Feb 19 2008
Face to face with the DNS Changer Trojan, Macintosh Edition
The mystery of 85.255.115.45
It all started with a series of mysterious connections to DNS servers in the Ukraine. (I know, technically you’re supposed to refer to it simply as Ukraine, and never The Ukraine, but call me a child of the Cold War.) All of the articles I’d found on the net about the connections were cries for help from people whose DNS had been hijacked by Windows spyware. Our security team met on the issue and decided to put the offending addresses into administrative lockdown, pending a rebuild of their virus-ravaged systems.
Dubious wisdom from the Apple Store
This morning we got a call from a Mac owner, who I will call Adam for no particular reason. It’s not his name. Adam had taken his Mac to the Apple store to get it reinstalled, like we’d asked, and they told him that Macs are invincible and cannot get viruses, so it must all obviously be a great misunderstanding. Adam showed up demanding to know why we had exiled his machine, because Macs can’t get viruses. What kind of amateurs would forget to consult the experts at The Apple Store? To be honest, I was rather surprised myself.
iPod Mafia-Edition
So, in one corner we had the reports our new IDS system was giving us, along with the dubious reputation of the Ukrainian data servers, and in the other we had mommy’s precious child with his new laptop and Apple-branded idealism. Who should we believe? Plagued by doubts, I began to Google every bit of information I had on the case. I checked the addresses, the types of lookups I was seeing, tried cross-referencing it with Macintosh terms, and finally settled on the name of the guy who owned the addresses and the name they were registered to. It returned something.
Andrew Sotov
Andrew Sotov is a name associated with all kinds of trouble on the Internet. He’s got comment-spam bots advertising pharmaceuticals, browser-hijacking malware, and apparently the first Mac-based trojan in the wild. And that’s just the first couple screens once you Google his name. The Mac thing was what interested me, though. Someone had finally managed to pull off a Mac trojan. Granted, you had to give it admin rights in order for it to install, but what mattered was that it existed, and that it matched the symptoms we’d been seeing.
Malware’s October Revolution
As of October of 2007, Macintoshes are no longer invincible. It’s still difficult to get infected, but with enough determination, anyone can do it. Here’s the SANS article describing it. What seems to happen to the Mac user is the following.
Somewhere in College Town, USA, after a night of frenzied art-making, right around when the patchouli-scented candles have almost burned down to the point where he can barely make out the life-sized poster of Steve Jobs on his wall, the misunderstood Mac user decides to go on a porn-safari. He clicks site after site, until finally he arrives at one which shows promising thumbnail images that don’t have that “edited in Windows” look to them. The videos were probably done in iMovie! He clicks, but the site asks to install a special video codec in order for him to watch them. It’s no problem, because the fact that the site even tries to support Macintosh compels him to support them. He types in his password, and the show is over. He’s owned.
Lou’s easy home test
So now you probably want to know how to tell if you’ve got the infection. It’s easy.
- Press command-shift-A and wait for the Applications window to pop up.
- Open the Utilities folder.
- Right-click on the Terminal program (just kidding, I know you only have one button. Double-click it.)
- Type the following in the terminal and press enter:
more /etc/resolv.conf
- You should see lines that look like this:
nameserver 85.255.116.71
nameserver 85.255.115.45
- If either address starts with 85.255 (the first two numbers), the chances are extremely high that your Macintosh is infected.
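As an added example (not code from the original post), here is a small Python checker that applies the 85.255 rule from the steps above to resolv.conf text; it also accepts the `nameserver[n] : address` lines that `scutil --dns` prints on macOS, where /etc/resolv.conf does not always reflect the resolver actually in use. The prefix list and the sample file contents are constructed here for illustration.

```python
import ipaddress
import re
from typing import List, Tuple

# The post's rule: resolvers whose first two numbers are 85.255. Held as CIDR
# blocks so the check generalises; only this block comes from the post.
SUSPECT_PREFIXES = [ipaddress.ip_network("85.255.0.0/16")]

# Matches "nameserver 1.2.3.4" (resolv.conf) and "nameserver[0] : 1.2.3.4" (scutil --dns).
_NS_LINE = re.compile(r"^nameserver(?:\[\d+\])?(?:\s*:\s*|\s+)(\S+)")

def parse_nameservers(text: str) -> List[str]:
    """Return nameserver addresses, skipping comments (# or ;) and other directives."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = _NS_LINE.match(line)
        if m:
            servers.append(m.group(1))
    return servers

def suspicious_nameservers(text: str) -> List[Tuple[str, str]]:
    """Return (address, matching block) for each resolver inside a suspect prefix.
    Entries that are not valid IP addresses are skipped rather than guessed at."""
    hits = []
    for addr in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        for net in SUSPECT_PREFIXES:
            if ip.version == net.version and ip in net:
                hits.append((addr, str(net)))
                break
    return hits

# Constructed samples modelled on the output quoted in the post; not real captures.
SAMPLE_INFECTED = "# constructed\nnameserver 85.255.116.71\nnameserver 85.255.115.45\n"
SAMPLE_CLEAN = "domain example.org\nnameserver 192.0.2.53\nnameserver 2001:db8::53\n"

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        hits = suspicious_nameservers(sample)
        print(label, "->", hits or "no resolvers in a suspect block")
```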
What now? Is there an after-school special I should watch, or maybe a support group?
The best course of action for any infected machine, Mac or PC, is to reinstall it with the disks it came with. You can’t trust anything you see on an infected machine, because the parts that you use to check it could also be infected. Think of it as an act of penance.
One Response to “Face to face with the DNS Changer Trojan, Macintosh Edition”
Yeah, Andrew Sotov messed up my PC. I found out his details…
I HATE HIM