These trojans start in the package install scripts.
Social engineering techniques are used to persuade the user into downloading and running this trojan. Websites hosting video (often illicit) claim that the video cannot be viewed without installing a new codec. The user is prompted to install the "needed" codec.
The user then downloads:
Installing the fake codec:
Once the fake codec is installed, the video will play so as not to raise suspicion. During the installation, the local machine's DNS settings are adjusted to point towards a malicious server.
Changes the DNS Server
The trojan changes the OS X network settings to use a different DNS server. DNS Settings are made with a tool called scutil.
The DNS Server Addresses vary. For example, Trojan:OSX/DNSChanger.A directs traffic to servers located in Ukraine.
After installation, the script sends back an HTTP message with information that it successfully infected the system. The message contains the operating system version and the host name.
The install script adds a crontab (a configuration file that specifies shell commands to run periodically on a given schedule) to a script to verify the malicious DNS servers remain unchanged. The script is stored in /Library/Internet Plug-Ins and is named plugins.settings.
The trojan infects both 10.4 and 10.5 versions of Mac OS X.