Browser Hijacking: Follow-Up

Andrew Mutch amutch at waterford.lib.mi.us
Thu Jun 21 18:23:54 EDT 2001


I spent quite a bit of time today investigating the apparent "hijacking"
of our browsers, and what I discovered was in some ways not as bad as
I thought and in some ways worse than I expected.  I'm posting this
so that anyone else who encounters this (and we are not the only library
that has run into this problem) will know where to start looking.  Also,
I'm hoping that someone who has a better handle on the inner workings of
the Internet might shed some light on the mystery part of what we
encountered.

After much investigation on the workstation side, I was able to rule out
the possibility that the browsers had been compromised.  I searched out
spyware, registry changes, proxy settings, etc., all without finding
anything that indicated that these were the cause of the problem.  I
next started tracking down the domains that were redirecting to the
"www.bigred.com" site.  These domain names were misspellings and
"nonsense" names that didn't seem to have any connection to each other.
When I PINGed each of these domains, I found that they all resolved to
the same IP address:

64.78.44.127

However, when I checked these domain names using WHOIS, I discovered
that the domains are listed as available.  At that point, it was clear
that something was wrong with DNS at some point in the process.

The first thing that I wanted to see was where in the process DNS was
being "hacked".  I was able to telnet into our library cooperative's
server and use Lynx to try to browse these domain names.  I was unable
to access any of the domains that had resolved to "bigred.com" locally.
I now knew that something was messed up in our local DNS records but
that the problem didn't extend to our "parent" DNS servers at the
cooperative.  Our network administrator then checked our local DNS
servers and found that the domains were appearing in our DNS cache.
This is where things become fuzzy.  Is it possible that someone had
hacked into our DNS servers and added the entries to the cache?  Or is
it possible that someone was intercepting the attempts to resolve the
DNS so that they were appearing as a root or a top-level domain name
server and sending back the "64.78.44.127" address?  What was even
stranger is that the behavior stopped just as we were getting a track on
what was going on.  The problem has gone away but the mystery remains.

We weren't done with our sleuthing and we decided to see what was going
on with the relationship between the "64.78.44.127" address and
"www.bigred.com". What we discovered was this:

If you browse to this address, "64.78.44.127", a frameset is spawned:
one frame contains the "www.bigred.com" site, and the other frame
opens to this site:

http://startpage.ms/error.php

This second page contains code for an IE-specific function that
generates an alert box that calls this page:

http://startpage.ms/yeeha.php

which contains the Javascript code that will set this page:

http://\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Hit Enter or Return to
Continue\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~@startpage.ms/

as your home page.  All this new "home page" contains is this:

<META http-equiv="refresh"
content="0;URL=http://www.bigred.com/index.php?ref=roberts">

As you can see, there is a constant attempt to drive traffic to the
"www.bigred.com" domain.  Most every time that our staff or patrons
entered an "unknown" domain, they were hit with this frameset that
prompted them to reset their home page.  Either way, another hit was
generated on the "www.bigred.com" site.  If you check these various
domains and addresses, there doesn't seem to be a common connection
between the various parties but clearly something wrong is going on
here.

I'm hoping that someone out there can make some sense of all this and
let us know whether this is something we need to investigate further
locally or more of a heads-up to the library community about the
deceptive practices of some web site operators.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI
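
The two checks that the DNS investigation above comes down to (names the
local server answers but the parent resolver does not know, and many
unrelated names all pointing at one address), as an added example that is
not code from the original post or its author.  The resolver snapshots are
constructed sample data: www.bigred.com and 64.78.44.127 come from the post,
while the misspelled/nonsense names and the library's own address
(198.51.100.20, a documentation range) are made up for illustration.

```python
"""Added example, not code from the original post or its author.

Takes two name->address maps, one per resolver, and flags the hijack
signature the post describes.  The sample data below is CONSTRUCTED.
"""

import socket
from collections import defaultdict

NXDOMAIN = None  # a resolver that does not know the name returns no address

# Constructed: what the library's local (cached) DNS server answered.
LOCAL_CACHE = {
    "www.bigred.com": "64.78.44.127",
    "wwww.yaho.com": "64.78.44.127",       # hypothetical misspelling
    "libraryy.org": "64.78.44.127",        # hypothetical misspelling
    "asdfqwer.net": "64.78.44.127",        # hypothetical nonsense name
    "www.waterford.lib.mi.us": "198.51.100.20",  # hypothetical address
}

# Constructed: what the cooperative's parent resolver answered for the same names.
PARENT_RESOLVER = {
    "www.bigred.com": "64.78.44.127",
    "wwww.yaho.com": NXDOMAIN,
    "libraryy.org": NXDOMAIN,
    "asdfqwer.net": NXDOMAIN,
    "www.waterford.lib.mi.us": "198.51.100.20",
}


def resolve_all(names, lookup=socket.gethostbyname):
    """Build a name->address map with a live resolver (not used by the offline
    sample data above).  Pass a `lookup` bound to a specific server if you
    want to compare two resolvers; a lookup failure is recorded as NXDOMAIN."""
    answers = {}
    for name in names:
        try:
            answers[name] = lookup(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            answers[name] = NXDOMAIN
    return answers


def suspicious_names(local, parent):
    """Names the local server resolves but the parent does not know.

    A legitimately cached record must also be resolvable upstream; an answer
    that exists only locally was either injected into the cache or came
    from a spoofed upstream reply."""
    return sorted(
        name for name, addr in local.items()
        if addr is not NXDOMAIN and parent.get(name) is NXDOMAIN
    )


def group_by_address(local, names):
    """Group names by the address the local server returned for them."""
    groups = defaultdict(list)
    for name in names:
        groups[local[name]].append(name)
    return {addr: sorted(group) for addr, group in groups.items()}


def hijack_report(local, parent, min_names=3):
    """Addresses that at least `min_names` parent-unknown names share.

    One address behind many unrelated, unregistered names is the signature
    the post describes; the threshold keeps a single stale cache record
    from being reported as a hijack."""
    groups = group_by_address(local, suspicious_names(local, parent))
    return {addr: names for addr, names in groups.items() if len(names) >= min_names}


if __name__ == "__main__":
    for addr, names in hijack_report(LOCAL_CACHE, PARENT_RESOLVER).items():
        print(f"{addr} answers for {len(names)} names the parent does not know:")
        for name in names:
            print("   ", name)
```

To run this against real servers, build the two maps with `resolve_all`
from each vantage point (the local workstation and a shell on the parent
resolver's network, as the post did with telnet and Lynx) and feed them to
`hijack_report`; a WHOIS check that the flagged names are unregistered
closes the loop.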

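The home-page URL quoted above, as an added example (not code from the post
or from startpage.ms) of why it works: everything between "//" and the last
"@" is the URL's userinfo (the "user:password@" part of RFC 1738), which a
browser never uses as the host name but which older IE versions displayed in
the address bar.  The string is reconstructed from the post; the exact counts
of "~" and newlines are approximations of what the post shows.

```python
"""Added example, not code from the original post or from the sites it names.

Shows that http://<padding>@startpage.ms/ is a request to startpage.ms and
that the visible text is only decoy userinfo.  HOME_PAGE_URL is reconstructed
from the post; the padding counts are approximate.
"""

from urllib.parse import urlsplit

HOME_PAGE_URL = (
    "http://"
    + "~" * 60 + "\n" * 16
    + "Hit Enter or Return to\nContinue"
    + "\n" * 16 + "~" * 44
    + "@startpage.ms/"
)


def strip_url_whitespace(url):
    """Remove CR, LF and TAB anywhere in the URL, as the WHATWG URL parser
    (and browsers) do; the newlines in the decoy only push the real host
    out of view in the address bar."""
    return "".join(ch for ch in url if ch not in "\r\n\t")


def authority(url):
    """The authority component by hand: after '//' up to the first '/', '?' or '#'."""
    _, sep, rest = strip_url_whitespace(url).partition("//")
    if not sep:
        return ""
    end = len(rest)
    for stop in "/?#":
        pos = rest.find(stop)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def real_host(url):
    """The host a browser actually connects to: the part of the authority
    after the LAST '@' (a decoy may itself contain '@'), before any ':port'.
    IPv6 bracket syntax is not handled; it is irrelevant to this trick."""
    host_port = authority(url).rpartition("@")[2]
    return host_port.split(":")[0].lower()


def decoy_text(url):
    """The userinfo the victim was shown instead of the host, or None."""
    user, sep, _ = authority(url).rpartition("@")
    return user if sep else None


def is_userinfo_decoy(url, max_login_len=32):
    """Heuristic: userinfo present and far longer than any real login name."""
    user = decoy_text(url)
    return user is not None and len(user) > max_login_len


def stdlib_host(url):
    """Cross-check with the standard library parser, which applies the same rule."""
    return urlsplit(strip_url_whitespace(url)).hostname


if __name__ == "__main__":
    print("real host:", real_host(HOME_PAGE_URL))
    print("shown to the user:", repr(decoy_text(HOME_PAGE_URL)[:40]), "...")
    print("decoy?", is_userinfo_decoy(HOME_PAGE_URL))
```

The same rule explains the "yeeha.php" page's trick in general: any link of
the form http://trusted-looking-text@real-host/ goes to real-host, so a
quick defensive check on a suspicious URL is to look for an "@" in its
authority and read only what follows it.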

On Thu, 21 Jun 2001, Andrew Mutch wrote:

> Just in the past day or two, I've had a rash of staff and public
> browsers that appear to have been victims of browser hijacking.  When a
> user tries to browse to an invalid domain, they are redirected to this
> site:
>
> http://www.bigred.com/
>
> I've found that visiting sites related to this one will prompt, in IE,
> for you to reset your home page, which seems to be part of the process.
> However, even after changing the home page back to your original home
> page, "bad" domains will continue to redirect you to the "bigred" site.
> I've checked for the usual suspects such as proxy settings changed in
> Internet Explorer but I didn't find anything there.  I suspect there may
> be some "spyware" that is being downloaded and is causing this strange
> browser behavior but I haven't been able to pin it down to one
> particular site or "spyware" company.  I did some searching last night
> but didn't encounter anything related to "bigred".
>
> Has anyone else encountered this behavior or had problems relating to
> this particular site?  I will be doing more scanning with the Ad-Aware
> freeware to see if I can detect any "spyware" on our machines but any
> other leads would be appreciated!
>
> Thank you,
>
> Andrew Mutch
> Library Systems Technician
> Waterford Township Public Library
> Waterford, MI
>
