[WEB4LIB] Browser Hijackings

Helfrich, Gair GHelfrich at acmail.aclink.org
Thu Jun 21 13:14:37 EDT 2001


Andrew,

We experienced problems with http://www.bigred.com/ a couple months ago. It
seemed to hit us branch by branch (we have 9) and behaved as you described.
One or two branches a day seemed to be affected, but not all of them at one
time. 

We use IE 5.5 in the library. If a user entered a bad domain we most
frequently ended up at bigred.  Occasionally we would get a bad domain name
message, but most often we were diverted to bigred.  On the surface it
appears like an innocuous directory of websites; however, one of our patrons
found that putting the word "porn" in their search field brought up lots of
"lovely" sites. 

Thinking it was spyware, I did a thorough search on it and found virtually
nothing about it. This site generated more phone calls than I care to think
about, but it disappeared as suddenly as it appeared, and the phone calls
stopped. We haven't seen it for a month or 6 weeks or so...or maybe the
branches have just stopped calling me.  But, that's probably not the case,
as it had appeared on my machine as well and I haven't seen it for some
time.

Hope this helps,
Gair Helfrich

__________
Gair Helfrich
PC/Network Support
Atlantic County Library
40 Farragut Avenue
Mays Landing, NJ 08330
609-625-2776 ext. 6313  Fax: 609-625-8143

-----Original Message-----
From: Andrew Mutch [mailto:amutch at waterford.lib.mi.us]
Sent: Thursday, June 21, 2001 9:23 AM
To: Multiple recipients of list
Subject: [WEB4LIB] Browser Hijackings


Just in the past day or two, I've had a rash of staff and public
browsers that appear to have been victims of browser hijacking.  When a
user tries to browse to an invalid domain, they are redirected to this
site:

http://www.bigred.com/

I've found that visiting sites related to this one will prompt, in IE,
for you to reset your home page, which seems to be part of the process.
However, even after changing the home page back to your original home
page, "bad" domains will continue to redirect you to the "bigred" site.
I've checked for the usual suspects such as proxy settings changed in
Internet Explorer but I didn't find anything there.  I suspect there may
be some "spyware" that is being downloaded and is causing this strange
browser behavior but I haven't been able to pin it down to one
particular site or "spyware" company.  I did some searching last night
but didn't encounter anything related to "bigred".

Has anyone else encountered this behavior or had problems relating to
this particular site?  I will be doing more scanning with the Ad-Aware
freeware to see if I can detect any "spyware" on our machines but any
other leads would be appreciated!

Thank you,

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI

