Monthly Archives: July 2010

Malware on Mac OS X

17 Saturday Jul 2010

Posted by in apple mac, Computers, Software

4 Comments

Tags

, , , , ,

On Friday I saw a Trojan Horse on an OS X (snow leopard) system in the wild. It was the first time I ever saw an infected Mac. Interesting, in the same way seeing a poisonous snake is interesting. Windows malware is common and is everywhere. This was different.

The infected Mac had a DNS hijack trojan. It changed the DNS server addresses to 85.255.116.150 and 85.255.112.148  A whois showed these to be shared hosts in the Ukraine. Going into the DNS settings (system preferences > networking > advanced > dns) and changing these to the desired dns servers did not “stick”, that is they would change back to the wrong ones by the trojan process. When web surfing, sometimes the Mac behaved normally and sometime it would go to seemingly random web sites.

A bit of google research turned up references to a trojan horse called OSX.RSPlug.A This cannot replicate itself, it was installed in error by the user who thought he was installing an updated codec. He was on a “questionable” site … ok he was trying to see a pornographic video and the site said he needed to install a codec update to see it. So here we have the crux of the matter, it was a user error that got this trojan on his mac. Self inflicted.

I found the removal solution at Macworld.com  here:  http://www.macworld.com/article/60823/2007/10/trojanhorse.html To prove the system has this trojan, use the terminal app and enter

sudo crontab -l

the last character is a lower case letter l, not the digit 1. cron is the unix/linux program that runs tasks or jobs at a specific time or interval. crontab is the program which lets you create, view, change, delete these scheduled tasks. If you see something like

* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1

you have this malware. This says cron will run the script named plugins.settings on a regular basis. To cancel this,  in terminal enter

sudo crontab -r

then delete the plugins.settings file.  I found it in ~/Library/Internet Plug-Ins directory, not in /Library/Internet Plug-Ins. Do a search to see where it is and delete them all.

This worked, the infected Mac was cured.

Shooting Range Open House in Prescott, Az

11 Sunday Jul 2010

Posted by in Competitive Shooting, guns, IDPA, Prescott_AZ, Shooting, USPSA

1 Comment

Tags

, , ,

Update 8/1/2010  Gary took photos at this open house, they’re here.

If you are interested in checking out Prescott Action Shooters (formerly Yavapai Recreation League), a private shooting club in Prescott, Az, here’s your chance. On July 31, 2010 from 9 am to 2 pm they are having a free open house. Here’s some info from their email:

Our club is having a Family Open House on July 31, from 9am to 2pm.  The event will be open to the public , club members, and friends.  There will be demonstrations of all the shooting disciplines, plus steel stages set up for our guests to try.  This is a great opportunity for us to show off our range, demonstrate what we do, and hopefully attract people that will become future members and/or shooters.  The event will be free to the public, including the first 20 rounds of rimfire ammo.

Bays 1,2,3 will have steel stages for our guests to try rimfire 22’s. Bays 4,5,6, and 11 will be demonstration stages for USPAS, IDPA, COWBOY, AND ICORE .

There will be a free hot dog lunch.

Gary and I are members of this organization and I recommend it highly for shooters in the Prescott area.