Posted on June 1st, 2012 at 12:25 PM EDT
It’s been a quiet month for Mac users. New Flashback infections haven’t been reported in about a month, to my knowledge, and the flood of new malware that was popping up in April seems to have tapered off. There’s a new threat looming on the horizon, however. Or an old threat that is looming again, to be more precise. On July 9, some Mac users may find themselves suddenly cut off from the internet, thanks to the effects of an old bit of malware.
For a number of years, a series of trojans commonly referred to as DNSChanger infected Windows and Mac computers alike. The Mac version of the malware went by a number of different names (RSPlug, DNSChanger, Jahlav and Puper) and first appeared in late 2007. Regardless of name or platform, DNSChanger would change the DNS settings on the infected computer and would install a script to keep those settings changed if the user manually fixed them.
What are DNS settings, you may ask? Internet use relies heavily on DNS, or Domain Name Servers. A domain name server is required to translate a human-readable address (like www.reedcorner.net) into a machine-useable IP address (like 22.214.171.124). As a test, try entering each of those addresses into your web browser’s address bar. You should see that both take you to the same place, but obviously the IP address is not something a human can easily remember.
The hackers behind the DNSChanger malware ran a number of malicious domain name servers, whose purpose was to redirect attempts to connect to legitimate sites to malicious servers. For example, suppose you tried to contact www.paypal.com from an infected computer. The malicious domain name server might provide the IP address of a malicious server that mimics PayPal. Logging in would not actually log you in to PayPal; it would hand your username and password to the hackers. Once they had that information, they could use it to steal from you.
This went on for several years, but in November of 2011 the criminals behind DNSChanger were finally uncovered and arrested. Afterwards, the FBI found themselves in possession of the malicious domain name servers. The obvious response would be to simply shut them down… but that would have essentially cut off internet access for hundreds of thousands of infected users worldwide. If the domain name server your computer is using stops responding, your computer will be unable to look up IP addresses for domain names, and thus will be unable to connect to web sites specified using a human-readable address. Under a court order, the FBI instead cleaned up those servers and began running them as legitimate domain name servers. However, that court order expires (after being extended) on July 9. The FBI cannot be expected to continue running those servers on US taxpayer dollars forever, and after July 9, those servers will finally be shut down.
So how do you know if you’re infected, and if you are, how do you solve the problem? Fortunately, the answer to both is simple. First, visit the DNS Changer Working Group’s website, which has links for a variety of techniques to determine whether or not you are infected. If you find that you are infected, you can use the free DNSChanger Removal Tool.
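The DCWG's checks work by seeing whether your Mac is configured to use one of the rogue resolvers. Here is an added example, not from The Safe Mac or the DCWG, of doing the same thing locally: it reads the resolver addresses from the output of `scutil --dns` (the macOS command that prints the active DNS configuration) and flags any that fall inside a list of suspect address ranges. The ranges in `SUSPECT_RANGES` are placeholders from the RFC 5737 documentation blocks, not the real DNSChanger ranges; substitute the list published by the DCWG. The `scutil` text embedded below is a constructed sample so the script can be exercised offline.

```python
import ipaddress
import re
import subprocess

# PLACEHOLDER ranges (RFC 5737 documentation networks). Replace with the rogue
# resolver ranges published by the DNS Changer Working Group before real use.
SUSPECT_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder only
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder only
]

# Constructed sample of `scutil --dns` output from a Mac whose first resolver
# has been pointed at an address inside a suspect range.
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Matches lines such as "  nameserver[0] : 192.0.2.53"
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_nameservers(scutil_output):
    """Return the unique resolver addresses, in order, found in `scutil --dns` text."""
    seen = []
    for match in NAMESERVER_RE.finditer(scutil_output):
        addr = match.group(1)
        if addr not in seen:
            seen.append(addr)
    return seen


def flag_suspect(addresses, ranges=SUSPECT_RANGES):
    """Return the addresses that fall inside any of the given suspect networks."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Skip entries that are not plain IP literals, e.g. scoped IPv6 "fe80::1%en0"
            continue
        if any(ip in net for net in ranges):
            hits.append(addr)
    return hits


def current_nameservers():
    """Run `scutil --dns` on a Mac and parse it; returns [] if the tool is unavailable."""
    try:
        result = subprocess.run(["scutil", "--dns"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_nameservers(result.stdout)


if __name__ == "__main__":
    live = current_nameservers()
    if live:
        servers, source = live, "this Mac"
    else:
        # Not on macOS (or scutil failed): demonstrate on the constructed sample.
        servers, source = parse_nameservers(SAMPLE_SCUTIL_OUTPUT), "the constructed sample"
    print(f"Resolvers configured on {source}: {', '.join(servers)}")
    suspect = flag_suspect(servers)
    if suspect:
        print("WARNING: resolver(s) inside a suspect range:", ", ".join(suspect))
    else:
        print("No resolvers inside the suspect ranges.")
```

A clean result from this check only tells you what the system resolver is currently set to; because DNSChanger also installed a script to put the rogue settings back, a machine that was infected should still be checked with the DCWG's tools and cleaned with the removal tool rather than just having its DNS settings edited by hand.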
Even if you don’t think you’re infected, I still strongly advise checking for an infection. If you wait until July 9 and you are infected, getting help will become more difficult without internet access!