Query: Possible DNS Redirect Trojan

[Slux]

Hi,

Earlier this evening I noticed that Facebook on my macbook pro began redirecting to an unknown internet advertising site. I fixed this by rebooting the machine, but then noticed that YouTube was redirecting me to another unknown site.

Needless to say my suspicions were aroused. Trying the same sites on my PC showed no problems. Bad news.

I've done some searching around the net and these forums, and apparently there is such a thing as a DNS redirecting trojan which causes behaviour similar to what I am seeing.

However, I have run the Clamxav scan, and followed other directions available on the net for detecting this trojan and it has come up clean.

I checked my /etc/hosts file, and found the following:

127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost

That last entry looks odd to me, is it normal?

Anyway, I removed it and for the last hour have not noticed any strange behaviour. Sadly, I don't think this means I am off the hook yet.

Any thoughts or suggestions on the above would be greatly appreciated. Particularly with regards to the /etc/hosts file and the last entry, or other ways to detect this malware.

Thanks.

 

[GGJstudios]

Mac google redirecting virus - Mac Forums

 

[Slux]

Thanks, I had actually read that thread which is why I was looking at the /etc/hosts file.

The other instructions linked from that thread for detection / removal did not find anything.

 

[GFLPraxis]

I haven't been experiencing any issues other than noticing network slowness lately (but I just moved and have a new router and location).

However, I just checked my hosts file, and it looks identical to the OP.

Can someone else confirm that this is normal?

 

[GGJstudios]

Can someone else confirm that this is normal?

Yes, it's normal.

 

[angelwatt]

The DNS re-routing could be an issue on your router rather than your machine. There have been some malware that uses a trojan to hijack the router. One example is the zlob.

 

[Slux]

The DNS re-routing could be an issue on your router rather than your machine. There have been some malware that uses a trojan to hijack the router. One example is the zlob.

Interesting. It that was the case though, wouldn't I have seen the same behaviour on my PC that is also going through the same router?

 

[angelwatt]

Interesting. It that was the case though, wouldn't I have seen the same behaviour on my PC that is also going through the same router?

Potentially. Would just depend on how the trojan works. It could treat Mac differently than Windows. I just wanted to present another possibility. Hard to say for certain what's going on.

If there's a domain that is giving you problems every time you enter, open up Network Utility, go to the Traceroute tab, and enter the domain into the field. It may take a while to run. Interpreting the results may not be straight forward either, but would give you another thing to look into if the problem is persisting.

 

[Makosuke]

That last entry looks odd to me, is it normal?

Yes, it is. fe80::1%lo0 is the approximate equivalent of 127.0.0.1 for IPv6, which is to say it translates to "this computer" were it in English. It of course won't do anything unless you're using IPv6, which you're probably not, but it's not the cause of any problem, and any recent MacOS install will have that line.

As for what's causing your problems, I don't have anything useful to add to the suggestions above.

 

[Slux]

Thanks, that was really useful information. I'll re-add the line back in tonight.

I may also re-run the DNS Changer Removal tool, as I have a suspicion that the version I downloaded was 1.1 rather than 2.0.

Will post results if they are useful.

 

[Slux]

FWIW, I returned my hosts file to the default configuration last night. Also checked the DNS settings on my router. No problems.

I have not seen the original redirection behaviour now for a couple of days. I am beginning to wonder whether it was a trojan at all, or some problem on the other end, ie. a scripting problem related to the google / facebook ads displayed on the target pages.

Seems a long shot, but why would a trojan redirect me to an advertising website? It didn't offer me any products or try to get any personal information. Seems like incompetence rather than malice.

Anyway I'll keep scanning periodically, but I'm cautiously optimistic.

 

[Makosuke]

Your new theory sounds reasonable, particularly given how well hidden something would have to be/have been to remain undetected with all the things you've tried.

I will add that, while it's a somewhat different problem, I've occasionally had weird redirect issues on YouTube myself. In my case I will periodically get redirected to the mobile version of the video--bare, with no associated web page--at random when clicking through "related" links. I'm pretty sure this is a side effect of ClickToFlash, since I can't imagine it being a widespread problem that I wouldn't have heard of, but it just confirms that oddball redirects can occur without malice.

 

[Slux]

OK, it's back.

Confirmed that it only affects one computer (the new MBP), the PC and older Powerbook are unaffected. Additionally, it affects both Firefox and Safari on the MBP.

I caught it with a traceroute this time. While displaying the advertising page ("Advantate" - some internet advertising company from Melbourne), the traceroute was as follows:

traceroute to www.facebook.com (117.55.235.235), 64 hops max, 52 byte packets
 1  mygateway1.ar7 (10.1.1.1)  3.831 ms  1.638 ms  1.555 ms
 2  lns1.sydney.netspace.net.au (203.17.101.81)  37.324 ms  37.590 ms  38.091 ms
 3  core1-hs-tengige-4-1.sydney.netspace.net.au (203.12.53.70)  37.893 ms  37.854 ms  38.092 ms
 4  as24557.sydney.pipenetworks.com (218.100.2.103)  38.099 ms  37.619 ms  37.590 ms
 5  gi0-1-3.bdr2.cbr1.as24557.net.au (203.88.112.2)  42.209 ms  42.007 ms  41.348 ms
 6  * * *

After about 20 minutes, I found that I could load facebook normally. The "normal" traceroute is:

traceroute to www.facebook.com (210.15.241.8), 64 hops max, 52 byte packets
 1  mygateway1.ar7 (10.1.1.1)  4.219 ms  1.900 ms  1.313 ms
 2  lns1.sydney.netspace.net.au (203.17.101.81)  43.101 ms  37.876 ms  37.800 ms
 3  core1-gr-vlan1.sydney.netspace.net.au (203.12.53.84)  37.534 ms  39.142 ms  40.712 ms
 4  core2-cr-pos-1-1-0.melbourne.netspace.net.au (203.17.96.41)  50.331 ms  51.382 ms  51.764 ms
 5  a210-15-241-8.deploy.akamaitechnologies.com (210.15.241.8)  50.758 ms  50.538 ms  50.246 ms

So it doesn't appear to be the browser, or the router. AV scan comes up clean and DNS Changer Remover finds nothing.

Any ideas?

 

[Makosuke]

Huh. The IP Address that's coming up for Facebook.com according to that traceroute--117.55.235.235--resolves to an Advantate server, which obviously it shouldn't. What's particularly odd is that Advantate is, as far as I can tell, not a particularly sleazy business--they appear to be just an internet marketing firm. It looks, as best as I can tell, that the "bad" traceroute you posted is redirecting to a content delivery network other than Akamai (which I'm guessing here is what Facebook uses).

Here's a possibility: A lot of big sites (like Facebook or Google services) direct traffic from various regions of the planet to local caching servers in those regions--it's a lot faster (and probably cheaper) to get data from a server in Australia if you're in Australia, rather than connecting to a server in California.

It's possible that the distribution network is flaking out and directing the URL in question to the wrong server.

Something similar could also happen if your ISP uses a proxy server and it's being flaky, although I'm not sure how a proxy redirect would appear in a traceroute.

Question: Since there was another post recently about someone in Australia having trouble with their ISP's proxy setup, that'd be something to look into. Go to the Proxies tab of the Advanced section of the Network pref pane, and see if anything is checked there--if so, that might well be it.

Even if not, it's still possible they're doing some redirects without telling you--again, someone else here was having a related problem, though I can't find the thread now. You might even try calling tech support and see if they can tell you something useful about the issue (or confirm that it's definitely not something their network is doing, which would narrow down the troubleshooting a lot).

 

[Slux]

Hi again, and thanks again for a well thought out response.

I'll call my ISP tomorrow and discuss. However it still strikes me as strange that only one of my computers is affected. In the scenario you describe, I would expect to see this behaviour across all of my machines.

I noticed that a "dscacheutil -flushcache" command cleared up a similar problem I was having with another website (actually, these forums. They were redirecting to a failed google search page, which was pretty bizarre). So I'm wondering if this is all just something screwy with the network settings on this laptop.

What I did notice is that the laptop was set to a static IP locally ("DHCP with manual IP address"), yet the router was allocating the IP dynamically. Both IPs matched so I don't know if that was a problem, but I've fixed it to dynamic on both sides and I'll see how I go.

Really hope this is all just due to my own incompetence rather than a virus

 

[Slux]

Update: Called ISP and they have nothing to report regarding their DNS, and have not received similar complaints from other customers.

Next steps:
1) Wait to see if issue recurrs after my IP address change above
2) If so, force the ISP DNS settings on my router rather than using automatic configuration
3) If problem persists, switch to Google open DNS and see what happens

Don't know what else I can do really.

 

[shaynaleahy]

Redirect issues

I'd love to hear if you (or anyone) are able to solve this. My redirects are happening through Google, not FB or YT, but I haven't been able to discover the root of the issue yet on my MacBook (unibody).

I specifically got a Mac because I didn't want to be searching out issues like this. I can follow directions well, but I'm not tech savvy enough to dig into my settings in depth on my own.

Thanks!
Shayna

 

[angelwatt]

I'd love to hear if you (or anyone) are able to solve this. My redirects are happening through Google, not FB or YT, but I haven't been able to discover the root of the issue yet on my MacBook (unibody).

I specifically got a Mac because I didn't want to be searching out issues like this. I can follow directions well, but I'm not tech savvy enough to dig into my settings in depth on my own.

Well, you're not really giving any information to go on. You don't state what sites specifically the redirects are happening on (saying Google isn't enough) and you're not mentioning where you're being redirected to. All I can suggest is using the traceroute tool in Network utility that I mentioned a few posts back.

 

[Slux]

Update on my troubleshooting:

The trivial change to IP address allocation that I mentioned did not solve the problem, this is not a suprise.

So I have gone ahead and set my DNS servers on the MBP to reference the DNS of my ISP directly, rather than obtaining them from the router.

So far so good on this, but it has only been one day so far. Fingers crossed.

Now for a bit of related conjecture!

I'm going to assume for the moment that the issue is not caused by malware. The only other significant change that has occured in my system prior to observing this behaviour was the installation of Safari 5.

I know I know, Safari 5 is everybody's favorite whipping boy right now. However consider that Safari now implements DNS prefetching in this version. This is new.

What if there is a subtle bug somewhere in the Safari implementation of DNS prefectching. Alternatively, if there is a bug in my router firmware that can't handle the volume of DNS requests generated by prefetching (I tend to use the "top sites" page a lot, which I can only imagine contains a lot of links to prefetch all at once).

What would the symptoms of this problem be? Getting the wrong IP back from the router, and sending an incorrect URL to that IP address. For example, if I were trying to browse these forums, but sent the request to google.com instead, I might see something like this: http://www.google.com/forumdisplay.php?f=78

This is exactly what I see when the problem occurs for this site.

Similarly, if I got an IP address for an advert instead of the IP address for facebook, I would try to visit that IP at the root address (ie. http://www.advertisers.ip/ instead of http://www.facebook.com). That would likely send me to a generic advertising page rather than the ad or facebook.

That is also exactly what I see.

I noted above that I also saw this behaviour in Firefox. However, I ran up firefox after visiting the site in Safari to check. Given that, my local DNS cache would have already contained the incorrect IP for that site. Clearing the cache fixed the problem for both browsers.

OK there are a few logical leaps in there, but it is starting to make some sense. Can anyone confirm or deny this theory?

Or ... I might just have a virus.

 

[Makosuke]

What if there is a subtle bug somewhere in the Safari implementation of DNS prefectching. Alternatively, if there is a bug in my router firmware that can't handle the volume of DNS requests generated by prefetching

Now that's actually a pretty interesting theory. I'm not inclined to believe it's Safari 5 itself, or I think we'd have seen a lot of complaining about it already, but the idea that a large volume of nearly-concurrent DNS hits is causing them to get mixed up somewhere along the line would explain the behavior quite well, as you conjectured. It would also very neatly explain why the erroneous DNS hits would be to legit advertising IP addresses, rather than phishing sites--lots of ads around, so lots of target addresses to get prefetched.

I was under the impression, however, that most routers just store the entered (or provided, via DHCP) DNS server addresses and pass them along via DHCP to connected computers. I didn't think consumer routers did any kind of lookup or caching on their own, though I suppose it's possible. Some kind of routing issue, though, who knows.

In any case, something along these lines seems drastically more likely than a virus or worm, since such a thing is exceedingly rare on a Mac and it would additionally have to be exceptionally well concealed to have not popped up in any of the things you've already tried.


Did you hear anything from your ISP about proxy caching they're doing? I reiterate, there was another thread by someone having trouble with a major AU-based ISP doing some funky caching business.

 

[shaynaleahy]

I wish I could give more detailed information. Literally when I do a Google search (it doesn't matter for what), every single link provided on that search results page takes me to a different ad site. Once I hit that site and go back, clicking the link a second time takes me to the correct page.

Resetting Safari seems to fix the problem for 2 days and then it comes back. I also can't reproduce this with any regularity. If there is an intermediary web address before going to the ad site, it flashes so quickly on the browser bar that I cannot tell what it is.

I am running Safari 5, I do use a wireless router, but I also use my iPhone on the same router and do not have this issue when Google browsing on that device.

If there are specific details you need, please let me know what they are and how to find them, and I will be happy to oblige!

Thanks again!
Shayna

 

[Slux]

Makosuke: Yeah I called my ISP and asked them if anything has changed recently with their DNS, and they said no changes for a very long time.

shaynaleahy: This sounds like a different problem to mine. Have you tried AV scans and the DNS Changer Removal tool? Are you running any 3rd-party plugins for Safari?

 

[Makosuke]

every single link provided on that search results page takes me to a different ad site.

This would narrow it down: Does a link like this:

https://www.macrumors.com/2010/06/07/apple-announces-safari-5/

still show the full URL in the menu bar? And, if so, do you get a "proper" page at that ad site, or an error page (test by typing some gibberish onto the end of the URL and see if you get the same thing).

If it's giving you an error page (or whatever the site gives "bad" URLs), then that would indicate a DNS issue, where the correct URL is getting passed to the wrong server, which of course doesn't know what to do with it. If it's a "proper" page, then the server would be expecting the connections that way, which would point to it being intentional somehow.

Come to think of it, I'm wondering how most of these servers would respond to a request for a domain not hosted there--I've never tried it, but I'm thinking an unknown vhost domain would give a specific error...

 

[EDWW]

I am having what seems to be a similar problem since installing Safari 5. When I go into topsites and click on a page an entirely different one will load sometimes. This did not happen with Safari 4. For example, I clicked on cymbalholics.com in topsites and google.com search page loaded. In the address bar it shows it as cymbalholics.com/ - google. Another time when trying to go to factnet.org my facebook page loaded instead. I also clicked on a topsites page one time and the page that loaded was one that I had never visited before.

BTW, I just tried cymbalholic.com in Firefox and I get google.com but after rebooting the modem/router the problem seemed to clear up for Firefox as well as Safari. This has been going on for a few days now.

 

[Slux]

EDWW: Interesting, that sounds fairly similar to what I am experiencing. Is your DNS in network settings set to your router, or directly to your ISP DNS?

At this point I have still not experienced the issue again since changing my DNS from the router IP to the ISP DNS servers.

If this persists, I think I will conclude that the dodgy old D-Link router I am using cannot keep up with the volume of requests generated by the top sites page.