Good news for Mac owners

So it turns out we may see a respite, even if only for a while, in new infections with the Mac DNSchanger malware.

The story starts with an Estonian company operating out of the US, called ESTdomains, and its associated Web hosting company, ESThosts. ESTdomains is the preferred domain registrar for Eastern European cybercriminals, who often host viruses and malware with its sister company, ESThosts.

ESThosts relies on an upstream ISP called Intercage for its connection to the Internet. Happily, Intercage, which has long turned a blind eye to all kinds of criminal activity on the Internet, finally crossed the line and was dropped by its service provider. A new upstream provider rode to its rescue, only to have its packets dropped by an Internet backbone provider.

Why is this happy news for Mac users?

A while ago, I mapped out an underground network of virus and malware droppers, some of which were being used to spread the Mac version of the Zlob malware, aka OSX.DNSchanger, OSX.RSplug.A, or OSX.RSpluginA.

Many of the sites that spread this malware were disguised as porn sites. Other sites were legitimate sites that had been hacked. Still other sites contained outdated, insecure versions of popular blogging or forum software such as WordPress and PHPnuke, and had been hacked to carry redirectors to the malware. Still other sites disguised the malware as antivirus software, or browser plug-ins, or any number of other things.

But, and here's the interesting part, all of these fake porn sites, hacked blogs, hacked Web sites, hacked forum sites, and bogus software sites pulled the malware from the same repository: a server living at IP address 64.28.178.27.

Which is in Intercage’s IP space, and so is currently unreachable.

Meaning that as of right now, the one server being used to spread the Mac DNSchanger malware is offline.

Now, I have no doubt that the bad guys are going to move the Mac malware to a different server at some point. But they are going to have to rejigger the rest of the network to point to the new server, which will take time. In the meantime, we should see a lot fewer infections with this malware.

6 thoughts on “Good news for Mac owners”

    • The DNSchanger malware is easy to get rid of; in fact, there’s even automated software to do it.

      I don’t recommend antivirus software for Mac users. The AV software out there tends to be buggy, bloated, and problematic, and using software that can disrupt your system for the sake of avoiding one piece of malware seems silly. The DNSchanger malware can’t infect a Mac by itself. It relies on trickery; you have to deliberately run it, type in your administration password, and then deliberately choose to install it.

      It tries to trick you into doing that, usually by pretending to be a Web movie that you need to download special software in order to see. The way to deal with it is by being smart about what software you choose to install, and by being skeptical of the claims made by Web sites that promise to show you Britney Spears’ tits if only you will install software on your computer first.
