New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
Hot Files
Find a Cure!

Ian T's (AR 32)
Bill G's (CO24)
Paul's (AR 5)
Robin's (AR 3)
Ian T's Archive
Bill G's Archive
Paul's Archive
Robin's Archive
image
Security Central
 Home
 Wireless
 Bookmarks
 CLSID List
 Community
 Contest
 Downloads
 Feedback (send)
 Forums
 Gallery
 HijackThis
 Journal
 LSPs
 Members List
 My Downloads
 Newsletter
 PremChat
 Premium
 Private Messages
 Proxomitron
 Quizz
 RegChat
 Reviews
 Google Search
 Sections
 Software
 StartupList
 Statistics
 Stories Archive
 Submit News
 Surveys
 Top
 Topics
 Web Links
 Your Account
image
Toolkit
Email Virus Scan
UDP Port Scanner
TCP Port Scanner
Trojan TCP Scan
Reveal Your IP
Algorithms
Whois
nmap port scanner
image
Survey
Why would you use pirated software?

I would not use pirated software
it costs too much
you don't use it enough
you don't want to spend any money
To test it (try before you buy)



Results
Polls

Votes: 5807
Comments: 46
image
Advertisement
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
Browse Safely
Get Firefox!
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsFavForums 

 FREE LICENSE GIVEAWAY 
The CastleCops Free License giveaway is underway. The ENTRY PERIOD begins on 10:00 PM Eastern Standard Time on September 8, 2004 and ends on 10:00 PM Eastern Standard Time on September 22, 2004. Go here for complete details and rules.

How was I hijacked???

 
Post new topic   Reply to topic       All -> FavForums -> Browsers
View previous topic :: View next topic  
Author Message
JeffreyD

Cadet
Cadet



Joined: Jun 30, 2004
Posts: 2
Location: USA

PostPosted: Wed Jun 30, 2004 12:20 pm    Post subject: How was I hijacked???
Reply with quote

Spent hours on this, going nowhere quickly.

The PC is a WinXP box, fully patched, routinely checked with Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also use Thunderbird 0.6 and Firefox 0.8. All other family members run Thunderbird on this box. IE6 has not been removed, but is fully patched.

Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is running and I've scanned the entire PC twice in safe mode. (ZIP files are scanned 10 deep)

I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards. He read them. Doesn't remember where they took him, nor does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to http://www.netidentity.com/ with the mistaken URL clearly identified inside. Identical results on IE6 and Firefox. Java and Javascript are disabled on Firefox. I leave IE6 alone. I use it when I absolutely must go to some bogus activex site, oh, and windowsupdate. But I don't use it otherwise. I always use Firefox.

URLs that caused this include: mapblast, mapquest, abc, def ... through xyz.

Please note: I had typed "mapblast" but had hit Enter rather than Ctrl-Enter, by mistake. The URLs entered are literally those listed, just the word.

They are then transformed to http://mapblast/

NOTE: When I ran this with javascript and java enabled, an asp page was appended. These are normally off on my machine. Sorry that I didn't write it down.

4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to their
** old tricks with it's Site Finder business. A quick check of
** another PC in the house eliminated that. It works normally.

5. I checked my syslogs and NULL routed the IP address being used to access http://www.netidentity.com./ The same page comes up sans the graphics and the flash. Another check of the syslogs brings up 64.15.175.5 as generating the pages, apparently a well known open proxy registered to Mailbank.com. It's all the same company in Reno, NV.

** Ran whois, and then looked up the physical addresses. Nothing
** truly surprising ... except that the same business address is
** also used for: "Absolute Swine Insemination" <<<shudder>>>

6. Also ran HiJackThis and went through ALL of the items on it. Nada. Couldn't find the IP addresses or domain names in the registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS server wasn't stuck in. Nope, still set to use the Netgear box. Put 4 different DNS servers in -- still get that stupid site.

8. Using Spybot 1.3, I reviewed the browser search pages. Each of them are what I would consider standard pages. In fact, all of them are identical to the ones that I have at work, sans the compaq pages. I built my PC at home.

9. Ran latest CWS_Shredder. Nothing found.

10. Their exploit works while in "Safe mode w/Networking". Makes me believe that it is not a DLL or EXE related. Is that true?

11. Noticed that it leaves a cookie behind. Javascript is required to be enabled. The cookie includes the bad URL (http://mapblast/) and has "he" <tab> "llo" at the end. I found lots of little pop under scripts on the internet that are using a similar technique. None of them talk about using the exploit in this manner.

12. When run using IE6, another IE window is displayed on the Taskbar, but it will not maximize. What little bit I can read of the button displays fastclick. This appears to fall in line with the javascript code that I saw in item 11.

OK, how are they hiding this? I have searched ALL files on my computer for the word "fastclick", "netidentity" as well as these IP addresses, but nothing.

I ran sysinternals filemon to look for something common between the browsers, but I was overwhelmed by the flood of information. Wonderful tool, but kind of like reading firewall logs, great if you're looking for something specific. I need a summary to display something out of the ordinary.

I have NULL routed the netidentity.com domains and set up a static route to a non-existant IP address for the time being. But NOT knowing what truly IS happening makes me wonder if I don't have a keylogger or worse installed.

Since I don't know if this is just simple adware, or site tracking, I also don't know if it isn't also a keylogger or worse. I am treating it as if it was worse.

In the meantime, the PC is off.

And I am bumming, and quickly falling behind in work I need to do at night. Any suggestions as to where to look next. Would also appreciate any constructive comments on my troubleshooting techniques, as I do this for a living. <ZOIKS!>

JeffreyD
(humbled)
Back to top
View users profile Send private message
Flustered

Cadet
Cadet



Joined: Jul 29, 2004
Posts: 1
Location: USA

PostPosted: Thu Jul 29, 2004 1:10 am    Post subject: One possibility on the "Netidentity.com" hijack
Reply with quote

I came at it from the other direction.

I regularly download obvious viruses, trojans and porn-dialers to test my antivirus program. The latest "Hillary Duff Naked" (probable porn-dialer) didn't trip McAfee, which both surprised and annoyed me.

Looking inside the file, it's mostly bitmaps or something regular, but at the end is some text saying XXXSCR (triple-X screensaver) and Solis.org, which diverts to http://www.netidentity.com./ The only thing I see on their pages is a Shockwave Flash thingie which purports to be "scrolecode". There's no obvious malicious code on any of the pages I hit. I see the Fastclick popunder code, but there's nothing in it.

Anyone slamming huge numbers of Usenet groups with XXX screensavers (if that's what it really is) oughta be shot. Period. They're only 3 floors up from the Attorney General's office. Should we tip him off that there's a miscreant right over his head?

Doing a quick net search on the street address popped up:

Rebecca Fine - The Science of Getting Rich!
Certain Way Productions Inc.
350 South Center Street
Suite 500
Reno, NV 89501 USA
Phone: 775-333-5949
Fax: 206-260-9009

and

World Reach Corporation
350 South Center
Suite 500
Reno, NV 89501
800-441-9523

Repeat spammer-for-hire, formerly known as Empire Towers. Tells clients that all their lists are opt-in, refuses to honor remove requests,
frequently jumps to different domains and providers.

Known domains: worldreach.com worldreach1.com worldreach.cc refree.com webhostingpros.net cramz.net yourfinesite.com jetsonville.com masteragents.com poplaunch.com empiretowers.com

There's also a bunch of other names at the same address, like NamePlanet.com, Public Safety Information Systems, Quest, Kotan Publishing, HMX Inc, 1st Corporate Financial LLC, World Trade Group Inc, Exclusive Entertainment Production Group, and the list goes on. Looks a lot like a holding company or shell.

So it wouldn't surprise me at all that they're now doing IE hijacks. I'm not ballsy enough to enable plug-ins on a site like this from my main machine. From their past history above, I'd suspect they manage to rob your address book and add it to their "known good" spam list, which probably gets sold to other spammers on a regular basis.

The current IE-Spyad list blocks all of the domains that I could find.
Back to top
View users profile Send private message
JeffreyD

Cadet
Cadet



Joined: Jun 30, 2004
Posts: 2
Location: USA

PostPosted: Tue Aug 03, 2004 11:36 am    Post subject:
Reply with quote

The problem was mine ... sort of.

NetIdentity is a real domain squatter by design. If you want the email address of Jeffrey@domain.com, well, they need to have "domain.com" registered.

So they have TONS of them.

I had setup a domain within my house, that did not LEAVE the house and was not accessible from the outside, MONTHS ago. No problem. My main Pc and this one test Pc had that domain installed in them.

The test pc is long gone and I neglected to remove the test domain, adrian.net from my home pc.

So, since WinXP will append the domain to anything they cannot find ... I ended up at the netidentity site over and over and over.

The problem was not them, it was my networking that was the problem. Once I acted a little more legitimate, all was well.

Sorry for not getting back to this post.

Jeff
Back to top
View users profile Send private message
ClioB

Cadet
Cadet



Joined: Aug 14, 2004
Posts: 1
Location: USA

PostPosted: Sat Aug 14, 2004 2:05 am    Post subject: NOTHING to do with spam, hijacking, XXX screensavers
Reply with quote

Wow, what a HUGE -- and totally wrong -- assumption has been made here.

I work with Rebecca and her company, Certain Way Productions Inc., and it is a publishing company that has nothing to do with anything mentioned in your post. The only connection at all is a shared mailing address.

And that's because many businesses use the services of Corporate Service Center Inc. in Reno, NV. The company provides corporate offices, mail and phone services to Nevada Corporations whose owners live in other places. (They also set up corporations, provide registered agent service, and more.)

If there are spammers or otherwise unsavory companies also using those services, that has NOTHING to do with the totally separate other companies who are clients of CSC: http://www.corporateservicecenter.com/

Seems like it would be a smart idea to check your facts before publishing potentially libelous assumptions like these.

[/url]
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> Browsers All times are GMT - 5 Hours
Page 1 of 1

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.10 2001 phpBB Group