dnschanger

Latest

  • DNSchanger standby servers will go dark Monday 7/9

    by Michael Rose, 07.08.2012

    It's pretty unlikely that your computer is among the 277,000 worldwide still affected by the DNSchanger malware (63,000 of them in the US, per the FBI and CIO Daily), but just in case you find yourself mysteriously knocked offline Monday morning, here's why. From 2007 until the law knocked on their door in early 2011, an Estonian hacker ring maintained a scam system where infected computers had their DNS settings changed to point to compromised, rogue servers controlled by the criminals. Over the course of their activity, about four million computers were affected worldwide; AV software and system updates cleared most of the malware, but not all of it. The good news is that these particular bad dudes are now in jail. The bad news is that for the infected computers that were pointing at the rogue DNS servers, simply taking the servers offline would have in turn caused the client computers to freak out. To prevent this, the FBI and other law enforcement took over the IP addresses for the rogue servers and have been running legitimate, well-behaved DNS servers there ever since. All good things must end, however, and the FBI isn't going to bear the costs of running those boxes any longer; they're getting turned off tomorrow. You can check your machine using McAfee's free online DNSchanger check, or use Macfixit's rundown to confirm that you're not pointed at the bogus DNS servers. Either way, you can use this opportunity to verify that you're using the optimal DNS settings for your network -- most likely your ISP's recommended settings, or nationwide DNS providers such as Google (8.8.8.8) or OpenDNS (208.67.222.222).

  • New variant of RSPlug trojan making the rounds

    by Robert Palmer, 11.18.2008

    Our friends at Intego sent out an alert this morning, warning users about a new variant of the RSPlug trojan horse, found on several adult websites. The risk to users is classified as "medium." RSPlug trojans, themselves a form of DNSChanger, change local DNS settings to redirect to phishing sites for banks, PayPal, and eBay. All these trojans must be downloaded at the user's request, and an administrator password has to be supplied. When visiting certain sites, the user is alerted that there is a "Video ActiveX Object Error" and is told that their "Browser cannot play this video file." The alert instructs the user to download the "missing Video ActiveX Object." If the user clicks OK, a disk image called "cleanlive.dmg" downloads (which may change in the future). Depending on the user's browser settings, this disk image may mount and installation may automatically start. Intego VirusBarrier X5 users are, as you might imagine, already protected. Updating your virus definitions today will improve detection. And, as always, be careful where you put your mouse online.

  • Intego reporting new OS X trojan horse in the wild

    by Michael Rose, 10.31.2007

    Ah, Halloween, when all the nasties come out. Just when you thought it was safe to go surfing again, Mac AV vendor Intego is reporting an OS X-specific Trojan horse showing up on some sites and forums. The bit of nasty, which Intego is calling OSX.RSPlug.A and other sources refer to as DNSchanger or Ultracodec/Zlob (Windows version), is delivered on the pretense of installing a QuickTime codec necessary to view adult videos. Once the .dmg is downloaded and the installer is run (with administrative permissions), rather than a new video codec you've got rogue DNS server settings + a cron job that continually sets your DNS back to the bogus entries. Making matters worse, on Tiger the fake DNS settings are invisible in the Network system preference pane.

    These fake DNS entries might mislead your machine to spyware sites (unlikely to affect your Mac), pay-per-click search engines (annoying but not dangerous), more pornography (potentially troublesome), or -- and this is really the problem -- Potemkin versions of financially sensitive sites like PayPal, eBay or banks, which would presumably capture your login credentials before handing you off to the genuine article.

    While at least one unfortunate poster at Apple's support forum has been bitten by this malware, some simple precautions -- turning off "Open Safe Files" in Safari and, hmm, I dunno, not installing software downloaded from pornography sites -- will go a long way toward preventing the spread of this malware. Remember, a Trojan does not self-distribute; this code depends on user behavior as the vector of infection, so behave.

    Update: Rob Griffiths at Macworld has posted helpful detection and removal instructions for the Trojan.

    via MacTech
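Both the 2012 shutdown notice and the 2007 RSPlug post come down to one check: are the resolvers your machine actually uses pointed at a rogue range? The script below is an added example, not from TUAW or any of the tools the posts link to. It parses resolver addresses out of `scutil --dns` style output (macOS) or `/etc/resolv.conf` and flags any that fall inside a configured rogue network; the rogue range used here is an RFC 5737 documentation block standing in for the real DNSChanger ranges, which these posts do not list.

```python
import ipaddress
import re
from typing import Iterable, List

# Placeholder for the rogue DNSChanger ranges: the posts above do not list
# them, so this constructed example uses an RFC 5737 documentation network.
# A real check would load the published blocklist here instead.
ROGUE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Public resolvers the 2012 post names as reasonable replacements.
KNOWN_GOOD = {"8.8.8.8", "208.67.222.222"}

# Matches both "nameserver[0] : 1.2.3.4" (scutil --dns on macOS) and
# "nameserver 1.2.3.4" (/etc/resolv.conf).
_NS_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.MULTILINE)


def extract_nameservers(text: str) -> List[str]:
    """Return the unique resolver IPs in resolver config text, in order."""
    seen: List[str] = []
    for addr in _NS_RE.findall(text):
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # skip hostnames or malformed lines
        if ip not in seen:
            seen.append(ip)
    return seen


def flag_resolvers(nameservers: Iterable[str], rogue=ROGUE_NETWORKS) -> List[str]:
    """Return the resolvers that fall inside any known-rogue network."""
    return [ns for ns in nameservers
            if any(ipaddress.ip_address(ns) in net for net in rogue)]


# Constructed sample modelled on `scutil --dns` output; not a real capture.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
"""

if __name__ == "__main__":
    servers = extract_nameservers(SAMPLE_SCUTIL)
    for ns in flag_resolvers(servers):
        print(f"WARNING: resolver {ns} is inside a known-rogue range")
    for ns in servers:
        if ns in KNOWN_GOOD:
            print(f"ok: {ns} is a known public resolver")
```

On a live Mac, feed `extract_nameservers` the stdout of `scutil --dns` rather than the constructed sample; since the 2007 post notes that Tiger's Network preference pane hid the fake entries, reading the resolver list this way is more reliable than trusting the GUI.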