2 Macs infected, Russian redirect, Google images

I think two of my Macs are infected. I keep getting Russian redirects through Google image search. I have five Macs; the three other Macs don't seem to be infected.

Outline of equipment.

Gateway SOHO router has paid IPS/IDS deep packet inspection and AV.
Second UTM server in bridge mode is an Untangle Lite with Kaspersky and Clam gateway AV with all modules in use. http://www.untangle.com/Product-Overview
All 5 Macs running Snow Leopard, fully updated, with firewalls enabled.
All 5 Macs have Firefox 3.6.13 with NoScript, AdBlocker, BetterPrivacy, and Ghostery.
The 2 Macs that appear to be infected are my wife's and my daughter's; they use WebKit/Safari mostly.
The 3 I run use Firefox with the above add-ons enabled almost exclusively.
All run OpenDNS and OpenDNS is specified in the router. (I test that the Macs are running OpenDNS monthly.)
Apple updates get applied the same day they are released (always).
Intego VirusBarrier X6 updated daily, with full scans twice a month, quick scans weekly, and ClamXav scans monthly; even though Clam has a couple of Mac sigs, I still do it for PC viruses. Ran latest definitions on both. Clean.
Ran Sophos when this happened and did it with best practices: disabling on-demand scanners while the other AV is scanning, plus calling out AV files as Trusted. Ran latest definitions. Clean.
Ran Rootkit Hunter 0.2 with updated sigs. Clean.
Here is how I found my issue. We have 2 iMacs side by side, mine and my daughter's. My daughter Googled "difficult color by number printables" and she clicked on the "images" link to get all the images instead of the normal Google links page. She clicked on an image in a newly updated nightly build of WebKit and received the browser warning about going any farther will damage your computer, or something like that. I said cool, let me see if I get that in Firefox. It didn't, so I tried WebKit and still nothing. I tried loading the same image in Firefox on my daughter's Mac and it called out a malicious site just like WebKit. The redirects affect both browsers. The redirect would want to go to a XXXXXX.ru address. I would try some other images on the Google image page and her computer would get block pages from the browser. My computer would not; I loaded a clean, non-redirected page with no redirect on my computer. Same image, 2 different outcomes. Ran newly imaged Fedora 14 on a machine that was never on the net and all is well with the Google image search.

My wife's computer is running in Admin, to my disappointment. My daughter's is running in a Standard account, and the Admin account is clean and does not get redirected.

Something is sending me to .ru. On my daughter's infected computer I am also getting redirected to a link page, "Rivasearchpage dot com". Both my daughter's and my wife's computers act the same, so I'm assuming they have the same infection. I just loaded Opera on my daughter's computer to see if a new browser would be redirected; it was, to a porn page that my OpenDNS filter blocked. It also is going to Rivasearch dot com on 30% of the images. On my clean computer next to it, I am getting all clean images on clean sites.

Any ideas????

  • First things to check:

    Type "open /etc/hosts" into Terminal.app, or go to the Finder, select Go->Go to Folder..., type in /etc and open the hosts file. Are there any unexpected redirects listed?

    In Terminal.app, type "ps axc", or open Activity Monitor.app and set the view to "App Processes, Hierarchically".

    Based on what you've reported so far, you know a bit about network and computer setup.  Is there anything in the process list that stands out?  If you want, you can message me the results for a further review.

    Plus, one question: are the two affected computers both logged in with administrator accounts (user's password enables anything)?

    A few other things: if you search through images.google.ca instead of images.google.com, are the same results shown?  If not, does anything suspicious pop up if you do a spotlight search for google.com?  How about searching for Rivasearchpage dot com?

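    One way to script the hosts-file check suggested above, as an added example that is not from this thread or from Sophos: the function lists every active entry beyond the stock loopback and broadcast lines, so anything it prints is an entry the machine's owner should be able to explain. Both sample files are constructed (192.0.2.10 is a documentation address, not a real indicator).

```shell
#!/bin/sh
# audit_hosts FILE: print every active /etc/hosts entry that is not one of the
# stock loopback/broadcast lines. A hijacked hosts file is one place a per-machine
# "redirect" can live, so every other entry should be explainable by the owner.
audit_hosts() {
  # drop comments, blank lines and surrounding whitespace, then read addr + names
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
  while read -r addr names; do
    [ -z "$addr" ] && continue
    flag=""
    case "$addr" in
      127.0.0.1|::1|255.255.255.255|fe80::1%lo0) ;;   # stock Snow Leopard addresses
      *) flag="non-loopback address" ;;
    esac
    for n in $names; do
      case "$n" in
        localhost|broadcasthost) ;;                   # stock hostnames
        *) flag="${flag:-unexpected hostname}" ;;
      esac
    done
    if [ -n "$flag" ]; then
      printf 'SUSPICIOUS (%s): %s -> %s\n' "$flag" "$names" "$addr"
    fi
  done
  return 0
}

# Constructed sample 1: the stock Snow Leopard entries (comments omitted).
CLEAN_HOSTS=$(mktemp)
cat > "$CLEAN_HOSTS" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
EOF

# Constructed sample 2: the same entries plus one line that would send Google
# traffic to an address the user never chose (192.0.2.10 is a documentation address).
POISONED_HOSTS=$(mktemp)
cat > "$POISONED_HOSTS" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10      www.google.com images.google.com   # hosts-file comment, stripped
EOF

echo "== stock file =="; audit_hosts "$CLEAN_HOSTS"          # prints nothing
echo "== modified file =="; audit_hosts "$POISONED_HOSTS"    # flags the 192.0.2.10 line
```

    Run it against the real file with `audit_hosts /etc/hosts`; an empty result on Snow Leopard means the file matches the stock one.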
  • I PM'd you. Did you receive it? It went into a blank white screen when I hit send, so I don't know if it was sent.

    Also, another poster on the Wilders Security forums posted this. I have not had time to read it. You should be able to speed read it to see if it is related.

    http://blog.unmaskparasites.com/2010/04/28/hackers-abuse-servage-hosting-to-poison-google-image-search/

    Also, my daughter's computer is the one I want to work on first. It is a Standard account, and the Admin is never used and is clean. Wife's computer is only in Admin, with protest by ME!!

  • The private message never went through unfortunately; not sure why.

    The Servage post you linked to deals with SEO poisoning, which, while a big issue, is not necessarily what's happening in your case.  As Google has multiple DBs that talk to each other, it *is* possible that's what is happening, in which case none of your machines are infected (this is actually a very plausible scenario, given that your daughter's machine is using a standard account), but it is also possible that either somewhere along your DNS/DHCP chain has been compromised (only for those two computers), or there's malware running on those two computers (which, at this point, I find the least likely scenario).

    A few more things you can try:

    1) create another standard account on one of the affected computers and see if it gets the same results

    2) create another standard account on one of the non-infected computers, set up similarly to your daughter's system, and see what results it gets

  • I added Standard accounts to both machines, still the same. I then put "difficult color by numbers printables" into Google, and here is what came up after hitting the image button to the left to load the images only.

    Clean Mac

    http://www.google.com/images?q=difficult+color+by+number+printables&hl=en&client=firefox-a&hs=jGt&rls=org.mozilla:en-US:official&prmd=ivns&source=lnms&tbs=isch:1&ei=WAkyTYfHJYSq8AavsdDACA&sa=X&oi=mode_link&ct=mode&cd=2&ved=0CA4Q_AUoAQ&biw=1727&bih=919

    So called infected Mac

    http://www.google.com/images?q=difficult+color+by+number+printables&hl=en&client=firefox-a&hs=cwD&rls=org.mozilla:en-US:official&prmd=ivns&source=lnms&tbs=isch:1&ei=dwkyTeOdK8jYgAfYzYSGCw&sa=X&oi=mode_link&ct=mode&cd=2&ved=0CAwQ_AUoAQ

    I did notice that the clean Mac's Google image page had more images on it, with 4 pages' worth of images (75+) in one scrollable page, and the infected one had 25 or so images in only 1 page, with the images more spread out width-wise. Two totally different pages served to two computers side by side.

    I tried adding Norton DNS in both my router and Macs and still the same. I also completely wiped any traces of Firefox as per Mozilla's website and did a reinstall; still the same .ru links. I also deleted the router DNS cache and tried again. Same thing. I HAD every machine in manual network config with all DNS facing OpenDNS, and the router on OpenDNS too. Now, to make it as alike as possible, I have the DNS calls going to my router (gateway serving DNS) at its 10.x.x.x address, and DHCP to OpenDNS.

    BUT, there is a piece of me that thinks Google is all screwed up and THEY are poisoned, because I can hit "find similar images" and then get the clean image from the right site on the so-called infected machine. So now I still wonder why I still get .ru servers wanting to load only on the so-called infected machine and not the clean machine. I have noticed I do get some redirects on the clean machine, but never .ru based. It has been going on for a week now.

    UPDATE: Also reflashed the firmware on the gateway router. Same outcome. I am also in the process of doing an archive and install on the OS. Update... Still the same after archive and install.

  • Here is what I tried to send you the other day. Also see my post above, IF you have not read that yet.

    Daughter's so-called infected Mac

    tdads-imac-2:~ ash$ open ect/hosts
    The file /Users/ash/ect/hosts does not exist.
    tdads-imac-2:~ ash$ open /ect/hosts
    The file /ect/hosts does not exist.
    tdads-imac-2:~ ash$
    tdads-imac-2:~ ash$ ps axc
     PID   TT  STAT      TIME COMMAND
       1   ??  Ss     0:00.94 launchd
      10   ??  Ss     0:00.68 kextd
      11   ??  Ss     0:00.08 notifyd
      12   ??  Ss     0:00.07 diskarbitrationd
      13   ??  Ss     0:00.76 configd
      14   ??  Ss     0:00.06 syslogd
      15   ??  Ss     0:00.64 DirectoryService
      16   ??  Ss     0:00.18 blued
      17   ??  Ss     0:00.13 distnoted
      30   ??  Ss     0:00.11 ntpd
      31   ??  Ss     0:00.01 cron
      33   ??  Ss     0:00.03 usbmuxd
      36   ??  Ss     0:00.10 securityd
      39   ??  Ss     0:01.51 mds
      40   ??  Ss     0:00.21 mDNSResponder
      41   ??  Ss     0:00.26 loginwindow
      42   ??  Ss     0:00.02 KernelEventAgent
      44   ??  Ss     0:00.01 hidd
      45   ??  Ss     0:00.17 fseventsd
      47   ??  Ss     0:00.00 dynamic_pager
      53   ??  Ss     0:00.01 autofsd
      56   ??  Ss     0:00.23 SophosAntiVirus
      57   ??  Ss     0:03.84 InterCheck
      58   ??  Ss     0:00.09 SophosAutoUpdate
      59   ??  Ss     0:01.13 virusbarriers
      60   ??  Ss     0:04.73 virusbarrierd
      61   ??  Ss     0:00.04 TaskManagerDaemon
      62   ??  Ss     0:00.05 com.intego.netupdated
      63   ??  Ss     0:00.01 integod
      64   ??  Ss     0:00.65 coreservicesd
      76   ??  Ss     0:15.07 WindowServer
      78   ??  Ss     0:00.36 socketfilterfw
      92   ??  Ss     0:00.01 cvmsServ
     103   ??  Ss     0:00.09 coreaudiod
     108   ??  Ss     0:00.08 launchd
     112   ??  S      0:00.79 Dock
     113   ??  S      0:00.37 SystemUIServer
     114   ??  S      0:03.29 Finder
     121   ??  Ss     0:02.20 virusbarrierb
     123   ??  Ss     0:00.85 BehavioralController
     126   ??  Ss     0:00.10 BehavioralInjector_32
     128   ??  Ss     0:00.83 BehavioralInjector_64
     133   ??  S      0:01.08 fontd
     137   ??  S      0:00.00 pboard
     140   ??  Ss     0:00.15 virusbarrierm
     143   ??  Ss     9:13.29 virusbarrierh
     145   ??  S      0:00.18 UserEventAgent
     152   ??  S      0:00.04 AirPort Base Station Agent
     153   ??  S      0:04.46 VBX6StatusItem
     155   ??  S      0:00.04 NetUpdateAgent
     159   ??  S      0:00.07 IntegoStatusItemHelper
     160   ??  S      0:00.18 SophosUIServer
     161   ??  S      0:07.73 smcFanControl
     162   ??  S      0:00.02 iTunesHelper
     163   ??  S      0:01.41 WeatherDock
     164   ??  S      0:00.04 SpeechSynthesisServer
     191   ??  Ss     1:47.11 firefox-bin
     231   ??  S      0:00.03 virusbarriers
     233   ??  S      0:00.02 virusbarriers
     245   ??  S      0:00.48 Terminal
     258   ??  SNs    0:00.05 mdworker
     261   ??  SNs    0:00.09 mdworker
     265   ??  S      0:00.13 Grab
     266   ??  S      0:00.01 virusbarriers
     268   ??  S      0:00.04 cvmsComp_x86_64
     247 s000  Ss     0:00.01 login
     248 s000  S      0:00.01 -bash
     270 s000  R+     0:00.00 ps
    tdads-imac-2:~ ash$

    My so-called clean Mac

    Last login: Fri Jan 14 19:17:12 on console
    Tmans-iMac-2:~ TomST$ ps axc
     PID   TT  STAT      TIME COMMAND
       1   ??  Ss     0:04.48 launchd
      10   ??  Ss     0:01.16 kextd
      11   ??  Ss     0:00.24 notifyd
      12   ??  Ss     0:00.17 diskarbitrationd
      13   ??  Ss     0:04.11 configd
      14   ??  Ss     0:00.28 syslogd
      15   ??  Ss     0:03.21 DirectoryService
      16   ??  Ss     0:00.45 distnoted
      18   ??  Ss     0:00.35 blued
      21   ??  Ss     0:00.70 ntpd
      23   ??  Ss     0:00.08 usbmuxd
      24   ??  Ss     0:00.05 SystemStarter
      27   ??  Ss     0:00.39 securityd
      30   ??  Ss     0:06.89 mds
      31   ??  Ss     0:01.39 mDNSResponder
      32   ??  Ss     0:00.75 loginwindow
      33   ??  Ss     0:00.10 KernelEventAgent
      35   ??  Ss     0:01.42 hidd
      36   ??  Ss     0:00.79 fseventsd
      38   ??  Ss     0:00.00 dynamic_pager
      44   ??  Ss     0:00.06 autofsd
      47   ??  Ss     0:01.50 SophosAntiVirus
      48   ??  Ss     0:04.27 InterCheck
      49   ??  Ss     0:00.23 SophosAutoUpdate
      51   ??  Rs     0:05.81 virusbarriers
      52   ??  Us     0:25.71 virusbarrierd
      53   ??  Ss     0:00.31 TaskManagerDaemon
      54   ??  Ss     0:00.14 com.intego.netupdated
      55   ??  Ss     0:00.05 integod
      56   ??  Ss     0:00.19 ccc_helper
      73   ??  Ss     0:01.83 coreservicesd
      79   ??  Ss     0:01.74 socketfilterfw
      92   ??  Ss     1:46.10 WindowServer
     101   ??  Ss     0:00.06 QuickBackBackground
     107   ??  Ss     0:16.88 virusbarrierb
     109   ??  Ss     0:05.42 BehavioralController
     112   ??  Ss     0:00.53 BehavioralInjector_32
     114   ??  Ss     0:02.93 BehavioralInjector_64
     115   ??  Ss     0:00.01 cvmsServ
     128   ??  Ss     0:00.34 coreaudiod
     133   ??  Ss     0:00.33 launchd
     137   ??  S      0:02.13 Dock
     138   ??  S      0:01.18 SystemUIServer
     139   ??  S      0:06.96 Finder
     145   ??  Ss     0:01.21 virusbarrierm
     149   ??  Ss     1:34.21 virusbarrierh
     150   ??  S      0:00.01 pboard
     154   ??  S      0:01.91 fontd
     163   ??  S      0:00.33 UserEventAgent
     171   ??  S      0:00.12 AirPort Base Station Agent
     172   ??  S      0:26.23 VBX6StatusItem
     174   ??  S      0:00.30 NetUpdateAgent
     175   ??  S      0:00.60 1PasswordAgent
     177   ??  S      0:00.17 IntegoStatusItemHelper
     178   ??  S      0:00.30 SophosUIServer
     182   ??  S      0:00.08 iTunesHelper
     183   ??  S      0:11.80 WeatherDock
     184   ??  S      0:20.83 smcFanControl
     185   ??  S      0:12.38 SpeechSynthesisServer
     209   ??  S      8:42.31 firefox-bin
     274   ??  S      0:02.95 1Password
     285   ??  S      0:08.62 Mail
     301   ??  S      0:00.40 Image Capture Extension
     318   ??  S      0:00.69 Preview
     337   ??  S      1:19.77 Safari
     340   ??  S      0:00.08 AppleSpell
     444   ??  S      0:00.01 WebKitPluginAgent
     532   ??  S      0:00.04 virusbarriers
     537   ??  S      0:00.03 virusbarriers
     556   ??  SNs    0:00.16 mdworker
     559   ??  S      0:00.02 virusbarriers
     560   ??  SNs    0:00.10 mdworker
     574   ??  S      0:00.53 Terminal
     580   ??  S      0:00.12 SyncServer
     583   ??  S      0:00.01 virusbarriers
     576 s000  Ss     0:00.04 login
     577 s000  S      0:00.01 -bash
     584 s000  R+     0:00.00 ps
    Tmans-iMac-2:~ TomST$

  • Hi,

    Just looking through the output you posted and noticed a typo in your commands when trying to view the hosts file. Please could you try again to view the contents of the hosts file using the command:

    open /etc/hosts

    Thanks,

    CFT

  • Beyond the typo for "open /etc/hosts", I don't see anything glaringly obvious here, and it does sound like one of Google's image DBs got SEO poisoned. If /etc/hosts is clean, it's likely a Google issue.

    Of course, running VirusBarrier and InterCheck at the same time might cause some issues as well, but not that kind of issue.

  • Both computers have the exact same hosts output:

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1    localhost
    255.255.255.255    broadcasthost
    ::1             localhost
    fe80::1%lo0   

    I see nothing.

    Thanks for your help!!!
