Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version

“The [Mac DNS Changer] Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. In case of execution, the Trojan changes the DNS settings on the machine and reports back to the C&C server,” Bojan Zdrnja reports for SANS Internet Storm Center.

“While the Trojan is relatively simple and not a big threat, two things came to my mind immediately: the bad guys are taking Mac now seriously – this is a professional attempt at attacking Mac systems (and they could have been much more damaging really). The second thing that folks at Sunbelt noticed is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this,” Zdrnja reports.

“Although the Trojan is really simple, it could have done much worst things (once the installer script has root privileges, it is game over anyway). This malware shows that we must not ignore Mac machines and that Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything,” Zdrnja reports.

Full article here.

McAfee calls this one “OSX/Puper” and rates its risk as “Low” for both home and corporate users, explaining, “Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. This trojan is most commonly installed by going to a malicious site.”

Full article here.

MacDailyNews Take: This is not the first Mac trojan, nor will it be the last. There’s not much else to say here beyond that the old rules still apply: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.


  1. No computer is safe from a program an administrator CHOOSES to run. Basic smarts apply here; don’t run software from untrusted sources, and anything from a porn or warez or mp3 site should be considered untrustworthy. Stay away from net porn and piracy and you’ve much less to worry about.

  2. The MDN take is the key. This is not a breakdown or hole in MacOS X security. It is a user flaw, and Apple has already set things up to require admin password authorization for installation. You can only go so far with coding to mitigate stupidity.

    I assume that Time Machine could help you to recover gracefully from that stupidity, though.

  3. It has been said before (sorry, can’t attribute correctly, don’t remember):

    You may feel free to get your QuickTime codec updates from a porn site.

    I get my QuickTime updates from the Software Update application.

  4. Please explain how it gets ROOT access if I don’t have that enabled!

    It can only get administrator rights.

    It can only trash the user account that allows it.

    Please report it correctly.

    Incompetent reporters!!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.