Home > Emerging Threats, Malwares > Unusual Pop-up Ads

Unusual Pop-up Ads

If you thought Trojan DNSChanger is dead, think twice ‘coz lately there has been series of reports from Mac OS X users experiencing unusual pop-up ads in their machines. Most of the infected users noticed that the unusual ads is coming from IP Address 216.255.xxx.xxx or as shown in the screen shot above.

This IP Address points to Intercage [AS27595] which is hosted by Atrivo in US, which apparently related to Russian Business Network(RBN). This domain host different names related to fake codec and rogue applications such as spysheriff, winspykiller, AntiVirGear and lot more. [Further Reading]

Unusual pop-up ads and internet browser results were amongst visible symptoms of this threat. Infected user should immediately change their DNS Settings and remove the following files in this folders:

~/Library/Internet Plug-Ins/plugins.settings
~/Library/Internet Plug-Ins/sendreq (usually the malware deletes this, but just double check)
~/Library/Internet Plug-Ins/QuickTime.xpt
~/Library/Internet Plug-Ins/Mozillaplug.plugin
Related Post:

Analysis of Trojan DNSChanger
Malware Retailer Includes Trojan for Mac
Fake YouTube Installs OS X Trojan DNSChange

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: