Strange SmartBro URL hijacking

I'm at a loss to explain this unless SmartBro's DNS or proxy servers have been taken over. Here's the deal. I'm surfing normally, and then suddenly I try to go to a normal site (,,, google. com, etc) and instead of getting the correct page, I get a weird spammy advertising page, even though the URL in the Address bar looks correct.

The image to the right is an example. Click on the image to get a full sized view. I have more examples saved if anyone is interested.And here is the code which goes with the economist screenshot:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
		<base href="" />
		<meta name="description" content="Relevancy Searcher" />
		<meta name="revisit-after" content="1 days" />
		<meta name="robots" content="follow,index" />
		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
		<link rel="stylesheet" type="text/css" href="style.css" />
		<link rel="stylesheet" type="text/css" href="style2.css" />
		<script type="text/javascript">
		window.onload = function() {
			var q = document.getElementById("q");
		clk = function(q,u) {
			img = document.createElement("IMG");
			img.src = "" + q + "&url_id=" + u;
			return true;
		rndr = function(t, d, u, us, qid, uid) {
			document.write("<h4><a href=\"" + u + "\" onclick=\"clk(" + qid + "," + uid + ")\">"  + t + "</a></h4>");
			document.write("<p class=\"description\">" + d + "</p>");
			document.write("<p class=\"url\">" + us + "</p>");

		getXMLHTTP = function() {
			var xmlhttp = false;
			if (window.XMLHttpRequest) {
				xmlhttp = new XMLHttpRequest();
			else if (window.ActiveXObject) {
				try {
					xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
				catch (e) {
					try {
						xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
					catch (E) {
						xmlhttp = false;
			return xmlhttp;

		<div class="content">
			<span class="title"><a href=""></a></span>

<form action="index.php" method="get">
	<div class="searchform">
		<label for="q">Find it quickly!</label><br />
		<input type="text" name="q" value="books/displaystory.cfm" id="q" />
		<input type="submit" value="Search!" id="search" />
<div class="box">
	<div class="title">
		<h3>Related searches: books/displaystory.cfm</h3>
	<div class="text related">
	// Unsupported modification in the code might be changed without warning
	// To activate a parameter, just uncomment the line that contain <script> and that correspond
	// to the parameters that you want to activate. Ads-click won't be responsible for potential // errors that could happen if the parameters are wrongly defined.
	// *** Speed at which the keyword move to and in the clouds ***
	// 0 is the fastest (instant) 1 is the slowest (other values are with two decimal eg. 0.10).
	// *** Speed at which the keywords wink ***
	// 0 will never wink. 1 will be the fastest (other values are with two decimal eg. 0.10)
	// *** Probability of a keyword to be relocated ***
	// 0 will never relocate. 1 will be the fastest (other values are with two decimal eg. 0.1)
	// Set a background image
	// URL of the image displayed in background of the Tagcloud
	// Minimum and maximum size of keywords.
	// Show these colors
	// document['tc-adsclick-keyword-colors']= new Array('#FF0000','#00FF00','#0000FF');
	</script> <script src=""></script>
		<!-- google_ad_section_start(weight=ignore) -->
					<a href=""></a> &nbsp;

		<!-- google_ad_section_end -->
<br />

I can't really explain this. It happens on both my computer and my girlfriend's, but only while connected to my home network: from other networks it seems OK. It happens randomly — perhaps one page every 100 or so, and then is gone when you reload the page. We're both running Linux so I can't verify if it is OS specific, but that would make a viral / malware attack unlikely. However there seem to be other complaints around the internet, also from the Philippines here and here, from users of Mac and Windows PCs, who use different browsers.

My guess is that there's something infiltrating the DNS system at SmartBro or maybe one of their proxy servers. Leave a comment if you're similarly affected and lets see if we can piece this together. The HTML code points to an advertising network. They have a Google Analytics ID … hmmm

Update 5pm, Sunday

A user in the macafee forum suggested it might be the DNSchanger trojan, which resets the DNS entries on your router if you leave them with a default password. My reply to that was that it was unlikely:

Thanks for the suggestion melboy. I'm not entirely convinced that this can be the culprit, as

  • My router runs a non-standard firmware
  • I have set the password on it.
  • I recently upgraded it, and in the process reset all existing settings
  • The dns servers it is given by the smartbro DHCP are the three valid smartbro dns servers, namely,, and These check out on

So unless the main smartbro DNS servers have been affected, I don't think this is likely. As a sidenote, I recently tested the Smartbro DNS servers for the DNS poisoning vulnerability released at Blackhat this year, and they passed, with properly randomised ports.

So … still puzzled. I may try using OpenDNS servers for a while to see if that helps. Then at least that would tell me if it was SmartBro DNS.


Leave a Comment