I recently got a call from a friend who asked, “Why do I keep getting pop-ups in my browser?” As the tech support guru for family and friends, I thought to myself “This will be easy, and I’ve got five minutes to spare.” So they fired up Safari and away we went.
I started with the obvious things first. Did he have the option to ‘Block Pop-up Windows’ checked? Yep, that was the case when checking the Security tab of Safari’s Preferences (see Figure 1).
Figure 1.
“What site are you going to?” I asked, and followed up by going to the same Web page. A quick gander at the page revealed nothing out of the ordinary. A look under the hood [Safari > View > View Source] revealed some JavaScript, but no redirects or modifications.
“Let’s clear the cookies and cache.” Done and done.
“Reboot your machine.” Okay.
“Is it happening in other browsers?” Nope.
Now I needed to see firsthand what was happening on my friend’s Mac, so I began a screen sharing session; I wanted to see the “Page Storm” that he was getting. However, the remote screen sharing option did not work reliably. We did a little triage by checking to see if he was on the right network. I also had him turn off his wireless AirPort connection and reconnect to the Internet more directly via Ethernet. Now it was time to get my hands dirty.
The next step was to change his DNS servers temporarily to make sure it wasn’t an Internet Service Provider issue. We did this by going to System Preferences > Network and selecting Ethernet (see Figure 2).
Figure 2.
We used the DNS addresses from OpenDNS [http://www.opendns.com/] and still no luck; this was getting uglier and uglier. Nonetheless, at this point, I was thinking nothing was really that bad.
“So, let’s open your hosts file.” I warned them to follow my directions explicitly and to not do anything unless instructed. At this point we were putting on the headgear and going deep into the bowels of the operating system.
Nothing there! It was the vanilla hosts file that comes with the installation. Now I am really scratching my head. What can it possibly be?
“Open your Terminal application.” I said warily. “Now type the following exactly.”
sudo crontab -l
My friend replied with a screenshot of the results. It looked like this:
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
So I did a little searching, and discovered that there is a Trojan horse out there ‘infecting’ Mac OS X! It was noted in an article on the Macworld Web site:
http://www.macworld.com/article/60823/2007/10/trojanhorse.html
After a little prodding, it turns out my friend has a penchant for downloading things that he probably shouldn’t, and I surmise this is how the offending Trojan got into his system.
Well, I’m not the “thought police,” rather a friend just trying to help, so I trudge on after issuing an obligatory warning...
“Anytime you download something from an unknown source, NEVER give your administrator password, no matter how much you want to install it.”
We removed the cron job and the offending Internet plug-in, emptied the trash, and rebooted. All was working fine.
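The hosts-file and crontab checks above, and the removal of the cron entry, can be scripted so they are repeatable the next time a friend calls. The script below is an added example and is not part of the original post; it works on files rather than the live system, and the hosts file and root crontab it inspects are constructed samples built inline (the cron entry is the one quoted above). The names `count_nonstandard_hosts` and `scan_cron` are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original post: a small triage script that
# automates the two manual checks described above (the hosts file and root's
# crontab) and produces a cleaned crontab with the flagged entries removed.
# It works on files, so it can be exercised on the constructed samples below
# without touching the live system.

# Count hosts-file entries that are neither comments, blank lines, nor the
# stock macOS loopback/broadcast entries. Anything else is an added mapping,
# which is how a Trojan would silently redirect a site. $1 is the hosts file.
count_nonstandard_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF == 2 && $2 == "localhost" &&
            ($1 == "127.0.0.1" || $1 == "::1" || $1 == "fe80::1%lo0") { next }
        NF == 2 && $1 == "255.255.255.255" && $2 == "broadcasthost" { next }
        { n++ }
        END { print n + 0 }
    ' "$1"
}

# Inspect crontab text (as printed by `sudo crontab -l`, saved to file $1).
# An entry is flagged when it runs every minute (five asterisks) and either
# launches something from /Library/Internet Plug-Ins or discards all output
# with >/dev/null 2>&1, which is the shape of the entry found in the post.
# $2 selects the mode: "flag" prints the suspicious lines, "count" prints how
# many there are, and "clean" prints the crontab with those lines removed.
scan_cron() {
    awk -v mode="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { if (mode == "clean") print; next }
        {
            every_minute = ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
            plugin_dir   = (index($0, "/Library/Internet Plug-Ins/") > 0)
            silenced     = (index($0, ">/dev/null 2>&1") > 0)
            bad = every_minute && (plugin_dir || silenced)
            if (bad) n++
            if (mode == "flag" && bad) print
            if (mode == "clean" && !bad) print
        }
        END { if (mode == "count") print n + 0 }
    ' "$1"
}

WORK=$(mktemp -d)

# Constructed hosts file: the stock entries plus one injected redirect
# (203.0.113.7 is a documentation address, chosen for the sample).
cat > "$WORK/hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.7     www.example.com
EOF

# Constructed root crontab: one legitimate maintenance job plus the entry
# quoted in the post.
cat > "$WORK/root.cron" <<'EOF'
# maintenance
0 3 * * * /usr/sbin/periodic daily
* * * * * "/Library/Internet Plug-Ins/plugins.settings">/dev/null 2>&1
EOF

echo "Non-standard hosts entries: $(count_nonstandard_hosts "$WORK/hosts")"   # 1
echo "Suspicious cron entries:"
scan_cron "$WORK/root.cron" flag
echo "Cleaned crontab:"
scan_cron "$WORK/root.cron" clean
```

On a real Mac the inputs are `/etc/hosts` and `sudo crontab -l > root.cron`; after reviewing what `scan_cron root.cron flag` prints, `scan_cron root.cron clean | sudo crontab -` installs the cleaned table (`crontab -` reads the new table from standard input). The DNS step from earlier in the post can be checked the same way with `networksetup -getdnsservers Ethernet`. The crontab rule only recognises the one shape of entry seen here; launchd items under the LaunchAgents and LaunchDaemons folders are a separate persistence location this script does not look at.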
An hour later we were wrapping it up. “Just one more thing,” I said. “Once you’ve been compromised, there is no way to ensure you are free and clear. If it were me, I would reinstall Mac OS X from the install disk and I would change ALL my passwords immediately. Have a great weekend!”
“Thanks for the help,” my grateful friend replied. “No problem, I learned something new today,” was my retort.
It’s a wild, woolly world out there. What’s that about people in ivory towers or glass houses? We Mac users can get bitten as well; be wary, and as Dave Hamilton would say, “Don’t get caught!”