Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hijacked Internet Explorer

from [jayjwa] Network Security [Permanent Link]
Subject: Re: Hijacked Internet Explorer
Date: Tue, 3 Jan 2006 21:08:59 -0500 

On Tue, 3 Jan 2006, Chris Barber wrote:

-> 
-> I have a user on a home network that has an oddity I have not seen
-> before while using search engines.  On the PC we have tried Yahoo,
-> Google, MSN, Lycos, not sure but we may have done a few other, but the
-> actions are all the same.  We enter a search item, say ACE, and the
-> results come back of course ACE Hardware is in the list.  When I mouse
-> over the link the URL displayed IE Status indicates the correct URL
-> for ACE Hardware.  Now when I or he clicks on the link we go to some
-> other ads page, we click back and click the link a second time and get
-> sent to a second ad site. After clicking back a second time and then
-> clicking the link for the third time we get to the ACE Hardware site.
-> One note on this is that the URL we are directed to is not the same as
-> the link so I know it is not a DNS Hijack, but more of a redirect

-> 
-> At this point I am thinking it may be some form of Browser Helper
-> Object or some registry hack, but I am out of ideas to further
-> investigate, clean and protect against this in the future.

I'm guessing registry. I've seen these setup to send the person various 
places, my father's WinXp was set to redirect thru some server 
who-knows-where, and had an attempted "search site" link. I say "attempted" 
because it looks like the adware/spyware was buggy, or didn't fully install, 
as it ended up with junk in some of the MSIE registry keys that showed up in 
the little URL box on top of the browser. There are many keys in the registry 
which dictate how MSIE will operate, more so than probably most people know. I 
was surprised the first time I saw it. I don't remember exactly which hive 
they are under, as I don't have a W32 machine here, but they aren't 
differicult to find. One thing I used to do religiously when I ran Windows was 
back up my registry often, at various points. I switched my father to Firefox 
and that was the end of his weird URL behaviours. Running MSIE is like 
painting a big, red bull's eye right on your (insert appropriate body part 
here).

It could have come thru various scripts, there are so many that can man-handle 
IE. Even if one is aware of them and turns them off or disables them, sooner 
or later they always seem to get re-enabled by something, and end up inviting 
the bad guys in. ActiveX, Java, VBS, and Javascript, applets, CPL's, OCX's and 
more. I shudder to think. 


jayjwa
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Hijacked Internet Explorer, Chris Barber
Next by Date:  Re: Hijacked Internet Explorer, joris744
Previous by Thread:  Hijacked Internet Explorer, Chris Barber
Next by Thread:  Re: Hijacked Internet Explorer, francois
Indexes:  [Date] [Thread] [Top] [All Lists]