Is this a Mac virus????

Discussion in 'Mac Basics and Help' started by efcjimbo, Jul 27, 2009.

  1. efcjimbo macrumors newbie

    Joined:
    Apr 21, 2008
    #1
    This just happened

    When I go to enter youtube.com in Safari
    I get redirected to a totally different site

    I thought YouTube had been hacked, then I tried it with Firefox: same again, no YouTube on Firefox.

    I thought it might be my ISP so I opened Parallels Desktop, Firefox on my Mac and got the proper YouTube site, so it's not the ISP blocking YouTube.

    I then tried another Mac on my home network and got proper YouTube.

    So I reset Safari on my mac, getting rid of caches, cookies etc.
    Still the same, none youtube comes up.

    So what the hell is this?????
    I've been using Macs for 10 years never came across anything like this

    This is what I'm getting when I enter youtube
    [​IMG]
     
  2. r.j.s Moderator emeritus

    r.j.s

    Joined:
    Mar 7, 2007
    Location:
    Texas
    #2
    Have you installed any torrented software recently? Or any video codecs for quicktime?
     
  3. thegoldenmackid macrumors 604

    thegoldenmackid

    Joined:
    Dec 29, 2006
    Location:
    dallas, texas
  4. madog macrumors 65816

    madog

    Joined:
    Nov 25, 2004
    Location:
    Korova Milkbar
    #4
    No viruses for the Mac, yet.

    Only thing out there right now are Trojans. Like the poster above me, have you installed any torrented software, or possibly any random/unknown software for "video codecs" or the like?

    I don't even know if this can be done on the Mac, but I know for Windows there is a host file one can modify to redirect a named address to any IP address you put in it. I wouldn't know off the top of my head where, or even if that can be done with Mac OS X, but maybe an app modified that file or someone is pulling a prank on you.
     
  5. guydude193 macrumors 6502a

    Joined:
    May 15, 2009
    Location:
    MI
    #5
    ^^
    +1. Don't download illegally gained software.
     
  6. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #6
    I love how quick we are to accuse people.
     
  7. poolish macrumors regular

    Joined:
    Jul 23, 2007
    Location:
    south coast, uk
    #7
    You could check if something has enabled a proxy server in your network settings?

    Or /etc/hosts, but that couldn't have been changed without your password.
     
  8. geoffreak macrumors 68020

    geoffreak

    Joined:
    Feb 8, 2008
    #8
    Sounds like you have a Trojan. You should stay away from torrenting.
    Go ahead and disconnect your computer from the network as it may be part of a botnet already. Hopefully this is just simple malware, but it can be easily removed regardless so long as you can figure out what it is.
     
  9. efcjimbo thread starter macrumors newbie

    Joined:
    Apr 21, 2008
    #9
    It could be torrents, but I don't think so; I haven't done anything recently (months), unless a trojan is set on a delay. I was looking at YouTube yesterday, and today's computer use was: sent a few emails, then went to YouTube using Safari (4.0), and it crashed after opening YouTube. When I reopened Safari, this then occurred.

    The question now is how is it happening and how do I sort it out.
    It's happening with Firefox too so it must be a system-wide thing.

    Could it be something that's come through Flash? I keep seeing Flash is vulnerable to attack?

    OK, YouTube is back to normal, I've done nothing to change this.
    Should I be worried for the future?
     
  10. geoffreak macrumors 68020

    geoffreak

    Joined:
    Feb 8, 2008
    #10
    You should only be worried if it appears again. The company in the picture seems legit, but the links may be to a malicious website.
     
  11. RandomKamikaze macrumors 6502a

    RandomKamikaze

    Joined:
    Jan 8, 2009
    Location:
    UK
    #11
    If it happens again, do an nslookup, search youtube.com and then see what the results are.

    Then boot up your Windows VM, do the same, see what results you get.

    If you get different results, compare DNS servers.

    If you get the same, you know it's not a DNS error
     
  12. manowarwi macrumors member

    Joined:
    Oct 14, 2008
    #12
    There was a trojan that went around and keeps on poking its head up every now and then that comes down as a fake video codec, but really installs a malicious program in your /Library/Internet Plug-ins folder which redirects your DNS traffic through bad DNS servers that redirect banking pages to fake sites.

    Check out info here: http://www.macworld.com/article/60823/2007/10/trojanhorse.html
     
  13. Consultant macrumors G5

    Consultant

    Joined:
    Jun 27, 2007
    #13
    THERE ARE NO VIRUSES on OSX.

    Since there are no viruses, anti-virus cannot determine what is a virus at this time.

    How to check for Trojans
    http://www.macworld.com/article/60823/2007/10/trojanhorse.html

    Giz Explains: Why OS X Shrugs Off Viruses Better Than Windows
    http://i.gizmodo.com/5101337/giz-explains-why-os-x-shrugs-off-viruses-better-than-windows

    The Mac Malware Myth
    http://www.roughlydrafted.com/2009/01/29/the-mac-malware-myth/

    The Unavoidable Malware Myth
    http://www.roughlydrafted.com/2008/...-apple-wont-inherit-microsofts-malware-crown/
     
  14. steve knight macrumors 68020

    steve knight

    Joined:
    Jan 28, 2009
    #14
    This looks like the rootkit I got in XP last month. It did the same thing: redirected to a different site from a Google search.
     
  15. EmperorDarius macrumors 6502a

    Joined:
    Jan 2, 2009
    #15
    A DNS Changer perhaps? A just-to-be-sure scan with iAntivirus wouldn't hurt.
     
  16. localoid macrumors 68020

    localoid

    Joined:
    Feb 20, 2007
    Location:
    America's Third World
    #16
    Umm... open up Terminal and run "whois youtube.com". The resulting DNS info is rather "interesting"... One line from whois, follows:

     
  17. Tumbleweed666 macrumors 68000

    Joined:
    Mar 20, 2009
    Location:
    Near London, UK.
    #17
    Looks to me like a router problem. If it happens again, switch your router off for a couple of minutes, then try again.
    Also, and to descend to the same levels of paranoia as you and some other posters here, do you know what the admin password for your router is, did you change it, or have you left it at default? If so, it's more likely your router was compromised than your Mac.
     
  18. Joined:
    Jun 30, 2009
    #18
    whois does not show the correct information for big web sites like google and so, apparently.
     
  19. Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #19
    Open up Terminal, type the following command, then post the results back here.

    cat /etc/hosts
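
Added example, not part of the original post: instead of reading the `cat /etc/hosts` output by eye, this filters a hosts file for entries that override one domain or its subdomains. The function names and the sample file are constructed for illustration; 203.0.113.x are documentation addresses.

```shell
#!/bin/sh
# hosts_overrides FILE DOMAIN
# Print "address name" for every entry in FILE that maps DOMAIN, or a
# subdomain of it, to an address. Comments and blank lines are ignored.
# FILE may be "-" to read standard input.
hosts_overrides() {
    awk -v dom="$2" '
        BEGIN { dom = tolower(dom); suffix = "." dom }
        {
            sub(/#.*/, "")               # strip comments; awk re-splits the fields
            for (i = 2; i <= NF; i++) {  # field 1 is the address, the rest are names
                name = tolower($i)
                if (name == dom ||
                    (length(name) > length(suffix) &&
                     substr(name, length(name) - length(suffix) + 1) == suffix))
                    print $1, name
            }
        }' "$1"
}

# Constructed sample: a stock-looking hosts file plus one injected redirect.
make_sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.10    youtube.com www.youtube.com   # constructed redirect
# 203.0.113.11  youtube.com   (commented out, must be ignored)
203.0.113.12    notyoutube.com
EOF
}

# Demo on the constructed sample; on a live machine run:
#   hosts_overrides /etc/hosts youtube.com
make_sample_hosts | hosts_overrides - youtube.com
```

Any output for a public site such as youtube.com means the hosts file is overriding DNS for that name; an untouched file prints nothing.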
     
  20. localoid macrumors 68020

    localoid

    Joined:
    Feb 20, 2007
    Location:
    America's Third World
    #20
    Actually, it's just a trick. ;)
     
  21. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #21
    That's a cunning trick used by phishers and such. People assume that google.com.aliencollective.com is a part of google.com. Makes sense, because we read left to right, yeah? Actually, it goes the other way. .com is what's called a top-level domain, with aliencollective.com being one of many domains within that TLD. I control the domain aliencollective.com, so I can add as many more subdomains as I want. google.com.aliencollective.com is actually a part of com.aliencollective.com, which in turn is part of aliencollective.com.

    Everything after the "/" is normal. aliencollective.com/foo/bar is a subdirectory of aliencollective.com/foo, and so forth.

    Sorry if that doesn't make much sense, DNS is confusing stuff. I still have trouble believing that it actually works. It all sounds so shaky.
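
Added example, not part of the original post: the right-to-left reading described above, as a check that a link's host really belongs to the domain it appears to name. The function names are hypothetical, and `controlling_domain` assumes a single-label TLD such as .com (suffixes like .co.uk need the Public Suffix List, which this does not consult).

```shell
#!/bin/sh
# url_host URL: print the lowercase host of URL with scheme, userinfo,
# port, path, query and fragment removed. (IPv6 literals are not handled.)
url_host() {
    h=${1#*://}       # drop scheme, if any
    h=${h%%[/?#]*}    # everything after the first "/", "?" or "#" is not the host
    h=${h##*@}        # drop userinfo
    h=${h%%:*}        # drop port
    h=${h%.}          # drop trailing root dot
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# controlling_domain HOST: print the last two labels of HOST, i.e. the
# domain whose owner decides what every name to the left of it resolves to.
# Assumption: single-label TLD (.com, .net, ...).
controlling_domain() {
    printf '%s\n' "$1" | awk -F. '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }'
}

# belongs_to URL DOMAIN: succeed only if URL's host is DOMAIN itself or a
# name ending in ".DOMAIN". A host that merely starts with DOMAIN fails.
belongs_to() {
    host=$(url_host "$1")
    case "$host" in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with the hostname from the post above and two constructed URLs.
for u in 'http://google.com.aliencollective.com/foo/bar' \
         'https://www.google.com/search' \
         'http://notgoogle.com/'; do
    if belongs_to "$u" google.com; then verdict="part of google.com"
    else verdict="NOT part of google.com"; fi
    printf '%s -> %s (%s)\n' "$u" "$(controlling_domain "$(url_host "$u")")" "$verdict"
done
```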
     
  22. surflordca macrumors 6502a

    surflordca

    Joined:
    Nov 16, 2007
    Location:
    Ontario, Canada
    #22
    Boy, it's amazing what users on the forum say about illegal software, but when it comes to movies, how many replies there are recommending "HandBrake" and "Mac The Ripper" :p
     
  23. jamesarm97 macrumors 65816

    Joined:
    Sep 29, 2006
    #23
    The whois on youtube is interesting. Here is the complete whois:

    YOUTUBE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
    YOUTUBE.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM
    YOUTUBE.COM.NOT.RESPECTED.BY.CALITEC.NET
    YOUTUBE.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
    YOUTUBE.COM.LOVES.HILPERS.COM
    YOUTUBE.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM
    YOUTUBE.COM
     
  24. r.j.s Moderator emeritus

    r.j.s

    Joined:
    Mar 7, 2007
    Location:
    Texas
    #24
    In most cases, people are using those apps to rip DVDs they own, so they can use them on their iPod. Big difference.
     
  25. 1ne macrumors regular

    Joined:
    Jun 16, 2009
    Location:
    Canada Oil Country
    #25
