August 02, 2008

I Got a Mac OS X Trojan and Infected CenterNetworks. Oops.

As a sometimes smug Mac user for the overwhelming majority of my computer-using life, virus warnings, anti-virus software and security updates were always something "those other guys" had to deal with. Using my Mac, I would even have colleagues send me attachments from their Windows machines which they thought were viruses, so I could open them up in a text editor and see what mischief they had intended to cause. But today, I realized my laptop had somehow acquired a rare trojan that does hit Mac OS X, and the results of the bugger were actually more harmful for Allen Stern of CenterNetworks than they were for me. Oops.

This morning, Allen Stern presented a new video following a press conference he held that discussed his take on the "firing" of my son Matthew, who had secured a short-lived position in CenterNetworks' San Francisco bureau. As usual, Stern's tongue-in-cheek humor and deadpan delivery were very good. The conclusion reached by his video was that Matthew would be compensated out of court with the delivery of an "I love New York" t-shirt, and I quickly commented on his site that we agreed to the settlement.

But amusingly, having posted my comment, I noticed that virtually all of the ads on Allen's site were for pills that solved erectile dysfunction, and all the banners were rotating images of Viagra, Cialis and Levitra, which made no sense on Allen's tech blog, and had absolutely zero to do with his story on my kid. So, I made screenshots, and jokingly sent a note to FriendFeed, saying, "I Just Hope the Money from these Ads Keeps CN 'Up'."


CenterNetworks' Ads Were All In Pill Form for Me

Allen, looking at the pictures and then back at his site, thought I was joking. But I wasn't. When he realized I was serious, this set off a flurry of calls by him to his advertising partners, swapping out of ads, and testing both on his side and mine, as we tried to figure out... was it him, or was it me?

Turns out it was all me, and separated by 3,000 miles, I was causing Allen's blood pressure to rise for no good reason. It turned out that at some point, recently, some file I downloaded hijacked my DNS settings on my MacBook Pro, and selectively overlaid his banner ads from Tribal Fusion, on both CenterNetworks and HTMLCenter, with these stupid Viagra ads. Meanwhile, my wife's laptop was fine, showing normal ads, while I was viewing the world through an odd filter.

So, I did some searching on the Web and found I had likely run into one of the few pieces of known Mac OS X malware out there, a Trojan, which disguised itself as a clean file. So, I decided to finally get some real anti-virus software to take a look at it, and found a solution from Intego called Virus Barrier, which looked a lot more Mac-friendly than the dreck the Symantec guys offer. Sure enough, after paying to buy their software, installing, and rebooting, the offending file was found, masquerading as a QuickTime extension. The Intego software let me delete it, and all of a sudden, all was well. Allen's site now shows normal ads, and he doesn't carry the mark of a dope dealer.


Intego Virus Barrier Going Through My Files



Aha! A trojan has been located and destroyed!

Of course, this now raises the question... how did I get this on my machine? Some of the stories I read said the trojan could have been hiding in the form of a fake card game application, and others, as a tool that lets you watch adult videos. So... neither one of those makes sense. But despite that mystery, the good news is that I think it's all resolved. I have a product that will protect my Mac in the future if anything like this happens again, and I still know Allen Stern is on the up and up - a great blogger with a good sense of humor and values as well. It's just disappointing my stupid error somewhere dragged him through the mud through my "learning process".