New malware

Discussion in 'NZ Computing' started by Fred Dagg, Dec 2, 2006.

  1. Fred Dagg

    Fred Dagg Guest

    I've just come across some nasty new malware infecting several
    independent machines.

    It redirects websites (google, etc) to advertising sites. Whilst not
    particularly new or exciting, the interesting thing is that it happens
    on any browser.

    HOSTS and DNS are fine, and NSLOOKUP returns the correct IP address.
    Just visiting the site redirects it.

    None of the usual tools knew anything about it.

    We managed to clean them all by clearing out lots of suspicious
    things, but the techie who worked on them didn't keep good records,
    and hence we're none the wiser on what it was or which specific
    processes/temp files etc were causing it.

    Anyone come across this before?
    Fred Dagg, Dec 2, 2006
    #1

  2. Fred Dagg

    David Empson Guest

    Fred Dagg <> wrote:

    > I've just come across some nasty new malware infecting several
    > independent machines.
    >
    > It redirects websites (google, etc) to advertising sites. Whilst not
    > particularly new or exciting, the interesting thing is that it happens
    > on any browser.
    >
    > HOSTS and DNS are fine, and NSLOOKUP returns the correct IP address.
    > Just visiting the site redirects it.


    Perhaps the malware set up a web proxy (probably running on the same
    computer). Does your OS (presumably Windows) have system-wide
    configuration for this, which is recognised by all web browsers?

    A proxy server can do anything it likes to redirect an HTTP request to
    different servers or ports, or it can service a request itself (e.g. a
    web cache). DNS isn't affected.

    Some firewalls might also be configurable in a similar way to redirect
    outgoing requests to a specific port so they are serviced by a process
    on the computer, which can then do anything it likes.

    --
    David Empson
    David Empson, Dec 2, 2006
    #2
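One way to check a machine for the local-proxy setup suggested in the reply above, as an added example that is not part of the original thread. It assumes Windows, with the text of `reg query` on the per-user Internet Settings key and of `netstat -ano` already captured; both samples and all function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): `reg query` output for the
# per-user Internet Settings key.
REG_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:8080;https=127.0.0.1:8080
    ProxyOverride    REG_SZ    <local>
"""
# Constructed sample: `netstat -ano` lines.
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3344
  TCP    192.168.1.20:49712     203.0.113.7:80         ESTABLISHED     3344
"""
LOOPBACK = ("127.", "localhost", "[::1]")

def parse_reg(text):
    """Return {value_name: data} from `reg query` output."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.*\S)\s*$", line)
        if m:
            vals[m.group(1)] = m.group(2)
    return vals

def proxy_endpoints(vals):
    """Expand ProxyServer ('host:port' or 'proto=host:port;...') if enabled."""
    if int(vals.get("ProxyEnable", "0x0"), 16) == 0:
        return set()
    entries = vals.get("ProxyServer", "").split(";")
    return {e.split("=")[-1].strip() for e in entries if e.strip()}

def listeners(text):
    """Map 'addr:port' -> owning PID for LISTENING TCP sockets."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out[f[1]] = int(f[4])
    return out

def find_local_proxies(reg_text, netstat_text):
    """Return [(endpoint, pid_or_None)] for enabled proxies on loopback."""
    listen = listeners(netstat_text)
    eps = sorted(proxy_endpoints(parse_reg(reg_text)))
    return [(ep, listen.get(ep)) for ep in eps if ep.lower().startswith(LOOPBACK)]
```

A non-empty result names the PID that owns the proxy port, which is the process to identify and record before any cleanup.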

  3. Fred Dagg

    jasen Guest

    On 2006-12-02, Fred Dagg <> wrote:
    > I've just come across some nasty new malware infecting several
    > independent machines.
    >
    > It redirects websites (google, etc) to advertising sites. Whilst not
    > particularly new or exciting, the interesting thing is that it happens
    > on any browser.
    >
    > HOSTS and DNS are fine, and NSLOOKUP returns the correct IP address.
    > Just visiting the site redirects it.
    >
    > None of the usual tools knew anything about it.
    >
    > We managed to clean them all by clearing out lots of suspicious
    > things, but the techie who worked on them didn't keep good records,
    > and hence we're none the wiser on what it was or which specific
    > processes/temp files etc were causing it.
    >
    > Anyone come across this before?


    not I,

    Could be it intercepted outbound HTTP connects and gave fake
    redirect responses to specific requests.



    --

    Bye.
    Jasen
    jasen, Dec 2, 2006
    #3
  4. Fred Dagg

    Fred Dagg Guest

    On 2 Dec 2006 07:50:23 GMT, jasen <> exclaimed:

    >On 2006-12-02, Fred Dagg <> wrote:
    >> I've just come across some nasty new malware infecting several
    >> independent machines.
    >>
    >> It redirects websites (google, etc) to advertising sites. Whilst not
    >> particularly new or exciting, the interesting thing is that it happens
    >> on any browser.
    >>
    >> HOSTS and DNS are fine, and NSLOOKUP returns the correct IP address.
    >> Just visiting the site redirects it.
    >>
    >> None of the usual tools knew anything about it.
    >>
    >> We managed to clean them all by clearing out lots of suspicious
    >> things, but the techie who worked on them didn't keep good records,
    >> and hence we're none the wiser on what it was or which specific
    >> processes/temp files etc were causing it.
    >>
    >> Anyone come across this before?

    >
    >not I,
    >
    >Could be it intercepted outbound HTTP connects and gave fake
    >redirect responses to specific requests.


    That seems to be the case. Everything seemed to check out, though.

    Very odd.
    Fred Dagg, Dec 2, 2006
    #4