
How to remove malware from Mac 10.5.8 Leopard

Looking at Snake Sites/Pics & several times it said, Caution for malware. Anyone know how to remove any malware from Mac 10.5.8, Leopard for Free?


(Also, several people use Mac Defender, MacProtector, & MacSecurity & APPLE SAYS THOSE ARE MALWARE!!! FYI!)

MacBook, Mac OS X (10.5)

Posted on Jul 17, 2012 5:03 PM

Question marked as Best reply

Posted on Jul 17, 2012 5:12 PM

Use ClamXav


http://www.clamxav.com/

24 replies

Jul 18, 2012 12:00 PM in response to MadMacs0

First of all, there isn't any currently known "virus" that can impact a Mac.


This is disingenuous.


You and I had a recent exchange about the mopping up we are still doing after the Rove viruses.


Details: http://www.fixmydns.com/


I have since come across another infection.


Whilst these viruses are no longer being downloaded there are probably thousands of Macs still infected.

Jul 18, 2012 12:20 PM in response to Neville Hillyer

Neville Hillyer wrote:


First of all, there isn't any currently known "virus" that can impact a Mac.


This is disingenuous.


You and I had a recent exchange about the mopping up we are still doing after the Rove viruses.

Sorry, but I don't consider the Mac version to be a virus by anybody's definition. It was a Trojan installed using a fake CODEC. See http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml.


The generally accepted definition is: "A computer virus is a computer program that can replicate itself and spread from one computer to another."

I have since come across another infection.

Which is?

Whilst these viruses are no longer being downloaded there are probably thousands of Macs still infected.

Other than definitions, I don't think we see this any differently.


There actually have been a couple of viruses that affected either the OS or a Mac Application in the past, but all were quickly patched by Apple. So it is possible that somebody running very old software could have a virus infection, but I have not run into any in modern times.


Message was edited by: MadMacs0

Jul 18, 2012 12:57 PM in response to MadMacs0

The DNS Changer Working Group site I gave the link to says:


"The criminals operated under the company name "Rove Digital", and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses."


Several sites say it can move from an infected computer to other computers and routers within a LAN - see:


http://dns-ok.gov.au/information.html#What_DNSChanger_does

Jul 18, 2012 1:26 PM in response to Neville Hillyer

Neville Hillyer wrote:


The DNS Changer Working Group site I gave the link to says:...


"The criminals operated under the company name "Rove Digital", and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses."

Yes, those are all descriptions of the various Windows version. The Mac version was known as RSPlug and all variants that were identified were Trojans. There has never been even a hint that they could move to other computers and the only router I ever found was almost certainly infected by a Windows computer on the same network.

Jul 18, 2012 1:48 PM in response to MadMacs0

That is interesting.


As you may recall I tried to discover the method used to move from computer to router and a few sites mentioned the possibility of it using standard login names (eg admin) and trying a range of passwords. This may be credible with Netgear routers as many have been left with their default name/password ie admin/password. I was unable to discover if http was used for this.


Why could this not work on OS X if this works on Windows?

Jul 18, 2012 2:47 PM in response to DrDinTN

DrDinTN wrote:


Rarely get software updates. Think they forget about us "old timers".

They officially quit updating 10.5.8 over a year ago, but then suddenly issued a Flashback Removal Tool for Intel Macs last month, so it's hard to say what the actual policy is, but experience has been that they support two versions, currently Snow Leopard and Lion, so with Mountain Lion just around the corner I expect Snow Leopard to be left in the dust before the year is out.

I had a chance to get a "reboxed" macbook from Best Buys... the one that is being replaced... 2 GB, 4-something, for $899-10%= $809.99 & it was sold right out from under me. Could have been upgraded from Lion to newer version for free. A whole new learning process. I am trying to find the same computer online as they are sometimes cheaper & often NO taxes.

MacFixIt just published this today: "Tips and checks for buying a used MacBook".

Jul 18, 2012 3:00 PM in response to Neville Hillyer

Neville Hillyer wrote:


a few sites mentioned the possibility of it using standard login names (eg admin) and trying a range of passwords. This may be credible with Netgear routers as many have been left with their default name/password ie admin/password. I was unable to discover if http was used for this.


Why could this not work on OS X if this works on Windows?

You've found a bit more than I have on this subject, but it all sounds like speculation. I tend to only check the A-V vendor blogs as they tend to give the technical details I need, based on a lab analysis of the malware itself. I have not been able to find any of that.


Although there were several versions of the Mac RSPlug installer, all the sample payloads I could locate were identical in terms of what they did, and none of them were that complex. They simply modified the appropriate file for resolving DNS preferences.


The only other possibility is that something in one of the variant's installer scripts attempted to infect the router, but I have not been able to examine any of the installers to see if that happened.


Your theory sounds credible, just haven't seen the evidence yet. Every time I think it might be a router problem, some other explanation ends up being the problem, with the one exception I mentioned.
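Added example (not part of any post in this thread): since the RSPlug payload described above only rewrote the machine's DNS settings, one practical check is to audit the configured resolvers. This sketch parses text in the layout macOS's `scutil --dns` prints and labels each nameserver; the sample output is constructed, the suspect range is a documentation-space placeholder because the thread lists none, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output (not captured from a real Mac).
SAMPLE_SCUTIL_DNS = """\
resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.53
resolver #2
  domain   : local
resolver #3
  nameserver[0] : 203.0.113.7
  nameserver[1] : fe80::1%en0
"""

# PLACEHOLDER range from RFC 5737 documentation space; the thread lists no
# rogue-resolver ranges, so substitute ones from a source you trust.
SUSPECT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# RFC 1918 and link-local space: usually the home router acting as resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10")]
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def parse_nameservers(text):
    """Return the unique resolver addresses in scutil-style output, in order."""
    found = []
    for raw in NAMESERVER_RE.findall(text):
        try:
            ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            continue  # skip malformed entries rather than abort the audit
        if ip not in found:
            found.append(ip)
    return found


def audit(text, expected=()):
    """Map each resolver to 'suspect', 'expected', 'local' or 'unexpected'."""
    expected = {ipaddress.ip_address(e) for e in expected}
    def verdict(ip):
        if any(ip in net for net in SUSPECT_NETS):
            return "suspect"
        if ip in expected:
            return "expected"
        return "local" if any(ip in n for n in LOCAL_NETS) else "unexpected"
    return {str(ip): verdict(ip) for ip in parse_nameservers(text)}
```

A "local" verdict only says the Mac is pointing at the router; as the one infected router mentioned in this thread shows, the router's own DNS settings still need checking separately.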

Jul 18, 2012 9:33 PM in response to DrDinTN

DrDinTN wrote:


Looking at Snake Sites/Pics & several times it said, Caution for malware. Anyone know how to remove any malware from Mac 10.5.8, Leopard for Free.

It was probably just a warning from Google that some of those sites were on a malware blacklist. There would only be a small chance that any of that malware was targeted at Macs.


If you are concerned about these issues but unwilling or unable to upgrade, update Leopard, run the Flashback removal tool for Leopard, and turn off Java (but not Javascript) in Applications > Utilities > Java Preferences.
