK button, then the Apply button.


Technical Details



Trojan:OSX/DNSChanger are detections of installation packages, masked as fake codec installations for Mac OS X computers.

These trojans start in the package install scripts.

Installation

Social engineering techniques are used to persuade the user into downloading and running this trojan. Websites hosting video (often illicit) claim that the video cannot be viewed without installing a new codec. The user is prompted to install the "needed" codec.

The user then downloads:

Installing the fake codec:

Once the fake codec is installed, the video will play so as not to raise suspicion. During the installation, the local machine's DNS settings are adjusted to point towards a malicious server.

Changes the DNS Server

The trojan changes the OS X network settings to use a different DNS server. DNS Settings are made with a tool called scutil.

The DNS Server Addresses vary. For example, Trojan:OSX/DNSChanger.A directs traffic to servers located in Ukraine.

Reports Back

After installation, the script sends back an HTTP message with information that it successfully infected the system. The message contains the operating system version and the host name.

Prevents Disinfection

The install script adds a crontab (a configuration file that specifies shell commands to run periodically on a given schedule) to a script to verify the malicious DNS servers remain unchanged. The script is stored in /Library/Internet Plug-Ins and is named plugins.settings.

The trojan infects both 10.4 and 10.5 versions of Mac OS X.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your Mac

F-Secure Anti-Virus for Mac will disinfect your Mac and remove all harmful files

Learn More