Originally Posted By: Virtual1
I encountered and dissected this one several days before it really hit the news. I was able to track down the installer, and it was quite interesting that it used self-modifying decode-on-the-fly code, written in shell script. For obfuscation purposes though, it was essentially worthless, adding about 10 minutes to my time. Beyond that it lacked any sophistication whatsoever. I suppose you could say I was a bit disappointed.


Yep. I am intimately acquainted with DNSchanger; I helped send its creators to jail. smile

DNSchanger was the Eastern European Zlob gang's attempt at dabbling in Mac malware. It was modeled after the Windows malware commonly known as W/32/Zlob, a similar DNS-changing malware package. It reset the Windows machine to point to hostile DNS servers in Russia, and like the Mac version, it was never terribly sophisticated. It didn't have to be.

There's more to intercepting DNS requests than just showing popups for click fraud, though that's one common moneymaking scheme the Zlob gang used. They would also reroute requests for legitimate Web sites to porn sites where they had signed up for affiliate accounts, and in some cases would redirect traffic either to other malware sites or to fake antivirus sites.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html