We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Will your internet service cut off on July 9?

Published June 1st, 2012 at 12:25 PM EDT , modified August 14th, 2012 at 2:46 PM EDT

It’s been a quiet month for Mac users.  New Flashback infections haven’t been reported in about a month, to my knowledge, and the flood of new malware that was popping up in April seems to have tapered off.  There’s a new threat looming on the horizon, however.  Or an old threat that is looming again, to be more precise.  On July 9, some Mac users may find themselves suddenly cut off from the internet, thanks to the effects of an old bit of malware.

For a number of years, a series of trojans commonly referred to as DNSChanger infected Windows and Mac computers alike.  The Mac version of the malware went by a number of different names (RSPlug, DNSChanger, Jahlav and Puper) and first appeared in late 2007.  Regardless of name or platform, DNSChanger would change the DNS settings on the infected computer and would install a script to keep those settings changed if the user manually fixed them.

What are DNS settings, you may ask?  Internet use relies heavily on DNS, or Domain Name Servers.  A domain name server is required to translate a human-readable address (like into a machine-useable IP address (like  As a test, try entering each of those addresses into your web browser’s address bar.  You should see that both take you to the same place, but obviously the IP address is not something a human can easily remember.

The hackers behind the DNSChanger malware ran a number of malicious domain name servers, whose purpose was to redirect attempts to connect to legitimate sites to malicious servers.  For example, suppose you tried to contact from an infected computer.  The malicious domain name server might provide the IP address of a malicious server that mimics PayPal.  Logging in would not actually log in to PayPal, it would give your username and password to the hackers.  Once they had that information, they could use it to steal from you.

This went on for several years, but finally, in November of 2011, the criminals behind DNSChanger were finally uncovered and arrested.  Afterwards, the FBI found themselves in possession of the malicious domain name servers.  The obvious response would be to simply shut them down…  but that would have essentially cut off the internet access for hundreds of thousands of infected users worldwide.  If the domain name server your computer is using stops responding, your computer will be unable to look up IP addresses for domain names, and thus will be unable to connect to web sites specified using a human-readable address.  Under a court order, the FBI instead cleaned up those servers and began running them as legitimate domain name servers.  However, that court order expires (after being extended) on July 9.  The FBI cannot be expected to continue running those servers on US taxpayer dollars forever, and after July 9, those servers will finally be shut down.

So how do you know if you’re infected, and if you are, how do you solve the problem?  Fortunately, the answer to both is simple.  First, visit the DNS Changer Working Group’s website, which has links for a variety of techniques to determine whether or not you are infected.  If you find that you are infected, you can use the free DNSChanger Removal Tool.

Even if you don’t think you’re infected, I still strongly advise checking for an infection.  If you wait until July 9 and you are infected, getting help will become more difficult without internet access!

Tags: , , , , ,


  • Philippe says:

    Hey Thomas,

    Thanks for your post, I didn’t know the whole story. Interesting!

    One question, though: aren’t all decent antivirus like ClamXav, Sophos Home, Intego VB, supposed to detect and protect you from those malware too?

    • Thomas says:

      Yes, they should protect you from this malware. However, many people may have been infected several years ago and no longer even have the malware on their system, but their computers can still be using the formerly-malicious DNS servers. I don’t think anti-virus software will check for that sort of thing.

  • Philippe says:

    I’m not sure I get it… How could their computers “still be using the formerly-malicious DNS servers” if the malware is not on their system anymore? DNS cache?

    • Thomas says:

      The malware changed the system network settings. After that, it could have been removed, but the change of settings would remain. I would expect any decent removal tools to also repair the network settings, but some may not have, and some people may have followed manual removal techniques that didn’t involve changing the network settings. Or perhaps someone got a new computer and migrated user data and settings to the new computer, which could carry the bad network settings over to the new computer without also bringing the malware across. Some people may even have manually copied those settings to a new computer, thinking they were correct. There are many possibilities.

  • Philippe says:

    Thanks for your detailed response, Thomas! You’re always very helpful!

This post is more than 90 days old and has been locked. No further comments are allowed.