Posted on December 6th, 2012 at 9:53 PM EDT
Windows users have been plagued for years by malware and junkware that causes their web browsers to redirect to undesired pages, advertisements to be injected in web pages, changes to the home page and search engine settings and other undesirable behaviors. Unfortunately, this is now spreading into the Mac world. Reports of these kinds of issues are becoming increasingly common, and confused users don’t know how to handle it. (I hear a lot of comments like, “I Googled it, but all the instructions were for Windows users!”) So what is a Mac user supposed to do when faced with such problems?
First, it’s important to understand the root cause of such problems. Most of the time, when being redirected to sites like Findgala, tracking999 or Gossip Center (just to name a few I’ve seen recently), users will try to Google the symptoms and will find multitudes of references to “viruses.” In reality, however, these things are rarely caused by malware of any kind. In the Windows world, they are typically junk software installed surreptitiously by some other junk software. For example, it may be a browser toolbar installed by a video game. It could also be adware injected into the installer by an unethical download host, such as CNET’s Download.com.
There can also be other causes. Sometimes, free wifi networks will inject code into every site you visit. That code typically inserts advertisements into the pages, and when clicked they generate revenue for whoever is providing that network. The ethics of this behavior tend to be a bit murky… after all, the wifi network must be paid for somehow, and if the choice is between no network at all or one that injects ads, many people are likely to choose the ads. Still, there’s a bit of a dishonest feel to someone furtively changing the code of pages that you’re loading in your web browser!
Other times, sites themselves may be hacked to contain ads that they normally would not contain or to redirect to other sites, domain name servers can be hacked to redirect legit sites to phishing sites, settings of wireless routers can be changed to send you where the hacker wants you to go, etc. It could even possibly be malware, although that is very unlikely on a Mac at the time of this writing.
To solve these sorts of problems, one first needs to isolate the cause. There are three tests that will need to be done:
- Test multiple devices on the same network as the affected machine. (These devices need not all be the same. Mac, Windows, iOS, Android, all will work for this test. Just be positive they are actually connected to the same network as the affected device, and are not using some other network, like a cellular data connection!) Do all devices show the same behavior?
- Test the affected machine on multiple unrelated networks. (For example, take your computer to a neighborhood coffee shop, library or other location offering free wifi, or try a work machine on your home network or a home machine at work.) Does the problem happen on all networks?
- Test multiple web sites on every affected network and device. Do the problems happen only with one or more specific sites?
Your answers to these three questions (numbered 1, 2 and 3 in the order listed above) will determine what the possible causes of your problems are. In the table to the left of each paragraph below, a ‘Y’ means that particular question was answered with a “yes,” an ‘N’ means “no” and a question mark (‘?’) means that either answer is applicable.
If you are having problems with only one site, or a small selection of sites, but not with most sites, this often means that the sites in question have been hacked. It is common for hackers to use a variety of techniques to insert malicious code into legitimate web sites. If you answered “yes” to both questions 1 and 2, it’s extremely likely that those sites were hacked. However, if you said “no” to either or both of the other questions, it could also be something else, related to your network or your computer, that is causing symptoms to only appear on specific sites.
If all devices are exhibiting the same behavior, on all networks you have tried, with all web sites, there’s only one reasonable explanation (barring coincidental issues on multiple devices): a large-scale issue with the internet service provider that handles the service for all the networks in question. (If you only see the problem with a few specific web sites, this could still be a cause of the problem, but the problem could also be caused by the sites being hacked, as described in the previous paragraph.) One possibility is that a domain name server (DNS) being used by all those networks has been “poisoned.” Try changing your DNS server settings, as described below in the Domain name server issues section. If that doesn’t work, you need to report the issue to your internet service provider.
If all devices have the problem, but only on one specific network, then the problem is related to a problem with that network. This could also be a DNS poisoning issue, which would again be fixed by changing your DNS server settings (see Domain name server issues). However, it could also be an issue with the wireless router managing the network. See Wireless router issues for how to approach that problem. It could also simply be a perfectly normal effect of using a free wireless network. You can complain to the owner of that network, though there are no guarantees that doing so will have positive results.
If the problem only affects your Mac, and affects it on all networks you try, then the problem has to be with your Mac itself. The most likely possibility is that you have some kind of junk software installed that is causing the problem (see Browser plug-in issues). It’s also possible that the issue is caused by the DNS server settings on your computer, so you can try changing those settings (see Domain name server issues). Very unlikely, though still possible, is that something has screwed up your hosts file settings (see Hosts file issues). Both of the latter would cause redirects only, not ads being injected into legit pages.
Browser plug-in issues
If your problem is caused by some kind of browser plug-in, there are multiple places to look for the culprit. The first is a browser-specific plug-in. If the problems only appear in one web browser, and any other browsers on the same machine work fine, a browser-specific plug-in is undoubtedly the culprit. Different browsers have different ways of accessing their plug-ins. For Safari, go to the Extensions pane of Safari’s preferences window. Normally, no extensions will be installed, so anything you see in the list can be removed or disabled. In Firefox, they are found by choosing Add-ons from the Tools menu. Disable or remove any that you don’t recognize, but be aware that there are normally a number of plugins installed. (Firefox has three different kinds of add-ons, in categories titled Extensions, Appearance and Plugins. Be sure to check all three categories.) In Chrome, select Chrome -> Preferences, and on the page that loads, click Extensions in the list on the left side. For other browsers, check their documentation.
If you only have one browser, or if the problem affects multiple browsers, there are a couple other places to check. First, in the Finder, choose Go To Folder from the Go menu and paste the following path into the window that opens:
~/Library/Internet Plug-Ins/
Anything in that folder is a potential suspect. It is normally empty. Quit your web browser, move any unfamiliar items from that folder to the desktop, then start up the browser again. If the problem is gone, one of the items you removed was the culprit. To narrow it down to one particular plug-in, you could just remove one at a time, restarting the browser each time, and testing until the problem goes away. Then the other plug-ins can be replaced, and the guilty plug-in can be deleted.
If the cause isn’t found in that folder, there’s one other place to look. In the Finder’s Go To Folder window, paste in the following path this time:
/Library/Internet Plug-Ins/
You may notice that this is the same as the previous path, only without the tilde (‘~’) character. The lack of that one character means it’s in a different place, though! Also, note that it is normal for there to be things in that folder, as there are several plug-ins preinstalled on a fresh Mac OS X system, so you should not remove everything from there willy-nilly. On a bare Mac OS X 10.8.2 system, the list of preinstalled plug-ins in that folder is:
- JavaAppletPlugin.plugin
- Quartz Composer.webplugin
- QuickTime Plugin.plugin
- nsIQTScriptablePlugin.xpt
There are other plugins commonly found there as well. For example, there will be a couple Flash Player items in that folder if you have Adobe Flash Player installed. Anything unfamiliar, though, should be moved temporarily to the desktop for testing, just as with the previous Internet Plug-Ins folder.
Although it’s not strictly a browser plug-in, some adware has recently used the third-party software SIMBL to display its ads. SIMBL is software that provides the capability to modify the normal behavior of applications, and although it has some potential uses, it can also introduce instability or, in this case, be used for malicious purposes.
To remove any unfamiliar SIMBL plugins, open the Finder’s Go To Folder window and paste in the following path:
If it complains that the folder can’t be found, you either don’t have SIMBL installed or don’t have any SIMBL plug-ins installed. If that folder opens, remove anything that you didn’t explicitly install. Restart your web browser afterwards.
To remove SIMBL entirely, hold down the option key and select the Library item from the Finder’s Go menu. In the folder that opens, find and remove the following items:
- Application Support/SIMBL/
- LaunchAgents/net.culater.SIMBL.Agent.plist
- ScriptingAdditions/SIMBL.osax
Domain name server issues
Domain name servers (DNS) are what map human-readable site names into IP addresses, which are required for connecting to any server on the internet. For example, a DNS lookup will tell your computer that “www.reedcorner.net” is mapped to the IP address 184.108.40.206. However, if a hacker compromises the DNS server being used by your network, he can cause that DNS server to return a different IP address for “www.reedcorner.net,” which would send you to a different site than you should end up on. This is called “DNS poisoning,” and it’s typically caused by phishing attempts by hackers who want to redirect users from financial sites (bank sites, Amazon, PayPal, etc) to malicious sites designed to intercept login credentials.
This can be fixed by changing your DNS server settings, either for your computer or for your entire wireless network (by changing the settings in the wireless router). Rather than using the server provided by your internet service provider, try changing to the OpenDNS servers or the Google Public DNS servers. (Both OpenDNS and Google publish complete instructions for changing your settings on their web sites.)
Wireless router issues
If someone has enabled remote administration, meaning that the router settings can be changed from anywhere remotely, and if the router’s password is left at its default setting, it is possible that a hacker anywhere in the world could change those settings for malicious reasons. If this is your home network, try resetting the router to factory defaults and set up your network again from scratch. Make sure NOT to enable remote administration, and change your router’s administrative password to something that nobody will be able to guess. (Note that this is entirely different from the password required to access your wireless network, and should be a different password!) See the manual for your wireless router for instructions.
It is also possible that someone local, with access to your wireless network, may have changed the settings. This is especially likely if you are using an unprotected wireless network (i.e., no password is required to join the network) and you have not changed your router settings from their defaults. Again, the fix would be resetting the router and making sure that you change the admin password. However, in such a case, you should also make sure to secure the network itself with WPA2 encryption. A wireless network with no password, or with weak WEP encryption, is not secure, and anyone nearby could be watching exactly what you’re doing online at all times!
Hosts file issues
The hosts file is a file buried in an out-of-sight location that maps certain special domain names to IP addresses. Ordinarily this file should not be modified without a very good reason, but sometimes people do make changes to it for a variety of reasons, such as to block a particular site. Malicious software can also make changes to this file. (The only Mac malware known to do this is QHost, which has not been seen in the wild in a while now.)
To determine if your hosts file has been modified, open the Terminal app (found in /Applications/Utilities) and enter the following command:
After entering that command, press return. This will display the contents of the hosts file. You should see something like this:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
If your hosts file looks different, you may have a problem. You can fix this, but you will need a copy of TextWrangler. (Do not get the version of TextWrangler that is available in the App Store; download it from the Bare Bones web site! The version in the App Store is limited, due to sandboxing restrictions, and cannot edit the hosts file.) While logged in to an admin account, open TextWrangler, then choose Open File by Name from the File menu. Enter “/etc/hosts” (without the quotes) in the box and click the Open button. The window that opens should show the same thing that the Terminal showed as the contents of the hosts file. Change the file so that it only contains the text shown above. (When you try to edit the file, you will be asked if you want to unlock the hosts file. Click the Unlock button, then finish making the changes.) When complete, save the file, and enter your admin password when asked. Then you can close the file, and you should restart the computer to make the changes take effect.
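As an added check that is not part of the original post, the following Python script parses hosts-file text and separates every entry that is not one of the four defaults shown above into two groups: blocks (a name pointed at loopback or 0.0.0.0, the usual shape of a deliberate ad or site block) and redirects (a name pointed anywhere else, the shape a malicious edit would take). The sample hosts text and the domains in it are constructed for illustration; run it against the real file with the `__main__` block.

```python
import ipaddress

# The four entries of a clean OS X 10.8 hosts file, as shown in the post.
DEFAULT_HOSTS = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
    ("fe80::1%lo0", "localhost"),
}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines.
    One line may name several hosts; each becomes its own pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def audit_hosts(text):
    """Split non-default entries into (blocks, redirects).
    A block sinks a name into loopback/unspecified space; anything else
    sends traffic for that name to a real host and deserves a closer look."""
    blocks, redirects = [], []
    for addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_HOSTS:
            continue
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # strip %lo0-style zone ids
        except ValueError:
            redirects.append((addr, name))  # unparseable address: treat as suspicious
            continue
        (blocks if ip.is_loopback or ip.is_unspecified else redirects).append((addr, name))
    return blocks, redirects


# Constructed sample: the stock file plus one user block and one redirect
# into the 192.0.2.0/24 documentation range (not a real server).
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0         ads.example.net    # constructed: a deliberate ad block
192.0.2.10      www.example.com    # constructed: a redirect to another host
"""

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        found_blocks, found_redirects = audit_hosts(fh.read())
    print("blocks:", found_blocks)
    print("redirects (inspect these):", found_redirects)
```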