OFFICIAL SECURITY BLOG


How to remove the DNS Changer malware

Published July 7th, 2012 at 10:17 PM EDT , modified July 8th, 2012 at 8:58 PM EDT

Monday is the day that the FBI will shut down the substitute DNS servers it has been running in place of the DNS Changer servers seized last year. Mac users may have been infected with the DNS Changer malware, more commonly known as RSPlug (among other names), and though every visible effect of the malware may seem to be gone, it will strike many tomorrow: the malware pointed the Mac's DNS settings at those servers, and once they stop answering, an infected Mac can no longer resolve domain names. Worse, it turns out that the commonly recommended removal tools do not always detect the malware!

Unfortunately, I’ve never actually seen this malware, and it disappeared from common distribution on the Mac before I started studying malware. So, Al Varnell, a helper on both the ClamXav and Apple Support Communities forums, was instrumental in helping to put together a manual removal guide. I could not have done this without his assistance!

First, determine whether you’re infected or not by going to www.dcwg.org. The sites linked from their Detect page can determine whether you’re infected more directly than a scan of your computer can: they look at which DNS server your request was resolved through. Keep in mind that this tests the DNS server currently in use, not the files on disk, so passing the test is not proof that the cron job and plug-in described below are gone.

If you are infected, be sure you are logged in to an admin account on your Mac, open the Terminal app (in /Applications/Utilities) and enter the following command:

sudo crontab -l

followed by the return key.

Enter your admin password when asked (be aware nothing will be displayed when you type), and Terminal will then display any cron tasks for the root user. Typically there will be none, and you will see a message that there is no crontab for root. If you see the following output, though, it means you’ve got the malware:

* * * * * "/Library/Internet Plug-Ins/[TrojanName]">/dev/null 2>&1

where [TrojanName] will be “plugins.settings”, “AdobeFlash”, “QuickTime.xpt” or perhaps something else. The five asterisks mean the job runs every minute, which is how the malware keeps re-applying its DNS settings after you change them back. If you see that, you need to go to the /Library/Internet Plug-Ins folder and delete the item with the exact name quoted in the cron line.

Once you have done that, go to the Terminal again and enter:

sudo crontab -r

followed by the return key, and your password again (if necessary).

Finally, you need to change your DNS server settings, since deleting the files does not undo the change the malware already made. How this is done varies depending on the version of Mac OS X you are running. On recent versions, you open System Preferences -> Network, select your active network interface (Ethernet or AirPort), then click the Advanced button, then the DNS tab. Remove any servers from the list using the [-] button at the bottom of the list, and then replace them with the OpenDNS servers (208.67.222.222 and 208.67.220.220) by clicking the [+] button to add each address. Then click OK.

On older versions of Mac OS X, go to System Preferences -> Network, select your active network interface (Ethernet or AirPort) and click the Configure button, then click the TCP/IP tab. Delete everything from the DNS Servers field and enter the OpenDNS server addresses (208.67.222.222 and 208.67.220.220). Enter one address, then press return to go to the next line and enter the second address. Then click Apply Now.
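To put the whole check in one place, here is an added shell example written for this page; it is not code from the post, from Al Varnell, or from any removal tool. It parses the root crontab for the every-minute entry in the shape shown above and extracts the plug-in path, and it tests whether a DNS server address falls in the rogue ranges published for this botnet by the FBI and DCWG. Those ranges, the constructed sample crontab line, and the scutil/networksetup commands offered as a Terminal alternative to the System Preferences steps are assumptions of this example, not material from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the two checks
# described above: the root cron entry pointing into /Library/Internet Plug-Ins,
# and whether a DNS server address lies in a known DNS Changer rogue range.

# Print the plug-in path from every matching cron line read on stdin.
# Matches lines of the shape the post shows:
#   * * * * * "/Library/Internet Plug-Ins/<name>">/dev/null 2>&1
find_dnschanger_cron() {
    sed -n 's|^\* \* \* \* \*[[:space:]]*"\(/Library/Internet Plug-Ins/[^"]*\)".*|\1|p'
}

# Succeeds (exit 0) when the crontab text on stdin contains such an entry.
cron_is_infected() {
    [ -n "$(find_dnschanger_cron)" ]
}

# Succeeds when a dotted-quad IPv4 address lies in one of the rogue DNS ranges
# published by the FBI/DCWG (assumption of this example, not from the post):
#   85.255.112.0-85.255.127.255   67.210.0.0-67.210.15.255
#   93.188.160.0-93.188.167.255   77.67.83.0-77.67.83.255
#   213.109.64.0-213.109.79.255   64.28.176.0-64.28.191.255
dns_is_rogue() {
    ip=$1
    o1=${ip%%.*};   rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case "$o1.$o2" in
        85.255)  [ "$o3" -ge 112 ] && [ "$o3" -le 127 ] ;;
        67.210)  [ "$o3" -ge 0 ]   && [ "$o3" -le 15 ] ;;
        93.188)  [ "$o3" -ge 160 ] && [ "$o3" -le 167 ] ;;
        77.67)   [ "$o3" -eq 83 ] ;;
        213.109) [ "$o3" -ge 64 ]  && [ "$o3" -le 79 ] ;;
        64.28)   [ "$o3" -ge 176 ] && [ "$o3" -le 191 ] ;;
        *)       return 1 ;;
    esac
}

# Constructed sample standing in for `sudo crontab -l` on an infected Mac.
SAMPLE_CRONTAB='* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1'

# On a live Mac, logged in as an admin (sudo prompts for your password):
#   sudo crontab -l 2>/dev/null | find_dnschanger_cron   # prints the trojan file(s)
#   sudo rm -- "/Library/Internet Plug-Ins/plugins.settings"   # delete what it printed
#   sudo crontab -r                                       # remove root's crontab
#   scutil --dns | awk '/nameserver\[/ { print $3 }' | sort -u   # resolvers in use
#   networksetup -listallnetworkservices                  # find the service name
#   networksetup -setdnsservers Ethernet 208.67.222.222 208.67.220.220
#   networksetup -setdnsservers Ethernet empty            # or: back to DHCP-supplied DNS

# Running this file directly shows the cron detection on the constructed sample.
printf '%s\n' "$SAMPLE_CRONTAB" | find_dnschanger_cron
```

Feed each address printed by the scutil line to dns_is_rogue; a hit means the settings still point at the seized servers even if the files are already gone, and a clean result from the cron check alone is not enough, since the DNS settings stay changed after the plug-in is deleted.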

Some people have recommended flushing the system’s DNS cache. Neither Al nor I believe that to be necessary. I think this step has stemmed from attempts to help people who were supposedly clean, according to removal tools that missed some variants, but were still seeing that they were listed as using bad DNS servers. However, if you want to be sure, on Mac OS X 10.7, enter the following command in the Terminal:

sudo killall -HUP mDNSResponder

In Mac OS X 10.5 and Mac OS X 10.6, enter the following command:

dscacheutil -flushcache

On older systems, enter the following command:

lookupd -flushcache


4 Comments

  • Linc Davis says:

    Switching to OpenDNS is not a necessary step in removing the malware. Not everyone would agree with you that it’s a good idea, either.

    • Thomas says:

      Replacing the malicious DNS servers in the network settings is an important part of the process. As to OpenDNS, I’m sure some don’t like it. I’ve had good results with them, but of course there are alternatives, like Google’s DNS servers. I wanted to keep things simple, but those who have a favorite DNS server can use that instead.

  • Linc Davis says:

    In most cases, the user will be better off just deleting the DNS addresses. If the host gets an IP address from DHCP, the gateway will supply DNS information, which might point to itself (as a proxy) or to the ISP’s resolvers.

    Of course the gateway settings have to be checked too, as some forms of the malware reportedly check for consumer routers with default passwords. In that case, other devices on the local network, including those not infected with the malware, may be impacted. You should mention that.

    • Thomas says:

      Whether it’s best to rely on the DNS server provided by the DHCP server is a matter for debate. Opinions differ on that. As to potential router issues, that’s outside the scope of this document. But, it is worth a mention.
