
Begin 777 withLove by OSX DNSChanger

What’s new? Here’s a static analysis of this new variant. Notice the header: it seems the compression used was changed.

[image: dmg-header]
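The header difference noted above is easier to pin down from the image's own metadata than from a hex dump: in a UDIF (.dmg) image the compression method is recorded per chunk in the blkx "mish" table, and the 512-byte "koly" trailer at the end of the file says where that table's XML plist lives. The following is an added example, not code from the original post; it builds a small synthetic image with build_sample_image (a constructed stand-in, not the MacAccess installer) and then reads the chunk types back out, so two samples can be compared by their compression tables.

```python
"""Read the koly trailer and blkx chunk table of a UDIF (.dmg) image."""
import plistlib
import struct

# Big-endian layouts from the UDIF format: the 512-byte koly trailer sits at
# the end of the file, and each blkx resource begins with a 204-byte mish header.
KOLY_FMT = ">4sIII5QII16sII128sQQ120sII128sIQ12s"
MISH_FMT = ">4sIQQQII24sII128sI"
CHUNK_FMT = ">IIQQQQ"  # type, comment, first sector, sector count, offset, length

CHUNK_TYPES = {
    0x00000000: "zero-fill",
    0x00000001: "raw",
    0x00000002: "ignored",
    0x80000004: "adc",
    0x80000005: "zlib",
    0x80000006: "bzip2",
    0x80000007: "lzfse",
    0x7FFFFFFE: "comment",
    0xFFFFFFFF: "terminator",
}


def parse_koly(image: bytes) -> dict:
    """Return the fields of the koly trailer needed to locate the plist."""
    if len(image) < 512:
        raise ValueError("file too small to carry a koly trailer")
    f = struct.unpack(KOLY_FMT, image[-512:])
    if f[0] != b"koly":
        raise ValueError("no koly trailer: not a UDIF disk image")
    return {
        "version": f[1],
        "data_fork_offset": f[5],
        "data_fork_length": f[6],
        "xml_offset": f[15],
        "xml_length": f[16],
        "sector_count": f[22],
    }


def parse_mish(blob: bytes) -> list:
    """Decode one blkx resource into a list of chunk descriptions."""
    hdr = struct.unpack(MISH_FMT, blob[:204])
    if hdr[0] != b"mish":
        raise ValueError("blkx entry without mish header")
    chunks = []
    for i in range(hdr[11]):  # number of chunk entries
        off = 204 + i * 40
        ctype, _, _sector, nsect, _coff, clen = struct.unpack(CHUNK_FMT, blob[off:off + 40])
        chunks.append({
            "type": CHUNK_TYPES.get(ctype, "unknown(0x%08x)" % ctype),
            "sectors": nsect,
            "compressed_length": clen,
        })
    return chunks


def compression_summary(image: bytes) -> dict:
    """Count data chunks per compression type across all blkx resources."""
    koly = parse_koly(image)
    xml = image[koly["xml_offset"]:koly["xml_offset"] + koly["xml_length"]]
    plist = plistlib.loads(xml)
    summary = {}
    for entry in plist["resource-fork"]["blkx"]:
        for chunk in parse_mish(entry["Data"]):
            if chunk["type"] in ("comment", "terminator"):
                continue
            summary[chunk["type"]] = summary.get(chunk["type"], 0) + 1
    return summary


def build_sample_image(chunk_types) -> bytes:
    """Construct a minimal synthetic UDIF image (test data, not a real installer)."""
    data_fork = b"\x00" * 512  # placeholder payload; the chunk table is what matters here
    chunks = b"".join(struct.pack(CHUNK_FMT, t, 0, i, 1, i * 512, 512)
                      for i, t in enumerate(chunk_types))
    chunks += struct.pack(CHUNK_FMT, 0xFFFFFFFF, 0, len(chunk_types), 0, 0, 0)
    mish = struct.pack(MISH_FMT, b"mish", 1, 0, len(chunk_types), 0, 1, 0,
                       b"\0" * 24, 0, 0, b"\0" * 128, len(chunk_types) + 1) + chunks
    xml = plistlib.dumps({"resource-fork": {"blkx": [
        {"Attributes": "0x0050", "ID": "0", "Name": "whole disk", "Data": mish}]}})
    koly = struct.pack(KOLY_FMT, b"koly", 4, 512, 1, 0, 0, len(data_fork), 0, 0,
                       0, 1, b"\0" * 16, 0, 0, b"\0" * 128, len(data_fork), len(xml),
                       b"\0" * 120, 0, 0, b"\0" * 128, 1, len(chunk_types), b"\0" * 12)
    return data_fork + xml + koly


if __name__ == "__main__":
    sample = build_sample_image([0x80000005, 0x80000005, 0x00000000])
    print(parse_koly(sample))
    print(compression_summary(sample))
```

On a real file, pass the bytes of the .dmg to compression_summary; a change from, say, all-zlib to all-bzip2 chunks between two samples is the kind of difference the header comparison above hints at, and the trailer's xml_offset is where any further plist inspection starts.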

The preinstall/preupgrade script now looks like this: 

[image: preinstall1]

Previous variants, by comparison, contain code or a sequence of strings as follows:

[image: preinstall_preupgrade01]

Before, the installer was named “MacVideo” and “Porn4Mac”; today it’s “MacAccess”.

Most of the known IPs and nodes used by this threat are currently active and serving this variant.

Stay safe and report dodgy websites!

  1. Steve
    November 19, 2008 at 2:44 pm

    “Notice the header, it seems the compression used was changed”…

    Why do you look at the disk image? It’s just an archive which changes each time you create a new image with the same content.

    What you didn’t notice is that it is a Downloader.

    In the last uudecode stage there’s a perl script which download binaries and launch them in a loop.

    The server is down now, but yesterday I downloaded 2 files with different lengths. That’s a new DNSChanger variant.

  2. Methusela Cebrian Ferrer
    November 23, 2008 at 6:02 am

    Thanks Steve! I already got “jah” and “withlove” =) Btw, I sent you an email offline.

  3. frolika
    November 26, 2008 at 6:05 pm

    you can see a screenshot of RSPLUG-D from the Intego security memo webpage :
    http://www.intego.com/news/ism0806.asp

  4. December 1, 2008 at 7:20 pm

    Greetings,
    I was wondering if it would be possible for you to send us samples of the new DNSChanger variant for OS X for further analysis. Thank you for your time and assistance!

  5. Methusela Cebrian Ferrer
    December 3, 2008 at 12:24 am

    Hi Nicholas, I’ll send you an email offline.

  6. m
    December 11, 2008 at 2:55 am

    what if I accidentally installed it? how can I remove it now and make sure that I do not have a virus on my computer??

  7. Ismael
    December 11, 2008 at 9:47 am

    Hello, I don’t know how to uninstall this “MacAccess”, I installed it accidentally and now it doesn’t appear in my Finder, what should I do?

  8. December 19, 2008 at 5:00 am

    I just accidentally installed macAccess too. What can I do?

  9. erico dias
    December 23, 2008 at 11:04 am

    same problem with me.. heeeelp how to uninstall this ????

  10. Arty
    December 24, 2008 at 3:43 am

    For more information on how to delete malicious files created by this exploit, go to https://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer/ inside this same site. It’s a very good analysis and how to solve recipe. After the very clear explanation on comments, I eliminated the file created by the installer package and voila. Even better than VirusBarrier and without paying even a penny.
    Hope this could be useful. Cheers!

  11. Methusela Cebrian Ferrer
    December 26, 2008 at 12:17 pm

    Cheers Arty!

    I have been receiving continuous infection report about this threat and I can’t help but to reply and send manual removal instruction to each email I receive. So, I decided to publish a step-by-step removal instruction here:
    https://ithreats.wordpress.com/2008/12/26/how-to-remove-macaccess-trojan/

    I hope this helps!

    ~ Meths

  12. Arty
    December 31, 2008 at 3:04 am

    Dear Meths. I’ve seen your entry and I found it perfect for all folks that could have problems with this trojan. I’m sure that your explanation will be very useful (more useful than any anti-virus program, as these do not reliably detect this kind of infection).

    ~Arty
