browser hijack, page reloads

Ask for help about NoScript, no registration needed to post
Sadsaque1

browser hijack, page reloads

Post by Sadsaque1 » Fri Nov 19, 2010 5:36 am

A request: I would love better reload control.

Don't know how this is done, but I would think with scripts -
Just click a few results on the first page:
http://www.google.com/search?q=zombie+ascii+emoticon
Such as:
vendittos.com/borrow-ascii-art-line-breaks
ashq-e-zainab.co.uk/cookin-ascii-art-creator
e-glesia.org/clicker-sample-ascii-resume-for-cna

I would have thought this is just the kind of thing I use NS for ~
[Don't bother flaming me - chances are 1 in 1B that I'll ever look back here.]
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: browser hijack, page reloads

Post by Alan Baxter » Fri Nov 19, 2010 6:01 am

Sadsaque1 wrote: A request: I would love better reload control.

There are some other extensions which control that.

Don't know how this is done, but I would think with scripts -
Just click a few results on the first page:
http://www.google.com/search?q=zombie+ascii+emoticon

Nasty search string! Yup, all three of those are redirects to rogue AV malware. NoScript protects you by blocking the JavaScript on the rogue site.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: browser hijack, page reloads

Post by therube » Fri Nov 19, 2010 6:20 am

Few possibilities.
Server side exploit. Quite common.
Exploit running on server checks referrer & if referrer == google.com | yahoo.com | ..., then redirect to malware_page.
Hacked web pages. Quite common.
Combination of both.

If you look at http://vendittos.com/ , it looks like & is a totally legit web site.
But, & unbeknownst to its owner, it has been hacked; http://vendittos.com/borrow-ascii-art-line-breaks/ .
The page at /borrow-ascii-art-line-breaks/ is something a hacker put on to the site.
Additionally, at times, even before the page would load, you are being redirected to malware.

You could use something like livehttpheaders to get a better understanding of what is going on (what is actually loading & from where).

Again, how you open the page can make a difference.
Typing http://vendittos.com/borrow-ascii-art-line-breaks/ into the URL bar will load the legit site vendittos.com, further loading the /borrow-ascii-art-line-breaks/ page. Happens to be that that page was put there by a hacker.
If you open http://vendittos.com/borrow-ascii-art-line-breaks/ from a google search, you are redirected to malware.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:2.0b8pre) Gecko/20101110 Firefox/4.0b8pre SeaMonkey/2.1b2pre

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: browser hijack, page reloads

Post by Alan Baxter » Fri Nov 19, 2010 6:37 am

The payload isn't recognized by many AVs yet. Got a VirusTotal score of only 3/42. I've reported the payload to Avast.

Is there an easy way to report these malware links to Google?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: browser hijack, page reloads

Post by Alan Baxter » Fri Nov 19, 2010 7:13 am

Alan Baxter wrote: The payload isn't recognized by many AVs yet. Got a VirusTotal score of only 3/42. I've reported the payload to Avast.

Is there an easy way to report these malware links to Google?

I reported a few of them with this page, but there are just too many of them. Google should be automatically checking them for redirects to malware sites, but apparently Google doesn't.
http://www.google.com/support/websearch ... ng_malware
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Guest

Re: browser hijack, page reloads

Post by Guest » Fri Nov 19, 2010 7:32 am

Alan Baxter wrote: The payload isn't recognized by many AVs yet. Got a VirusTotal score of only 3/42. I've reported the payload to Avast.

Is there an easy way to report these malware links to Google?

Just out of curiosity which three recognized it? Also are these some of the better known rogue AVs like Anti virus 2009?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

therube
Ambassador
Posts: 7528
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: browser hijack, page reloads

Post by therube » Fri Nov 19, 2010 3:01 pm

It's not a google issue per se.
All they have done is what they do - they've cataloged the net.

BAD found a place (places) where he could lay his hacked pages, complete with lots of "keywords" (or whatever you call that stuff).
Google catalogs the page.
Because the page has all these purposely defined keywords, it gets a high ranking.
User goes searching, looking for 'ascii art', & types that into Google.
Google has cataloged pages containing "ascii art".
BAD has created a "bad" page that is nothing more than a way to get a high ranking from Google.
BAD has also hacked the web site server (the hosting company) of the page where he has placed his "bad" page, that Google has found & cataloged.

Ordinarily, if a user went directly to vendittos.com, all appears fine, & is, generally. Mr. Vendittos has no link to nor knowledge of his "ascii art" page. He did not put it there, does not know it exists. Some hacker did. Ordinarily no user would happen upon that bad page. There is no link to it from any of Mr. Vendittos' other pages. It was put there by a hacker. The only reason it is to be found is because Google cataloged it.

(Mr. Vendittos' web site is a "good" site, he & it are "trusted". Hey, let's put him into our "whitelist"!)

And with that, BAD, who has also hacked the server (the web hosting company), has a bit of control. The server, the web hosting company, gets a request to load a client's page. What the hack did was to redirect that request to MALWARE - but only when referrer == Google (or likely any number of other search engines).

If BAD directly affected Mr. Vendittos, it would quickly be discovered. Hey, Mr. Vendittos, I went to go to your website, but instead I ended up in lala land. What's up!? Only the server was hacked. Mr. Vendittos is blind to the fact that the server was hacked & blind to the fact that a rogue page was placed on his "domain". The server (hosting) company is either ignorant, or careless, or could care less. Only if made aware, or if enough of their clients realize & complain, will they take action (& assuming they know what to do to fix their problem).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.15) Gecko/20101027 SeaMonkey/2.0.10
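One way a hoster or site owner could spot the referrer-conditional redirect therube describes in his two posts (a path that answers 200 to direct visits but 30x only when the Referer is a search engine) from their own access logs. This is an added example, not code from the thread or from NoScript; the log lines are constructed, and the search-engine host list and "combined" log format are assumptions.

```python
"""Flag paths that redirect only for search-engine referrals in Apache/nginx
'combined' access logs: the signature of the hack described in the thread."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_ENGINES = ("google.", "yahoo.", "bing.")  # assumed list

def is_search_referer(referer):
    """True when the Referer host looks like a search engine; '-' means none."""
    if referer in ("", "-"):
        return False
    host = re.sub(r"^https?://", "", referer).split("/")[0].lower()
    return any(s in host for s in SEARCH_ENGINES)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_cloaked_paths(lines):
    """Return {path: (direct statuses, search-referred statuses)} for paths that
    serve content directly but redirect visitors arriving from a search engine.
    Paths that redirect everyone (a legitimate redirect) are not flagged."""
    stats = defaultdict(lambda: {"direct": set(), "search": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        bucket = "search" if is_search_referer(rec["referer"]) else "direct"
        stats[rec["path"]][bucket].add(int(rec["status"]))
    suspicious = {}
    for path, s in stats.items():
        search_redirects = {c for c in s["search"] if 300 <= c < 400}
        direct_ok = s["direct"] and all(c < 300 for c in s["direct"])
        if search_redirects and direct_ok:
            suspicious[path] = (sorted(s["direct"]), sorted(s["search"]))
    return suspicious

# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2010:05:30:01 -0500] "GET /borrow-ascii-art-line-breaks/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Nov/2010:05:31:12 -0500] "GET /borrow-ascii-art-line-breaks/ HTTP/1.1" 302 0 "http://www.google.com/search?q=zombie+ascii+emoticon" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2010:05:32:40 -0500] "GET /index.html HTTP/1.1" 200 4512 "http://www.google.com/search?q=vendittos" "Mozilla/5.0"',
    '203.0.113.8 - - [19/Nov/2010:05:33:02 -0500] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, (direct, search) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"{path}: direct={direct} search-referred={search}")
```

Run against a real log, this only sees what the server itself answered; a redirect injected by a hacked page's JavaScript would not show up here, which is where a header sniffer like livehttpheaders or NoScript's blocking comes in.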

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: browser hijack, page reloads

Post by Alan Baxter » Fri Nov 19, 2010 3:03 pm

Guest wrote: Just out of curiosity which three recognized it? Also are these some of the better known rogue AVs like Anti virus 2009?

Yes, this is one of the classics. I've seen it many times before. I don't know its name. VT score up to 6/41 now.
http://www.virustotal.com/file-scan/rep ... 1290177961
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Guest

Re: browser hijack, page reloads

Post by Guest » Fri Nov 19, 2010 4:20 pm

Alan Baxter wrote:
Guest wrote: Just out of curiosity which three recognized it? Also are these some of the better known rogue AVs like Anti virus 2009?

Yes, this is one of the classics. I've seen it many times before. I don't know its name. VT score up to 6/41 now.
http://www.virustotal.com/file-scan/rep ... 1290177961

The low VT score doesn't surprise me very much. It is generally quite difficult for AV to catch Rogue AV without a definition.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: browser hijack, page reloads

Post by Alan Baxter » Sat Nov 20, 2010 2:40 am

The payload is just the installer. I guess it's pretty easy to change it enough so it isn't detected without updating the definition files. Finding servers to hack and domains to host the malware must be easy enough to automate.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
