EXETOOLS FORUM  

  #1  
Old 01-07-2005, 06:35
chad1111
looking for adware info and homepage hijacker info

hello all

I am looking for info on the tricks on how they "hide" adware and homepage hijackers on a computer, and looking for any IE tricks on how they do this...

thanks
  #2  
Old 01-07-2005, 06:45
LouCypher
Use FileMon and RegMon and log access by HijackThis.exe while it does a scan.
http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml
http://www.spywareinfo.com/~merijn/
  #3  
Old 01-07-2005, 09:50
chad1111
ok thanks

Any web site on programming tips? I want to learn how they make it... and what tricks they use, like how some of the homepage hijackers embed themselves into IE... and info on ALL the IE registry settings....


thanks
  #4  
Old 01-09-2005, 13:08
willcodeforfood
 

All of the important IE reg settings are under
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\

Some of the most popular keys are in
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLS

These control the behavior when a site is not found, the blank page, offline pages. The best list of what you can do to IE is actually in Microsoft's new beta AntiSpyware program (ex-Giant Software). If you go to their 'Restore Hijacked Internet Explorer Browser Settings' page, you can see all the hot points. By searching for the current setting (or modifying and searching) you can find all the equivalent registry settings.

Good luck, WCFF
  #5  
Old 01-09-2005, 13:58
tbone
I certainly hope you aren't planning on writing more malware, but...

Most browser hijackers are implemented as browser helper objects (BHOs). A general run-down on what they are and how to write one can be found at:
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

I'm sure there are lots of other ways to hook your code into IE, but that's the most common way.

Now, as far as getting it installed on a user's computer, that's just a matter of finding a software exploit somewhere. Probably the best real-world example was the Java bytecode verifier bug in Microsoft's Java VM. That particular exploit was, well... gang raped by spyware authors. MS finally patched their VM, but it's a far better thing to remove it entirely and use Sun's instead. MS is no longer allowed to distribute a Java VM anyway due to earlier lawsuits by Sun.

But I digress. Probably the biggest, most persistent method of getting spyware installed is through exploiting security zones. In most browsers, you have a system of zones that you classify web content by. For example, IE uses: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Each one has different "permissions" for code execution. Nearly all browsers implement something similar to this - I believe it was Netscape that actually started this madness. It looks good on paper, but it gave birth to a whole class of exploits called "cross-zone scripting exploits". I haven't done enough reading to cite specific examples or how-tos, but the general idea is this: by using various tricks with HTML, VBScript, JavaScript, etc., you can sometimes convince the browser that a particular web page, or portions of it, belongs in a different (and more permissive) zone.

Cross-zone scripting exploits have been especially bad in IE because in addition to the four zones shown on the security tab of your internet settings, there's a 5th zone, the "local machine" zone, which is basically invisible to users, and which has virtually unrestrained access to the machine. By crossing into the local machine zone, you could get the browser to execute just about anything you wanted to. For years, Microsoft has been discreetly warning people that the zone exists, and that they need to lock it down tighter, but they haven't exactly advertised the problem to end users. Finally, they have at least tried to fix the problem as of XP SP2:
hxxp://msdn.microsoft.com/security/productinfo/xpsp2/securebrowsing/locallockdown.aspx

However there are already some known exploits that manage to circumvent the new security:
hxxp://secunia.com/advisories/12889/

Anyway, this should give you a few leads for Google. I'm sure there are lots of other methods employed, but AFAIK, those are the big ones.

Edit: OK, I'm not sure why, but all of a sudden Exetools isn't honoring line breaks for me. Sorry. It works in preview, but then it strips the blank lines out of the post.

Last edited by tbone; 01-09-2005 at 14:01.
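A defender's triage script, added here and not posted by anyone in the thread, that applies the checks from posts #4 and #5 offline to a `reg export` dump: AboutURLs values that no longer point at `res://` resources, a Start Page outside an assumed allowlist, and BHO CLSIDs whose InprocServer32 DLL lives in a user-writable directory. The sample export, the allowlist and the suspect-directory list are constructed; the BHO registration key is the standard one under HKLM.

```python
# Constructed sample: a fragment of a "reg export" of the IE keys named in the thread,
# plus a BHO registration key and the CLSID it points at. Every value is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLS]
"blank"="res://mshtml.dll/blank.htm"
"NavigationFailure"="http://search-redirect.example/notfound"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://ads.example/start"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\helper.dll"
"""
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
HOMEPAGE_ALLOWLIST = {"about:blank", "https://intranet.example/"}  # assumed site baseline
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")  # user-writable

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):  # REG_SZ: unescape \\ -> \ and \" -> "
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_findings(keys):
    """Return (kind, detail) pairs for the hijack indicators discussed in the thread."""
    findings = []
    lower = {path.lower(): values for path, values in keys.items()}
    for path, values in lower.items():
        if path.endswith(r"\internet explorer\abouturls"):  # should stay res:// resources
            findings += [("about-url-hijack", f"{n} -> {d}") for n, d in values.items()
                         if not d.lower().startswith("res://")]
        elif path.endswith(r"\internet explorer\main"):
            findings += [("homepage-hijack", f"{n} -> {values[n]}") for n in ("Start Page", "Default_Page_URL")
                         if n in values and values[n] not in HOMEPAGE_ALLOWLIST]
        elif path.startswith(BHO_KEY + "\\"):  # one subkey per registered BHO CLSID
            clsid = path.rsplit("\\", 1)[1]
            server = lower.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
            dll = server.get("(Default)", "<no InprocServer32 in export>")
            if dll.startswith("<") or any(d in dll.lower() for d in SUSPECT_DIRS):
                findings.append(("suspicious-bho", f"{clsid} -> {dll}"))
    return findings
```

Run it over a real export with `find_findings(parse_reg(open("ie.reg", encoding="utf-16").read()))`; each finding names the key value a cleanup tool like HijackThis would offer to reset.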
  #6  
Old 01-10-2005, 02:45
JMI
I have the same result here. Maybe Aaron changed something to try to save room in the database. Not sure at this point, but the line breaks do seem to disappear when the post is saved. Or at least they did yesterday.

Regards,
JMI
  #7  
Old 01-10-2005, 03:35
chad1111
Cool - thanks all for the info.... this is what I needed to know


thanks again
  #8  
Old 01-10-2005, 21:02
etherlord
This page is also interesting; the part on how you can prevent the furtive installation of a BHO by modifying the security on a single key may interest some people, I think....

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
hxxp://www.ciac.org/ciac/techbull/CIACTech02-002.shtml

etherlord