2 Macs infected, Russian redirect, Google images

Discussion in 'all things UNIX' started by Blueshoes, Jan 14, 2011.

Thread Status:
Not open for further replies.
  1. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    I think two of my Macs are infected. I keep getting Russian redirects through Google image search. I have five Macs; the three other Macs don't seem to be infected.

    Outline of equipment.

    Gateway SOHO router has IPS/IDS paid deep packet inspection, and AV.
    Second UTM server in bridge mode is an Untangle Lite with Kaspersky and Clam gateway AV with all modules in use. http://www.untangle.com/Product-Overview
    All 5 Macs running Snow Leopard, fully updated and firewalls enabled.
    All 5 Macs have Firefox 3.6.13 with NoScript, AdBlocker, BetterPrivacy, and Ghostery.
    The 2 Macs that appear to be infected are my wife's and my daughter's, which use WebKit/Safari mostly.
    The 3 I run use Firefox with the above add-ons enabled almost exclusively.
    All run OpenDNS, and OpenDNS is specified in the router. (I test for Macs running OpenDNS monthly.)
    Apple updates get installed the same day they are released (always).
    Intego VirusBarrier X6 updated daily, with full scans twice a month, and ClamXav scans monthly; even though Clam has only a couple of Mac sigs, I still do it for PC viruses. Ran latest definitions on both. Clean.
    Ran Sophos when this happened and did it with best practices: disabling on-demand scanners when other AV is scanning, plus marking the AV files as Trusted. Ran latest definitions. Clean.
    Ran Rootkit Hunter 0.2 with updated sigs. Clean.



    Here is how I found my issue. We have 2 iMacs side by side, mine and my daughter's. My daughter Googled "difficult color by number printables" and she clicked on the "images" link to get all the images instead of the normal Google links page. She clicked on an image in a newly updated nightly build of WebKit and received the browser warning that going any farther will damage your computer, or something like that. I said cool, let me see if I get that in Firefox. It didn't, so I tried WebKit and still nothing. I tried loading the same image in Firefox on my daughter's Mac and it called out a malicious site just like WebKit. The redirects affect both browsers. The redirect would want to go to a XXXXXX.ru address. I would try some other images on the Google image page and her computer would get block pages from the browser. My computer would not; I loaded a clean, non-redirected page with no redirect on my computer. Same image, 2 different outcomes. Ran a newly imaged Fedora 14 on a machine that had never been on the net, and all is well with the Google image search.

    My wife's computer is running as Admin, to my disappointment. My daughter's is running in a Standard account, and the Admin account is clean and does not get redirected.

    Something is sending me to .ru. On my daughter's infected computer I am also getting redirected to a link page, "Rivasearchpage dot com". Both my daughter's and my wife's computers act the same, so I'm assuming they have the same infection. I just loaded Opera on my daughter's computer to see if a new browser would be redirected; it was, to a porn page that my OpenDNS filter blocked. It also is going to Rivasearch dot com on 30% of the images. On my clean computer next to it, I am getting all clean images on clean sites.

    Any ideas o_O?
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Have you tried with Firefox and NoScript enabled from the other two PCs?

    Seems more like NoScript blocked a malicious script that redirected the other browsers to the .ru site.

    Panagiotis
     
  3. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Yes, I tried every combined scenario and every one pointed to 2 infected Macs that love to redirect to Russia. With NoScript you see the xxxxxx.ru wanting to load if you hit the options button that calls out which server wants to load on your computer.
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Are you sure that on your PCs you don't see the xxx.ru blocked for the same images? I am getting the same redirect results here if SafeSearch is on moderate (change it to strict). The sites that host the images (those that I checked) are clean; Google's search cache seems poisoned or gets poisoned results from the hosting providers, e.g. http://blog.unmaskparasites.com/201...ervage-hosting-to-poison-google-image-search/

    Panagiotis
     
  5. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226

    Attached Files:

  6. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Both links that are different above get the browser warning on my daughter's Mac, and both links get the all-clear good site with my computer. What are you getting?
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I tried those links and both get redirected.

    Seems that maybe Ghostery? Adblock Plus? (or another plug-in) blocks the redirection on your Firefox.

    Panagiotis
     
  8. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    I disabled all my add-ons and both links are still clean for me. I am going to run a full system cache clean and other maintenance stuff right now on both computers. Should be back in 15 mins plus. What OS/browser are you running?
     
  9. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    Ran every conceivable cleaning script in Snow Leopard Cache Cleaner on the so-called clean and infected Macs and everything is still the same. My daughter's Mac is still getting redirected and mine is not.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OP,

    I am running Ubuntu here with the latest Chromium (and it's sandboxed with AppArmor). At any rate, I reproduced your problem as outlined:

    1) google search for "difficult color by number printables"

    2) Click on images

    3) Click on the image of the dude with the hat

    I am getting the same warning. No matter what image I click on, I am getting the same warning about the xxxx.ru website. However, if I do another random google search and click on images, I am not getting the redirect.

    Are you saying that no matter what google search you do that you are getting redirects? (I am not clear on that). But to be clear, I am getting redirects on that one google image page no matter what image I click, and I am positive my machine is not infected (my browser is sandboxed both by Chromium and by AppArmor. I also run from a user account). There must be some other issue here.
     
  11. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    OK, I fired up my Fedora 14 machine that I used for testing the same images yesterday, and that was a new image, so it was clean. I also get the warnings. So could the so-called clean running Mac have the issue?
     
  12. katio

    katio Guest

  13. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226

    Katio, I think you are on to something!! My Intego VirusBarrier on a couple of my Macs would call out Firefox-bin for suspicious behavior, and that went away past what my logs have saved, so I can't see the time frame of the warnings. I don't have time right now, but it will be the first place I look.

    Here is another thing to put into this mess. While 2 of the Macs get the Russian redirect even after deleting cookies, my other so-called clean Macs that don't get redirected or get the browser warning always go to the clean sites. More or less, the so-called clean Macs don't get the browser warning because they don't get "fed" malware-infected sites. Whereas clearly in the background you can see you have been sent to the redirected or bad site by the grayed-out background screen on the so-called infected Macs. I will have to read more on your links and do a clean profile switch on all the Macs to take that out of the equation. Thanks again!


    ADDED NOTE after posting this,

    Then what about Safari/WebKit? Clean surfing on the clean Macs and browser warnings on the so-called infected Macs. I think there could be more to this o_O? CRAP
     
  14. katio

    katio Guest

  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  16. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
    I will try that, even though I think all these Mac AVers are not up to speed like PC AV. I think it is something obscure that is not life-threatening and they could care less.
     
    Last edited: Jan 15, 2011
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I highly doubt this is a security issue.
     
  18. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    I tried both links and they do redirect; it's a server problem.

    They are redirected to ayjfblduzs.ru

    where

    Website for this image:

    american-home-cleaning.com (even that site name looks funny to me)

    Not your PC, but what it looks like to me is the server might be compromised :D

    If you have even the WOT toolbox addon, even it blocks the site in the background, so no need to worry.
     
  19. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    It's a server issue.
    If I block referrers it lets me into the site OK without a redirect to the Russian site.
    Not had a chance to look further, train to catch.
     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Server serves up a 302 redirect to the Russian site.
     
  21. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226
  22. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    BTW, since you are a VirusBarrier user you might want to take a look at
    this: http://mac.softpedia.com/get/Antivirus/VirusBarrier-Express.shtml

    It's a new (FREE) on-demand AV scanner from Intego named VirusBarrier Express.

    IMO, why Intego chose to release a FREE AV scanner right now is ALL due to the free antivirus for Mac that Sophos released a while ago.
     
  23. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    This is a server issue.
    No one's machine is infected.

    If the server detects a referrer (not sure if it's specific to Google) in the header you send to request the page in your browser, it redirects to the Russian site.

    If there is no referrer, the server lets you into the site.

    Referrers are being blocked on one machine (privacy setting/tool/addon, at a guess).

    The server looks like it has been compromised.
    If you visit http://american-home-cleaning.com/index.php and view source, you will see someone has written in a load of spam links.

    I shall contact the host and inform them.

    Cheers, Nick
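    The referrer-conditional 302 described in the post above is easy to reproduce and to check for without touching the real site. The script below is an added example, not code from the thread or from any of the products mentioned: it runs a tiny local HTTP server that emulates a compromised host (200 for a direct request, 302 to a constructed, fictitious .ru host when the Referer looks like a search engine), then probes it twice, once with no Referer and once with a Google-style Referer, without following redirects, and classifies the pair of responses. The hostnames, paths and the referrer marker list are assumptions for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed redirect target for the demo (assumption; not the real .ru host
# seen in the thread).
EVIL_LOCATION = "http://xxxxxx.example.ru/landing"

# Referer hosts the emulated compromised server treats as "search traffic".
SEARCH_REFERER_MARKERS = ("google.", "bing.", "yahoo.")

REDIRECT_CODES = (301, 302, 303, 307, 308)


class CompromisedHostHandler(BaseHTTPRequestHandler):
    """Emulates the behaviour reported in the thread: a 302 to a .ru host
    only when the request carries a search-engine Referer; otherwise the
    normal page is served, so the site owner and direct visitors see nothing."""

    def do_GET(self):
        referer_host = urlparse(self.headers.get("Referer", "")).netloc.lower()
        if any(marker in referer_host for marker in SEARCH_REFERER_MARKERS):
            self.send_response(302)
            self.send_header("Location", EVIL_LOCATION)
            self.end_headers()
            return
        body = b"<html><body>clean page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch_no_follow(host, port, path, referer=None):
    """One GET that does NOT follow redirects. Returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"User-Agent": "referer-probe/1.0"}
    if referer:
        headers["Referer"] = referer
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def probe(host, port, path, search_referer="https://www.google.com/imgres?q=test"):
    """Request the same URL with and without a search-engine Referer."""
    return {
        "direct": fetch_no_follow(host, port, path),
        "via_search": fetch_no_follow(host, port, path, referer=search_referer),
    }


def classify(result):
    """Name the pattern: a clean direct response plus a redirect for search
    traffic is the signature of a referrer-cloaked compromised server."""
    direct_status, _ = result["direct"]
    search_status, search_location = result["via_search"]
    if direct_status == 200 and search_status in REDIRECT_CODES and search_location:
        return "referer-conditional redirect to " + urlparse(search_location).netloc
    if direct_status == search_status:
        return "same response regardless of referer"
    return "inconsistent responses (inspect manually)"


def run_demo():
    """Start the emulated host on an ephemeral port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), CompromisedHostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        result = probe("127.0.0.1", port, "/index.php")
        return classify(result), result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    verdict, detail = run_demo()
    print(detail)
    print(verdict)
```

    Against a real host the same two-request comparison can be done from a shell with curl, once with `-e 'https://www.google.com/'` and once without, using `-o /dev/null -D -` so only the status line and headers (including any Location) are shown and the redirect is not followed. A redirect that appears only in the referrered request, to a host unrelated to the site, is exactly the server-side cloaking this thread ended up diagnosing, and it explains why a machine whose browser strips the Referer header saw a clean page while its neighbour was redirected.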
     
  24. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Hosted by godaddy. Reported to them.
     
  25. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    It is 100% sure a site problem (american-home-cleaning.com), that's all. If you scan that site on Norton Safe Search

    https://safeweb.norton.com

    you see the results.
     
    Last edited: Jan 19, 2011