A Macintosh User’s Cautionary Tale -- the MacTrojan


Fast version: if you think you may be infected with a virus or trojan, read this article:
http://www.macworld.com/article/60823/2007/10/trojanhorse.html
The Whole Story

Recently I, or rather security sleuth Richard Gadsden, discovered that malware (call it a trojan or a virus, who knows?) had been installed on my Mac notebook. That's right, on a MAC! Aren't we supposed to be above all that? Not any more.

How it got onto my computer is a bit of a mystery. Perhaps it happened when I was searching for inspiration on one of those evangelical sites. I suspected the malware got in through my virtual machine running Windows, but Richard said he wasn't so sure. There are trojans written specifically for Macs.

Anyway, what this thing did was install two "ghost" DNS entries in my network preferences file. These entries would try to redirect my DNS queries to mob-controlled sites in Ukraine. The phony DNS entries were grayed out and could not be deleted. In the graphic below, however, they are shown in dark type for emphasis.

View in System Preferences > Network > Advanced > DNS

When I followed up on this, Richard told me: "... [We] proactively block all outbound DNS packets, from ANY MACHINE on MUSC's network, if they are addressed to any of the InHoster DNS servers. It's a known class of attacks, so we just cut them all off at the knees."

Ok, so the MUSC network was safe, but what about my computer? After all, I didn’t know what this thing was capable of. Could it delete files or capture passwords?

I had heard from the MUSC computer security folks the dreaded advice: "wipe your drive clean and reinstall everything!"

Yikes! I didn’t want to do that. I needed another option.

I must have tried 50 different Google searches combining trojan attacks and InHoster DNS sites, and all I could find were sites relating to Windows users (surprise).

I tried different tactics for days until I stumoogled (what I call stumbling into information via Google) onto the one site that helped me dig out. Now, before I give you the link, I want to warn you that this is not for the faint of heart. It involves using Unix commands in the Terminal and changing DNS Server entries in the network preference pane. So if you find yourself in this mess, I recommend you call the help desk (792-9700).

OK, here we go. This is where I got the information that helped me get rid of the trojan/virus: http://www.macworld.com/article/60823/2007/10/trojanhorse.html. It's a year-old MacWorld article that focused on another virus.

Read the article above for the full story and how to get rid of the trojan.

First, confirm that you have this trojan by opening the Terminal app and typing:

scutil <return>
> show State:/Network/Global/DNS <return>

[you should see something like this]

<dictionary> {
  ServerAddresses : <array> {
    0 : 128.23.1.4
    1 : 128.23.110.5
    2 : 128.23.203.10
  }
  DomainName : library.musc.edu.
}
>

[then type exit, and quit Terminal]

Your domain may be different (I'm in the Library), but you shouldn't see any server address that doesn't begin with 128.23.xxx.xxx. If you do, you're infected, especially if any of them begin with 85.255.xx.xx.
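As an added example (not part of George's post or the MacWorld article), here is a small shell function that applies the same rule to a scutil DNS dump: campus resolvers begin with 128.23., anything else is suspect, and 85.255. is the known rogue range. It assumes those prefixes, which are the ones the post describes for MUSC; substitute your own site's resolvers.

```shell
#!/bin/sh
# Added example, not from the original post. On a Mac you can feed it live
# output:  echo 'show State:/Network/Global/DNS' | scutil | check_dns
# Assumption: the prefixes below are the MUSC ones the post describes.

TRUSTED_PREFIX="128.23."
ROGUE_PREFIX="85.255."

# Reads scutil output on stdin, prints one verdict line per resolver and
# returns 0 only if every resolver is in the trusted range.
check_dns() {
    rc=0
    # entries look like "    0 : 128.23.1.4"; keep just the dotted quad
    for ip in $(sed -n 's/^[[:space:]]*[0-9][0-9]* : \([0-9.][0-9.]*\)[[:space:]]*$/\1/p'); do
        case "$ip" in
            "$TRUSTED_PREFIX"*) echo "OK      $ip" ;;
            "$ROGUE_PREFIX"*)   echo "ROGUE   $ip (known DNS-changer range)"; rc=1 ;;
            *)                  echo "SUSPECT $ip (not a campus resolver)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a clean dump like the one shown in the post.
CLEAN_DUMP='<dictionary> {
  ServerAddresses : <array> {
    0 : 128.23.1.4
    1 : 128.23.110.5
  }
  DomainName : library.musc.edu.
}'

# Constructed sample: two injected resolvers (placeholder addresses in the
# 85.255.x.x range the post names) pushed ahead of the real one.
INFECTED_DUMP='<dictionary> {
  ServerAddresses : <array> {
    0 : 85.255.1.2
    1 : 85.255.3.4
    2 : 128.23.1.4
  }
  DomainName : library.musc.edu.
}'

# Demo run over both samples ("|| ..." so a rogue verdict does not abort).
printf '%s\n' "$CLEAN_DUMP" | check_dns || true
printf '%s\n' "$INFECTED_DUMP" | check_dns || echo "Rogue resolver(s) found; see the MacWorld article above."
```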

How could this happen to me?

After reading several articles on the subject, it appears that the most effective (though certainly not the only) way to become infected is by trying to watch or download a video file. The infected site replies that you don't have the proper codec and sends you off to get one. That's when you get zapped.

Moral

So, remember: DO NOT try to download or watch a video (like the religious program I was trying to see) on any site outside of MUSC. And protect yourself at all times. Download Norton AntiVirus or McAfee, both available from the MUSC software site.

George Spain