DNSChanger Trojan horse malware causes slow surfing in Mac OS X
Several users have noticed that their web browsing has become exceptionally slow, especially when compared to other computers on the same network which seem to browse at normal speeds.
Apple Discussions poster Roippeli writes:
"My Internet used to work fine on my Mac, until today. I don't know what it is. I used to run both connections (to Mac/PC) via D-Link DI-524 and the connection worked fine. Today my PC Internet was working fabulous, but at the same time my Mac was struggling. It took a very long time to connect even to apple.com, 1-2 minutes. Some sites it couldn't even load. I took the D-Link router away and connected the Mac directly to my wlan-modem/ethernet box, but the problem stayed."
In addition, for some users with Boot Camp or virtualization solutions installed, browsing in Windows appears normal, which indicates something is wrong with Mac OS X itself rather than the network. While some users had recently installed the Mac OS X 10.5.5 update, others started experiencing the problem a week or so after applying the update. Users have tried repairing permissions, resetting the computer's PRAM, resetting Safari, and other options such as booting into Safe Mode, but nothing seems to have worked.
This problem is a DNS issue, and for some users it could be caused by a known trojan horse malware package called "DNSChanger" (also known as "OSX.RSPlug"). The trojan alters the DNS settings of the active network connection and keeps reverting them even if users change them back manually. It is likely picked up when users try to play certain QuickTime movies that claim a codec must be installed to watch the film. Installing the "codec" infects the system and changes its DNS records, and internet access bogs down while the system uses the wrong DNS servers to resolve host names.
As a warning to users: this trojan is only one of a couple of known malware packages out there (so far), but it is inevitable that malware will crop up more and more for OS X. As such, while for the most part users should be safe for now, sooner or later it may be worthwhile to look into an antivirus package and at least run regular scans on the hard drive.
Fix: Run the DNSChanger removal utility
For now, there is a fix for the DNSChanger trojan. Affected users should download this utility and run it to remove the DNSChanger trojan from their systems. After running the utility, reboot the computer; it is then recommended that users reset Safari and ensure their DNS servers are properly entered in the Network pane of System Preferences.
I absolutely hope you are suggesting here that we should use the fix for that trojan and not the trojan itself...
His iMac was slow, but his laptop was fine. So was mine.
I checked the DSL gateway, set the iMac DNS addresses to opendns.org (can't set them in that gateway), but things didn't improve. DSL speed test was normal.
I clicked a few random bookmarks on my laptop to test; one happened to be MacFixit. I was stunned that the solution was here today, the minute I needed it, as if MacFixit read my mind. Uncanny luck.
Made my week.
Check your Network settings in System Preferences to make sure.
You need to make sure that all of the DNS server settings for your computers and network devices are not compromised since any compromised device will redirect you to a bad DNS server.
To get infected by this you have to go to weird sites, download weird software, install weird software, and type your admin password to install such weird software!!!
SO YOU SAY THEN THAT THE MAC IS NOT SECURE??? Give me a break! Security is something and people stupidity another. Sorry, but this is too much!
More info from the horse's mouth:
The DNSChanger Trojan Horse, also known as OSX.RSPlug.A and OSX/Puper, has been found on numerous pornographic websites disguising itself as a video codec. Once downloaded and installed, DNSChanger changes the DNS settings on the computer, redirecting websites entered by the user to malicious sites. If personal information is entered on these malicious websites, it can lead to identity theft.
Source: http://www.securemac.com
MORAL: THE MAC IS ULTRA-SECURE. BUT PEOPLE ARE STUPID!
I'm sorry, but using a separate news feeder app was the cause of mine (which I analyzed and blocked afterwards). The feeds in question were from political blogs, not porno! So your statements are incorrect.
Also, stop being a Mac zealot and start waking up to reality. The Mac is going to be hit with malware...it's just a matter of time. In the past and under different Mac operating systems the Mac was hit. Yes, Leopard is different, but to state it is ultra-secure is just plain stupid and misleading on your part. I recall a certain U.S. President emphatically stating the government would not bail out private corporations. Hmmm...
Regardless of where it comes from, the fact remains that you must still type an administrator's password in order to be infected.
There are many sources for this malware. It was created by the Russian Zlob gang, and the same group of criminals makes a similar malware program for Windows computers. It's distributed in a very large number of ways--on dodgy porn Web sites, via hacked legitimate Web sites, via Web sites that seed Google with poisoned links for popular search terms, via hacked WordPress blogs, via hacked phpNuke and phpBB forums--the list goes on and on. In fact, I've even documented an extensive, hidden underground network used to spread it, at
http://tacit.livejournal.com/240750.html
The network has grown to about ten times its old size and become far more sophisticated since I created that diagram, which will give you an idea of how resourceful and dedicated these criminals are.
But one thing remains the same: You MUST type your administrator password to be infected. You CANNOT be infected automatically or silently. Put simply, user education is important. Pay attention. NEVER type your administrator password if you do not fully understand what is happening. NEVER type your administrator password to install software that you did not explicitly set out to download.
Sure... I have been hearing that since...
1984?
Almost...
Back to the real world: if you do not install things that should not be installed, there is no problem at all with Mac.
This assumption may turn around and bite a big old chomp out of your ass...
There are ways to execute software without requiring an administrator password. I would not take it for granted that the system is untouchable, as you seem to be so adamantly professing. Only recently folks have uncovered ways to promote tasks to superuser without having to enter a password. If someone with malicious intent had found this before others, then a decent level of harm could have been done.
This is an undeniable possibility in all systems, and in addition, while it is true most viruses require the actions of users to enable them, many people are not so keen on detecting what is and is not a virus. For instance, the process for updating some Adobe apps asks for the admin password so many times that users just get used to entering their password at the prompt. It goes without saying that folks who constantly enter their passwords might just do it out of habit. We're not talking computer gurus here, but more the people who're not so computer savvy. Those are the folks who're at risk, and it's those people who should be warned more than anyone else.
To claim that these folks should just "learn how to do it right and be on the lookout" is a hope without end, and it's naive to assume they've got the know-how to actively be able to track malware on their systems. For most folks, as is the case with the people quoted in this article, they just go ahead and do things on their computers without taking necessary precautions. These are the folks who need antivirus and other scanning software packages.
You don't have to be stupid to make stupid mistakes. Anyone who claims he has never made such a mistake is not to be trusted. To ere is human. Being on guard all the time is more work than most people are up to. While the Mac OS is, for the most part, more secure than Windows, it's only a matter of time until, as this exploit demonstrates, a significant number of OS X attacks escape into the wild. Sooner or later we, too, will need robust virus and malware protection software. So enjoy your freedom while you can. In the meantime, one thing to avoid like the plague is overconfidence. Absolutely nothing is more dangerous. There's even a fancy French word for it - hubris.
---
Don't anthropomorphize computers.
They hate that.
Uh, to "err" is human...(pronounced "er", not "error" btw). Otherwise a good post.
When the air is thick with naivety, users tend to type in caps...
The Mac OS is known for its security, but a major part of that is the very low number of attacks and number of malware that's out there, especially in relation to that for Windows. Granted this specific bit of malware requires a bit of user input to get implemented, but it's naive to think that the OS is immune to viruses and such just because there're no known ones out there.
Guess how many well-written (in the evil sense) trojans/worms exist among the 450.000 malware titles the current ClamAV database consists of? Not more than 100.
Those Windows malware, viruses and especially trojans exist because users click "OK" blindly even giving their password.
This threat is REAL, and people who think it hurts their favorite brand's image, and so try to convince newbies that it is not real, hurt Mac security much more than the real threat does.
If you give your admin password without thinking for a second, even on rock-solid NSA-funded SecureLinux, you will get owned.
If you think or get tricked to think that nothing can hurt you since you are on OS X/Mac, you are in much more danger than average Windows user. At least they have some kind of Antivirus installed because of fear.
Yes. One variant of this Trojan installs a script named Quicktime.xpt in that folder. You did indeed infect yourself with this malware.
Homerun, folks. Found the bugger in Library/Internet Plugins and dumped it. Both Safari and Firefox (and now Mail) stayed slow. Repaired permissions (took much longer than usual, but completed), downloaded the cleaner, ran it (about 6 seconds), restarted, repaired permissions again, checked DNS settings, and now all's well. Many, many thanks for publishing this fix. Have accessed this site daily for over a year, and this is the first time I've had a problem you've discovered. Bravo and many thanks (here's hoping the fix holds).
By the way, anybody know why ClamX didn't pick this up?
It's easy to blame this on the user (obviously), but if more people ran some security on their macs (well at least this user), this could have been cleaned up a long time ago.
BTW, the User had fraudulent charges on her CC in February 2008.
FYI, the servers that DNS was being redirected to were 85.255.114.100 and 85.255.112.99
by mrthuse, September 26, 2008 11:54 AM PDT
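As an added example (not from the article, the removal utility or any commenter), a small POSIX shell audit that turns the two rogue resolver addresses reported just above, and the Quicktime.xpt plug-in a commenter found earlier in the thread, into a check a user can run on an OS X box; the 85.255.112.0/20 match range and the on-disk folder name "Internet Plug-Ins" are assumptions that go beyond what the comments state.

```shell
# Added audit script, not from the article or the removal utility.
# Flags resolvers matching the two rogue servers a commenter reported
# (85.255.114.100, 85.255.112.99) or the 85.255.112.0/20 block both sit
# in (assumed match range), and reports the Quicktime.xpt plug-in file.

# Returns 0 if the address is a known or suspected rogue resolver.
is_rogue_dns() {
    ip=$1
    case "$ip" in
        85.255.114.100|85.255.112.99) return 0 ;;
        85.255.*.*) ;;                  # candidate: test the third octet
        *) return 1 ;;
    esac
    oct3=${ip#85.255.}; oct3=${oct3%%.*}
    case "$oct3" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$oct3" -ge 112 ] && [ "$oct3" -le 127 ]; then return 0; fi
    return 1
}
# Arguments are resolver addresses; prints each rogue one and returns
# 1 if any matched, 0 if the list is clean.
check_dns_list() {
    found=0
    for ip in "$@"; do
        if is_rogue_dns "$ip"; then
            echo "ROGUE DNS server configured: $ip"
            found=1
        fi
    done
    return $found
}
# Reports (never deletes) the plug-in; the folder is "Internet Plug-Ins"
# on disk (assumed), which the commenter wrote as "Internet Plugins".
check_plugin_file() {
    for f in "$HOME/Library/Internet Plug-Ins/Quicktime.xpt" \
             "/Library/Internet Plug-Ins/Quicktime.xpt"; do
        if [ -e "$f" ]; then echo "suspicious plug-in present: $f"; fi
    done
    return 0
}
# Mac OS X only: audit the resolvers actually in effect (scutil --dns);
# on other systems it says so and returns 0.
audit_mac_dns() {
    command -v scutil >/dev/null 2>&1 || { echo "no scutil; skipped"; return 0; }
    resolvers=$(scutil --dns | awk '/nameserver\[/ { print $3 }' | sort -u)
    rc=0
    set -f; check_dns_list $resolvers || rc=$?; set +f   # word-split lines
    check_plugin_file
    return $rc
}
```

Running `audit_mac_dns` after the removal utility and reboot gives a quick confirmation that the resolvers did not revert; a non-zero exit means a rogue address is still in use.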
Have been experiencing the same thing using the latest versions of both Safari and Firefox on the home eMac. Since I scan weekly w/ ClamX, I wonder why - if the problem's really the infection - that didn't pick it up. Hmm?
Will try some of these fixes (deleting files, downloading and installing the cleaner) and report back.
Thanks for the update.