Lots of hyperlinks in this article, so be sure to visit the newsletter article online.
"Are You Trying To Get To Google?
Are you trying to get to Google? Your computer is running software that doesn't allow you to use Google.
The above is a message that many thousands of unfortunate browser hijack victims have been seeing recently, while trying to use certain major search engines. Someone has released a browser hijacker that exploits flaws in the Internet Explorer web browser to drop a bad HOSTS file on infected machines.
A HOSTS file is used to tell Windows that a web site is located at the IP address listed next to its name. When you load a web site, Windows checks this list to see if the site is listed there. If the site is not listed, Windows then checks your ISP's domain name servers to find the IP address of the web site.
This bad HOSTS file tells Windows that google.com, altavista.com, yahoo.com and other major search engines are located at the hijacker's IP address. Thankfully, it would seem the web host that owns that IP address terminated the attacker's account. Most likely, the attacker was running a pay-per-click search portal of his own and was hoping to profit from his victims.
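As an added example (not code from the newsletter or from any tool it names), the check below parses a HOSTS file the way Windows reads it and flags any entry naming the search engines listed above, since a default HOSTS file contains only the localhost line; the sample file and the 203.0.113.10 address are constructed placeholders, not the hijacker's real address.

```python
"""Scan a Windows HOSTS file for entries that redirect major search engines.

Added example, not part of the original newsletter. The sample HOSTS content
below is constructed; the hijacker's real IP address is replaced by the
placeholder 203.0.113.10 (a documentation-range address).
"""

# Domains the article says the malicious HOSTS file redirected.
WATCHED = {"google.com", "altavista.com", "yahoo.com"}

# A clean Windows HOSTS file contains only the loopback entry, which is
# what a "Reset Defaults" style fix writes back.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"

# Constructed sample of a hijacked HOSTS file (comments and padding as in
# a real file; the address is a placeholder).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    google.com
203.0.113.10    www.google.com   # redirected
203.0.113.10    altavista.com
203.0.113.10    yahoo.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: no hostname after the address
        ip = fields[0]
        for name in fields[1:]:  # one address may carry several names
            yield ip, name.lower()


def watched(name):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def find_hijacks(text):
    """Return (hostname, ip) pairs that pin a watched domain to any address.

    None of these domains belongs in a default HOSTS file, so any entry
    for them bypasses the ISP's DNS and is reported.
    """
    return [(name, ip) for ip, name in parse_hosts(text) if watched(name)]


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
```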
In the place of whatever used to be at that address, someone has placed a link to a particular post at TweakXP's message board, that has instructions on fixing a HOSTS hijack. Unfortunately for TweakXP, so many victims clicked through to go to the page that it overwhelmed their web server.
How is it spreading?
There are several possible means of distributing this hijack. The most common way is to spam people with a link to a web site hosting the malicious code. Some email clients may also download and execute a malicious Java applet as soon as the attacker's email is opened or previewed.
Please do not be fooled by "experts" who downplay the danger of this and other flaws by saying the victim would first have to visit a malicious web site. There are many ways to force a victim's computer to load a particular web site. We help dozens of victims of such hijacks every single day at the support forums.
Victims show none of the regular symptoms of a browser hijack other than a bad HOSTS file. There are no suspicious ActiveX objects or other tell-tale signs of infection. This leads me to believe that the victims were hijacked using either the Microsoft Java VM or MSHTA.
The CWS trojan is one example of malware that exploits the ByteVerify flaw in Microsoft's proprietary version of Java. Faulty bytecode verification allows an attacker to run arbitrary code on the victim's machine. This flaw has been patched in an updated version of the Microsoft VM. My advice is to install the much more secure Sun Java and to use that instead of Microsoft Java.
The other possibility is the object data flaw I've written about previously. A flaw exists in Microsoft Internet Explorer that allows a malicious hacker to fool it into running malicious scripts with reduced security restrictions. Microsoft released a patch for this flaw, but unfortunately it failed to fix the problem. A workaround is either to disable ActiveX controls and plugins in Internet Options > Security or to run the HTAStop program from NSClean.
What's the fix?
This is the easy part. Download Hosts File Reader to the location of your choice on the computer. Run the program, click the "Read Hosts File" button, click the button labeled "Reset Defaults" and click "Save Changes". That kills the hijack.
After you have done this, update the antivirus program on the computer and run a scan. There are several trojans exploiting both of these flaws and most likely the machine is infected with one or more of them."
Source: spywareinfo.com