Ah Ha!
Written on February 8, 2009 by Katherine W. Prawl
On the advice of our good friend, Mark (whom you may recall showed us his on-the-road internet setup, which got us started down the mobile WiFi path), I’ve been looking into the possibility that Phil’s MacBook Pro could have some kind of malware that is sucking up all our bandwidth.
First I found Little Snitch, a spyware detector. That certainly made the case for an infestation, as even with the Airport card turned off, as soon as the application started up it showed a process (mDNSResponder) trying to contact an IP address I didn’t recognize. Sure enough, WHOIS showed it belonging to somebody in Ukraine. Well, as Phil pointed out, it can’t be a Russian spy, as the Ukrainians will be the first to tell you they are not Russians, but it is certain that we don’t particularly want any eastern European entity to receive packets from our computers without our knowledge. So, I used the Rules window of Little Snitch to turn off mDNSResponder until I could find out what that is, and entered a rule into our modem’s blacklist to block the whole range of IP addresses owned by that Ukrainian ISP, since while I was watching there were several other addresses showing up in Little Snitch’s Network Monitor as being targets for whatever process was trying to reach out and touch someone from the MacBook Pro.
That was a good first step or two, but once we saw what was going on, I wanted a way to remove the bad stuff. So, I found MacScan, from SecureMac, and ran the scanner in demo mode on both Macs. On my iMac it found 34 “tracking cookies”, most of which I recognized as belonging to ads in sites I remember visiting, and which don’t offend me since I understand that’s how they justify spending big bucks on informative websites. Many of these anti-virus, anti-malware applications classify such things as “spyware” but just tracking my browsing habits in aggregate form doesn’t rise to the level of spying in my opinion. I went ahead and let MacScan delete them, though. They’ll come back, but so what? There were no trojan horses, viruses or keyloggers on my computer, though, which is a good thing.
Phil’s MacBook Pro was a different matter. As well as 25 “tracking cookies”, it found a real baddie, DNS Changer 1.1, a genuine Trojan Horse. That is probably at least part of the problem, although I think there is still an issue with something trying to call home to the Ukraine. Even after “isolating” the Trojan Horse, when I restarted his computer the Little Snitch Network Monitor showed activity trying to talk to IP addresses 85.255.114.61 and 85.255.112.107, each in turn as the other failed. This was even before I tried turning on the Airport Card! I turned that on, but they still couldn’t get out because of the rule I’d put on the router. Unfortunately, nothing else could get in or out either, since the “call home” process was taking precedence over everything else trying to reach the internet.
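A DNS changer trojan does its damage by rewriting the machine's resolver settings, so the quickest defender's check is to read those settings and compare them against what the LAN should be using. The script below is an added example, not code from the post: it parses `scutil --dns` or `/etc/resolv.conf` style text, treats the router address 192.168.1.1 as the only expected resolver (a constructed assumption), and flags anything inside the /20 that contains the two addresses named above (an illustrative range, chosen here to cover those two IPs). The sample block is constructed from the addresses in the post.

```python
import ipaddress
import re
import subprocess

# Constructed assumption: the home router is the only resolver we expect to see.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}
# Illustrative range: the /20 that contains both addresses named in the post.
SUSPECT_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Matches "nameserver[0] : 1.2.3.4" (scutil --dns) and "nameserver 1.2.3.4"
# (resolv.conf). IPv4 only; IPv6 resolvers are deliberately not handled here.
NS_RE = re.compile(r"nameserver(?:\[\d+\])?\s*:?\s*(\d{1,3}(?:\.\d{1,3}){3})")


def extract_nameservers(text):
    """Return the distinct resolver addresses found in the given text, in order."""
    found = []
    for match in NS_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. "999.1.1.1" matched the loose regex
            continue
        if ip not in found:
            found.append(ip)
    return found


def classify(ip):
    """Label one resolver address from a defender's point of view."""
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in SUSPECT_NETS):
        return "suspect: inside blocked range"
    if ip.is_private or ip.is_loopback:
        return "local, not on allowlist"
    return "unexpected public resolver"


def audit(text):
    """Return [(address, verdict), ...] for every resolver in the text."""
    return [(str(ip), classify(ip)) for ip in extract_nameservers(text)]


def audit_live():
    """Run the audit against the Mac's current resolver configuration."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    return audit(out)


# Constructed sample resembling scutil --dns output on an infected machine.
SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 85.255.114.61
  nameserver[1] : 85.255.112.107
  nameserver[2] : 192.168.1.1
"""

if __name__ == "__main__":
    for address, verdict in audit(SAMPLE):
        print(f"{address:16} {verdict}")
```

A clean machine should report only the expected resolver; any "suspect" or "unexpected public resolver" line is worth checking in System Preferences before restoring the DNS settings by hand.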
So, I have more work to do. Next trick will be to open up Apple’s Application Monitor and identify the process that is doing this if I can, and kill it, once I find out where it lives on the system so I can remove it. But right now Phil is watching a DVD, so this will have to wait till that’s over.
It’s a relief to know there is in fact something bad going on, since knowledge is power, and now it’s just a matter of finding and killing it.
Anyone who has experience with these particular IPs and can suggest a fix, I’d be very happy to hear from you! Meanwhile, I’ll continue my research as long as that gigabyte of bandwidth lasts.
February 9th, 2009 at 11:38 pm
Kat,
What firewall do you use besides the router? Most you can block specific IP addresses from outbound traffic as well as inbound. Maybe that would work versus the router “rule”? Trying to catch up with ya here after my arm surgery!
February 10th, 2009 at 3:27 am
Tony, What we had was a Trojan Horse, which relied on social engineering to get itself installed. Phil had to open an infected file, probably a video in an email purporting to be from someone he knows, then he had to enter his admin password to allow the malware to install itself. The “DNS Changer” malware is known to masquerade as a “missing CODEC” for viewing videos, but when it has done its dirty work, the promised video is still not displayed. A firewall would not protect against that. I remember some weeks ago Phil grumbling about getting a video from his friend that he couldn’t see, so I expect that’s what happened. Macs are not prone to massive numbers of viruses, and this is just about the first malware to target this otherwise secure platform. So as long as Phil and I heed this lesson and don’t install stuff we don’t know about, we should be ok without another layer of firewalls.
February 12th, 2009 at 4:16 am
I didn’t really answer your question, Tony. We don’t use a firewall (other than our router) specifically, except MacOS. However, the operating system has a built-in firewall, which is turned on. Little Snitch, which I wrote about, does allow one to block traffic to specific IPs, too. But I think we’ve solved that problem now. See my forthcoming post about latest developments.