mDNSResponder, by the way, is a software server that enables Apple’s Bonjour network, among other things. It is part of the MacOS. However, I didn’t know that when I started trying to track down all the rogue processes. As I mentioned previously, I blocked mDNSResponder using a Little Snitch “rule”, but I wanted to eliminate what was launching it. To this end, I started up the MacOS utiliy, Activity Monitor, which in addition to showing all the processes running on the computer, allow the administrator to shut them down selectively.

Little Snitch network monitor

Well, to make a long story short, apparently I got carried away. The concept was sound, but since I didn’t take the time to learn enough to really know what I was doing (always a dangerous thing for someone poking around the underbelly of the OS), I must have killed too many instances of the process, or the wrong ones, or something. Every time I tried to open a web page in FireFox, I had to click away a warning dialog, which got very old, very quickly. But the Little Sntich network monitor still showed traffic trying to go out to the Ukraine, even after restarting the computer and reinstalling FireFox!

So, I made an appointment with the “genius bar” at the local Apple Store. The very helpful techs there hadn’t seen this particular problem before, but they were able to isolate whatever it was that was making that call, and shut it down. As it happened, it was a QuickTime™ process, which is not surprising given that Phil probably acquired the trojan by trying to view a video someone had sent him. To help avoid such problems in the future, the “genius” suggested installing a bit of freeware, Perian, a QuickTime component that opens just about any video codec on the Mac without having to go out and find a tool or possibly accept dangerous suggestions from potential malware. Not only that, but “genius bar” help is even free!

So, we’re back to responsible, malware-free telecommunications. Next month, when we try using our Verizon wireless internet gear without the added stress of unwanted transmissions, we’ll reevaluate our experience with that system.

First I found Little Snitch, a spyware detector. That certainly made the case for an infestation, as even with the Airport card tuned off, as soon as the application started up it showed a process (mDNSResponder) trying to contact an IP address I didn’t recognize. Sure enough, WHOIS showed it belonging to somebody in Ukraine. Well, as Phil pointed out, it can’t be a Russian spy, as the Ukrainians will be the first to tell you they are not Russians, but it is certain that we don’t particularly want any eastern European entity to receive packets from our computers without our knowledge. So, I used the Rules window of Little Snitch to turn off mDNSResponder until I could find out what that is, and entered a rule into our modem’s blacklist to block the whole range of IP addresses owned by that Ukrainian ISP, since while I was watching there were several other addresses showing up in Little Sntich’s Network Monitor as being targets for whatever process was trying to reach out and touch someone from the MacBook Pro.

That was a good first step or two, but once we saw what was going on, I wanted a way to remove the bad stuff. So, I found MacScan, from SecureMac, and ran the scanner in demo mode on both Macs. On my iMac it found 34 “tracking cookies”, most of which I recognized as belonging to ads in sites I remember visiting, and which don’t offend me since I understand that’s how they justify spending big bucks on informative websites. Many of these anti-virus, anti-malware applications classify such things as “spyware” but just tracking my browsing habits in aggregate form doesn’t rise to the level of spying in my opinion. I went ahead and let MacScan delete them, though. They’ll come back, but so what? There were no trojan horses, viruses or keyloggers on my computer, though, which is a good thing.

Phil’s MacBook Pro was a different matter. As well as 25 “tracking cookies”, it found a real baddie, DNS Changer 1.1, a genuine Trojan Horse. That is probably at least part of the problem, although I think there is still an issue with something trying to call home to the Ukraine. Even after “isolating” the Trojan Horse, when I restarted his computer the Little Snitch Network Monitor showed activity trying to talk to IP addresses 85.255.114.61 and 85.255.112.107, each in turn as the other failed. This was even before I tried turning on the Airport Card! I turned that on, but they still couldn’t get out because of the rule I’d put on the router. Unfortunately, nothing else could get in or out either, since the “call home” process was taking precedence over everything else trying to reach the internet.

So, I have more work to do. Next trick will be to open up Apple’s Application Monitor and identify the process that is doing this if I can, and kill it, once I find out where it lives on the system so I can remove it. But right now Phil is watching a DVD, so this will have to wait till that’s over.

It’s a relief to know there is in fact something bad going on, since knowledge is power, and now it’s just a matter of finding and killing it.

Anyone who has experience with these particular IPs and can suggest a fix, I’d be very happy to hear from you! Meanwhile, I’ll continue my research as long as that gigabyte of bandwidth lasts.