The Rest of the Story

Written on February 12, 2009 by Katherine W. Prawl

When I left off in my last posting, I was going to chase down the last vestiges of malware still apparently lurking on Phil’s MacBook Pro from the DNS Changer trojan horse. Even though I’d eliminated the installer, what it installed was still creating some kind of traffic back to a couple of IP addresses belonging to an ISP in the Ukraine. I could tell this was going on by observing the “network monitor” that is part of the Little Snitch spyware detector. Watching mDNSResponder light up more than once a second with calls to one of two IPs made it very obvious why our bandwidth usage was totally out of sight. As for what it was transmitting, I shudder to think…. Best case (which is not good) would be that its controllers were using Phil’s machine as part of a spam network. Worst case is that they were stealing data from his computer. Needless to say, we will keep a close eye on our various financial reports for any suspicious activity, but so far nothing like that has shown up, thank goodness.

mDNSResponder, by the way, is a system service that provides Apple’s Bonjour networking, among other things. It is part of MacOS. However, I didn’t know that when I started trying to track down all the rogue processes. As I mentioned previously, I blocked mDNSResponder using a Little Snitch “rule”, but I wanted to eliminate what was launching it. To this end, I started up the MacOS utility, Activity Monitor, which in addition to showing all the processes running on the computer, allows the administrator to shut them down selectively.

Little Snitch network monitor

Well, to make a long story short, apparently I got carried away. The concept was sound, but since I didn’t take the time to learn enough to really know what I was doing (always a dangerous thing for someone poking around the underbelly of the OS), I must have killed too many instances of the process, or the wrong ones, or something. Every time I tried to open a web page in Firefox, I had to click away a warning dialog, which got very old, very quickly. But the Little Snitch network monitor still showed traffic trying to go out to the Ukraine, even after restarting the computer and reinstalling Firefox!
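
How a defender could reproduce that per-process view from the command line, as an added example that is not part of the original post: it parses the output of `lsof -i -nP` (a constructed sample is embedded here) and flags any process holding many sockets to one remote address, the pattern the network monitor showed for mDNSResponder.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise which local process is
# talking to which remote address, the view the Little Snitch network monitor gave
# of mDNSResponder. Input is the text of `lsof -i -nP` (macOS or Linux); a
# constructed sample is embedded so the script runs offline.

# Read lsof output from stdin and print "count process remote-ip" for every
# process/remote pair that has a TCP state column, most frequent first.
summarize_remote_peers() {
    awk '
        NR > 1 && $NF ~ /^\(/ {            # state column, e.g. (ESTABLISHED)
            n = split($(NF-1), ends, "->")  # NAME column: local->remote:port
            if (n != 2) next                # listeners and UDP have no peer
            split(ends[2], rp, ":")         # IPv4 remote address before the port
            pairs[$1 " " rp[1]]++
        }
        END { for (k in pairs) print pairs[k], k }
    ' | sort -rn
}

# Keep only pairs at or above a threshold (default 5): a system daemon holding
# many sockets to one foreign address is the pattern described in the post.
flag_chatty_peers() {
    summarize_remote_peers | awk -v t="${1:-5}" '$1 >= t'
}

# Live use on the affected Mac (run as root to see every process's sockets).
live_chatty_peers() { lsof -i -nP | flag_chatty_peers "$@"; }

# Constructed sample in lsof -i -nP layout; addresses are RFC 5737
# documentation ranges, not the addresses from the post.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mDNSResponder 42 root 5u IPv4 0x1 0t0 TCP 192.0.2.10:49152->198.51.100.7:80 (ESTABLISHED)
mDNSResponder 42 root 6u IPv4 0x2 0t0 TCP 192.0.2.10:49153->198.51.100.7:80 (ESTABLISHED)
mDNSResponder 42 root 7u IPv4 0x3 0t0 TCP 192.0.2.10:49154->198.51.100.7:80 (SYN_SENT)
mDNSResponder 42 root 8u IPv4 0x4 0t0 TCP 192.0.2.10:49155->198.51.100.7:80 (ESTABLISHED)
mDNSResponder 42 root 9u IPv4 0x5 0t0 TCP 192.0.2.10:49156->198.51.100.7:80 (ESTABLISHED)
mDNSResponder 42 root 10u IPv4 0x6 0t0 TCP 192.0.2.10:49157->198.51.100.7:80 (ESTABLISHED)
mDNSResponder 42 root 11u IPv4 0x7 0t0 UDP *:5353
firefox 77 phil 30u IPv4 0x8 0t0 TCP 192.0.2.10:49200->203.0.113.5:443 (ESTABLISHED)
httpd 90 root 4u IPv4 0x9 0t0 TCP *:80 (LISTEN)'

# Stand-alone demo over the constructed sample (prints only the mDNSResponder pair).
printf '%s\n' "$SAMPLE_LSOF" | flag_chatty_peers 5
```

Once the chatty process is known, Activity Monitor (or `kill` on its PID) stops it, and Little Snitch can keep blocking the destination in the meantime.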

So, I made an appointment with the “genius bar” at the local Apple Store. The very helpful techs there hadn’t seen this particular problem before, but they were able to isolate whatever it was that was making that call, and shut it down. As it happened, it was a QuickTime™ process, which is not surprising given that Phil probably acquired the trojan by trying to view a video someone had sent him. To help avoid such problems in the future, the “genius” suggested installing a bit of freeware, Perian, a QuickTime component that opens just about any video codec on the Mac without having to go out and find a tool or possibly accept dangerous suggestions from potential malware. Not only that, but “genius bar” help is even free!

So, we’re back to responsible, malware-free telecommunications. Next month, when we try using our Verizon wireless internet gear without the added stress of unwanted transmissions, we’ll reevaluate our experience with that system.
