Strange SmartBro URL hijacking

I’m at a loss to explain this unless SmartBro’s DNS or proxy servers have been taken over. Here’s the deal. I’m surfing normally, and then suddenly I try to go to a normal site (economist.com, yahoo.com, facebook.com, google.com, iptools.com etc.) and instead of getting the correct page, I get a weird spammy advertising page, even though the URL in the address bar looks correct.

The image to the right is an example. Click on the image to get a full-sized view. I have more examples saved if anyone is interested. And here is the code which goes with the Economist screenshot:

(Only the visible text of that HTML survived extraction; the markup itself did not.)

	Books/displaystory.cfm
	Economist.com
	Related searches: books/displaystory.cfm

I can’t really explain this. It happens on both my computer and my girlfriend’s, but only while connected to my home network: from other networks it seems OK. It happens randomly — perhaps one page every 100 or so, and then is gone when you reload the page. We’re both running Linux, so I can’t verify whether it is OS-specific, but that would make a virus or malware attack unlikely. However, there seem to be other complaints around the internet, also from the Philippines (here and here), from users of Mac and Windows PCs who use different browsers.

My guess is that there’s something infiltrating the DNS system at SmartBro, or maybe one of their proxy servers. Leave a comment if you’re similarly affected and let’s see if we can piece this together. The HTML code points to an advertising network. They have a Google Analytics ID … hmmm

Update 5pm, Sunday

A user in the McAfee forum suggested it might be the DNSChanger trojan, which resets the DNS entries on your router if you leave it with the default password. My reply to that was that it was unlikely:

Thanks for the suggestion, melboy. I’m not entirely convinced that this can be the culprit, as

  • My router runs non-standard firmware.
  • I have set the password on it.
  • I recently upgraded it, and in the process reset all existing settings.
  • The DNS servers it is given by the SmartBro DHCP are the three valid SmartBro DNS servers, namely 121.1.3.199, 121.1.3.208, and 203.84.191.216. These check out on www.robtex.com.

So unless the main SmartBro DNS servers have been affected, I don’t think this is likely. As a side note, I recently tested the SmartBro DNS servers for the DNS poisoning vulnerability released at Black Hat this year, and they passed, with properly randomised source ports.

So … still puzzled. I may try using the OpenDNS servers for a while to see if that helps. Then at least that would tell me whether it was SmartBro DNS.

Hmmmmm.
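The isolation test described above, as a script: ask the three SmartBro resolvers and an outside resolver for the same name, repeatedly, because the hijack only shows up one time in a hundred, and flag any resolver that ever returns an address the outside resolver never returned. This is an added example, not code from the original post. It assumes the three SmartBro resolver addresses listed above, uses OpenDNS's 208.67.222.222 as the reference resolver (any trusted non-ISP resolver would do), and builds its own DNS packets from the standard library so nothing beyond Python is needed; the answer sets in the offline demo and the `make_response` packets are constructed, not captured traffic.

```python
import random
import socket
import struct
from collections import defaultdict

# Resolvers from the post: the three handed out by SmartBro DHCP, plus OpenDNS
# as an outside reference (assumption: 208.67.222.222 is a trusted resolver).
ISP_RESOLVERS = ["121.1.3.199", "121.1.3.208", "203.84.191.216"]
REFERENCE = "208.67.222.222"


def build_query(name, qid=None):
    """Build a minimal RFC 1035 A query; returns (packet, transaction id)."""
    qid = random.randrange(0, 65536) if qid is None else qid
    # flags 0x0100 = recursion desired; one question, no other records
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1), qid  # QTYPE A, QCLASS IN


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, qid):
    """Return the set of IPv4 addresses in the answer section.

    Raises ValueError if the transaction id does not match our query, which is
    exactly the field a spoofed reply has to guess.
    """
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = skip_name(data, off) + 4  # + QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen                    # CNAMEs etc. are skipped, not resolved
    return addrs


def make_response(qid, name, addrs, ttl=60):
    """Constructed reply packet for offline testing (not captured traffic)."""
    query, _ = build_query(name, qid)
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    body = query[12:]  # question section repeated verbatim
    for a in addrs:    # 0xC00C = pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + body


def query_a(name, resolver, timeout=2.0):
    """Send one A query over UDP to `resolver` and return its answer set."""
    pkt, qid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def sample_resolvers(name, resolvers, rounds):
    """Live sampling: query every resolver `rounds` times; failures count as no answer."""
    samples = defaultdict(list)
    for _ in range(rounds):
        for r in resolvers:
            try:
                samples[r].append(query_a(name, r))
            except (OSError, ValueError):
                samples[r].append(set())
    return samples


def find_divergent(samples, reference):
    """samples: {resolver: [answer_set, ...]} from many rounds.

    Returns {resolver: addresses it returned that `reference` never did}; an
    empty dict means every ISP answer was also seen from the outside resolver.
    """
    ref_addrs = set().union(*samples.get(reference, []))
    divergent = {}
    for resolver, answers in samples.items():
        if resolver == reference:
            continue
        odd = set().union(*answers) - ref_addrs
        if odd:
            divergent[resolver] = odd
    return divergent


if __name__ == "__main__":
    # Offline demo with constructed answer sets: one ISP resolver returns an
    # unrelated address on its fifth query, which is what the hijack looks like.
    demo = {
        REFERENCE: [{"203.0.113.7"}] * 5,
        "121.1.3.199": [{"203.0.113.7"}] * 4 + [{"198.51.100.9"}],
        "121.1.3.208": [{"203.0.113.7"}] * 5,
    }
    print(find_divergent(demo, REFERENCE))
    # Live run (needs network): print(find_divergent(
    #     sample_resolvers("economist.com", ISP_RESOLVERS + [REFERENCE], 200), REFERENCE))
```

A few hundred rounds against each resolver is the right order of magnitude for a one-in-a-hundred event. A resolver that shows up in the result is worth a second look: a `dig` or `whois` on the odd address will usually say whether it belongs to the site or to an ad network. A resolver that never diverges over a long run is evidence that the switch is happening somewhere other than DNS, such as a transparent proxy.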
