
On a recent trip home to my parents' house I was asked to do what most tech-savvy guys are asked: “Please fix my computer.” This time around I found my parents' computer had been infected with something that left both Google and Yahoo search results being diverted to parked advertising sites. It was pretty frustrating, and made using the internet almost impossible. Do a search for almost anything and the results would look fine, but the click would go somewhere other than the intended site. Mom wanted to toss the computer out the window several times over the last few months of dealing with this problem.

Numerous anti-virus applications had been downloaded and installed in an effort to fix the problem, but nothing was working. Whatever was making this happen wasn't still on the system. So I checked the Internet Explorer add-ons for anything suspicious. Nothing. Then I decided to install Google Chrome, but when I went to the download page everything was in Dutch. Hmmm. I know Google does some IP geolocation to determine a default language for their site, so something must be rerouting the traffic through Holland.

Running traceroute on the command line revealed the problem: google.com was resolving to an IP address of a hosting company in the Netherlands. It seems that some malware had gotten onto the computer and modified the hosts file to redirect search traffic to a proxy service. It's a scary thought. Everything going to and from google.com or yahoo.com was potentially being sniffed and injected with any number of malicious attacks.

I tried to edit the hosts file, but it was hidden and locked up. Grr. A quick search, though, turned up a Microsoft support Fix-it script that could revert the hosts file. Everything was fixed.
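As an added example (not the author's fix and not the Microsoft Fix-it script), the check below parses a hosts file and flags exactly the pattern the last two paragraphs describe: a well-known public domain mapped to a routable address, so the browser still shows google.com while every request goes to someone else's server. The hosts content in the block is constructed, the 203.0.113.45 address comes from the RFC 5737 documentation range and stands in for the hosting-company IP, and the WATCHED_DOMAINS set is an assumption you would tune.

```python
"""Find and strip hosts-file hijacks like the one described above.

Added example, not the author's script or the Microsoft Fix-it. The
hosts content below is constructed; 203.0.113.45 is from the
TEST-NET-3 documentation range (RFC 5737), standing in for the
"hosting company" address the author saw.
"""
import ipaddress
import sys
from typing import List, NamedTuple

# Domains whose hijack is most lucrative for the attacker (assumption:
# extend this set to match whatever matters on the machine you scan).
WATCHED_DOMAINS = {"google.com", "yahoo.com"}

# Ranges a hosts entry may legitimately point a public name at: RFC 1918,
# IPv4 link-local, IPv6 unique-local and link-local. Loopback and the
# unspecified address are handled separately below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<ip> <name> [<name> ...]' lines; '#' starts a comment.
    Lines whose first token is not an IP address are skipped, which is
    what the resolver does with them too."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(lineno, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def is_watched(name: str) -> bool:
    """True for a watched domain or any subdomain of one (www., search., ...)."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def is_suspicious(entry: HostsEntry) -> bool:
    """A watched public name mapped to a routable address is the hijack
    pattern. Loopback (ad-blocking lists) and LAN ranges (lab setups) are
    the normal legitimate uses of a hosts override and are not flagged."""
    ip = ipaddress.ip_address(entry.ip)
    if ip.is_loopback or ip.is_unspecified or any(ip in net for net in LOCAL_NETS):
        return False
    return any(is_watched(n) for n in entry.names)


def find_hijacks(text: str) -> List[HostsEntry]:
    return [e for e in parse_hosts(text) if is_suspicious(e)]


def clean_hosts(text: str) -> str:
    """Return the hosts content with only the hijack lines removed; every
    other line (comments, localhost, ad-block entries) is kept verbatim."""
    bad = {e.lineno for e in find_hijacks(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample resembling the infected file: two legitimate-looking
# overrides plus the redirect of both search engines to one proxy address.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net      # ad-block style entry, fine
192.168.1.20    nas.home             # LAN host, fine
203.0.113.45    google.com www.google.com
203.0.113.45    yahoo.com www.yahoo.com search.yahoo.com
"""


def main(argv: List[str]) -> int:
    # Pass the real file to scan a live machine, e.g.
    # C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hijacks = find_hijacks(text)
    for e in hijacks:
        print(f"line {e.lineno}: {', '.join(e.names)} -> {e.ip}  (hijack)")
    if not hijacks:
        print("no hijacked entries found")
    return 1 if hijacks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two flagged lines in the sample, or with the path to the machine's hosts file to check a live system. The script only reports and hands back a cleaned copy; writing that copy over the real file needs administrator rights and, as the author found, clearing the hidden and read-only attributes first. It also checks only the hosts file: the same symptom follows from altered DNS server or proxy settings, which this check does not cover.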

But that got me thinking about how much money whoever had this proxy server running was making. Even just redirecting the search results from every infected computer, they would easily be getting massive amounts of traffic. They could have stolen massive numbers of Gmail account passwords, and injected their own links into any Google AdSense ads.

If this had been deployed across some of the larger botnets, then the number of infected computers could be in the 100,000+ range. With one click per infected computer per day that's a lot of traffic, and with some smart affiliate links it would be making tens of thousands of dollars in profit (minimum) per day. A stunning amount of money being made from a simple script and a proxy server.

If the proxy server had been just a little more discreet with the redirections, it may never have even been noticed…