Radsoft

Alternate Search Engines?

November 1, 2001 12:24 AM UTC
People have seen 'porn popups' lash out at them and been clueless where they come from. Here's the answer.

For some time Windows users have seen weird things happening to their desktops - weirder than usual, that is. Suddenly, as if out of nowhere, porn popups appear: click-through screens generated to give someone an added income. They have been insidious and almost impossible to stop, and they have not been generated by the pages people visited either.

News groups have been riddled with reports of these porn popups, and no one has been able to adequately root out their cause. Some contributors have looked to their Registry for the answer, others have looked to their disks.

Those in this latter group were closer to their target. The answer lies in what Microsoft again, for the umpteenth time, would prefer to call an 'enhancement' to their browser Internet Explorer. Starting with version 5.0 and continuing in version 6.0, IE redirects to an MSN site when a URL cannot be found. That this hardly helps anyone but Microsoft is almost beside the point. What makes it critical, however, is - you guessed it - that this both can be and has been exploited by the 'porn sites'.

The most active of these porn sites is a web ring based at BASTUN.NET and comprising domains such as Horny Demon, Ancient Media, and YOURSEARCH.ORG. By implementing an incredibly simple script, these sites and their subsidiaries are able to redirect IE to their own web site, where a stealth window can thereafter be opened. And once the stealth window is opened, these porn masters more or less own the user's desktop. Working on delays and refreshes, the sites begin popping up click-through windows to their porn sites and other 'attractions'.

The key to stopping this fraudulent exploitation is both to close down IE properly - that is, disallow most of its so-called enhancements, Java, and scripting in general - and to closely guard the system HOSTS file.

The system HOSTS file is located in the Windows directory on 9x boxes and in the system32/drivers/etc directory on NT boxes. The porn script will add a line to this file (or create it if it does not exist) with the following or equivalent text.

xxx.xxx.xxx.xxx auto.search.msn.com

Here xxx.xxx.xxx.xxx is the IP they want to redirect you to. This IP can vary, but most often it leads either to a vanity domain at the Ancient Media site or to yoursearch.org directly. The effect is the same: once you have accessed one of these sites, the stealth window is loaded and the user desktop is 'toast'.

There are ways of guarding against this attack, of course. First of all, keep your eyes open. If you hit a URL that doesn't exist and you don't end up at MSN, check your hosts file immediately, close down all instances of IE, check your process list for lingering (stealth) instances and 'kill' them, then reboot your machine. Use a Registry cleaner such as E3 to make sure nothing of the insidious URL remains there either.

If you are running CIP then check regularly by reloading your hosts file and looking for extraneous entries. And a CIP validation run will automatically clear out any references to the MSN search URL as Microsoft uses dynamic IP resolution for this site.
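The two checks above (reading the HOSTS file for the line the script plants, and looking for other extraneous entries) can be done with a few lines of script. What follows is an added example, not code from the original article or from radsoft.net's tools: it parses HOSTS-file text, flags any entry for auto.search.msn.com (the hostname the article says the script remaps) as a hijack, and marks any other non-loopback mapping for review. The sample file, its IP addresses, and the Windows paths used as defaults are constructed here; only the hostname comes from the article.

```python
import ipaddress
import os

# Hostname the article says the porn script remaps in HOSTS. Other
# hostnames an administrator wants guarded can be added (assumption:
# only the one named on the page is listed here).
WATCHED_HOSTS = {"auto.search.msn.com"}

# HOSTS locations as described in the article (9x vs NT); both are
# derived from the environment at runtime rather than hard-coded.
HOSTS_PATH_NT = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"),
                             "system32", "drivers", "etc", "hosts")
HOSTS_PATH_9X = os.path.join(os.environ.get("windir", r"C:\WINDOWS"), "hosts")

# Constructed sample HOSTS file (not from the article). 192.0.2.0/24 is
# the documentation range, standing in for the xxx.xxx.xxx.xxx the
# script would write.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
192.0.2.10      auto.search.msn.com   # injected line of the kind the article describes
10.0.0.5        intranet.example.test
"""


def parse_hosts(text):
    """Return (lineno, ip, [hostnames]) for each data line of HOSTS text.

    Comments (from '#' to end of line) and blank lines are skipped; a
    line with an address but no hostname is ignored as malformed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_suspicious(text, watched=WATCHED_HOSTS):
    """Return (lineno, hostname, ip, verdict) findings for HOSTS text.

    'hijack'  - a watched hostname is mapped to any address at all.
    'review'  - some other hostname is mapped to a non-loopback address;
                legitimate on a box with intranet entries, so this is a
                heuristic to be read by a human, not an automatic alarm.
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in watched:
                findings.append((lineno, host, ip, "hijack"))
            elif host != "localhost" and not is_loopback(ip):
                findings.append((lineno, host, ip, "review"))
    return findings


def hijacked_hosts(text, watched=WATCHED_HOSTS):
    """Set of watched hostnames that appear in the HOSTS text."""
    return {host for _, host, _, verdict in find_suspicious(text, watched)
            if verdict == "hijack"}


def check_file(path):
    """Read a HOSTS file from disk and return its findings ([] if absent)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="ascii", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_HOSTS):
        print("line %d: %s -> %s [%s]" % finding)
```

Run it as-is to see the verdicts for the constructed sample; on a real machine, call check_file on HOSTS_PATH_NT or HOSTS_PATH_9X. Any 'hijack' line is exactly the symptom the article describes: a non-existent URL that no longer lands at MSN.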

radsoft.net will also have a free tool available soon which will automatically alert Windows users to corruption of their hosts cache, so stay tuned.

Note: This exploit - yes, you've heard it before - only befalls Windows users who are also using IE 5.0 or later.

See Also
Hosts Alert!
For All His Billions
Anthology MS: Greatest Hits

Copyright © Radsoft. All rights reserved.