
browser redirect hijack virus?

Something weird happened this morning. Whenever I'd click on any link or website or bookmark or whatever, instead my browser would take me to a "message" from Clear saying that my internet account was not paid up. We don't get internet from Clear, we have some other company. I tested and it did it in both Chrome and Firefox, because each time I'd just close the page. Finally I clicked through their "continue using the internet" link to see what would happen, and now it's completely gone, and I can't get it to reproduce the behavior even in a new page or new browser. So, I don't know what happened, and whether or not I should still be concerned about removing something from my computer. A little bit of googling seems to indicate that it's not a virus per se, but a "browser hijack" or something with the cache, and I don't understand the distinction or what that means or whether it's gone. I'm also not aware of having gone to any unusual site right before this happened.

So my question is, what was it? And is it gone? My browser is working fine now, but I'm concerned that maybe something bad is still going on in the background. Should I be worried about the privacy of my data? Or about this happening again? What can I do to check that my computer is ok? I'm not used to the idea of having virus problems on my mac, so I don't really know where to start.

Thanks!

MacBook (white), iPod Touch (1st gen), Mac OS X (10.6.6)

Posted on Mar 31, 2011 6:53 AM

Question marked as Best reply

Mar 31, 2011 7:00 AM in response to Terabithia

Sounds to me like a case of DNS cache poisoning. Basically, someone hacked the DNS server your machine uses to translate domain names (e.g., www.apple.com, www.mozilla.org, etc.) into usable IP addresses. The hacking involved redirecting you to a bogus site.

For more information, see my Mac Virus guide (http://www.reedcorner.net/guides/macvirus), specifically:

http://www.reedcorner.net/guides/macvirus/isitmalware.shtml#redirect

Mar 31, 2011 8:18 AM in response to thomas_r.

Thanks, that is helpful. I have a follow-up question. It looks like the first two types of hacking you mention in that webpage take place outside of my computer - either my ISP got hacked or my router got hacked. So in those cases, I guess I don't have to worry about someone accessing the data on my computer?

But, in my case, I tested another laptop in the house and it did not have this problem. I suppose I should have verified that it was connected to the right wifi network, but if it was, then does that mean the problem is not with our router or ISP because it would affect all computers then? Or do they affect computers randomly in those cases?

In the third case, the Trojan, it sounds like it would be something installed on MY computer that is messing things up. I don't think I did anything like installing a video plugin, but I suppose it could have gotten there somehow. In that case, do I need to worry about data on my computer being compromised?

When I get home, I'll try one of those scanning tools. But, I'm not sure how to tell if they're working or if the problem is still there given that it stopped happening once I clicked on their "continue to internet" link. Do you know how I can determine that kind of thing? Was it a bad idea to click on "continue to internet"?

Also, should I change my router password just in case? It is NOT left on the default password, but someone could have guessed it or something anyway...

Thanks! Your guide is really helpful.

Mar 31, 2011 8:49 AM in response to Terabithia

It looks like the first two types of hacking you mention in that webpage take place outside of my computer [...] So in those cases, I guess I don't have to worry about someone accessing the data on my computer?

Correct, but even in the case of the trojan, that isn't the primary concern. The data they seek to steal from you would be entered on a web site by you, if you didn't notice that it was bogus. For example, a visit to www.paypal.com might be redirected to a PayPal-lookalike scam site designed just to get you to provide your username and password. That danger is the same regardless of the source of the problem.

As to the issue only appearing on one machine, it depends heavily on the circumstances. DNS cache poisoning is a purely transitory problem... a hacker gets incorrect entries added to the DNS server through trickery, but those entries are eventually replaced as the cache is updated. It's possible that by the time you tried the other machine, the problem had resolved itself.

In addition, these spoofed entries only map certain specific domain names to malicious IP addresses. If you did not visit a site with a poisoned DNS entry on the second machine, you would not see any difference from normal.

It could also be a trojan... that's easy to rule out with something like ClamXav (http://www.clamxav.com). Any trojan should be viewed as a serious security breach and responded to appropriately, but in the case of RSPlug, I don't believe it does anything other than DNS redirects.

When I get home, I'll try one of those scanning tools. But, I'm not sure how to tell if they're working or if the problem is still there given that it stopped happening once I clicked on their "continue to internet" link.

If you find a trojan, things are easy... just remove it and you're good. (With RSPlug, simple deletion isn't adequate... there is a free removal tool at http://www.dnschanger.com.)

If there's no trojan involved, things become a little more complicated. You should probably contact your internet service provider to let them know what happened. They may be aware of the issue and can tell you what they have done about it. You would also be wise to change the password in your router, and verify the DNS server settings in the router. Changing the DNS server in your laptop or your wireless router might not be a bad idea as well. Try either the Google DNS servers (http://code.google.com/speed/public-dns) or OpenDNS (https://www.opendns.com).
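
The answer above says a poisoned resolver hands back wrong addresses for specific names and that a spoofed reply gets in "through trickery", and it suggests comparing against a different DNS server. The script below is an added example (it is not from this thread, from Apple, or from the author of the Mac Virus guide) that makes that check concrete: it builds a raw DNS A query, parses the reply, refuses any reply whose transaction ID does not match the query (the mismatch a sound resolver also rejects), and compares the addresses from one resolver with those from a trusted one. The router address 192.168.1.1 and the test name example.test with its addresses are assumptions chosen for illustration; the sample responses are constructed in code, so everything except the optional live query at the bottom runs offline.

```python
import random
import socket
import struct

# Added example, not from the thread. Everything below is stand-alone; the live
# query at the bottom only runs when the file is executed directly.


def build_query(name, qid=None):
    """Build a minimal DNS query for the A record of `name` (recursion desired)."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)  # random transaction ID: the main anti-spoof field
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, addrs, ttl=300):
    """Construct a response to `query` answering with `addrs` (constructed test data)."""
    qid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in addrs)  # 0xc00c = compression pointer back to the question name
    return header + question + answers


def _read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg):
    """Return (transaction ID, [IPv4 strings]) from a DNS response."""
    qid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return qid, addrs


def classify(expected_qid, response, trusted_addrs):
    """Judge one resolver's answer against the answer from a trusted resolver."""
    qid, addrs = parse_a_records(response)
    if qid != expected_qid:
        return "spoofed-id"   # reply does not match our query: discard it, as a resolver should
    if not addrs:
        return "empty"
    if set(addrs) & set(trusted_addrs):
        return "consistent"
    return "mismatch"         # no overlap at all: worth investigating (see caveat below)


def query_server(name, server, timeout=2.0):
    """Send one UDP query to `server`; return (transaction ID sent, raw reply)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(512)
    return struct.unpack(">H", q[:2])[0], reply


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.apple.com"
    router_dns = "192.168.1.1"   # ASSUMED: the resolver the Mac normally uses (the home router)
    trusted_dns = "8.8.8.8"      # Google Public DNS, as suggested in the thread
    _, trusted = parse_a_records(query_server(name, trusted_dns)[1])
    qid, reply = query_server(name, router_dns)
    print(name, "via", router_dns, "->", classify(qid, reply, trusted), parse_a_records(reply)[1])
```

Run it as `python3 dnscheck.py www.paypal.com` while the redirect is happening to see whether the router's resolver and the trusted one agree. Two caveats: a "mismatch" is not proof of poisoning, because large sites return different addresses from different resolvers and locations, so confirm by looking at the site the address actually serves; and the transaction ID check is exactly the defense a poorly updated resolver lacks, since guessable IDs are what let forged answers get "added through trickery" in the first place.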

Mar 31, 2011 10:14 AM in response to thomas_r.

Well, the spoofed page from Clear did ask me something like "what was the name of your first pet?" which I didn't answer. But then when it stopped happening, I did check my email (which was already logged in, I think, so I didn't enter password). I just changed my email password from a different computer just in case. If it's a transient problem and they can spoof pages non-obviously, how can I tell if I got fooled? I only noticed because it took me to a page I wasn't trying to go to, with stuff about Clear Internet. How can I tell if it also spoofed a page I actually WAS trying to go to? I guess I should change all my passwords just in case?

Thanks...

Mar 31, 2011 5:23 PM in response to Terabithia

Well, the spoofed page from Clear did ask me something like "what was the name of your first pet?" which I didn't answer.

Good.

But then when it stopped happening, I did check my email

That shouldn't matter, unless your e-mail site was also spoofed, which is unlikely. Especially if you're checking mail with an e-mail client like Mail, rather than through a web interface.

If it's a transient problem and they can spoof pages non-obviously, how can I tell if I got fooled? I only noticed because it took me to a page I wasn't trying to go to

Well, there's the problem... if it's done perfectly, you might not be able to tell. I've never heard of it being done perfectly, though. Keep an eye out for anything suspicious.

At the same time, I don't want to give you the idea that DNS poisoning (i.e., specifically, hacking of the DNS server) is a constant problem that you're going to have to worry about. None of the DNS servers I use have ever been poisoned during my use of them, to my knowledge. A well-secured DNS server will have measures in place to protect against attack. A DNS server that has not been adequately updated may be vulnerable, which may be why yours was attacked (assuming that's what it was), and that may mean that you'll want to change DNS servers as I mentioned in a previous message.

Mar 31, 2011 6:23 PM in response to thomas_r.

Thanks for all the help. Nothing came up on the scan, so I changed my router name and password and changed my DNS servers to the google ones, which I'm guessing are more secure than my not-so-well known ISP.

I was checking mail through a web interface, but it showed my inbox and everything so I doubt it was spoofed. In any case, I changed that password too just in case.

Anyway it seems ok now, as far as I can tell... thanks for all your help!
