
HT4651: Mac OS X Snow Leopard and malware detection

Learn about Mac OS X Snow Leopard and malware detection

HT4651 Is Mac OS 10.7.3 vulnerable to DNSchanger Trojan malware?

5550 Views 11 Replies Latest reply: Apr 21, 2012 7:33 PM by WZZZ
herbium
Feb 22, 2012 11:54 AM

Is Mac OS 10.7.3 vulnerable to DNSchanger Trojan Malware?

MacBook Pro (15-inch Mid 2009), Mac OS X (10.7.3)
  • WZZZ Level 6 (11,880 points)

    You're asking in the 10.6 area. But why are you asking? Do you suspect you have been infected? This is the second post we've had today about this. The first one ran the MacScan removal tool, but is saying the infection remained.

  • WZZZ Level 6 (11,880 points)

    You are running Lion; this is the Snow Leopard (10.6) forum. This is pretty old stuff, so that's why I'm wondering if there's some new development. This is the trojan removal tool from securemac (macscan) for infections that were circulating in 2008.



    XProtect/Quarantine, which is a limited malware screening tool in 10.6, and I'd assume present also in 10.7 Lion, is showing a definition for the OSX.RSPlug.A Trojan Horse, AKA, the DNS Changer Trojan. But that definition, if something new is happening, may not be up to date. That's all I know right now.

  • ds store Level 7 (30,305 points)

    All computers are susceptible to trojans if the user installs it, 10.7.3 is no different, so if you've installed something with your admin password and you're having issues, it could be a trojan. But likely did not get on your machine without your assistance.



    The site you linked to shows an all green light, so it's not malicious.


    I've found the IPs used by the malicious DNS changer network, however it is old news.


    Screen shot 2012-02-22 at 4.25.13 PM.jpg


    DNS stands for Domain Name Server, what this does is when you search for say, or, it translates the Domain name of into an IP address (number) that then allows your computer to connect to that site.


    Because servers (computers) are moved around to different hosting services with different IP addresses, sort of like a business that changes location if the lease for the location is expired, the name of the domain (like a name of a business) doesn't change so people can still find the site.


    The Domain Name Server handles all the IP changes, providing your computer with the latest IP address to connect to.


    Now in your System Preferences > Network > DNS will be the IP addresses of the Domain Name Server you're using, usually it's your ISP's but people often change it to something faster or offers more security or "filtering" of malicious sites or even content!


    So what you need to do is check two things, your Mac's and your router's DNS settings to make sure the IP addresses (two of them usually) are set to IP addresses that you KNOW belong to your ISP or an alternate DNS provider you have selected.


    The only way to find out is to contact your ISP and give them your account/location present DNS IP numbers and they will tell you the IP address of the closest DNS to your location which is likely what they use.


    If your DNS settings on either the Mac or the router are NOT kosher, then you've got a problem.
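
Added example, not part of the post above: a shell sketch of the Mac-side check it describes, comparing the resolvers the system reports against addresses you know belong to your ISP or chosen DNS provider. It reads the output of the macOS `scutil --dns` command; the function names, the `TRUSTED` allowlist and the sample addresses are assumptions made up for illustration, and the router still has to be checked separately in its own admin page.

```shell
#!/bin/sh
# Added example: list the DNS resolvers a Mac is using and flag any that are
# not on a list you trust. The TRUSTED value is a placeholder (assumption);
# replace it with the addresses your ISP or chosen DNS provider gave you.

# Pull the unique resolver addresses out of `scutil --dns` style text on stdin.
list_resolvers() {
    awk '/nameserver\[[0-9]+\]/ { print $NF }' | sort -u
}

# Print each resolver from stdin that is missing from the allowlist in $1
# (space-separated). No output means every resolver is one you expect.
unexpected_resolvers() {
    trusted=" $1 "
    list_resolvers | while read -r ip; do
        case "$trusted" in
            *" $ip "*) ;;              # exact match on the allowlist
            *) printf '%s\n' "$ip" ;;  # unknown resolver: report it
        esac
    done
}

# Constructed sample in the layout `scutil --dns` prints (documentation-range
# addresses, not real servers), so the script also runs away from a Mac.
SAMPLE_SCUTIL='resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.53
  if_index : 4 (en0)
resolver #2
  domain   : local
  options  : mdns
resolver #3
  nameserver[0] : 203.0.113.7'

TRUSTED="192.0.2.53 198.51.100.53"   # placeholder allowlist

if command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_resolvers "$TRUSTED"
else
    printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_resolvers "$TRUSTED"
fi
```

Any address this prints is one to look up with your ISP or DNS provider before trusting it.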

  • genoa

    Sorry to sound dumb, but is it safe to run the check found at Supposedly the FBI set this up.

  • Klaus1 Level 8 (43,430 points)



    You can check here if you have been infected with DNS Changer malware:

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.


    SecureMac provides a Trojan Detection Tool for Mac OS X.  It's available here:


  • WZZZ Level 6 (11,880 points)

    Seems to be on the level.



    But these are the steps for manually checking for Mac. Appears to be Windows only, so don't know there are steps for checking for Macs.



    WOT gives the site an excellent rating.

  • Klaus1 Level 8 (43,430 points)

    You are right, your first link links to my link:  !

  • WZZZ Level 6 (11,880 points)

    I really don't understand what this is all about. The Secure Mac DNS Changer Trojan is really ancient news. This seems to be something newer than that and for Windows only, yet that site has detection and removal for OS X.

  • genoa Level 1 (0 points)

    Thanks, Klaus1. I've installed the trial version of MacScan and it's running now.


    So if nothing is found I don't need to run Right?


    One other question. Does this trojan only infect Intel Macs? I have an old G3 that is only used for backup storage and was wondering if I need to run a check on it.



  • WZZZ Level 6 (11,880 points)

    Running MacScan probably has nothing to do with this. Run the DNS check; it's not harmful. The original DNS Changer that MacScan identified was both PPC/Intel. As I said, I don't understand what this is about, since it's supposed to be Windows only, but there are instructions for removing it from Macs.

