looking for adware info and homepage hijacker info

hello all

i'am looking for info on the tricks on how they "hide" adware and homepage hijacker on a computer.and looking for any I.E tricks on how they do this...

thanks

[LouCypher]

Use FileMon and RegMon and log access by HijackThis.exe while it does a scan.
http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml
http://www.spywareinfo.com/~merijn/

ok thanks

any web site on programming tips? i want to learn how they make it..and what tricks they uses like how some of the homepage hijacker. embeded them self into I.E...and info on ALL the I.E registry setting....


thanks

All of the important IE reg settings are under
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\

Some of the most popular keys are in
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLS

These control the behavior when a site is not found, the blank page, offline pages. The best list of what you can do to IE is actually in Microsoft's new beta AntiSpyWare program (ex-giant software). If you go to their 'Restore Hijacked Interenet Explorer Browser Settings' page, you can see all the hot points. By searching for the current setting (or modifying and searching) you can find all the equivilent registery settings.

Good luck, WCFF

I certainly hope you aren't planning on writing more malware, but...
Most browser hijackers are implemented as browser helper objects (BHOs). A general run-down on what they are and how to write one can be found at:
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
I'm sure there are lots of other ways to hook your code into IE, but that's the most common way.
Now, as far as getting it installed on a user's computer, that's just a matter of finding a software exploit somewhere. Probably the best real-world example was the Java bytcode verifier bug in Microsoft's Java VM. That particular exploit was, well...gang raped by spyware authors. MS finally patched their VM, but it's a far better thing to remove it entirely and use Sun's instead. MS is no longer allowed to distribute a Java VM anyway due to eariler lawsuits by Sun.
But I digress. Probably the biggest, most persistant method of getting spyware installed is through exploiting security zones. In most browsers, you have a system of zones that you classify web content by. For example, IE uses: Internet, Local Intranet, Trusted Sites, and Restricted Sites. Each one has different "permissions" for code execution. Nearly all browsers implement something similar to this - I believe it was Netscape that actually started this madness. It looks good on paper, but it gave birth to a whole class of exploits called "cross-zone scripting exploits". I haven't done enough reading to cite specific examples or how-tos, but the general idea is this: by using various tricks with HTML, vbscript, javascript, etc., you can sometimes convince the browser that a particular web page, or portions of it, belong in a different (and more permissive) zone.
Cross-zone scripting exploits have been especially bad in IE because in addition to the four zones shown on the security tab of your internet settings, there's a 5th zone, the "local machine" zone, which is basically invisble to users, and which has virtually unrestrained access to the machine. By crossing into the local machine zone, you could get the browser to execute just about anything you wanted to. For years, Microsoft has been discreetly warning people that the zone exists, and that they need to lock it down tighter, but they haven't exactly advertised the problem to end users. Finally, they have at least tried to fix the problem as of XPSP2:
hxxp://msdn.microsoft.com/security/productinfo/xpsp2/securebrowsing/locallockdown.aspx
However there are already some known exploits that manage to circumvent the new security:
hxxp://secunia.com/advisories/12889/
Anyway, this should give you a few leads for google. I'm sure there are lots of other methods employed, but AFAIK, those are the big ones.
Edit: Ok, I'm not sure why, but all of a sudden Exetools isn't honoring line breaks for me. Sorry. It works in preview, but then it strips the blank lines out of the post

[JMI]

I have the same result here. Maybe Aaron changed something to try to save room in the database. Not sure at this point, but the line breaks do seem to disappear when the post is saved. Or at least they did yesterday.

Regards,

cool - thanks all for the info....this is what i needed to know


thanks again

This page is also interesting, the part on how you can prevent the
furtive installation of BHO by modifying the security on a unique
key can interest some people I think....

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
hxxp://www.ciac.org/ciac/techbull/CIACTech02-002.shtml

etherlord