Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version

“The [Mac DNS Changer] Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. In case of execution, the Trojan changes the DNS settings on the machine and reports back to the C&C server,” Bojan Zdrnja reports for SANS Internet Storm Center.

“While the Trojan is relatively simple and not a big threat, two things came to my mind immediately: the bad guys are taking Mac now seriously – this is a professional attempt at attacking Mac systems (and they could have been much more damaging really). The second thing that folks at Sunbelt noticed is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this,” Zdrnja reports.

“Although the Trojan is really simple, it could have done much worst things (once the installer script has root privileges, it is game over anyway). This malware shows that we must not ignore Mac machines and that Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything,” Zdrnja reports.

Full article here.

McAfee calls this one “OSX/Puper” and rates its risk as “Low” for both home and corporate users, explaining, “Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. This trojan is most commonly installed by going to a malicious site.”

Full article here.

MacDailyNews Take: This is not the first Mac trojan, nor will it be the last. There’s not much else to say here beyond that the old rules still apply: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.


  1. No computer is safe from a program an administrator CHOOSES to run. Basic smarts apply here; don’t run software from untrusted sources, and anything from a porn or warez or mp3 site should be considered untrustworthy. Stay away from net porn and piracy and you’ve much less to worry about.

  2. The MDN take is the key. This is not a breakdown or hole in MacOS X security. It is a user flaw, and Apple has already set things up to require admin password authorization for installation. You can only go so far with coding to mitigate stupidity.

    I assume that Time Machine could help you to recover gracefully from that stupidity, though.

  3. It has been said before (sorry, can’t attribute correctly, don’t remember):

    You may feel free to get your QuickTime codec updates from a porn site.

    I get my QuickTime updates from the Software Update application.

  4. Please explain how it gets ROOT access if I don’t have that enabled!

    It can only get administrator rights.

    It can only trash the user account that allows it.

    Please report it correctly.

    Incompetent reporters!!

  5. good points made above – this is an inherit security issue in any OS you run, no matter how many firewalls and security things you run. if you give something permission to access your system, it’s game over.

    no OS is 100% secure against user ignorance. but mac os x is still in better shape than windows, which is fine by me. =)

  6. …pretty much root.

    Oh give me a break. Access rights “are” or “are not”.
    “pretty much” does not cut it.

    And what average user is going to know how to SUDO?

    Once again. There are two levels of access rights. It needs to be reported as such.
    This is not about users also being told to SUDO and then type in terminal to delete something. Anyone who does that is a moron.

    Just following the story, it only gets into the admin rights. They would actually do some good by explaining ROOT, it’s level and what admin is and it’s level. But the security companies want hype and headlines so what’s a little bending of the truth.

  7. to “Think”:

    In order for sudo to work you still need the root password. If root has not been enabled on the machine in question then nothing can happen. If root has been enabled, then the trojan would need the root password….or entice the user into entering it. I’m assuming the trojan would at least try to use the same password entered as the user/admin password for the root….if someone capable enough to have activated root in the first place has used the same password for root as they did for their user/admin account, then they deserve anything they get!

  8. Apple could do well by setting up the computer (like Windows OOBE) with a standard user account instead of an Admin account. From this level, only applications Apple expressly allows should be able to self elevate – such as Apple Update – and should still require the user to enter their admin password. The Admin account should not be “login-able” unless you specifically go into the user preferences and hit the check box “User can log into the desktop” or similar.

  9. The security companies always like to tar Apple’s OS X with the same susceptibility to malware as Windows. But even with trojans, where vulnerabilities are closer, Mac OS X is far less likely to be corrupted. Windows forces users to respond to so many useless dialog boxes — Cancel or Allow — that users turn off the nagging security features to get any work done. Mac OS X users do not often see such warnings, so that social engineering attempts to compromise the operating system on a Mac are far more obvious and thus, it is easier to avoid disaster.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.