What was DNSChanger: Could your Mac still be infected?

What is DNSChanger?

First discovered in 2012, following an extensive FBI investigation, DNSChanger - also known as Puper, Jahlav and RSPlug-F - is malware that can hijack DNS servers and routers. It is believed to be the work of an Estonian criminal enterprise, and up to 100,000 servers around the world were quietly hijacked without anyone realizing.

Servers disrupted globally

DNSChanger was so prolific that even social networks, search engines and ISPs such as Comcast, COX, Verizon, and AT&T were inadvertently involved in spreading it. With the help of the FBI, these companies were all part of a global effort to remove the problem in 2012.

A coordinated effort was needed to take over this rogue DNS network: DNS settings that pointed at one of the many thousands of hijacked servers were automatically taken over and redirected, restoring the rogue network to a legitimate part of the web again.

Redirection wars

It all started several years ago, when an Estonian gang set up a seemingly genuine sounding digital firm, Rove Digital. With some technical know-how, they created a type of adware that redirected web visitors to sites that displayed adverts. You could be going to do some shopping on Amazon, and then without realizing it — because the server your DNS is using has been hijacked — you would be redirected to a website full of adverts and popups.

Annoyingly, for anyone whose DNS servers (where your Internet comes from, basically) had been infected - which is out of your control - this would keep happening, and if any links or adverts were clicked, that contributed to the profits of this Estonian gang. Over time, the group generated $11 million from adverts and popups that no one wanted to see. It took a joint operation between the FBI and Estonian Police to find the source of this problem and begin restoring thousands of DNS servers to the correct settings. The servers that were hijacked in this case were in Estonia, along with others in Chicago and New York.

For several months after the gang was discovered and operations shut down, governments and the FBI needed to keep the DNS network running otherwise 4 million people around the world would have lost Internet access.

It took time for the number of infected devices to reduce, as Internet providers and search engines updated users and customers with notifications of the infection.

Until the servers could be shut down, the FBI worked with the Information Services Corporation (ISC) to run the servers - albeit without directing anyone to unwanted ads and web pages anymore - giving infected Mac and Windows device owners a chance to prevent it happening further from their end. Unfortunately, the only way to resolve this problem was to remove the malware, which meant that after the FBI shut the servers down, those who hadn't been able to remove the malware would lose internet access.

How to remove DNSChanger manually?

To start with, although this is an older malware, there is a chance that anyone could have carried it over from one device to another. Any operating system that carries the files and settings of previous devices will keep infections with them unless they're detected and eliminated.

That makes it useful to check whether you’ve been infected by DNSChanger in the past. The best way to do that is through one of these websites:

http://www.dcwg.org/detect/

In the US: dns-ok.us

If you’ve got the all clear, then there is nothing to worry about and you don't need to scan and remove any viruses.

If, however, a scan shows this infection still present - even though it isn’t active anymore - then removing it will reduce the risk of other types of malware or trojans using this weakness as a backdoor to infect your device again.

Restore your DNS settings by hand

To do this manually, you first need to restore your DNS settings:

  1. Go to System Preferences > Network
  2. Within Network, set your DNS settings to what they should be (your Internet Service Provider should have that information, or it will be on a router in your home or office);
  3. Click on Advanced to make sure the settings are correct after inputting this change.
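
As an added example that is not part of the original article, the following POSIX shell script does the check behind step 2 from the command line: it reads the resolvers a macOS network service is actually using (with Apple's networksetup tool) and compares them with the addresses you expect from your ISP or router. The addresses in EXPECTED_DNS are constructed placeholders from the RFC 5737 documentation range and must be replaced with your own. The flush_dns_cache function uses the standard macOS commands (dscacheutil and a HUP to mDNSResponder) to clear the resolver cache, a manual counterpart to the Flush DNS cache step mentioned later in the article.

```shell
#!/bin/sh
# Added example, not part of the original article: check the resolvers a macOS
# network service is using against the ones you expect, and flush the cache.
# EXPECTED_DNS holds constructed placeholders (RFC 5737 documentation range);
# replace them with the addresses your ISP or router actually hands out.
EXPECTED_DNS="192.0.2.1 192.0.2.2"

# check_resolvers LIST: LIST is a whitespace-separated set of resolver addresses.
# Prints every address not in EXPECTED_DNS. Returns 0 when all resolvers are
# expected, 1 when an unexpected one was found, 2 when the list is empty
# (macOS then takes resolvers from DHCP, so the router's settings matter).
check_resolvers() {
    if [ -z "$1" ]; then
        echo "no resolvers listed: values come from DHCP, so check the router's DNS settings"
        return 2
    fi
    unexpected=0
    for r in $1; do
        found=0
        for e in $EXPECTED_DNS; do
            [ "$r" = "$e" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected resolver: $r"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# live_resolvers SERVICE: read the resolvers for a network service (e.g. Wi-Fi)
# with Apple's networksetup tool; keep only address lines, dropping its
# "There aren't any DNS Servers set" message when DHCP-supplied values are in use.
live_resolvers() {
    networksetup -getdnsservers "$1" | grep -E '^[0-9A-Fa-f.:]+$'
}

# flush_dns_cache: the standard macOS commands to clear the resolver cache so
# cached answers obtained through a rogue resolver are discarded. Needs an
# administrator password.
flush_dns_cache() {
    sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
}

# Only run the live check where networksetup exists (i.e. on macOS).
if command -v networksetup >/dev/null 2>&1; then
    if check_resolvers "$(live_resolvers Wi-Fi)"; then
        echo "Wi-Fi resolvers match the expected list"
    else
        echo "Review the Wi-Fi DNS settings in System Preferences > Network"
    fi
fi
```

Run it with sh on the Mac being checked; replace Wi-Fi with Ethernet or whatever networksetup -listallnetworkservices shows for the active connection. An empty resolver list is not a clean result: it means the values are coming from the router, which is exactly where DNSChanger also liked to change them, so the router's DNS settings need the same comparison.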

Next, this is a type of malware that has infected your web browser; therefore, you need to remove it from whichever browser you use. Here is how to do that with Safari, Firefox and Chrome:

#1: Uninstall DNSChanger from Safari

  1. Go to Safari > Preferences
  2. Click on Extensions
  3. Pick the Extension that you don't recognize to delete
  4. Click Uninstall
  5. Confirm that you want to Uninstall the extension

#2: Remove DNSChanger from Chrome

  1. Open Chrome
  2. Go to the Menu in your browser
  3. Click on More Tools > Extensions
  4. Pick the Extension that you don't recognize to delete
  5. Click Remove
  6. Confirm that you want to Remove the extension

#3: Delete DNSChanger from Firefox

  1. Open Firefox
  2. Go to the Menu in your browser
  3. Click on the Add-ons manager tab
  4. Select the Extension you want to remove
  5. Click Remove
  6. Confirm that you want to delete it

Remove DNSChanger from system files

Once you’ve removed the extension from your browser, you need to search through several files - including the Library folders - to make sure DNSChanger isn’t hiding anywhere else.

You should be able to identify applications you aren't familiar with in the following folders:

/Applications/
/Library/Application Support/
/Library/Internet Plug-Ins/
/Library/LaunchAgents/
/Library/ScriptingAdditions/
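
The folders above are where the article says to look for unfamiliar items. As an added example that is not from the article, this POSIX shell script goes one step further for the LaunchAgents folder (and the related LaunchDaemons folder): for every launchd property list it prints the label and the program that launchd starts, which is what an unfamiliar entry reveals about itself, and flags entries whose program no longer exists on disk. It parses the plist XML with sed so it runs on any POSIX shell; on macOS, plutil -p shows the same fields. The plist name and program path used in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: for each launchd plist in the
# autorun folders, show its Label and the program it starts so unfamiliar
# entries are easy to spot. Plain sed parsing; a binary plist (rare for
# LaunchAgents) would need `plutil -convert xml1` first.

# plist_program FILE: print "<Label>: <program>" for one XML plist.
plist_program() {
    # Flatten to one line so key/value pairs can be matched in order.
    flat=$(tr -d '\n\t' < "$1")
    label=$(printf '%s' "$flat" | sed -n 's/.*<key>Label<\/key> *<string>\([^<]*\)<\/string>.*/\1/p')
    # ProgramArguments is an array whose first element is the executable;
    # fall back to the scalar Program key when the array is absent.
    prog=$(printf '%s' "$flat" | sed -n 's/.*<key>ProgramArguments<\/key> *<array> *<string>\([^<]*\)<\/string>.*/\1/p')
    [ -n "$prog" ] || prog=$(printf '%s' "$flat" | sed -n 's/.*<key>Program<\/key> *<string>\([^<]*\)<\/string>.*/\1/p')
    printf '%s: %s\n' "${label:-<no Label>}" "${prog:-<no program>}"
}

# scan_autoruns DIR...: report every .plist under the given folders, flagging
# any whose program is missing or not executable (a common leftover after a
# removal that deleted the binary but not the launcher).
scan_autoruns() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -f "$f" ] || continue
            entry=$(plist_program "$f")
            prog=${entry#*: }
            if [ -x "$prog" ]; then
                printf '%s -> %s\n' "$f" "$entry"
            else
                printf '%s -> %s [program missing or not executable]\n' "$f" "$entry"
            fi
        done
    done
}

# The system LaunchAgents folder named in the article, the per-user one, and
# LaunchDaemons, which launchd treats the same way for root.
scan_autoruns "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
```

Every line of output is a program that starts automatically; anything whose label or path you do not recognize is worth checking before you delete it, and an entry pointing at a program that is no longer present can be removed outright.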

It is also worth resetting your browser settings and making sure that the default search engine is restored to what it was before this unwanted adware and any of its companions took over.

If all of that sounds like too much work, or if you aren't confident that DNSChanger has gone, there is another - quicker - way to make your Mac safe.

Remove DNSChanger with CleanMyMac

If you don't want to go through the trouble of manual removal, here is how you can remove DNSChanger quickly and safely. It involves CleanMyMac X, a tool that recently got a "Product of the Month" award on ProductHunt. This antivirus/cleaner is notarized by Apple, which means it's a safe pick for your Mac.

  1. Download CleanMyMac X (for free);
  2. Click on the Malware Removal tab;
  3. Click Scan to scan for DNSChanger and any other infection;
  4. Click Remove and they will vanish for good.

Additionally, go to the Maintenance tab and select the Flush DNS cache command. This should delete the remains of DNSChanger from your network settings.

Using this program you can also clear out junk files and folders that you don't need, along with dozens of duplicates and backups that aren't needed anymore.

DNSChanger was one of those rare Mac infections that spread around the world and impacted millions of people. It took an international law enforcement effort to resolve the problem. Keeping your Mac clean of infections with regular scans is the most effective way to detect issues when they occur, then resolve them quickly with a malware removal tool.
