New DNSChanger Hacks Router In Mac?

DNSChanger comes as two executables: an EXE for Windows and a DMG for Mac OS X. This threat has been around for quite some time, but there was nothing exceptional about it until last week, when a new variant captured our attention. [Read WashingtonPost blog]

A new EXE variant of DNSChanger is capable of changing users’ DNS settings by hacking the configuration page of the wireless router. Is this true? Yes, it targets a list of routers and performs a dictionary attack.

Below are the strings extracted from the executable file.

TrustedSource Blog published an analysis of this EXE variant.

Is there a similar variant affecting Mac? Let’s check the latest downloadable DMG file, courtesy of several PornTube sites roaming around the net.

If you look, the installer package doesn’t contain anything new. As I mentioned in my previous post about OS X DNS Changer analysis, the malicious files here are preinstall and preupgrade (which contain exactly the same code).

The latest DNSChanger for Mac is obfuscated, which is a minor modification. Going further, the deobfuscated script clearly suggests that there’s nothing new except the variable IP addresses (s1 and s2).

So, the new behavior found in the latest DNSChanger in Windows doesn’t exist yet in Mac.
