11 Replies Latest reply: Apr 21, 2012 7:33 PM by WZZZ
herbium Level 1 (0 points)

Is Mac OS 10.7.3 vulnerable to DNSchanger Trojan Malware?

MacBook Pro (15-inch Mid 2009), Mac OS X (10.7.3)
  • WZZZ Level 6 (12,775 points)

    You're asking in the 10.6 area. But why are you asking? Do you suspect you have been infected? This is the second post we've had today about this. The first one ran the MacScan removal tool, but is saying the infection remained.

  • herbium Level 1 (0 points)

    Hi. Thanks for your response. This is my first entry into this sort of "community". I ask the question because a friend of mine, a tech editor for Oracle and others, sent out a broad email that on March 8th, those infected by this malware will not be able to access the internet. She then suggests:


    "Here is a very good site for checking whether your computer is infected. Read the home page and then go to Checkup in the top menu. Different operating systems are listed down the left side of the Checkup page."




    I did a quick preview but didn't trust the site quoted. 


    P.S.  I'm operating in 10.7.3.  I don't know exactly what you mean "asking in the 10.6 area." 


    Thanks for any info.

  • WZZZ Level 6 (12,775 points)

    You are running Lion; this is the Snow Leopard (10.6) forum. This is pretty old stuff, so that's why I'm wondering if there's some new development. This is the trojan removal tool from SecureMac (MacScan) for infections that were circulating in 2008.




    XProtect/Quarantine, which is a limited malware screening tool in 10.6, and I'd assume present also in 10.7 Lion, is showing a definition for the OSX.RSPlug.A Trojan Horse, AKA, the DNS Changer Trojan. But that definition, if something new is happening, may not be up to date. That's all I know right now.

  • ds store Level 7 (30,320 points)

    All computers are susceptible to trojans if the user installs them; 10.7.3 is no different, so if you've installed something with your admin password and you're having issues, it could be a trojan. But it likely did not get on your machine without your assistance.



    The site you linked to shows an all-green light, so it's not malicious.


    I've found the IPs used by the malicious DNS changer network; however, it is old news.


    [Attached image: Screen shot 2012-02-22 at 4.25.13 PM.jpg]


    DNS stands for Domain Name Server. What this does is, when you search for, say, google.com or apple.com, it translates the domain name of apple.com into an IP address (number) that then allows your computer to connect to that site.


    Because servers (computers) are moved around to different hosting services with different IP addresses, sort of like a business that changes location if the lease for the location has expired, the name of the domain (like the name of a business) doesn't change, so people can still find the site.


    The Domain Name Server handles all the IP changes, providing your computer with the latest IP address to connect to.


    Now, in your System Preferences > Network > DNS will be the IP addresses of the Domain Name Server you're using. Usually it's your ISP's, but people often change it to something that is faster or offers more security or "filtering" of malicious sites or even content!


    So what you need to do is check two things, your Mac's and your router's DNS settings, to make sure the IP addresses (two of them usually) are set to IP addresses that you KNOW belong to your ISP or an alternate DNS provider you have selected.


    The only way to find out is to contact your ISP and give them your account/location and present DNS IP numbers, and they will tell you the IP address of the closest DNS to your location, which is likely what they use.


    If your DNS settings on either the Mac or the router are NOT kosher, then you've got a problem.
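
Added example (not part of ds store's post or of the thread): one way to do the Mac-side check described above from Terminal, listing the resolvers macOS is actually using and flagging any that are not on a list you have confirmed with your ISP or chosen DNS provider. The allowlist, the sample `scutil --dns` output and the function names are constructed for illustration; the router still has to be checked in its own admin page.

```shell
#!/bin/sh
# Added example: compare the DNS resolvers macOS is using against an allowlist.

# Constructed allowlist: replace with the addresses your ISP or DNS provider confirms.
ALLOWED="192.168.1.1 198.51.100.10"

# Constructed sample of `scutil --dns` output, so the script also runs off a Mac.
SAMPLE_SCUTIL_OUTPUT='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1'

# Read `scutil --dns` output on stdin, print each distinct nameserver once.
extract_nameservers() {
    awk '/nameserver\[[0-9]+\]/ { print $3 }' | sort -u
}

# Read nameservers on stdin, print those missing from the allowlist in $1.
# Returns 0 if every resolver is expected, 1 if any is not.
unexpected_nameservers() {
    allow=" $1 "
    status=0
    while read -r ns; do
        case "$allow" in
            *" $ns "*) ;;
            *) printf '%s\n' "$ns"; status=1 ;;
        esac
    done
    return "$status"
}

# Full check: stdin is `scutil --dns` output, $1 is the allowlist.
check_dns() {
    extract_nameservers | unexpected_nameservers "$1"
}

# On a Mac, feed it live data:  scutil --dns | check_dns "$ALLOWED"
printf '%s\n' "$SAMPLE_SCUTIL_OUTPUT" | check_dns "$ALLOWED" \
    || echo "Resolver(s) above are not on your list: confirm them with your ISP."
```

A resolver that appears here but not in System Preferences > Network > DNS was usually handed out by the router over DHCP, which is why the router's own DNS setting needs the same comparison.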

  • genoa Level 1 (0 points)

    Sorry to sound dumb, but is it safe to run the check found at http://www.dcwg.org? Supposedly the FBI set this up.

  • Klaus1 Level 8 (46,960 points)



    You can check here if you have been infected with DNS Changer malware:  http://www.dns-ok.us/

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.


    SecureMac provides a Trojan Detection Tool for Mac OS X.  It's available here:



  • WZZZ Level 6 (12,775 points)

    Seems to be on the level.


    http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2012/04/20/national/w110653D95.DTL


    But these are the steps for manually checking for Mac. Appears to be Windows only, so don't know there are steps for checking for Macs.


    http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2012/04/20/national/w110653D95.DTL


    WOT gives the site an excellent rating.

  • Klaus1 Level 8 (46,960 points)

    You are right, your first link links to my link: http://www.dns-ok.us/!

  • WZZZ Level 6 (12,775 points)

    I really don't understand what this is all about. The Secure Mac DNS Changer Trojan is really ancient news. This seems to be something newer than that and for Windows only, yet that site has detection and removal for OS X.

  • genoa Level 1 (0 points)

    Thanks, Klaus1. I've installed the trial version of MacScan and it's running now.


    So if nothing is found I don't need to run www.dns-ok.us. Right?


    One other question. Does this trojan only infect Intel Macs? I have an old G3 that is only used for backup storage and was wondering if I need to run a check on it.



  • WZZZ Level 6 (12,775 points)

    Running MacScan probably has nothing to do with this. Run the DNS check; it's not harmful. The original DNS Changer that MacScan identified was both PPC/Intel. As I said, I don't understand what this is about, since it's supposed to be Windows only, but there are instructions for removing it from Macs.