NEWS FROM THE LAB - Thursday, February 28, 2008

Mac Case Posted by Sean @ 16:53 GMT

Patrik's Mac DNS Changer video recently generated some viewer mail.

RLV wrote us the following:

Thank you for your video about the DNS changer trojan horse being targeted to Mac computers.
I was wondering if you could offer assistance. My computer has been infected by this trojan horse…

This is what happened:

RLV thought that his Mac was infected with a DNSChanger trojan and so he started doing some research. His search results located our video but the demo and his personal experience didn't sync because he wasn't prompted for his password as was demonstrated.

He then contacted us and we requested his samples. Well, his sample files were indeed a variant of Trojan:OSX/DNSChanger.

So we followed up again. With a few more details, we realized that he had installed Intego's VirusBarrier before the "infection" and not afterwards as we had originally thought. So the trial version of VirusBarrier had done its job and had prevented the installation of the DNSChanger.

Any AV activity being an uncommon event on a Mac, RLV interpreted the "infected files" notification on his hard drive as a successful system infection.

With another round of messages, we expressed confidence that his Mac was fine and provided him with information on DNS settings along with suggestions on how to test his system in order to confirm that it was clean. If his DNS settings were okay, then his personal information was okay as well. In any case, DNSChangers are more interested in making money by altering search results.

Excerpts from RLV's last message:

Thank you again for your message and for your really great help.

I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.

Doesn't hurt to be informed, or to double-check, even though it is a rare occurrence for Macs. Everyone I talked to was denying any malware vulnerability for Mac platforms, which struck me as not the best attitude to take.

I'm grateful for the help offered by you and f-secure and hopefully I won't be needing it again!

We hope so too. In his messages, RLV came across as a gentleman. There are several Mac users here in the lab and we were happy to assist him with something a bit outside of our normal routine.