Macworld
Oct 31, 2007 12:00 am
in your browser's URL area, you may be taken there, to a phishing clone of that site, or to another site
completely, such as a porn site. Where you wind up depends solely on how the malicious DNS
machines are configured. If you consider ebay.com or paypal.com, for instance, the consequences may
be dire.
A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you
change it.
This is really bad. Really. And even though it's targeted at porn surfers today, the malware could easily
be associated with anything else, like a new viral video site, or a site that purports to show commercials
from the upcoming Super Bowl. Because this thing may spread to other such sites, we spent some time
investigating the trojan (no, not its source sites!) to determine the best way to tell if you've been
infected, as well as how to remove the software if you do find it on your machine.
If you're running OS X 10.5, open your Network System Preferences pane and select your active
interface (AirPort, Ethernet), then click Advanced. On the Advanced screen, click on the DNS tab. The
leftmost box contains your DNS servers, and all the entries should be in black. If the trojan has been
installed on your machine, you'll see the phantom DNS in gray, listed above your normal DNS
information, as seen in the image at right: the first two entries are the evil DNS, the last is the normal
DNS.
Note: There are other situations where the DNS info may be gray; it appears that if your DNS is
provided by another machine, for instance, then your legitimate DNS information will be in gray, not
black. So while this may be an indicator, keep reading for the best way to be certain if your machine is
infected.
The easiest way to tell if you've been infected is to go to the top-level /Library -> Internet Plug-Ins
folder, and look for a file named plugins.settings. If you find one there, chances are, you're infected.
However, since the names used by the malware authors may change, it's best to check a couple of other
spots as well.
The other thing to check is for the presence of the root cron job. To do this, open Terminal (in
/Applications -> Utilities) and type this command:
sudo crontab -l
Enter your admin password when asked, and Terminal will then display any cron tasks for root.
Typically this will be blank. If you see this output, though, it means you've got the malware:
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
If you really want to be sure, you can run scutil in Terminal (it's an interface to configd, an OS X
system utility). Type scutil and press Return, then type this command at the prompt, followed by
another Return: show State:/Network/Global/DNS. The output will look something like this:
<dictionary> {
  ServerAddresses : <array> {
    0 : 123.12.34.56
    1 : 234.65.43.21
  }
}
Those are all the DNS servers your machine knows about. (You can type exit to get out of scutil and
back to Terminal.) Look at that list and compare it to what you see in the Network preferences panel;
make sure you click into the two-line DNS Servers box there and use your down arrow key, just in case
there are more servers listed than you can see. The two lists should be the same. If you see servers in the
output from scutil that you don't see in the GUI, then the trojan has probably been installed.
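As an added example (not code from Macworld or from the article's author), the following POSIX shell script automates the three indicators described above: the dropped plugins.settings file, the root crontab entry, and a comparison of the DNS servers configd reports against those the GUI displays. The parsing functions take captured text, so they can be exercised on any system; the live collection is my assumption rather than a step from the article (it feeds `scutil` its command on standard input and uses `networksetup -getdnsservers` as a scriptable stand-in for the preference pane's list) and runs only when the script is invoked as `--live <network service>` on a Mac.

```shell
#!/bin/sh
# Added example, not code from Macworld or the article's author: automates the
# article's three indicators. Parsing is separated from data collection so the
# logic can run against captured text anywhere; the live commands (crontab,
# scutil, networksetup) only run with `--live <network service>` on a Mac.

# File the article names as the trojan's dropped component.
PLUGIN_FILE="/Library/Internet Plug-Ins/plugins.settings"

# Indicator 2: does a root crontab listing (passed as text) run anything out of
# the Internet Plug-Ins folder? The article's entry is
#   * * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
# The match is on the folder rather than the file name because the article
# warns that the name may change. Returns 0 if found, 1 otherwise.
has_malicious_cron() {
    printf '%s\n' "$1" | grep -v '^#' | grep -q 'Internet Plug-Ins/'
}

# Indicator 3a: pull the ServerAddresses entries out of scutil's
# `show State:/Network/Global/DNS` output, one address per line. Only the
# ServerAddresses block is read, so SearchDomains entries are not mistaken
# for servers.
parse_scutil_dns() {
    printf '%s\n' "$1" | awk '
        /ServerAddresses : <array>/ { inside = 1; next }
        inside && /^[[:space:]]*}/  { inside = 0 }
        inside && $2 == ":"          { print $3 }
    '
}

# Indicator 3b: servers in the scutil list (arg 1) that are missing from the
# GUI list (arg 2); both newline separated. Any output means configd resolves
# through a server the preference pane does not display.
dns_only_in_scutil() {
    printf '%s\n' "$1" | while IFS= read -r server; do
        [ -n "$server" ] || continue
        printf '%s\n' "$2" | grep -qxF "$server" || printf '%s\n' "$server"
    done
}

# Combine the indicators over captured inputs. Prints each finding.
# Exit status 0 = no indicator fired, 1 = at least one did.
scan() {
    crontab_text=$1; scutil_text=$2; gui_text=$3; plugin_present=$4  # yes|no
    status=0
    if [ "$plugin_present" = yes ]; then
        echo "INDICATOR: $PLUGIN_FILE exists"; status=1
    fi
    if has_malicious_cron "$crontab_text"; then
        echo "INDICATOR: root crontab runs something from /Library/Internet Plug-Ins"; status=1
    fi
    hidden=$(dns_only_in_scutil "$(parse_scutil_dns "$scutil_text")" "$gui_text")
    if [ -n "$hidden" ]; then
        echo "INDICATOR: DNS servers known to configd but not shown in the GUI:"
        echo "$hidden"; status=1
    fi
    return $status
}

# Live collection on a Mac (assumed commands, not steps from the article).
# `networksetup -getdnsservers` reports only manually set servers, so on a
# DHCP-assigned connection every server is flagged: the article's gray-entry
# caveat in scriptable form.
run_live_checks() {
    service=$1   # e.g. AirPort or Ethernet
    crontab_text=$(sudo crontab -l 2>/dev/null || true)
    scutil_text=$(printf 'show State:/Network/Global/DNS\n' | scutil)
    gui_text=$(networksetup -getdnsservers "$service")
    if [ -f "$PLUGIN_FILE" ]; then plugin_present=yes; else plugin_present=no; fi
    scan "$crontab_text" "$scutil_text" "$gui_text" "$plugin_present"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks "${2:-AirPort}"
fi
```

Exit status 0 means no indicator fired. Because the DNS comparison inherits the same false positive the gray-entry note above describes (DHCP-provided servers are not in the `networksetup` list), the file and crontab checks are the ones to weight when the DNS check fires on its own.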
I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse,
however, because ... well, the very event that defines the phrase was nothing more than a huge social
engineering hack: a bunch of people convinced some other people to accept this large wooden horse as a
gift. But they didn't get a gift. They got a whole bunch of warriors.
This program is a trojan horse: it presents itself as one thing, gets you to accept it on those grounds, and
turns out to be something completely different.
-rob.
Wed Oct 31 15:04:40 PDT 2007
Re: Trojan Horse warning: What you need to know
It's classed as a trojan because it pretends to be an installer for a codec when it's not.
Wed Oct 31 15:05:25 PDT 2007
Re: Trojan Horse warning: What you need to know
I am confused by one thing. I followed your instructions (I have Leopard) and in my DNS area I only
have two DNS servers listed; neither is black ... both are grey. I just bought this computer on Monday,
so I rather doubt I have a trojan horse, but thought I would touch base here to be positive. And no, I have
not gone to any site or downloaded anything weird. :-)
Trisha
Wed Oct 31 15:06:15 PDT 2007
Re: Trojan Horse warning: What you need to know
Quote:
    I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse: it
    presents itself as one thing, gets you to accept it on those grounds, and turns out to be something
    completely different.
    -rob
Precisely.
Whether the payload is a virus or a worm, or some other type of destructive malware isn't germane.
Follow Rule #1.
Simple, eh?
burt
Wed Oct 31 15:10:02 PDT 2007
Grey text is not uncommon
Running Leopard here...on a university campus network (Ethernet) where DHCP automatically assigns
everything, although we have to enter in a search domain as required for Entourage to work properly
with Exchange Server.
In my Network preference pane (advanced), the DNS info is all in grey...but legit...so that's not always a
sure-fire way to determine if the rogue application was running (I can't call it a Trojan Horse).
Wed Oct 31 15:12:02 PDT 2007
Re: Trojan Horse warning: What you need to know
Rob,
is there any other way the DNS could appear in grey?
I have ONE DNS and I used terminal (just in case) to check for that thing - no I actually haven't been
looking at porn lately and never since I installed 10.5 - and don't have it.
What's also weird is that I have a "Search Domain" too. SAVETIBET. Go figure... I have no idea
whatsoever what that is.
Tnx
Jon
Wed Oct 31 15:13:09 PDT 2007
Re: Trojan Horse warning: What you need to know
It appears there is another way, which I didn't catch here in my testing: if your DNS is being provided by
another machine.
So, to update the article, the best way to tell if you have the malware would be to run the 'sudo crontab -l'
command (and look in the Internet Plug-Ins folder). I'll work on an update to the article. Thanks for
catching this.
-rob.
Wed Oct 31 15:16:57 PDT 2007
Re: Trojan Horse warning: What you need to know
The fact of the matter is that it still requires USER INPUT to deploy.
#1 Tip: Don't browse shady websites (porn, warez, etc.)
Quote:
    I never called it a virus. In fact, I went out of my way to state that it is not a virus. It is a trojan horse,
    however, because ... well, the very event that defines the phrase was nothing more than a huge social
    engineering hack: a bunch of people convinced some other people to accept this large wooden horse as a
    gift. But they didn't get a gift. They got a whole bunch of warriors.
    This program is a trojan horse: it presents itself as one thing, gets you to accept it on those grounds, and
    turns out to be something completely different.
    -rob.
I was loosely referring to the usage of "Trojan Horse" since it is a term people nowadays associate with
Viruses and Worms. The payload for this is neither. It is in the end just a Malicious Application that only
affects the computer it was run on. When you say Trojan people go into a mind-numbing panic and tend
to think the sky is falling.
Aye, classic Trojan in the sense, but as far as social engineering goes this is more along the line of
someone putting sugar water in a gasoline container and leaving it on the road.
If someone were smart enough to pour it in their tank without sniffing it first it would only blow up
their engine but would not affect anyone else on a network or other cars on the road.
If I were to write an application that trashed permissions on a computer and named it idiot, then posted
a link on a website for download with a description that said "Running this application will make me
smile."
Loosely it could be thought of as a Trojan. But in reality it is just a malicious application that some poor
soul just had to manually install and have to give permission before installing it.
Ah, no worries and no need to discuss semantics; in the end it was very good of you to inform the public
and also give a method of fixing the issue if someone found that watching an unknown explicit video
was worth installing an application from a porn site.
I guess the lesson learned here is make sure you only seek out quality porn and only download adult
video from iTunes
Wed Oct 31 15:38:24 PDT 2007