Daily Archives: September 30, 2008

Good news for Mac owners

Posted on by
6

So it turns out we may see a respite, even if only for a while, in new infections with the Mac DNSchanger malware.

The story starts with an Estonian company operating out of the US, called ESTdomains, and its associated Web hosting company, ESThosts. ESTdomains is the preferred domain registrar for Eastern European cybercriminals, who often host viruses and malware on its sister company ESThosts.

ESThosts relies on an upstream ISP called Intercage for its connection to the Internet. Happily, Intercage, which has long turned a blind eye to all kinds of criminal activity on the Internet, finally crossed the line and was dropped by its service provider. An new upstream provider rode to its rescue, only to have its packets dropped by an Internet backbone provider.

Why is this happy news for Mac users?

A while ago, I mapped out an underground network of virus and malware droppers, some of which were being used to spread the Mac version of the Zlob, aka OSX.DNSchanger, OSX.RSplug.A, or OSX.RSpluginA, malware.

Many of the sites that spread this malware were disguised as porn sites. Other sites were legitimate sites that had been hacked. Still other sites contained outdated, insecure versions of popular blogging or forum software such as WordPress and PHPnuke, and had been hacked to carry redirectors to the malware. Still other sites disguised the malware as antivirus software, or browser plug-ins, or any number of other things.

But–and here’s the interesting part–all of these fake porn sites, hacked blogs, hacked Web sites, hacked forum sites, and bogus software sites all pulled the malware from the same repository, a server living at IP address 64.28.178.27.

Which is in Intercage’s IP space, and so is currently unreachable.

Meaning that as of right now, the one server being used to spread the Mac DNSchanger malware is offline.

Now, I have no doubt that the bad guys are going to move the Mac malware to a different server at some point. But they are going to have to rejigger the rest of the network to point to the new server, which will take time. In the meantime, we should see a lot fewer infections with this malware.