{"id":77,"date":"2008-09-14T16:19:28","date_gmt":"2008-09-14T08:19:28","guid":{"rendered":"http:\/\/play.datalude.com\/blog\/?p=77"},"modified":"2008-09-14T17:04:29","modified_gmt":"2008-09-14T09:04:29","slug":"strange-smartbro-url-hijacking","status":"publish","type":"post","link":"https:\/\/play.datalude.com\/blog\/2008\/09\/strange-smartbro-url-hijacking\/","title":{"rendered":"Strange SmartBro URL hijacking"},"content":{"rendered":"

\"\"<\/a>I'm at a loss to explain this unless SmartBro's DNS or proxy servers have been taken over. Here's the deal. I'm surfing normally, and then suddenly I try to go to a normal site (economist.com, yahoo.com, facebook.com, google. com, iptools.com etc) and instead of getting the correct page, I get a weird spammy advertising page, even though the URL in the Address bar looks correct<\/em>.<\/p>\n

The image to the right is an example. Click on the image to get a full sized view. I have more examples saved if anyone is interested.And here is the code which goes with the economist screenshot:<\/p>\n

<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD XHTML 1.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-transitional.dtd\">\r\n<html>\r\n\t<head>\r\n\t\t<title>Books\/displaystory.cfm<\/title>\r\n\t\t<base href=\"www.economist.com\" \/>\r\n\t\t<meta name=\"description\" content=\"Relevancy Searcher\" \/>\r\n\t\t<meta name=\"revisit-after\" content=\"1 days\" \/>\r\n\t\t<meta name=\"robots\" content=\"follow,index\" \/>\r\n\t\t<meta http-equiv=\"Content-Type\" content=\"text\/html; charset=ISO-8859-1\" \/>\r\n\t\t<!--\r\n\t\t<link rel=\"stylesheet\" type=\"text\/css\" href=\"style.css\" \/>\r\n\t\t-->\r\n\t\t<link rel=\"stylesheet\" type=\"text\/css\" href=\"style2.css\" \/>\r\n\t\t<script type=\"text\/javascript\">\r\n\t\twindow.onload = function() {\r\n\t\t\tvar q = document.getElementById(\"q\");\r\n\t\t\tq.focus();\r\n\t\t}\r\n\t\tclk = function(q,u) {\r\n\t\t\timg = document.createElement(\"IMG\");\r\n\t\t\timg.src = \"http:\/\/www.economist.com\/?query_id=\" + q + \"&url_id=\" + u;\r\n\t\t\treturn true;\r\n\t\t}\r\n\t\trndr = function(t, d, u, us, qid, uid) {\r\n\t\t\tdocument.write(\"<h4><a href=\\\"\" + u + \"\\\" onclick=\\\"clk(\" + qid + \",\" + uid + \")\\\">\"  + t + \"<\/a><\/h4>\");\r\n\t\t\tdocument.write(\"<p class=\\\"description\\\">\" + d + \"<\/p>\");\r\n\t\t\tdocument.write(\"<p class=\\\"url\\\">\" + us + \"<\/p>\");\r\n\t\t}\r\n\r\n\t\tgetXMLHTTP = function() {\r\n\t\t\tvar xmlhttp = false;\r\n\t\t\tif (window.XMLHttpRequest) {\r\n\t\t\t\txmlhttp = new XMLHttpRequest();\r\n\t\t\t}\r\n\t\t\telse if (window.ActiveXObject) {\r\n\t\t\t\ttry {\r\n\t\t\t\t\txmlhttp = new ActiveXObject(\"Msxml2.XMLHTTP\");\r\n\t\t\t\t}\r\n\t\t\t\tcatch (e) {\r\n\t\t\t\t\ttry {\r\n\t\t\t\t\t\txmlhttp = new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n\t\t\t\t\t}\r\n\t\t\t\t\tcatch (E) {\r\n\t\t\t\t\t\txmlhttp = false;\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\treturn xmlhttp;\r\n\t\t}\r\n\r\n\t\t<\/script>\r\n\t<\/head>\r\n\t<body>\r\n\t\t<div class=\"content\">\r\n\t\t\t<span class=\"title\"><a href=\"http:\/\/www.economist.com\">Economist.com<\/a><\/span>\r\n\r\n<form action=\"index.php\" method=\"get\">\r\n\t<div class=\"searchform\">\r\n\t\t<label for=\"q\">Find it quickly!<\/label><br \/>\r\n\t\t<input type=\"text\" name=\"q\" value=\"books\/displaystory.cfm\" id=\"q\" \/>\r\n\t\t<input type=\"submit\" value=\"Search!\" id=\"search\" \/>\r\n\t<\/div>\r\n<\/form>\r\n<div class=\"box\">\r\n\t<div class=\"title\">\r\n\t\t<h3>Related searches: books\/displaystory.cfm<\/h3>\r\n\t<\/div>\r\n\t<div class=\"text related\">\r\n\t<script>\r\n\t\/\/ Unsupported modification in the code might be changed without warning\r\n\t\/\/ To activate a parameter, just uncomment the line that contain <script> and that correspond\r\n\t\/\/ to the parameters that you want to activate. Ads-click won't be responsible for potential \/\/ errors that could happen if the parameters are wrongly defined.\r\n\t\/\/ *** Speed at which the keyword move to and in the clouds ***\r\n\t\/\/ 0 is the fastest (instant) 1 is the slowest (other values are with two decimal eg. 0.10).\r\n\tdocument['tc-adsclick-speedkeyword']=0.80;\r\n\t\/\/ *** Speed at which the keywords wink ***\r\n\t\/\/ 0 will never wink. 1 will be the fastest (other values are with two decimal eg. 0.10)\r\n\tdocument['tc-adsclick-hide']=0.02;\r\n\t\/\/ *** Probability of a keyword to be relocated ***\r\n\t\/\/ 0 will never relocate. 1 will be the fastest (other values are with two decimal eg. 0.1)\r\n\tdocument['tc-adsclick-relocate']=0.05;\r\n\t\/\/ Set a background image\r\n\t\/\/ URL of the image displayed in background of the Tagcloud\r\n\tdocument['tc-adsclick-background-image']='';\r\n\t\/\/ Minimum and maximum size of keywords.\r\n\tdocument['tc-adsclick-keyword-minsize']=10;\r\n\tdocument['tc-adsclick-keyword-maxsize']=34;\r\n\t\/\/ Show these colors\r\n\t\/\/ document['tc-adsclick-keyword-colors']= new Array('#FF0000','#00FF00','#0000FF');\r\n\t<\/script> <script src=\"http:\/\/acnetwork.flux.acsyndication.com?id=974_1390&oe=utf8\"><\/script>\r\n\t\t<!-- google_ad_section_start(weight=ignore) -->\r\n\t\t\t\t\t<a href=\"\"><\/a> &nbsp;\r\n\r\n\t\t<!-- google_ad_section_end -->\r\n\t<\/div>\r\n<\/div>\r\n<br \/><\/pre>\n
I can't really explain this. It happens on both my computer and my girlfriend's, but only while connected to my home network: from other networks it seems OK. It happens randomly — perhaps one page every 100 or so, and then is gone when you reload the page. We're both running Linux so I can't verify if it is OS specific, but that would make a viral \/ malware attack unlikely. However there seem to be other complaints around the internet, also from the Philippines here<\/a> and here<\/a>, from users of Mac and Windows PCs, who use different browsers.<\/p>\n
My guess is that there's something infiltrating the DNS system at SmartBro or maybe one of their proxy servers. Leave a comment if you're similarly affected and lets see if we can piece this together. The HTML code points to an advertising network. They have a Google Analytics ID … hmmm<\/p>\n
Update 5pm, Sunday<\/h2>\n
A user in the macafee forum suggested it might be the DNSchanger trojan, which resets the DNS entries on your router if you leave them with a default password. My reply to that was that it was unlikely:<\/p>\n
Thanks for the suggestion melboy. I'm not entirely convinced that this can be the culprit, as<\/p>\n