Spyware on macosx

It’s sad to say it, but I had my first incident of spyware… on nothing less than my macosx.

I found out because of popups that came up when browsing in Firefox:
[screenshot: the spyware popup]

It always pointed to the same IP address, 216.255.186.11. At first I thought something was wrong with the popup blocker in Firefox, so I installed Adblock in the hope that it would help. It didn’t. That was what pointed me in the right direction.

I installed MacScan, and what do you know: it found a trojan called DNSChanger.

I have managed to stay ahead of the game so far by being careful about what I install. Obviously, that didn’t help. So I guess… no more gay porn for me. (Hey, JUST KIDDING!)

Unfortunately, after many tries I discovered that MacScan didn’t do its job properly when removing the infection. It only removed a file named plugins.settings, but a lot more than that was going on. I searched for more information about the problem and found a site containing an analysis of what the trojan does. So here is what one must do to remove it:

Root’s crontab contained this line:
sudo crontab -l
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt" >/dev/null 2>&1

I removed it with this command (WARNING: this DELETES ALL CRONTAB ENTRIES FOR ROOT): sudo crontab -r

Then I deleted these two files:
/Library/Internet Plug-Ins/plugins.settings
/Library/Internet Plug-Ins/QuickTime.xpt
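The removal steps above, rewritten as an added audit script (this is not code from the original post): it reports whether the root crontab text contains the QuickTime.xpt job, shows the crontab with only that line stripped (so the other root jobs survive, unlike sudo crontab -r, which wipes them all), and checks whether the two dropped files exist. The paths and the cron line are the ones quoted in the post; the sample crontab text and the temporary directory are constructed for the demo. On a live Mac you would feed it the output of sudo crontab -l and check the real root directory "/".

```shell
#!/bin/sh
# Added example, not from the original post: audit for the DNSChanger
# persistence indicators described above (root cron job + dropped files).

IOC_CRON_PATTERN='/Library/Internet Plug-Ins/QuickTime.xpt'
IOC_FILE_1='/Library/Internet Plug-Ins/plugins.settings'
IOC_FILE_2='/Library/Internet Plug-Ins/QuickTime.xpt'

# Print crontab lines that reference the indicator; exit 0 if any were found.
# $1 = crontab text (on a live system: "$(sudo crontab -l)").
find_ioc_cron_lines() {
    printf '%s\n' "$1" | grep -F -- "$IOC_CRON_PATTERN"
}

# Print the crontab with the indicator lines removed; always exits 0.
# Feed the result back with:  printf '%s\n' "$cleaned" | sudo crontab -
# This keeps every legitimate root job, which "sudo crontab -r" would not.
strip_ioc_cron_lines() {
    printf '%s\n' "$1" | grep -v -F -- "$IOC_CRON_PATTERN" || true
}

# List the dropped files that exist under root directory $1 ("/" on a live
# system, a temp dir in the demo). Exit 0 if at least one exists, else 1.
find_ioc_files() {
    root=${1%/}          # "/" becomes "", so "$root$f" stays an absolute path
    found=1
    for f in "$IOC_FILE_1" "$IOC_FILE_2"; do
        if [ -e "$root$f" ]; then
            printf '%s\n' "$root$f"
            found=0
        fi
    done
    return $found
}

# --- constructed demo data (not a real crontab) ---
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt" >/dev/null 2>&1'

demo_root=$(mktemp -d)
mkdir -p "$demo_root/Library/Internet Plug-Ins"
: > "$demo_root/Library/Internet Plug-Ins/plugins.settings"
: > "$demo_root/Library/Internet Plug-Ins/QuickTime.xpt"

echo "Suspicious crontab lines:"
find_ioc_cron_lines "$SAMPLE_CRON" || echo "(none)"
echo "Crontab with the malicious job stripped:"
strip_ioc_cron_lines "$SAMPLE_CRON"
echo "Dropped files present under $demo_root:"
find_ioc_files "$demo_root" || echo "(none)"

rm -rf "$demo_root"
```

The demo only touches a temporary directory. To run it for real, replace SAMPLE_CRON with "$(sudo crontab -l)" and call find_ioc_files "/"; remove the files only after the cron entry is gone, otherwise the job may drop them again within the minute.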

After this session: no more popups for me!!! *Celebration*
Previous history:

Update: DAMN! That popup is still there!!! So what in the hell is it? Firefox is in "show no popups" mode.
So I tried this solution and set privacy.popups.disable_from_plugins = 3 (instead of 2). Hopefully that helps.

Update2: Apparently, that didn’t help either. Now I’m really baffled. And it makes no sense, because it pops up randomly on different sites. *thinking hard*

Update3: My last desperate act is to search through all files on my hard drive for the IP address in question (time consuming, but thorough). A tip: first delete all history files (clear browser history etc.) where the IP address might legitimately appear, so they don’t produce false hits.
sudo find . -type f -exec grep -F '216.255.186.11' {} \; -print

I got a hit in these files:
~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/places.sqlite
~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/places.sqlite-journal
So I renamed the file to places.sqlite-journal.old. These files store the Firefox browsing history; in my case they will not be missed. That didn’t help either: the popup is still there.

~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/sessionstore.js (Firefox session data)

haridasi

This entry was posted in Technology.

5 Responses to Spyware on macosx

  1. Newsha says:

    You know, I just stumbled across your blog because I am getting these ridiculous pop ups from 216…whatever that IP address is. And it is really really annoying.
    I’m on a PC, but if you figure anything out, let me know, and if I figure anything out I’ll let you know.
    Keep on keepin!
    N

  2. Asle says:

    Seems to be a plugin installed in ~/Library/Internet Plug-Ins/
    Tried a -find but no luck.
    I did a scan with MacScan and found a trojan in one of the plugins. Sorry, I was so mad and frustrated I can’t even remember the name of the file. But I removed it and no more popups. It was a trojan called DNSChanger. MacScan found it. http://macscan.securemac.com/ You get a full working 30-day trial. Time enough to fix it up.

  3. haridasi says:

    Asle: That is very strange, because I removed that trojan, I still have the same problem. I remember the file had plugins.settings.

    After some more research I found out that MacScan didn’t do its job properly on my computer. It didn’t finish the trojan off.

    But now it’s fixed. Thank you for making me check it a little bit closer. Saved my day :-)

    Even my browsing seems to go much faster now.

  4. subface says:

    I have the same problem w/ Safari, and so far MacScan has done the trick. I have a feeling it snuck its way in with some torrent I downloaded in the recent past. Thx for the tip!

  5. hyrcan says:

    You may also want to check what your DNS is set to on both your computers and on your local router. The DNSChanger targets both PC and MACs but also D-Link (and others) routers.

    If your DNS is set to 85.255.*.* you’re still not in the clear. You’ll need to change that as well; clearing it or manually entering what your ISP tells you will help.

    Here’s some more info on the problem:
    http://www.net-security.org/article.php?id=1150&p=1

    http://isc.sans.org/diary.html?storyid=3595

    Hope this helps…
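A check for the resolver setting hyrcan describes, as an added example that is neither the commenter’s nor the post’s code: it flags any configured DNS server inside 85.255.0.0/16 (the range named in the comment), reads the live resolvers via scutil on Mac OS X or /etc/resolv.conf elsewhere, and runs on a constructed server list first. The router’s own DNS setting has to be checked on the router’s admin page; that part cannot be scripted generically.

```shell
#!/bin/sh
# Added example (not from the post or the comment): flag DNS resolvers in the
# 85.255.0.0/16 range the comment warns about. The demo list is constructed.

# Exit 0 if $1 is a dotted-quad address inside 85.255.0.0/16, else 1.
# The case pattern must match the whole string, so "185.255.1.1" does not match.
dns_in_rogue_range() {
    case "$1" in
        85.255.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each resolver given as an argument; exit 0 only if none is rogue.
check_dns_servers() {
    bad=0
    for ip in "$@"; do
        if dns_in_rogue_range "$ip"; then
            printf 'ROGUE resolver: %s\n' "$ip"
            bad=1
        else
            printf 'ok: %s\n' "$ip"
        fi
    done
    return $bad
}

# Collect the resolvers this host actually uses: scutil on Mac OS X
# ("nameserver[0] : 1.2.3.4" lines), /etc/resolv.conf on other Unixes.
collect_dns_servers() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | awk '/nameserver\[/ {print $3}' | sort -u
    elif [ -r /etc/resolv.conf ]; then
        awk '/^nameserver/ {print $2}' /etc/resolv.conf | sort -u
    fi
}

echo "Constructed sample list (192.168.1.1 is the router, 85.255.112.1 is made up):"
check_dns_servers 192.168.1.1 85.255.112.1 \
    || echo "-> change the resolver on the Mac AND on the router"

echo "Live resolvers on this host:"
live=$(collect_dns_servers)
if [ -n "$live" ]; then
    # word-splitting on $live is intended: one address per word
    check_dns_servers $live || echo "-> rogue resolver configured on this host"
else
    echo "(none found)"
fi
```

On Mac OS X the host side is corrected with networksetup: networksetup -setdnsservers "<network service>" <resolver ISP gave you>, or networksetup -setdnsservers "<network service>" Empty to go back to the DHCP-supplied servers. Re-run the script afterwards; if the router still hands out an 85.255.x.x resolver, the live check will flag it again.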
