Thursday, November 01, 2007

OSX Has Its Own Zlob DNSChanger: OSX.RSPlug.A

Right before going to bed, I saw that there is a new variant of the all too familiar Zlob DNSChanger, which has been infecting Windows computers for some 2 years now. The big change is that it targets Mac OS X instead of Windows. It does the same thing as the Windows versions: it changes your DNS settings to hijack your computer. It will redirect you to web sites you didn't mean to go to, and your search results will also get sent to the ones the bad guys want you to see. That way, they can bombard you with ads and other garbage to try and get money out of you.

DNS is like a phone book. Your computer looks up what IP address a site like has. Since you are now using the fake phone book, when you click on a link or enter a web address, they send you to a similar-looking web site. Usually, it has a lot of ads and links to other crappy websites. My experience with the Windows variants is that you get only a few redirects and then you are left alone for a while. Also, unlike the Zlob variant that tries to sell a fake antispyware program, you do not get pop-ups and warning balloons claiming that your system is infected.

The OS X version uses the same tactics to get you to install the trojan. A video page warns you that you need to install a codec or plug-in for QuickTime to view it. When you download the fake codec and try to install it, OS X asks you for your admin password. This is one advantage that OS X has over most Windows setups: if you do not enter your password, nothing bad happens. If you do enter your password, you get hijacked.

Macworld has more details on this and how it can be removed. One of the first to report this trojan was Intego, who makes security software for Macintosh computers.

Check your /Library folder (not /System/Library or your user's ~/Library) for a file called plugins.settings. The full path to the file is:

/Library/Internet Plug-Ins/plugins.settings

Removing that file by itself won't fix the trojan. You need to do a little work in Terminal to remove OSX.RSPlug.A.

1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.

2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that re-checks the DNS Server settings. You can verify it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root.

3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note, TextEdit document, or memorize them. Now retype those same values in the box, then click Apply.

4. Reboot your Mac.
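The three things the steps above remove are also the three things worth checking for: the dropped plugins.settings file, a root cron job, and DNS servers you never configured. The script below is an added example, not from the original post or from Macworld or Intego; it is a read-only check (it deletes nothing) built around exactly those indicators. The plugin path and the sudo crontab -l command are from the post; networksetup is a standard macOS command and is assumed to be available. The allow list of DNS servers and all sample data are constructed placeholders, so replace the allow list with your own router's or ISP's resolvers before running a live scan.

```shell
#!/bin/sh
# Added example (not the post's own code): a read-only check for the three
# OSX.RSPlug.A indicators the post describes -- the dropped plugins.settings
# file, a root cron job, and DNS servers you did not configure yourself.
# Plugin path and `sudo crontab -l` are from the post; `networksetup` is a
# standard macOS command (assumed present). The allow list is a placeholder.

PLUGIN_FILE="/Library/Internet Plug-Ins/plugins.settings"

# Indicator 1: the dropped settings file. Returns 0 (true) if the path exists.
check_plugin_file() {
    [ -e "$1" ]
}

# Indicator 2: reads a crontab listing on stdin; returns 0 if it contains any
# non-comment, non-blank line (a clean root account normally has no crontab).
crontab_has_jobs() {
    grep -v '^#' | grep -q '[^[:space:]]'
}

# Indicator 3: reads DNS server addresses on stdin, one per line, and prints
# every address that is not in the space-separated allow list given in $1.
unexpected_dns() {
    allowed="$1"
    while IFS= read -r srv; do
        case "$srv" in
            ''|*' '*) continue ;;   # blank line or a "no DNS servers set" message
        esac
        case " $allowed " in
            *" $srv "*) ;;
            *) printf '%s\n' "$srv" ;;
        esac
    done
}

# Live scan of this Mac (needs sudo for the root crontab). Prints one FOUND line
# per indicator; nothing is deleted. Run with: sh rsplug_check.sh --scan
scan_live_mac() {
    allowed="$1"
    if check_plugin_file "$PLUGIN_FILE"; then
        echo "FOUND: $PLUGIN_FILE exists"
    fi
    if sudo crontab -l 2>/dev/null | crontab_has_jobs; then
        echo "FOUND: root crontab has entries (sudo crontab -l)"
    fi
    # First line of the listing is a legend; a leading '*' marks a disabled service.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        networksetup -getdnsservers "$svc" | unexpected_dns "$allowed" |
        while IFS= read -r bad; do
            echo "FOUND: $svc uses unexpected DNS server $bad"
        done
    done
}

# Placeholder allow list: put your own router/ISP resolvers here before scanning.
if [ "${1:-}" = "--scan" ]; then
    scan_live_mac "192.168.1.1"
fi
```

The DNS check is the one that matters after cleanup, too: re-run it after the reboot in step 4, because if the cron job survived it will have put the rogue servers back.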

For the most part, this is more of an annoyance. The main danger comes if you go to a website and enter personal information that the crooks want. They could redirect you to a website that isn't really your bank or PayPal and steal your login information. For now, though, it seems to be used mainly to send you to websites that peddle programs and display ads for you to click on.