It bears repeating
Turn off Safari’s “Open ‘safe’ files after downloading” option under Safari->Preferences.
There’s a program out there in the wild that can download and install itself if that checkbox is checked. It’s possible that the payload is helped along by the Flash vulnerability; I’m not sure, but keep in mind that many websites are using Flash ads that are served from third-party servers. Even if you trust the site, the ads may be from nefarious sources.
There isn’t really an easy way to turn Flash off on Safari, unless you remove the plug-in from the
Anyway, the payload from before installs a plug-in into the /Library/Internet Plug-ins/ directory that changes the DNS server that the Mac uses to resolve domain names. Basically, it means that typing in http://macphoenix.com may send you to a totally different site, or worse, if you are going to a banking or bill-paying site, it may send you to a site that looks exactly the same but is controlled by thieves. One of the bad DNS IP entries was 188.8.131.52. There was another IP number, but I didn’t record it. If you have a DNS entry pointing to the above, though, it’s a server in Ukraine that will send you to whatever it wants to, not where you want to go.
The plug-in disguises itself, so it’s impossible to know what it’s named. The solution was to remove every plug-in from /Library/Internet Plug-ins/, restart, and (after checking that the DNS changed back to the original number) install trusted plug-ins like QuickTime and Flip4Mac. But remember, the first line of defense is turning off that preference, which should not be turned on in the first place.
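As an added example (not code from the original post), here is a small shell check for the two things the post says to verify: whether the Mac’s resolvers include the rogue DNS address given above, and what has recently appeared in the plug-in directory. The `BAD_DNS` list holds only the address recorded in the post; the `scutil`/`networksetup` calls in the trailing comment are assumed to be run on a Mac.

```shell
#!/bin/sh
# Added example: flag rogue resolvers and list recently changed plug-ins.

# Resolver address recorded in the post; extend the list as more are known.
BAD_DNS="188.8.131.52"

# check_dns: reads resolver addresses, one per line, on stdin.
# Prints each address with "ok" or "ROGUE". Returns 1 if any rogue
# resolver was seen, 0 otherwise, so it can drive a script or alert.
check_dns() {
    rc=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        status="ok"
        for bad in $BAD_DNS; do
            if [ "$ip" = "$bad" ]; then
                status="ROGUE"
                rc=1
            fi
        done
        printf '%s %s\n' "$ip" "$status"
    done
    return $rc
}

# list_plugins DIR [DAYS]: lists entries directly under DIR modified within
# the last DAYS days (default 7). Because the rogue plug-in hides its name,
# looking at what changed recently is more useful than looking for a name.
list_plugins() {
    dir=$1
    days=${2:-7}
    find "$dir" -mindepth 1 -maxdepth 1 -mtime "-$days" -exec ls -ld {} \;
}

# On a Mac (assumption: scutil and the plug-in path exist on this system):
#   scutil --dns | awk '/nameserver/ {print $3}' | sort -u | check_dns
#   list_plugins "/Library/Internet Plug-ins" 7
```

Compare the printed resolver list with the addresses your ISP or router is supposed to hand out; an unexpected resolver that is not in `BAD_DNS` still deserves a look.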
Posted by Jonathan at 08:29 PM, 02 June 2008