Go Back   EXETOOLS FORUM > General > General Discussion


Thread Tools Display Modes
Old 01-07-2005, 06:35
Posts: n/a
looking for adware info and homepage hijacker info

hello all

i'am looking for info on the tricks on how they "hide" adware and homepage hijacker on a computer.and looking for any I.E tricks on how they do this...

Reply With Quote
Old 01-07-2005, 06:45
LouCypher LouCypher is offline
Join Date: Aug 2004
Posts: 41
Rept. Given: 5
Rept. Rcvd 9 Times in 9 Posts
Thanks Given: 0
Thanks Rcvd at 2 Times in 2 Posts
LouCypher Reputation: 9
Use FileMon and RegMon and log access by HijackThis.exe while it does a scan.
Reply With Quote
Old 01-07-2005, 09:50
Posts: n/a
ok thanks

any web site on programming tips? i want to learn how they make it..and what tricks they uses like how some of the homepage hijacker. embeded them self into I.E...and info on ALL the I.E registry setting....

Reply With Quote
Old 01-09-2005, 13:08
Posts: n/a

All of the important IE reg settings are under
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\

Some of the most popular keys are in
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLS

These control the behavior when a site is not found, the blank page, offline pages. The best list of what you can do to IE is actually in Microsoft's new beta AntiSpyWare program (ex-giant software). If you go to their 'Restore Hijacked Interenet Explorer Browser Settings' page, you can see all the hot points. By searching for the current setting (or modifying and searching) you can find all the equivilent registery settings.

Good luck, WCFF
Reply With Quote
Old 01-09-2005, 13:58
Posts: n/a
I certainly hope you aren't planning on writing more malware, but...
Most browser hijackers are implemented as browser helper objects (BHOs). A general run-down on what they are and how to write one can be found at:
I'm sure there are lots of other ways to hook your code into IE, but that's the most common way.
Now, as far as getting it installed on a user's computer, that's just a matter of finding a software exploit somewhere. Probably the best real-world example was the Java bytcode verifier bug in Microsoft's Java VM. That particular exploit was, well...gang raped by spyware authors. MS finally patched their VM, but it's a far better thing to remove it entirely and use Sun's instead. MS is no longer allowed to distribute a Java VM anyway due to eariler lawsuits by Sun.
But I digress. Probably the biggest, most persistant method of getting spyware installed is through exploiting security zones. In most browsers, you have a system of zones that you classify web content by. For example, IE uses: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Each one has different "permissions" for code execution. Nearly all browsers implement something similar to this - I believe it was Netscape that actually started this madness. It looks good on paper, but it gave birth to a whole class of exploits called "cross-zone scripting exploits". I haven't done enough reading to cite specific examples or how-tos, but the general idea is this: by using various tricks with HTML, vbscript, javascript, etc., you can sometimes convince the browser that a particular web page, or portions of it, belong in a different (and more permissive) zone.
Cross-zone scripting exploits have been especially bad in IE because in addition to the four zones shown on the security tab of your internet settings, there's a 5th zone, the "local machine" zone, which is basically invisble to users, and which has virtually unrestrained access to the machine. By crossing into the local machine zone, you could get the browser to execute just about anything you wanted to. For years, Microsoft has been discreetly warning people that the zone exists, and that they need to lock it down tighter, but they haven't exactly advertised the problem to end users. Finally, they have at least tried to fix the problem as of XPSP2:
However there are already some known exploits that manage to circumvent the new security:
Anyway, this should give you a few leads for google. I'm sure there are lots of other methods employed, but AFAIK, those are the big ones.
Edit: Ok, I'm not sure why, but all of a sudden Exetools isn't honoring line breaks for me. Sorry. It works in preview, but then it strips the blank lines out of the post

Last edited by tbone; 01-09-2005 at 14:01.
Reply With Quote
Old 01-10-2005, 02:45
JMI JMI is offline
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 3 Times in 3 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
I have the same result here. Maybe Aaron changed something to try to save room in the database. Not sure at this point, but the line breaks do seem to disappear when the post is saved. Or at least they did yesterday.

Reply With Quote
Old 01-10-2005, 03:35
Posts: n/a
cool - thanks all for the info....this is what i needed to know

thanks again
Reply With Quote
Old 01-10-2005, 21:02
Posts: n/a
This page is also interesting, the part on how you can prevent the
furtive installation of BHO by modifying the security on a unique
key can interest some people I think....

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code

Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
TIB/PEB Info for X64 mesagio x64 OS 2 08-13-2011 17:39
Need some info. hobgoblin General Discussion 3 06-29-2004 05:14
need info tryin2learn General Discussion 4 07-08-2003 15:12

All times are GMT +8. The time now is 20:17.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX