Q: Safari 5.1 suddenly cannot connect to server when accessing Google?

macboydesign wrote:

 

I uploaded the software then did a secure trash of it but didnt get the upload ID im afrai

It should be in your browser history.  Just paste the url here and it will be easy for anybody interested to go there.

If you can't do that then perhaps you recall whether the exact name of the file was "FlashPlayer.pkg" or something else.

macboydesign wrote:

 

Cant see it

It would look something like this one which was uploaded on 7/25 and matches the one that F-Secure says they found http://www.virustotal.com/file-scan/report.html?id=9469c1afe1a2031f082de610b026b 5ed46fbbdd51a23871935034fdcc4086f45-1311595973

I downloaded it on 22/07/11 however I only began to experience problems a few days ago, seems it takes a while to kick in.  Still unsure as to why a hacker might want to hijack a users google access?

Yes you should have had Google issues as soon as you installed it.  BTW, Adobe apparently updated Flash for real today.

Theory is that it's simply to provide advertisments of some sort.  Since the fake site is still inactive it's really hard to say what they are up to.  The use of a Flash update may give others some more agressive ideas, so it's always wise to make certain you're on Adobe's site when you download.

macboydesign wrote:

 

I downloaded it on 22/07/11 however I only began to experience problems a few days ago, seems it takes a while to kick in.

I gave this some thought and I'm fairly certain that you have to reboot in order to pick up changes to your hosts file.  I haven't verified it, but that might explain why there's a delay.

I'm fairly certain that you have to reboot in order to pick up changes to your hosts file.

sudo opensnoop -f /etc/hosts

Linc Davis wrote:

 

sudo opensnoop -f /etc/hosts

Gave me "0     35 DirectoryServic  20 /etc/hosts" every few seconds which seems to mean that DirectoryServices (PID 35) successfully opens the hosts file as "Staff" (GID 20) every few seconds which means my theory is totally wrong.  Right?

Right.

http://www.f-secure.com/v-descs/trojan_bash_qhost_wb.shtml

Has the answer.  Somehow a Trojan posing as a FLASH installer. (See Steve Jobs is right about Flash) modifies the /etc/hosts file.  This file basically says Check ME as the DNS authority BEFORE you go to any DNS on the net and check for Google's legitimate address (74.125.113.106) .

As with ALL Macs, one had to install something (to give it Administrative rights) to actually allow changes to the /etc/hosts file.  In other words one could NOT get this trojan by just visiting a web site or openning an email. At some point or another, a fake Flash installer showed up on your screen and said install?  And asked for the Administrator's password.  When the password was entered the deed was done.

Since this happenned to my daughter's computer, and I HAVE NO IDEA if anything else was modified, I am going to wipe the computer clean with a clean install of Snow Leopard.  That will be the ONLY way to know that any other files modified are removed. 

Sorry to bring you this bad news.

Yes, we discussed this last week.  I am still looking for a sample of the installer packadpge to be uploaded to VirusTotal and clamav so that AV software can be programed to detect it on computers that have already installed it and Macs which are still running older systems that do not detect it.  If the Trojan, probably called "Flashplayer.pkg" or the .zip file originally downloaded is still on her machine the community could greatly benefit from a copy.

Of course, merely detecting the trojan is not enough. Someone needs to analyze the installer package, and if necessary, install it on a tripwired system to see what it does. I will do that if someone sends a link to a Mailinator address and posts a notice in this thread.

I found this thread after I found the solution. However, I have the website that I got the flash installer:

91.224.160.26/FlashPlayer-11-macos.zip

I uploaded the file and uploaded the link. Not sure exactly which site linked this file, but I think it was an mp3 of america the beautiful that I was trying to listen to...

Hope this helps.

Benson Yeh wrote:

 

I found this thread after I found the solution. However, I have the website that I got the flash installer...

Thanks.  We are aware of the site.  It's the same one they used to show the fake Google pages and it's been down ever since.

I uploaded the file and uploaded the link. Not sure exactly which site linked this file, but I think it was an mp3 of america the beautiful that I was trying to listen to...

Sorry, I'm not clear on where you uploaded the file to.  If you still have it can you obtain a mailbox from http://mailinator.com/, upload a copy to it and post the name of the mailbox here please.

If you uploaded it to virustotal.com, please provide the ID you were given.  It should appear in the URL of the page where you were able to observe the results.

Linc Davis wrote:

 

Of course, merely detecting the trojan is not enough. Someone needs to analyze the installer package, and if necessary, install it on a tripwired system to see what it does. I will do that if someone sends a link to a Mailinator address and posts a notice in this thread.

Linc,

I found another possible this afternoon at why can I not connect to google pages? and repeated your appeal.  You many want to track it.

That's a link to the forum index. I can't find the thread.