There's no such thing as a free lunch is as true today as when it was first written in the 1930s, as well as it's likely origin in the once common practice of saloons in America offering a "free" lunch to any patron who purchased at least one drink.

Today, you can take that adage and attach it to a number of scenarios in technology.  There's no such thing as free email. There's no such thing as free software. And the one we're talking about now - There's no such thing as free wifi.

We'll skip the obvious part about how you paid for the hotel room with "free" or complimentary wifi, or the Starbucks you purchased to sit and enjoy as you use their "free" wifi, or the "free" wifi now available when you walk through any number of retail stores like Target. Instead we're going to talk about something many people consider much more insidious - Adware injected into webpages on "free" wifi networks.

In 2012 Justin Watt was staying at a Courtyard Marriott in New York. Justin happens to be a web developer and as such is a bit more savvy about what he's seeing on the screen than your average web surfer. When Justin went to use the "free" wifi to access his blog he noticed a colored bar at the top of his page that shouldn't be there. His curiosity was peaked and he viewed the source code for part of the site and, "Sure enough I saw some unfamiliar CSS (including the prefix rxg) and JavaScript that had been injected after the <head> tag." Justin goes on to say in his blog, "And I found some unfamiliar JavaScript after the <body> tag."

Justin was immediately concerned his site had been hacked and began digging through his core files. Everywhere he checked his site was intact and unharmed. After much testing and eliminating possibilities Justin determined, "somewhere between the Internet and my computer, someone is injecting JavaScript into EVERY SINGLE PAGE I LOAD."

Justin did not see this as the final answer rather the next place to look. Using a utility that unpacks packed Java he was able to determine that the primary purpose of this JavaScript injection was ad injection / ad takeover, in other words forcing unwanted ads upon the unsuspecting "free" wifi user.

The next question, at least for anyone techy inclined, was had the hotel's wifi been hacked or was their something more malicious at work?  Could the hotel's ISP be involved?  Had the hotel itself brought in this technology to influence guests? Justin was also concerned about who could be notified, who would care about this invasion?

Computer companies spend a great deal of time removing Adware from computers and as a result users spend a great deal of money paying to have Adware, Malware, Viruses and Ransomware removed from their computers. But this is the cost of being online; the Internet is crawling with things we don't want on our computer and we'd like to believe that when using "free" wifi the company providing it has our best interests at heart and has put security in place to keep our systems safe.  Sadly that's not always the case.

Back to that odd prefix tag "rxg", this is how Justin was able to get to the bottom of the injected JavaScript with the help of one of his blog readers.  It turned out that "rxg" was short for Revenue eXtraction Gateway, made by a Nevada company RG Nets.

From RG Nets site, "...the rXg is the perfect platform for clear communication, authoritative control and complete cognizance over your RGN end-user population."  If that doesn't make you weary of ever using "free" wifi again I don't know what will.  RG Nets site goes on to say, "...profitable IP RGNs extract revenue from the end-user community through a combination of direct and indirect mechanisms."

A demo video is available on RG Nets site. A portion of the video transcript, "As you can see the pervasive nature of the advertising banner on all webpages guarantees banner advertising impressions. The RGNets rXg HTML payload rewriting feature is a tremendously powerful tool, with a broad spectrum of applications for Internet marketing programs."  YIKES!

For anyone traveling through Atlanta's International Airport they are listed as an RG Net rXg success story, so be wary of what you see on our screen with that "free" wifi.  A local Nevada success story is the Peppermill Hotel & Casino where the rXg is "...used to advertise resort amenities, restaurants, gaming specials and events." At the Peppermill the rXg is also used to charge for different levels of access including, casino patron, convention attendee or exhibitor, and overnight guess access.

While the Marriott came out shortly after Justin posted his blog and said, "...this functionality has now been disabled." this article does not appear to have harmed RG Nets, although it appears to purchase an rXg you must now contact them directly through a contact page on their website.

Screenshots from an RG Nets online brochure.

On the heels of the ShellShock aka Bash disclosure that Mac OS X is included in the list of vulnerable operating systems comes word that hackers are using Reddit to connect Macs to a Botnet.

First let's start with what is a Botnet?  A botnet is a collection of programs interconnected via the Internet communicating with other similar programs in order to perform tasks. When the program is installed on numerous computers, those programs depend on instructions from the command and control server they are connected to for information on tasks to be performed. They can be connected together by the command and control server to create a spam bot, where machines are brought together to send unwanted or malicious emails, or another example would be when a botnet is used in a DDoS (distributed denial of service) attack often against a government body or corporation.

Cyber criminals have developed a malware, dubbed Mac.BackDoor.iWorm, using C++ and Lua to open a backdoor into Mac OS X machines. When the malware is launched it saves it's configuration in a separate file and attempts to read the /Library directory, then uses system queries to determine the home directory of the Mac OS X account under which it is running, it then writes the data needed for it to continue to operate into this file.  Next Mac.BackDoor.iWorm opens a port on the computer, sends a request to a remote site for a list of control servers, connects to the remote servers and then waits for instructions.

Reddit comes in to play as Mac.BackDoor.iWorm is using the search service at reddit.com to return results listing botnet C&C servers and ports published by the cyber criminals in the comments posted to minecraftserverlists under an account vtnhiaovyd. The malware, now a bot, picks a random server from the list to connect to. When the bot successfully connects to the server, it sends information about the open port on the machine it's infected as well as a unique ID for that machine that was created as a part of the configuration when it installed.

Now that machine waits for instructions from the Command and Control Server. As of the latest reports there is no evidence that these bots have received any instructions. Information obtained by Doctor's Web researches showed 17,658 computers had been infected by the malware and were part of the botnet as of September 26, 2014; a week later there are no available statistics for additional infected Macs. Of those infected over a quarter are in the US.

For anyone who continues to believe that Macs are safe and unaffected by viruses and malware, let this week be a wake up call.  Previously Macs have been a less frequent target not due to their security, but due to their smaller market share.  The more Macs on the market the more cyber criminals will be targeting them.