DNS Changer-like trojan?

I've stumbled upon some sort of virus/trojan/malware, and nothing seems capable of getting rid of it. I've tried MacScan, ProtectMac, and iAntiVirus, emptying the cache/history/cookies/etc. of all my browsers, as well as resetting my router, and none of these attempts have fixed it. (iAntiVirus is running a full scan right now, but I'm not hopeful; a quick scan found nothing and the software's update feature wouldn't work.)

The malware appears to operate like the DNS Changer trojan, but it only goes into effect occasionally. It happens in Safari and Firefox, for sure, and Chrome, iirc. Maybe once or twice an hour, a window will pop up, usually directed to "google-analytics.com". Sometimes it will start at "search.gugle.com" and then redirect to search. and results.google-analytics.com. Most often it gets stuck here, at the analytics.com address, but it will occasionally continue redirecting until the page ends up at something obviously scammish. The pop-up seems to be triggered by a random click; I cannot discern any specific websites or links that trigger it, except bit.ly, which loads, and then immediately redirects (without a pop-up) and hangs.
A name-server grep pulls 10.0.2.1, so nothing seems to be odd there, and this is why I assume it's not actually the DNS Changer trojan.

I'm currently running a daisy-chain of computers all sharing one internet connection, which tells me that it's my computer, because only it and the computer after me suffer from the problem. The modem is attached via ethernet to an iMac, which is wirelessly forwarding internet to my MacBook, which is forwarding internet via ethernet to a MacMini used as a mediacenter. The problem has only occurred, that I have seen, on the MacBook and MacMini. Curiously, the bit.ly redirect only occurs on the MacBook, not the mini.

That's all the information I can think of that's relevant. If anybody can help me, it would be much appreciated.

Message was edited by: senseabove

MacBook Black, Mac OS X (10.6.3)

Posted on Jun 5, 2010 3:59 PM

10 replies

Jun 5, 2010 4:37 PM in response to satcomer

Hi Satcomer,

I appreciate the quick response. As I have not installed any new codecs or screensavers, I did not think the recently discovered malware is what is affecting my system, though I was indeed already aware that an announcement about a new virus had been made. Sure enough, the removal tool detected nothing when I ran it.

The DNSChanger Removal Tool is well-known to be outdated, and numerous people, whose opinion I have discovered while, believe it or not, researching this problem, have pointed out that there have been at least two more iterations of the trojan since the DNS Changer was last updated. MacScan should catch the new iterations, though it found nothing on my system. Researching this problem is in fact how I came to be aware that this is a DNS Changer LIKE problem, but not that exact same problem. Though just to make you happy, I ran the outdated software and I'll let you guess what it found. (Hint: It rhymes with "black pit")

Help from anyone who doesn't need to be a jerk would be appreciated even more than satcomer's.

Jun 5, 2010 5:22 PM in response to senseabove

I would not be so quick to blame a trojan. See my Mac Virus guide (http://www.reedcorner.net/thomas/guides/macvirus)... it has a catalog of all the trojans I know of. The RSPlug trojan (which many people call DNS Changer) is something that Snow Leopard protects you against already.

The first thing I would advise is to change the way you're accessing the internet. Your described method of sharing from one machine to the next in a daisy chain sounds prone to problems. And you say that some of the suspicious activity (not sure exactly what) involves the IP address 10.0.2.1, which is one of your local Macs.

Go get yourself a cheap ethernet switch (like a router, but not as smart, so not as expensive). You can pick them up at Best Buy, where someone can point you to what you need if you aren't sure. Hook the switch up to the incoming internet connection, then connect each of your machines to the switch. This will let all your machines access the internet without any of them needing to share the connection.

You should probably also get yourself a copy of Little Snitch (http://www.obdev.at/products/littlesnitch) to monitor incoming and outgoing internet traffic.

Jun 5, 2010 6:10 PM in response to thomas_r.

Thanks, Thomas. I'm jumping through hoops to get to the internet because I'm subleasing an apartment right now and the owner specifically requested I leave the internet routed through his iMac so he has remote access to it. The Mini I really only plug in when I want to watch Netflix on the main TV (and the only reason I'm forwarding to it via ethernet is that it's having an unrelated wifi problem). I just figured it would be of interest that the pop-up occurs on the laptop and subsequently connected mini, but not the originating iMac, implying it's a problem with my computer, but more than a nasty cookie of some sort.

Nevertheless, I've connected the modem directly to the Mac to see if that'll help get to the root of this. The DNS servers now appearing when I run "/usr/sbin/scutil --dns | grep nameserve" in the terminal (which I got from another thread on DNS Changers in the 10.5 forum) are all my ISP's, according to a google search of the IP address, so I would assume that means I'm not suffering from a DNS Changer. And I'm using Camino now, since the attack seems to only work in Safari and Firefox, while trying to trigger it again in Firefox.

And I'm running little snitch, which I'd just remembered to turn back on before you replied, but I'm not sure what I should be looking for. That said, it doesn't seem to be popping up since I've turned Little Snitch back on.
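The check described in the post above (pull the resolver list out of `scutil --dns` and see whether every address belongs to the local network or to the ISP) can be scripted so it is repeatable. The script below is an added example, not code from the thread or from Apple; the `nameserver[...]` lines it parses are a constructed sample in the same shape `scutil --dns | grep nameserver` prints, and the allow-list of expected resolvers (here the sharing Mac at 10.0.2.1) is an assumption you replace with your own ISP's addresses. Any resolver that is neither private (RFC 1918, loopback, link-local) nor on the allow-list is printed as suspicious, which is the DNS changer symptom the poster was looking for.

```shell
#!/bin/sh
# Added example: flag unexpected resolvers in scutil-style DNS output.
# On a real Mac, feed live data instead of the sample:
#   /usr/sbin/scutil --dns | grep nameserver | flag_resolvers "10.0.2.1"

# Constructed sample of `scutil --dns | grep nameserver` output.
# 203.0.113.53 is a TEST-NET address standing in for a rogue resolver.
SAMPLE_DNS='  nameserver[0] : 10.0.2.1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 10.0.2.1'

# is_private ADDR: succeed (0) when ADDR is RFC 1918, loopback or link-local,
# i.e. a resolver on the local network rather than out on the internet.
is_private() {
  case "$1" in
    10.*|192.168.*|127.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# flag_resolvers EXPECTED: read nameserver lines on stdin and print each
# distinct resolver that is neither private nor in the space-separated
# EXPECTED list (your ISP's resolvers). Empty output means nothing odd.
flag_resolvers() {
  expected=" $1 "
  sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' \
    | sort -u \
    | while read -r addr; do
        case "$expected" in *" $addr "*) continue ;; esac
        is_private "$addr" && continue
        printf '%s\n' "$addr"
      done
}

# Stand-alone run over the constructed sample (prints 203.0.113.53).
printf '%s\n' "$SAMPLE_DNS" | flag_resolvers "10.0.2.1"
```

Run it once while the problem is occurring and once after a reboot; a resolver that appears only intermittently, or that changes between runs, is a stronger sign of tampering than a single static entry. Note that this only inspects the resolvers the operating system has configured: a machine upstream that is forwarding the connection (the iMac in this thread) answers queries on its own terms, so the list looking clean on the MacBook says nothing about what 10.0.2.1 returns.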

Jun 5, 2010 6:35 PM in response to senseabove

So, let me get this straight... you're renting from someone who has left his computer, and you're routing all your internet traffic through that computer? Unless you know this guy you're renting from - well enough to trust him - this sounds like a very bad idea to me! It's a bit fishy that he would leave the computer there, with you, yet insist that it be left running and connected to the internet in a specific way, but wouldn't have a problem with you using the internet through it. I wouldn't come right out and say that he's installed malicious software on his machine to snoop information from you or redirect your web surfing to phishing sites, but it should be something you think about.

Jun 6, 2010 7:46 AM in response to satcomer

Premier Opinion, aka OpinionSpy, is not a DNS changer, and is debatably not even a trojan. A little scary, if you're dumb enough to agree to the installation, but the mere fact that it requires you to agree before it installs makes it fail the trojan test. A real trojan would just install silently.

There's more on this here:

http://discussions.apple.com/message.jspa?messageID=11603903#11603903
