
safari spyware?

hello everyone,
i have a 15 inch mbp that i bought about 10 months ago. since then i have moved to china to study. my problem is that for about two months my safari has been acting strangely. every once in a while an ad will show up. not as a pop-up but it will start at the bottom of the safari window and gradually move up until it is taking up the whole window besides the address bar, bookmark bar etc. it definitely seems to be an ad. in fact it's always the same ad in chinese. i am positive that i have not visited any illicit sites to cause this. i am also behind a wireless router. my first instinct told me to try firefox and sure enough it does the same thing there. a simple reload of the page always solves the problem but it frequently re-occurs. this is my first mac so i'm not very savvy as to how to fix it or if i can. i tried reinstalling both internet browsers but this has not worked.
any help?
is this malware, spyware?
could this just be because im in china?

macbook pro, 2.4 ghz 15inch

Posted on Sep 17, 2009 4:36 AM

Question marked as Best reply

Posted on Sep 17, 2009 5:37 AM

Greetings,

It's possible you have some sort of malware, but you would have had to install it and authenticate using your Admin password before that could happen. Unless you've done that, you don't have any malware on your system. It's just an ad.

Did you install any ad blocking software, such as Safari Adblock or even Safari Block? Have you changed your DNS addresses to use those from OpenDNS? If not, you should do that, since it will filter and block ads, and OpenDNS should be faster for you, too.

You could also disable JavaScript, since many ads are now JavaScript-based or activated, but most sites now use Flash and JavaScript for some of their content, so that would also prevent you from being able to see those sites.

Sep 17, 2009 4:50 PM in response to danielinchina

No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.

It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download from:

http://www.clamxav.com/

However, the appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.

If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.

You can read more about how, for example, the OSX/DNSChanger Trojan works here:

http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

http://macscan.securemac.com/

The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

(Note that a 30 day trial version of MacScan can be downloaded free of charge from:

http://macscan.securemac.com/buy/

and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)

A white paper has recently been published on the subject of Trojans by SubRosaSoft, available here:

http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174

Also, beware of MacSweeper:

MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company, on January 17, 2008.

http://en.wikipedia.org/wiki/MacSweeper

On June 23, 2008 this news reached Mac users:

http://www.theregister.co.uk/2008/06/23/mac_trojan/

More information on Mac security can be found here:

http://macscan.securemac.com/

The MacScan application can be downloaded from here:

http://macscan.securemac.com/buy/

You can download a 30 day trial copy which enables you to do a full scan of your hard disk. After that it costs $29.95.

More on Trojans on the Mac here:

http://www.technewsworld.com/story/63574.html?welcome=1214487119

This was published on July 25, 2008:

Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.

The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.

In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.

Net security groups say there is anecdotal evidence that small scale attacks are already happening.

Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm

A further development was the Koobface malware that can be picked up from Facebook (already a notorious site for malware, like many other 'social networking' sites), as reported here on December 9, 2008:

http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm

You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:

http://www.securemac.com/

There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!

If you think you may have acquired a Trojan, and you know its name, you can also locate it via the Terminal:

http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of-the-problem/

As to the recent 'Conficker furore' affecting Intel-powered computers, MacWorld recently had this to say:

http://www.macworld.co.uk/news/index.cfm?email&NewsID=25613

Although any content that you download has the possibility of containing malicious software, practising a bit of care will generally keep you free from the consequences of anything like the DNSChanger trojan.

1. Avoid going to suspect and untrusted Web sites, especially *********** sites.

2. Check out what you are downloading. Mac OS X asks you for your administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program.

3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.

4. Use Mac OS X's built-in Firewalls and other security features.

5. Stop using LimeWire. LimeWire (and other peer-to-peer sharing applications) are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications.

6. Resist the temptation to download pirated software. After the release of iWork '09 earlier this year, a Trojan was discovered circulating in pirated copies of Apple's productivity suite of applications (as well as pirated copies of Adobe's Photoshop CS4). Security professionals now believe that the botnet (from iServices) has become active. Although the potential damage range is projected to be minimal, an estimated 20,000 copies of the Trojan have been downloaded. SecureMac offer a simple and free tool for the removal of the iBotNet Trojan available here:

http://macscan.securemac.com/files/iServicesTrojanRemovalTool.dmg
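The post above describes a Trojan that rewrites the machine's DNS settings and keeps them rewritten. One way to check for that is to compare the resolvers the system is actually using against the ones you expect. This is an added example, not part of the original thread: the function names are hypothetical, the sample `scutil --dns` output is constructed, and 203.0.113.53 is a documentation address standing in for an unexpected resolver.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected list.
# Input is text in the format printed by `scutil --dns` on Mac OS X.
# Real use on a Mac:  scutil --dns | audit_dns <router-ip> <other-expected-ip>...

# Print each unique nameserver address found on stdin, one per line.
list_nameservers() {
    awk '/^[[:space:]]*nameserver\[[0-9]+\][[:space:]]*:/ { print $NF }' | sort -u
}

# Usage: audit_dns ALLOWED_IP... < scutil-output
# Prints any resolver not in the allowed list; returns 1 if one was found.
audit_dns() {
    unexpected=""
    for ns in $(list_nameservers); do
        ok=0
        for allowed in "$@"; do
            if [ "$ns" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then unexpected="$unexpected $ns"; fi
    done
    if [ -n "$unexpected" ]; then
        echo "unexpected resolvers:$unexpected"
        return 1
    fi
    echo "all resolvers expected"
}

# Constructed sample: the router (192.168.1.1) plus one resolver nobody set.
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
EOF
}

# Allowed list: the router and the two OpenDNS resolvers.
sample_scutil_output | audit_dns 192.168.1.1 208.67.222.222 208.67.220.220 || true
```

Because the post says the Trojan's watchdog re-applies its settings every minute, a resolver that returns shortly after you correct it is a stronger sign than a single unexpected reading.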

Oct 19, 2009 9:25 PM in response to danielinchina

i don't use limewire or any peer to peer downloaders, nor do i download pirated software. i took your advice about trying out mac scan. when it scanned my mbp it found around 60 tracker cookies and not viruses or anything. i thought that this had worked. then last week i installed the new snow leopard and i thought that surely this would put an end to my problem. then yesterday it started again. i ran mac scan again and it found 8 tracking cookies but that's all. so my question is: do the tracking cookies mean anything? and also is it possible that the internet service would have something to do with it? i am in china and although i have worked as a support tech at an internet company and am weary of blaming the isp, i'm out of ideas.......

Oct 19, 2009 9:42 PM in response to danielinchina

It's a Flash-based ad on a web site. As long as you have Plugins enabled in Preferences > Advanced, those ads are able to appear. It's not a virus because there are no viruses for Mac OS X, and if you haven't installed anything that you didn't expressly download and provide your password for, it's not spyware, either.

All computers that access the web have cookies on them; otherwise the site would not know you had visited them before or what page you went to or how long you spent at the site. None of those cookies are harmful; you can get rid of them when you quit Safari, or at some other pre-determined interval that you choose in Preferences. It's nothing to worry about.

You could use something like Click to Flash, to block all Flash items until you click on them, as well as something like SafariBlock to block other types of ads.

Oct 26, 2009 3:45 AM in response to danielinchina

Daniel, you are not the only one. I live in Shanghai and I am experiencing the same problem. The ads appear outside of the page I'm visiting, usually above it. Most of them are for IPTV from China Telecom. They also disable the webpage I'm visiting. Hitting reload gets rid of them for a while. They usually only appear when I first open Safari. Unfortunately none of the suggestions above are the source of the problem. I don't have any illegal software on my computer, I have not downloaded any illegal files or installed anything from suspect websites. Nor has anyone else had any access to my computer. I also upgraded to Snow Leopard recently and that has not fixed the problem. I wonder if the problem is with the ISP allowing spammers to hijack my browser. China Mobile allows spam text messages all the time. It's very annoying.

People seem very adamant that viruses don't exist on the Mac but malware obviously does. I'm not sure how they interfere with Safari but I haven't managed to get rid of it yet. I did find tracking cookies on my Mac and deleted them (even though I'm not sure what they are) but the problem reoccurred.

Oct 26, 2009 8:24 PM in response to mickr7an

There are no viruses for Mac OS X. There is some malware, but at the moment it consists of things to redirect your browser to sites you didn't specify. Deleting cookies from Safari isn't going to solve anything, because they aren't the problem.

As long as you have JavaScript and Plugin enabled in the Preferences > Security section, you will see things you don't want to see, including ads. Turn them off and it will go away, as well as your ability to see many web sites that now rely on Flash.

< Edited by Host >

Oct 26, 2009 8:25 PM in response to Golden Shoes

I said exactly what you said – that it is malware and not a virus.

It clearly does not do what you say and 'redirect' to another page. I described these interfering ads in my first response. These are not banner ads. This is content pushing the real pages down to the bottom of the screen and disabling all their links. I doubt www.apple.com has started allowing ads for cheap mobile phones in Chinese to nearly blot out their home page. This is clearly a way someone has discovered to interfere with Safari (it could be other browsers too but I only use Safari as it syncs with my iPod). I have many screen captures of it on different webpages.

As you point out disabling java and plug ins would render the browser partly useless which wouldn't help much and may not stop the ads at all. I have followed other helpful suggestions such as running Main Menu and Little Snitch. I also ran MacScan which suggested I delete 4 tracker cookies. I haven't seen the ads since – but I'm not holding my breath.

< Edited by Host >

Oct 26, 2009 8:24 PM in response to mickr7an

As I said, the only malware at this point redirects your browser to sites you didn't ask for. But it requires that you make the mistake of downloading and installing it first. That can't happen by itself.

Nothing is interfering with Safari; these are JavaScript and Flash ads, and the easiest way to stop them is to disable JavaScript and Plugins in your Preferences. You could install an ad blocker, such as Safari Block, or Safari Adblock. Deleting cookies will not help you in any way, since they aren't the problem.

< Edited by Host >

Oct 26, 2009 9:07 PM in response to Carolyn Samit

Thanks Carolyn. Unfortunately it doesn't... or didn't. It was also happening after my upgrade to 10.6.1. However after following various pieces of advice above it hasn't happened for a while so (fingers crossed) I hope I have gotten rid of that problem. I'll post in a few days if it has stopped but not sure which one of the remedies to recommend.

One thing I can't believe I hadn't done was to turn my firewall on. I had it on before but must have turned it off for some reason and forgotten about it. Very silly.

Oct 26, 2009 9:22 PM in response to mickr7an

A pop up isn't necessarily a virus or spyware. It could have been just an advertisement. Go to Safari / Block Pop Up Windows. More likely than not, it was an ad advising you to purchase anti virus software with a link. Just close the window.

Neither anti virus software nor malware protection can prevent a pop up ad. They are innocuous unless you click any links in the window.

Since you are in China... you might want to contact your ISP and report the problem.

🙂

Oct 26, 2009 10:26 PM in response to Carolyn Samit

Thanks Carolyn. Please read my first two posts in this thread as they explain in detail what happens and how it is not an ad or a popup and is not part of the webpage I am visiting at all. As I don't click on anything it is disabling Safari without me doing anything other than visiting normal webpages such as Apple's homepage. Just opening Safari on www.apple.com for example will make it happen. But hitting the reload button a couple of times will make it go away.

My ISP, China Mobile, is not interested – but I'm not surprised. They were involved in a huge mobile spam scandal about two years ago and apologised in the papers saying it was a bug in their software that allowed several spam text messages a day to be sent to all their mobile subscribers. So all things remain possible. I don't care as long as I can get rid of it. The only certainty is that Safari (and possibly not Safari alone) is vulnerable to interference. But I'm sticking with it as I still prefer it as a browser.

I realise this seems to be unique to China and outside the experience of most other users but it's a real problem and not incompetence on my part or others experiencing this. I've been using Macs since OS 7.1 and know a thing or two about them.

I wish there was some way to post the screen captures on this thread. I think you'd be very surprised if you saw them. In all my years on the web (since 14k modems were invented) and in many countries I've never seen it happen before.

Still pester free browsing though after almost 24 hours. Keeping my fingers crossed.
