For years, Macintosh users did not have to worry about the threat of computer malware, as it was all targeted at computers running the Windows operating system. Things have changed now. The DNS Changer Trojan Horse became known in 2008 as a Trojan Horse that attacks Macs running OS X.
(Note: this article has been updated to include additional files that newer versions of the DNS Changer Trojan infect on your computer.)
DNS Changer Trojan Virus Description
The DNS Changer Trojan also goes by these aliases: OSX.Jahlav-C, OSX.Puper, and OSX.RSPlug.A, with subsequent variants of the Trojan known as OSX.RSPlug.X. The Trojan is found on a number of porn and Warez sites and tricks the user into downloading the malware by pretending to be a video codec required to watch the pornography on the computer. Once you install the Trojan, it changes the DNS settings on your computer, which redirects your web surfing to malicious websites that put your personal information at risk.
How to Tell if Your Mac has the DNS Changer Trojan
The good news is that if you have protected your Mac with anti-virus and anti-spyware protection from name-brand products such as Norton Antivirus for the Mac, your anti-malware software will detect infection by this Trojan and remove it. If you have not, you will need to open your Network System Preferences app and choose the currently active interface (“Airport” or “Ethernet”). Then, select the “Advanced” menu tab and single-click the “DNS” menu tab. If the Trojan is on your computer, you will see the new DNS entry in gray rather than black like your legitimate entries. There are some cases where a legitimate DNS entry will be gray. With newer versions of the DNS Changer Trojan, the entry may not be grayed out, but it will start with the numbers 93 or 83. A good check for this is to unplug and reseat your Ethernet cable, if you are connected that way. The valid address will appear and then be automatically changed to the malicious DNS address.
How to Manually Remove the DNS Changer Trojan Virus on the Mac
If you believe you have the DNS Changer Trojan on your Mac, then the following steps will help you remove the parasite:
Step 1 – Open the “Finder” on your computer. Then, open “Library > Internet Plug-Ins”. Once you have the folder open, delete the “plugins.settings” file and empty your computer’s trash bin. For newer versions of the DNS Changer virus, you will also need to remove the following files:
Step 2 – Open your computer’s terminal. Then enter “sudo crontab -r” and input your admin password when your computer requests it. This removes the root crontab, deleting the part of the Trojan that checks your computer’s DNS settings and changes them back to the malicious address if it notices a change. To verify that your command worked, input “sudo crontab -l” and you should see “no crontab for root” returned.
Step 3 – Open the “Network System Preferences” panel and select the “DNS Server” box. Copy the IP address entries to TextEdit. Then, paste them back into the preferences box and select “Apply” (note this is for older versions of OS X and the first version or two of the original DNS virus. It is very likely that you can skip this step if you are on a newer version of OS X or if your computer has been recently infected).
Step 4 – Restart your computer and get some coffee or water while waiting for the rebooting process (I rarely turn my Mac off and forget how long the boot cycle takes since it’s a bit over 2 years old…).
Step 5 – Open the Network System Preferences panel again and verify that the DNS address no longer changes to the malicious address that you saw before (i.e., is grayed out or starts with 83 or 93).
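The checks from the detection section and the steps above can be gathered into one read-only script, shown here as an added example that is not part of the original article. Treating "starts with 83 or 93" as the first octet, looking in both the system and the user Library, and the sample addresses are all assumptions made for the example.

```sh
#!/bin/sh
# Read-only triage for the indicators named in this article (added example).

# Extract resolver addresses from `scutil --dns` style output on stdin.
parse_scutil_dns() {
    awk '/nameserver\[[0-9]+\]/ { print $3 }' | sort -u
}

# Print addresses (one per line on stdin) whose first octet is 83 or 93.
# Heuristic from the article only: legitimate resolvers can match too, so
# compare any hit with what your router or ISP actually hands out.
flag_dns_servers() {
    grep -E '^(83|93)\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# Succeed if plugins.settings exists in the given Internet Plug-Ins folder.
has_plugin_settings() {
    [ -e "$1/plugins.settings" ]
}

# Live checks on a Mac. Checking both the system and the user Library is an
# assumption; the article only says "Library > Internet Plug-Ins".
audit_mac() {
    echo "Resolvers starting with 83 or 93:"
    scutil --dns | parse_scutil_dns | flag_dns_servers
    for dir in "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"; do
        if has_plugin_settings "$dir"; then echo "Found: $dir/plugins.settings"; fi
    done
    # crontab -r deletes every root job, so look at the list before Step 2.
    echo "Root crontab:"
    sudo crontab -l || true
}

# Constructed sample of scutil output; the addresses are placeholders.
SAMPLE_SCUTIL='resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 93.0.0.1
resolver #2
  nameserver[0] : 93.0.0.1
  nameserver[1] : 83.0.0.2'

if [ "${1:-}" = "--live" ]; then
    audit_mac
else
    echo "Flagged in constructed sample:"
    printf '%s\n' "$SAMPLE_SCUTIL" | parse_scutil_dns | flag_dns_servers
fi
```

Run it with `--live` on the Mac being checked; without arguments it only processes the constructed sample.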
DNS Changer Trojan Virus Conclusions
I expect that we will continue to see an evolution of this Trojan with the Mac market share in the home and business computer markets continuing to grow. Don’t be “That Guy” or “That Gal” who puts off protecting his or her computer and makes the news for having his or her identity stolen, bank account hacked, etc! If you surf to sites such as Warez, Pornography, or others known for infecting computers with malicious code, make sure you are doing so smartly and virus scanning any and all downloads that you make to your computer.