Home / malware Trojan:OSX/DNSChanger
First posted on 02 November 2007.
Source: SecurityHomeAliases :
Trojan:OSX/DNSChanger is also known as Trojan:OSX/DNSChanger.C, Trojan:OSX/DNSChanger.A.
Explanation :
Trojan:OSX/DNSChanger are detections of installation packages, masked as fake codec installations for Mac OS X computers.
These trojans start in the package install scripts.
The trojan changes the OS X network settings to use a different DNS server. DNS Settings are made with a tool called scutil.
The DNS Server Addresses vary. For example, Trojan:OSX/DNSChanger.A directs traffic to servers located in Ukraine.
Reports Back
After installation, the script sends back an HTTP message with information that it successfully infected the system. The message contains the operating system version and the host name.
Prevents Disinfection
The install script adds a crontab (a configuration file that specifies shell commands to run periodically on a given schedule) to a script to verify the malicious DNS servers remain unchanged. The script is stored in /Library/Internet Plug-Ins and is named plugins.settings.
The trojan infects both 10.4 and 10.5 versions of Mac OS X.
Last update 02 November 2007