The Malware Dictionary

The Latest Computer Adware, Spyware, and Virus Info!

DNS Changer Trojan Virus – Mac Security Threats


For years, Macintosh users did not have to worry about the threat of computer malware, as it was all targeted at computers running the Windows operating system. Things have changed. The DNS Changer Trojan Horse became known in 2008 as a Trojan Horse that attacks Macs running OS X.

DNS Changer Trojan Virus Description

The DNS Changer Trojan also goes by these aliases: OSX.Jahlav-C, OSX.Puper, and OSX.RSPlug.A, with subsequent variants known as OSX.RSPlug.X. The Trojan is found on a number of porn and warez sites and tricks the user into downloading it by posing as a video codec required to watch the site’s videos. Once installed, it changes the DNS settings on your computer, which redirects your web surfing to malicious websites that put your personal information at risk.

How to Tell if Your Mac has the DNS Changer Trojan

The good news is that if you have protected your Mac with anti-virus and anti-spyware protection from name-brand products such as Norton AntiVirus for the Mac, then your anti-malware software will detect infection by this Trojan and remove it. If you have not, you will need to open the Network pane of System Preferences and choose the currently active interface (AirPort or Ethernet). Then select “Advanced” and click the “DNS” tab. If the Trojan is on your computer, you will see the new DNS entry in grey instead of black like your legitimate entries. There are some cases where a legitimate DNS entry will be grey (grey normally means the server was supplied by DHCP rather than entered by hand).

How to Manually Remove the DNS Changer Trojan Virus on the Mac

If you believe you have the DNS Changer Trojan on your Mac, then the following steps will help you remove the parasite:

Step 1 – Open the Finder. Then open “Library > Internet Plug-Ins”. Once you have the folder open, delete the “plugins.settings” file and empty your computer’s Trash.

Step 2 – Open Terminal. Enter “sudo crontab -r” and type your admin password when prompted. This removes the root crontab, which holds the part of the Trojan that periodically checks your computer’s DNS settings and resets them to the malicious servers if it notices a change. Note that “crontab -r” removes every root cron job, not only the Trojan’s, so run “sudo crontab -l” first if you have set up root cron jobs of your own. To verify the removal worked, enter “sudo crontab -l”; you should see “no crontab for root”.

Step 3 – Open the Network pane of System Preferences and select the DNS Server box. Copy the IP address entries into TextEdit, then paste them back into the preferences box and click “Apply”.

Step 4 – Restart your computer and get some coffee or water while waiting for the rebooting process (I rarely turn my Mac off and forget how long the boot cycle takes since it’s a bit over 2 years old…).
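The detection and verification steps above (an unexpected DNS entry, and a root crontab that should read “no crontab for root”) can be checked from captured command output. The following is an added example, not code from the original post: it parses the text of “scutil --dns” and “sudo crontab -l” (supplied as strings so it runs offline), compares the configured resolvers against a list you supply, and reports any root cron entry. The sample outputs are constructed, and 203.0.113.5 is an RFC 5737 documentation address standing in for a rogue resolver, not a real indicator.

```python
"""Audit macOS resolver settings and the root crontab for the symptoms described above.

Added example, not code from the original post. Assumptions: the checks take
the text of `scutil --dns` and `sudo crontab -l` as strings (captured output),
so they run offline; the list of expected resolvers is supplied by the user.
"""
import re
from typing import Dict, List

# `scutil --dns` prints lines such as "  nameserver[0] : 192.168.1.1".
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)

# Constructed sample output. 203.0.113.5 is a documentation address
# (RFC 5737) standing in for a rogue resolver, not a real indicator.
SAMPLE_SCUTIL = '''DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
'''

# Constructed root crontab modelled on the behaviour the post describes:
# a job that re-applies the rogue DNS settings every minute.
SAMPLE_CRON = '''* * * * * "/Library/Internet Plug-Ins/plugins.settings" >/dev/null 2>&1
'''

CLEAN_CRON = "no crontab for root\n"


def parse_resolvers(scutil_output: str) -> List[str]:
    """Every nameserver address in `scutil --dns` output, de-duplicated, in order."""
    seen: List[str] = []
    for addr in NAMESERVER_RE.findall(scutil_output):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(scutil_output: str, expected: List[str]) -> List[str]:
    """Resolvers configured on the system that the owner did not expect."""
    return [a for a in parse_resolvers(scutil_output) if a not in expected]


def root_cron_entries(crontab_output: str) -> List[str]:
    """Active (non-comment) lines of the root crontab.

    A Mac that has never had root cron jobs answers "no crontab for root",
    so any entry at all is worth reading; one that runs something out of
    the Internet Plug-Ins folder matches the infection described above.
    """
    if crontab_output.strip().startswith("no crontab for"):
        return []
    return [ln.strip() for ln in crontab_output.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def audit(scutil_output: str, crontab_output: str, expected: List[str]) -> Dict[str, object]:
    """Combine both checks into one verdict."""
    rogue = unexpected_resolvers(scutil_output, expected)
    cron = root_cron_entries(crontab_output)
    plugin_jobs = [c for c in cron if "Internet Plug-Ins" in c]
    return {
        "unexpected_resolvers": rogue,
        "root_cron_entries": cron,
        "suspicious": bool(rogue) or bool(plugin_jobs),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SCUTIL, SAMPLE_CRON, expected=["192.168.1.1"]))
    print(audit(SAMPLE_SCUTIL, CLEAN_CRON, expected=["192.168.1.1", "203.0.113.5"]))
```

On a real Mac you would feed it the live output (for example “scutil --dns” piped to a file) and your router’s or ISP’s resolver addresses as the expected list; a DHCP-assigned resolver you did not list will show up as unexpected, which is the same ambiguity the grey entry in System Preferences has.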
DNS Changer Trojan Virus Conclusions

I expect that we will continue to see an evolution of this Trojan with the Mac marketshare in the home and business computer markets continuing to grow. Don’t be “That Guy” or “That Gal” who puts off protecting his or her computer and makes the news for having your identity stolen, bank account hacked, etc! If you surf to sites such as Warez, Pornography, or others known for infecting computers with malicious code, make sure you are doing so smartly and virus scanning any and all downloads that you make to your computer.


How Does a Logic Bomb Work?


Logic bombs are programs, or parts of programs, that are inserted into legitimate software systems and carry out a malicious action once preconditions are met. These preconditions could be a certain date, time, or action taken by the end-user. Many times, computer viruses or computer worms will contain a logic bomb that delivers a malicious payload at a pre-determined time or under a set of circumstances. For example, Friday the 13th is a popular date for logic bombs to be set off, as are political dates and anniversaries. A Trojan Virus that is activated on a set date is considered a variant of a Logic Bomb, sometimes called a Time Bomb.

What Does Code Have to Have to be a Logic Bomb?

To be considered a logic bomb, the offending piece of software has to be unknown to the user of the computer and not desired in the program or code. A logic bomb could be made to wait until a remote hacker sends a network message to the program telling it to carry out malicious actions on the end-user’s computer, or it could simply read the system date and time of the infected computer and act once those pre-conditions are met. It can also be designed to activate when a database exceeds a pre-defined size, or to go off if a particular user does not log in to a system for a set amount of time. This last variant is popular with disgruntled developers who want to get back at the company that fired them. These logic bombs are dangerous and hard to defend against because they go off when something does not happen. They don’t spread to other computers, but they will normally do greater damage than those designed to trigger on an action or a time. Sometimes logic bombs are used to extort payment from a company under threat of significant damage to its Information Technology resources.
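The common thread in the triggers described above is a conditional that depends on the clock or on a login record rather than on the program’s inputs, and that is something a code reviewer can look for mechanically. The following is an added example, not code from the original post: a small static check over Python source that lists every “if” or “while” whose condition calls a time-reading function. The set of trigger names and the sample module (with its hypothetical “purge_ledger” call) are assumptions constructed for the demonstration.

```python
"""Flag conditionals that branch on the clock, the pattern a date- or
time-triggered logic bomb needs. Added example, not code from the original
post. It is a code-review heuristic for Python sources; the trigger-name set
below and the sample module are assumptions constructed for the demo.
"""
import ast
from typing import Dict, List

# Calls that read the clock or a login record; a branch that depends on
# one of these deserves a reviewer's attention, though most are benign.
TRIGGER_CALLS = {"now", "utcnow", "today", "time", "date", "datetime", "getlogin"}

# Constructed sample: one ordinary guard and one date-gated destructive branch.
SAMPLE_SOURCE = '''
import datetime

def nightly_report(rows):
    if len(rows) == 0:
        return None
    return sum(rows)

def cleanup():
    # hypothetical: fires only after a chosen date, with no business reason
    if datetime.date.today() >= datetime.date(2009, 11, 13):
        purge_ledger()
'''


def _called_name(node: ast.AST) -> str:
    """Name of the function a Call node invokes ('today' for datetime.date.today())."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_time_triggered_branches(source: str) -> List[Dict[str, object]]:
    """Return every `if`/`while` whose test calls a clock-reading function."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.If, ast.While)):
            continue
        calls = sorted({_called_name(sub.func) for sub in ast.walk(node.test)
                        if isinstance(sub, ast.Call)} & TRIGGER_CALLS)
        if calls:
            findings.append({"line": node.lineno, "calls": calls})
    return findings


if __name__ == "__main__":
    for f in find_time_triggered_branches(SAMPLE_SOURCE):
        print(f"line {f['line']}: branch depends on {', '.join(f['calls'])}")
```

The check is deliberately noisy: scheduling code and log rotation branch on the clock too. Its value is in producing a short list that a second programmer reads, which is the review step the defense section below says such code requires.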

How to Defend Against Logic Bombs

Professionally targeted logic bombs are very hard to defend against. They are normally custom code inserted by a company insider, and finding them requires other programmers to review the code. Cloud computing-based defense systems show promise at becoming more effective against this type of logic bomb in the future, but for now the most effective defense is prudent management: immediately removing a dismissed employee’s access to any computing systems on which they could plant a logic bomb. The normal computer user is most at risk from spyware and malware that contain a logic bomb as part of the malware. The best defense in that case is to keep your anti-virus program up to date and adhere to good computer security practices.

How Does a Trojan Virus Work?


Trojan Viruses take their name from the lore of the Trojan Horse. A Trojan virus is computer malware that is disguised as something useful that encourages you to download or open the file or program which contains the malware. Once opened, the Trojan virus infects your computer. They are capable of downloading or containing “payload” applications that are other computer malware which can do harm. A Trojan Virus is not able to self-replicate like a computer virus, but rather relies on other malware or computer users to spread the infection.

Trojan Virus Payloads

Many Trojan Viruses are designed to allow a hacker to have remote access to your computer. Once you have a Trojan installed on your computer, potential operations that a hacker can perform are:

- Using your machine to help conduct a Denial of Service attack against another website or service.

- Stealing your personal information (banking, credit cards, passwords, etc.)

- Installing other computer malware

- Deleting or modifying files on your computer

- Keylogging and screen captures of your activities to send back to the controlling hacker

- Uploading files to your computer

Methods of Trojan Virus Infection

Trojan viruses normally spread in one of two ways: (1) by being bundled with a legitimate-looking software program that the user downloads and executes, or (2) by disguising themselves as a useful file such as an MP3 or movie file. They are also known to be sent via email, and sometimes injected directly by hackers through security holes in web browsers and operating systems.

Trojan Virus Trends

Trojan viruses have increasingly been used as a gateway to other computer malware on the Internet. Hackers have grown savvy to the general public’s lack of anti-malware software and have been taking advantage of it. The majority of Trojan virus infections could be prevented if computer users would simply update their operating system and anti-virus software. Hackers have also been using social networking sites such as Myspace, Facebook, etc. to spread Trojan viruses through peer-to-peer games, message attachments, and DirectX attacks to upload Trojans to unsuspecting computer users.

Rogue Anti-Spyware Malware – Win32.Fake Raken


Win32.Fake Raken Description

Fake Raken is one of the latest rogue anti-spyware malware programs to hit the Internet. It claims to scan your computer for malware and will display fake infection warnings after it has been installed on your computer. It will then attempt to convince you that a paid malware removal tool needs to be purchased. Unlike some of the other rogue anti-spyware programs, Fake Raken is adaptable and will change its look and feel depending on the variant your computer has become infected with. It is classified as both a Trojan Virus and as Spyware.

Win32.Fake Raken Aliases

Fake Raken goes by several other names to include: XP Anti-Spyware 2009, XP Security Center, PC Anti-Spyware 2010, Home Anti-Virus 2010, and PC Security 2009.

Symptoms of Fake Raken Infection

Fake Raken symptoms will vary depending on the variant that has infected your computer. Some system changes that you may see are the following files installed on your computer:

Binaries1.cab
Binaries2.cab
Binaries3.cab
%Program Files%\XP_AntiSpyware\AVEngn.dll
%Program Files%\XP_AntiSpyware\htmlayout.dll
%Program Files%\XP_AntiSpyware\pthreadVC2.dll
%Program Files%\XP_AntiSpyware\Uninstall.exe
%Program Files%\XP_AntiSpyware\wscui.cpl
%Program Files%\XP_AntiSpyware\XP_Antispyware.cfg
%Program Files%\XP_AntiSpyware\XP_AntiSpyware.exe
%Program Files%\XP_AntiSpyware\data\daily.cvd
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll
%Program Files%\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll

The following registry entries are made on your computer:

Key: HKCU\Control Panel\don't load
Value: scui.cpl Data: "No"
Value: wscui.cpl Data: "No"

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: ForceClassicControlPanel
Data: 0x1

Key: HKLM\SOFTWARE\Microsoft\Security Center
Value: AntiVirusDisableNotify
Data: 0x1
Value: FirewallDisableNotify
Data: 0x1
Value: UpdatesDisableNotify
Data: 0x1

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware\
Value: DisplayName
Data: "XP Antispyware 2009"
Value: UninstallString
Data: "%Program Files%\XP_AntiSpyware\Uninstall.exe"

The Following Shortcuts Installed on Your Computer:
%Start menu%\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk
%Start menu%\Programs\XP_AntiSpyware\Uninstall.lnk
%Desktop%\XP_AntiSpyware.lnk
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk

Display of fake infection dialogues, pop-ups, and warnings.
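The file, registry and shortcut indicators listed above are exactly the kind of data an automated check can consume. The following is an added example, not code from the original post: it carries the listed file paths and registry values as data, checks a Program Files directory and a registry snapshot against them, and weighs the hits (the Security Center “DisableNotify” values are the strongest single signal, since they silence the warnings a user would otherwise see). It assumes the registry is handed in as a plain dict snapshot (on a live Windows host it would be filled from the standard “winreg” module, which is not wired up here), builds a constructed directory tree so it runs on any OS, and represents DWORD data such as 0x1 as the integer 1. The same pattern, with a different indicator list, covers the FakeXPA files further down the page.

```python
"""Check a Windows host snapshot for the Fake Raken indicators listed above.

Added example, not code from the original post. Assumptions: the file and
registry indicators are copied from the list above; the registry is passed in
as a plain dict snapshot (on a live host it would be read with the standard
`winreg` module), and the demo builds a constructed directory tree so it runs
on any OS. DWORD data such as 0x1 is represented as the int 1.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Paths relative to %Program Files%, as listed in the post.
FILE_INDICATORS = [
    r"XP_AntiSpyware\AVEngn.dll",
    r"XP_AntiSpyware\htmlayout.dll",
    r"XP_AntiSpyware\pthreadVC2.dll",
    r"XP_AntiSpyware\Uninstall.exe",
    r"XP_AntiSpyware\wscui.cpl",
    r"XP_AntiSpyware\XP_Antispyware.cfg",
    r"XP_AntiSpyware\XP_AntiSpyware.exe",
    r"XP_AntiSpyware\data\daily.cvd",
]

# Registry values from the post: key -> {value name: expected data}.
REGISTRY_INDICATORS: Dict[str, Dict[str, object]] = {
    r"HKCU\Control Panel\don't load": {"scui.cpl": "No", "wscui.cpl": "No"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "ForceClassicControlPanel": 1},
    r"HKLM\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP_AntiSpyware": {
        "DisplayName": "XP Antispyware 2009"},
}


def _native(program_files: str, rel: str) -> str:
    """Join a backslash-separated relative path onto the Program Files root portably."""
    return os.path.join(program_files, *rel.split("\\"))


def matching_files(program_files: str) -> List[str]:
    """Indicator files that exist under the given Program Files directory."""
    return [rel for rel in FILE_INDICATORS if os.path.isfile(_native(program_files, rel))]


def matching_registry_values(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Indicator values whose data in the snapshot equals the listed data."""
    hits = []
    for key, values in REGISTRY_INDICATORS.items():
        present = snapshot.get(key, {})
        hits.extend(f"{key}\\{name}" for name, data in values.items() if present.get(name) == data)
    return hits


def assess(program_files: str, snapshot: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """A single file hit is weak evidence (several of the DLL names are generic
    libraries); two or more hits of either kind, or the Security Center
    notifications being silenced, is a strong signal that the rogue is present."""
    files = matching_files(program_files)
    regs = matching_registry_values(snapshot)
    silenced = any(h.startswith(r"HKLM\SOFTWARE\Microsoft\Security Center") for h in regs)
    return {"files": files, "registry": regs,
            "likely_infected": len(files) >= 2 or len(regs) >= 2 or silenced}


def build_constructed_snapshot() -> Tuple[str, Dict[str, Dict[str, object]]]:
    """Constructed infected-looking host: three indicator files and a partial registry."""
    program_files = os.path.join(tempfile.mkdtemp(prefix="fakeraken_demo_"), "Program Files")
    for rel in FILE_INDICATORS[:3]:
        path = _native(program_files, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not malware")
    registry = {
        r"HKLM\SOFTWARE\Microsoft\Security Center": {
            "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 0},
        r"HKCU\Control Panel\don't load": {"wscui.cpl": "No"},
    }
    return program_files, registry


if __name__ == "__main__":
    pf, reg = build_constructed_snapshot()
    print(assess(pf, reg))
    print(assess(tempfile.mkdtemp(), {}))
```

Keeping the indicators as data rather than code is the point: when a new variant ships under another of the names listed in the aliases section, only the two tables change.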

Fake Raken Infection Methods

Computer users who don’t enable their firewall are leaving the door open to Fake Raken infection. Once on your computer, it attempts to download Binaries1.cab, Binaries2.cab, and Binaries3.cab and extract them into the Program Files directory. It may or may not display a dialogue box before installing the files. The Trojan is known to take advantage of web browser security holes and operating system vulnerabilities for the initial infection. Fake Raken is also known to display a fake Microsoft Security Center window after it has infected a computer.

Fake Raken Removal Information

Fake Raken is complex and it is not recommended to attempt manual removal. Automatic removal using an updated anti-virus program is the recommended means for removal. If you are seeing what you believe to be “Fake” infection notifications, then your computer is likely already infected with the Spyware and the Trojan virus that deployed it to your computer.

Win32.FakeXPA Trojan Virus


Description of FakeXPA Malware

FakeXPA is a Trojan that also functions as spyware. It has hidden functionality, which may include data mining, hacking tools, other malware, spyware and adware. FakeXPA is a family of programs that claim to scan the system for malware and, after scanning, issue fake warnings that malicious viruses and programs have been detected. The user is then told to pay to register the software so that the non-existent threats can be removed. FakeXPA may display a dialog that closely mimics the Windows Security Center.

Installation of FakeXPA Spyware

FakeXPA uses different installation methods, and the system modifications and filenames differ from one variant to the next. The Trojan has been distributed under different names, and the user interface and a few other details vary to reflect each variant’s branding.

Characteristics of FakeXPA Spyware

- Performs various updates silently

- Uses excessive system resources

- Tracks the user’s browsing activity

- Downloads various unsolicited files

- Opens a flood of Internet connections

- Redirects the browser to various websites

- Captures data and keystrokes

Symptoms of FakeXPA Spyware

The following changes in the system indicate the presence of FakeXPA:

Presence of files such as “%ProgramFiles%\XP Antivirusxpa.exe”, “%ProgramFiles%\XP Antivirusxpantiviruspro.exe” and “%ProgramFiles%\XP Antivirusxpa2008”

If the above files are present, you can be sure that your system is infected by the Trojan FakeXPA.

FakeXPA Spyware Basic Removal Steps

Fake XPA spyware can significantly slow down your computer. If you are not comfortable with registry modifications and computer security, remove Fake XPA using an anti-virus program rather than attempting manual removal.

© 2009 The Malware Dictionary. All Rights Reserved.
