JeffreyD (Cadet)
Joined: Jun 30, 2004; Posts: 2; Location: USA
Posted: Wed Jun 30, 2004 12:20 pm
Post subject: How was I hijacked???
Spent hours on this, going nowhere quickly.

The PC is a WinXP box, fully patched, routinely checked with Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also use Thunderbird 0.6 and Firefox 0.8. All other family members run Thunderbird on this box. IE6 has not been removed, but is fully patched. Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19, is running and I've scanned the entire PC twice in safe mode. (ZIP files are scanned 10 deep.)

I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened:

1. My son read his email via the web. It included e-cards. He read them. Doesn't remember where they took him, nor does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT to do while on the internet. 278th time. Disabled his account.

3. Mistyping a URL will now take me automatically to http://www.netidentity.com/ with the mistaken URL clearly identified inside. Identical results on IE6 and Firefox. Java and JavaScript are disabled on Firefox. I leave IE6 alone. I use it when I absolutely must go to some bogus ActiveX site, oh, and windowsupdate. But I don't use it otherwise. I always use Firefox.

URLs that caused this include: mapblast, mapquest, abc, def ... through xyz. Please note: I had typed "mapblast" but had hit Enter rather than Ctrl-Enter, by mistake. The URLs entered are literally those listed, just the word. They are then transformed to http://mapblast/

NOTE: When I ran this with JavaScript and Java enabled, an asp page was appended. These are normally off on my machine. Sorry that I didn't write it down.

4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for updates and the entire system was scanned. Nothing found.

My immediate thought was that Network Solutions was up to their old tricks with its Site Finder business. A quick check of another PC in the house eliminated that. It works normally.

5. I checked my syslogs and NULL routed the IP address being used to access http://www.netidentity.com/. The same page comes up sans the graphics and the Flash. Another check of the syslogs brings up 64.15.175.5 as generating the pages, apparently a well known open proxy registered to Mailbank.com. It's all the same company in Reno, NV.

Ran whois, and then looked up the physical addresses. Nothing truly surprising ... except that the same business address is also used for: "Absolute Swine Insemination" <<<shudder>>>

6. Also ran HijackThis and went through ALL of the items on it. Nada. Couldn't find the IP addresses or domain names in the registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS server wasn't stuck in. Nope, still set to use the Netgear box. Put 4 different DNS servers in -- still get that stupid site.

8. Using Spybot 1.3, I reviewed the browser search pages. Each of them is what I would consider a standard page. In fact, all of them are identical to the ones that I have at work, sans the Compaq pages. I built my PC at home.

9. Ran latest CWShredder. Nothing found.

10. Their exploit works while in "Safe mode w/Networking". Makes me believe that it is not DLL or EXE related. Is that true?

11. Noticed that it leaves a cookie behind. JavaScript is required to be enabled. The cookie includes the bad URL (http://mapblast/) and has "he" <tab> "llo" at the end. I found lots of little pop-under scripts on the internet that are using a similar technique. None of them talk about using the exploit in this manner.

12. When run using IE6, another IE window is displayed on the Taskbar, but it will not maximize. What little bit I can read of the button displays fastclick. This appears to fall in line with the JavaScript code that I saw in item 11.

OK, how are they hiding this? I have searched ALL files on my computer for the word "fastclick", "netidentity" as well as these IP addresses, but nothing.

I ran Sysinternals Filemon to look for something common between the browsers, but I was overwhelmed by the flood of information. Wonderful tool, but kind of like reading firewall logs: great if you're looking for something specific. I need a summary to display something out of the ordinary.

I have NULL routed the netidentity.com domains and set up a static route to a non-existent IP address for the time being. But NOT knowing what truly IS happening makes me wonder if I don't have a keylogger or worse installed.

Since I don't know if this is just simple adware, or site tracking, I also don't know if it isn't also a keylogger or worse. I am treating it as if it was worse.

In the meantime, the PC is off.

And I am bumming, and quickly falling behind in work I need to do at night. Any suggestions as to where to look next? Would also appreciate any constructive comments on my troubleshooting techniques, as I do this for a living. <ZOIKS!>

JeffreyD (humbled)
Flustered (Cadet)
Joined: Jul 29, 2004; Posts: 1; Location: USA
Posted: Thu Jul 29, 2004 1:10 am
Post subject: One possibility on the "Netidentity.com" hijack
I came at it from the other direction.

I regularly download obvious viruses, trojans and porn-dialers to test my antivirus program. The latest "Hillary Duff Naked" (probable porn-dialer) didn't trip McAfee, which both surprised and annoyed me.

Looking inside the file, it's mostly bitmaps or something regular, but at the end is some text saying XXXSCR (triple-X screensaver) and Solis.org, which diverts to http://www.netidentity.com/. The only thing I see on their pages is a Shockwave Flash thingie which purports to be "scrolecode". There's no obvious malicious code on any of the pages I hit. I see the Fastclick popunder code, but there's nothing in it.

Anyone slamming huge numbers of Usenet groups with XXX screensavers (if that's what it really is) oughta be shot. Period. They're only 3 floors up from the Attorney General's office. Should we tip him off that there's a miscreant right over his head?

Doing a quick net search on the street address popped up:

Rebecca Fine - The Science of Getting Rich! Certain Way Productions Inc., 350 South Center Street Suite 500, Reno, NV 89501 USA. Phone: 775-333-5949. Fax: 206-260-9009

and

World Reach Corporation, 350 South Center Suite 500, Reno, NV 89501. 800-441-9523

Repeat spammer-for-hire, formerly known as Empire Towers. Tells clients that all their lists are opt-in, refuses to honor remove requests, frequently jumps to different domains and providers.

Known domains: worldreach.com worldreach1.com worldreach.cc refree.com webhostingpros.net cramz.net yourfinesite.com jetsonville.com masteragents.com poplaunch.com empiretowers.com

There's also a bunch of other names at the same address, like NamePlanet.com, Public Safety Information Systems, Quest, Kotan Publishing, HMX Inc, 1st Corporate Financial LLC, World Trade Group Inc, Exclusive Entertainment Production Group, and the list goes on. Looks a lot like a holding company or shell.

So it wouldn't surprise me at all that they're now doing IE hijacks. I'm not ballsy enough to enable plug-ins on a site like this from my main machine. From their past history above, I'd suspect they manage to rob your address book and add it to their "known good" spam list, which probably gets sold to other spammers on a regular basis.

The current IE-SPYAD list blocks all of the domains that I could find.
JeffreyD (Cadet)
Joined: Jun 30, 2004; Posts: 2; Location: USA
Posted: Tue Aug 03, 2004 11:36 am
The problem was mine ... sort of.

NetIdentity is a real domain squatter by design. If you want the email address Jeffrey@domain.com, well, they need to have "domain.com" registered. So they have TONS of them.

I had set up a domain within my house, that did not LEAVE the house and was not accessible from the outside, MONTHS ago. No problem. My main PC and this one test PC had that domain installed in them.

The test PC is long gone and I neglected to remove the test domain, adrian.net, from my home PC.

So, since WinXP will append the domain to anything it cannot find ... I ended up at the netidentity site over and over and over.

The problem was not them; it was my networking that was the problem. Once I acted a little more legitimate, all was well.

Sorry for not getting back to this post.

Jeff
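The mechanism Jeff describes, as an added example that is not from the thread: a Windows DNS client qualifies a single-label name such as "mapblast" with each entry of its suffix search list, so a stale suffix like adrian.net silently routes every mistyped name to whoever registers that domain. The `ipconfig /all` text below is constructed, and the "owned" list is an assumption.

```python
"""Simulate DNS suffix qualification and flag search-list suffixes you do not control."""
import re

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """Windows IP Configuration
   Host Name . . . . . . . . . . . . : homepc
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : adrian.net
                                       lan.example
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : adrian.net
"""


def parse_suffix_search_list(text):
    """Return the DNS suffix search list (lower-cased) from ipconfig /all output."""
    suffixes, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Suffix Search List[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                suffixes.append(m.group(1).lower())
            continue
        # Additional suffixes appear on deeply indented continuation lines.
        if collecting and re.match(r"\s{20,}\S+\s*$", line):
            suffixes.append(line.strip().lower())
        else:
            collecting = False
    return suffixes


def qualify(name, search_list):
    """Candidate FQDNs a Windows resolver tries for `name`, in order (simplified).

    A trailing dot means absolute: never suffixed. A dotted name is tried
    as-is first; a single-label name is only ever tried with a suffix appended.
    """
    if name.endswith("."):
        return [name]
    candidates = [f"{name}.{s}." for s in search_list]
    return ([name + "."] if "." in name else []) + candidates


def stale_suffixes(search_list, owned):
    """Suffixes whose registrant receives every mistyped single-label lookup."""
    owned_set = {o.lower() for o in owned}
    return [s for s in search_list if s not in owned_set]
```

Running `stale_suffixes(parse_suffix_search_list(SAMPLE_IPCONFIG), ["lan.example"])` reports adrian.net as the suffix to remove.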
ClioB (Cadet)
Joined: Aug 14, 2004; Posts: 1; Location: USA
Posted: Sat Aug 14, 2004 2:05 am
Post subject: NOTHING to do with spam, hijacking, XXX screensavers
Wow, what a HUGE -- and totally wrong -- assumption has been made here.

I work with Rebecca and her company, Certain Way Productions Inc., and it is a publishing company that has nothing to do with anything mentioned in your post. The only connection at all is a shared mailing address.

And that's because many businesses use the services of Corporate Service Center Inc. in Reno, NV. The company provides corporate offices, mail and phone services to Nevada corporations whose owners live in other places. (They also set up corporations, provide registered agent service, and more.)

If there are spammers or otherwise unsavory companies also using those services, that has NOTHING to do with the totally separate other companies who are clients of CSC: http://www.corporateservicecenter.com/

Seems like it would be a smart idea to check your facts before publishing potentially libelous assumptions like these.
Powered by phpBB 2.0.10 © 2001 phpBB Group