The Assistant's Rebellion: Browser Hijacking (vulnerability warning)
Black Bar Security Net (www.myhack58.com), MYHACK58:6220067599
Author: 佚名 (anonymous)
Published: Mar 04, 2006
I. Who misled the browser?

It is the New Year holiday and Mr. Wang's home is full of guests. Normally buried in work, Mr. Wang finally has a break, but the guests have brought along a few children who clamor to get online, so he has to hand over the computer in the bedroom to them. When the guests finally leave in the evening, Mr. Wang decides to browse the news before going to bed. But when he opens IE, it automatically connects to some unknown website, and his Favorites are full of strange sites. Worried that the system is infected with a virus, he quickly types in the address of an online antivirus tool, only for IE to open yet another unrelated site. The IE address bar shows the correct antivirus URL, yet the content below it has nothing to do with it. Mr. Wang is thoroughly confused…

I believe many users have had similar strange experiences. Who exactly is taking our browser to a strange place?

In recent years, attacks against the browser have multiplied, and penetrating the browser has gradually become an intruder's primary route through a user's layers of defense. While the "phishing" crisis is still with us, another attack is spreading at the same time: the "browser hijacker", a route planner that deliberately misleads the browser.

"Browser hijacking" (Browser Hijack) is a network attack technique different from ordinary Trojan and virus infection. It has many infiltration paths; currently the most common carriers are BHOs, DLL plug-ins, hook techniques and Winsock LSPs, all of which are used to tamper with the user's browser. These carriers can be parasitic directly in browser modules, becoming part of the browser and then directly manipulating its behavior. In mild cases they take the user to a site of their choosing; in serious cases they collect sensitive information on the user's computer and compromise the user's privacy. The consequences of browser hijacking are severe: the user usually notices only after something abnormal happens, by which time it is too late. Browser hijacking has currently become the biggest threat to Internet users.

II. BHO, are you an assistant or a foe?

Why can "browser hijacking" be so rampant? Browse any forum's help posts and you constantly see things like "My IE home page has been changed; I scanned with an antivirus tool and found nothing; I set the home page back to my own address, but after a reboot it changes again!" or "My system pops up an ad at boot, and I'm using the latest antivirus!" Among such posts about IE abnormalities, 80% of the askers express surprise that they have antivirus software installed yet IE is still "blackened". Why is that?

These are in fact typical "browser hijack" symptoms. But the victims already have antivirus installed, so why can't the browser escape the black hand? Many users have a mistaken belief here: "Browser hijacked? I have the latest antivirus, I'm not afraid!"

So when they do run into a "browser hijacker", they are taken by surprise.

You must understand that antivirus software is only an auxiliary tool; it cannot completely protect the system. Beyond that, the user must know one fact: "browser hijacking" is carried out through "legal" means recognized by the system! Antivirus decides whether a program is legitimate purely by "signatures", which are defined by people after the fact, and the programs that can implement a "browser hijack" are many, so they are hard to detect.

Why do we say "browser hijacking" is "legitimate"? Because most browser hijackers are implanted into the system through a technique called the BHO (Browser Helper Object).

BHO is an industry standard that Microsoft launched as early as 1999 to give third-party programmers an open interaction interface to the browser. It lets programmers use simple code to enter the browser's "interactive interface" (Interactived Interface). Through the BHO interface a third-party programmer can write code to obtain notifications of browser behaviors (Actions) and events (Events), such as "Back", "Forward" and "current page", and can even obtain information about the browser's components, such as menus, toolbars and coordinates. Because BHO is interactive, the programmer can also use code to control browser behavior, for example the common replacement of the browser toolbar, or adding their own application buttons to the browser interface. All of these operations are considered "legitimate", and that is where all the evil begins.

BHO appeared to help programmers personalize the browser better, or to give their own programs simple and easy interaction with it. It is fair to say that without the BHO interface we would not have the tools that personalize IE today. From one point of view BHO is the unsung hero behind many interesting interactive online features, but everything has two sides, and this ancient truth applies to BHO as well: it is what gave birth to the "browser hijacking" attack that gives the security world such a headache today.

Given the BHO interface features I mentioned, what do you expect? A BHO can learn about and act on most of the browser's events and functions, which means it can control browser behavior with a small amount of code. A programmer can design a BHO button so that when the user clicks it the browser is notified and jumps to a page, completing an interactive function; naturally one can go one step further and write a BHO that drives the browser to the page the author wants the user to visit. This is the origin of the first kind of "browser hijacking": the BHO hijack.

Before describing BHO hijacking, a brief introduction to the BHO interface. Program code that meets the BHO interface standard is written as a DLL (Dynamic Link Library), registered in the registry as a COM object, and additionally registered as a component under the BHO interface's registry entry. On every subsequent launch, IE consults the registration information recorded there and loads the DLL; the DLL thereby becomes an IE module, the BHO component, sharing IE's run cycle until IE is closed.

When IE starts it loads every BHO component; these components enter IE's domain directly, and IE becomes their parent process and carrier. From then on each IE event is passed through the IUnknown interface to the IObjectWithSite interface that the BHO provides for interaction; this is the entry point through which a BHO interacts with IE.

After the BHO receives the interface parameter passed by IE, it starts judging what IE is doing. In theory a BHO can obtain most IE events and then, according to the programmer's code, decide how to respond to a particular event. For example, a BHO implementing "Chinese web addresses" obtains the URL IE is currently opening through the GetSite method, or learns it through the IURLSearchHook interface; if the BHO finds that the URL matches its built-in condition, it uses the SetSite method to force IE to jump to the page set by the programmer. This is also the "browser hijack" technique that tampers with the about:blank home page, and its principle is actually quite simple: a programmer writes a malicious BHO component which, when it sees that the current site in the IE window is "about:blank", forces IE to jump internally to a specific advertising page. That is the story behind the "IE blank page hijacking" incident that caused an uproar not long ago.

Once the modus operandi of this kind of prank is known, solving it is easy: find and delete the BHO program hidden in the system.

Besides "adware"-style BHOs, there is another, subtler type implemented through the IURLSearchHook interface. In some sense it may not be a BHO at all, because it does not respond to IUnknown but waits for IE to create the IURLSearchHook before it starts. IURLSearchHook is what the browser uses to convert a URL with an unknown protocol. When the browser tries to open a URL whose protocol it does not recognize, it first tries to work out the protocol from the address itself; if that fails, it looks up every "URL Search Hook" (USH) object registered in the system and hands them the address IE does not understand. If a USH object "knows" the address, it returns an identifier telling IE it knows how to open it, IE then calls it by the agreed method, and the address is finally opened. USH objects are nothing new: lazy users often save themselves typing "http://", and IE still recognizes and opens the address thanks to a USH. But malicious programmers have picked this up too: by creating their own USH object, a malicious programmer can make IE jump automatically to a preset site when it looks up certain addresses, and if that site is poisoned or hosts a Trojan, the user is done for.

The remedy for this type of BHO is the same as before, only it is more covert: unless the user is frequently lazy, they may not know they are infected with this thing until the system collapses. You might say: as long as the user never types something IE cannot recognize, isn't this infiltration in vain? But the facts are not so optimistic: we cannot know whether the BHO's author will intercept IE by other methods, perhaps popping up an ad from IE every so often.

Having described so many cases of BHO and IE cooperating in sabotage, I may have given readers the misconception that "a BHO must wait for IE to pass it data before it can act". That is not the case. The browser itself is a standard executable program, and the BHO is just a DLL that starts by borrowing the application's process; it is not an API DLL that only does work when called and is kicked aside afterwards. As mentioned above, a BHO is a routine loaded when the browser starts, equivalent to a self-running sub-process with its own, not entirely clear, logic, which contains the code that responds to IE's events and operates on them. This is the essential difference between a BHO DLL and an API DLL: a BHO does not need to rely on the host for every event; it has its own decision-making power, and with suitable modifications a BHO can be made to achieve functions similar to a DLL Trojan. Of course, this does not mean it can blatantly do anything it likes under IE's nose; since the BHO starts as IE's sub-process it is subject to some restrictions. For example, the programmer cannot create a network connection inside it, as that will crash IE, so anyone writing such a DLL in the hope of turning a BHO into another backdoor should let the user breathe a little easier: Winsock inside a BHO can probably only be used while IE is idle, and what user opens an empty IE and does nothing with it?

But this does not mean a BHO is necessarily harmless. Although it cannot do remote control, don't forget that a BHO can see everything IE does and can also access the user's files and the registry at will. Under the right conditions an intruder can write code that finds the user's private data and then, at a suitable moment, submits it through SetSite, and who doesn't use Webmail nowadays? This is why many vendors that release BHO-based features such as "Chinese web addresses", "network search", "IE assistant" and "IE monitor" have to promise at the same time that they "do not collect user privacy": a BHO can get everything, as long as it wants to.

Some may think: since BHO is a right Microsoft granted to its own browser, I'll just not use IE; I'll use Opera or Firefox. That is understandable, but do you use Windows? Do you use shareware? If you use Windows you may still be in contact with the BHO world, because Windows itself is tightly bound to IE, which expands the scope of "IE processes". An attentive user will notice that IE can directly access "My Computer", and a "My Computer" window can quickly turn into IE, because both essentially depend on the IE core. For this reason a BHO can secretly start when you open a folder. At the same time, we are in an era where "shareware bundling strategies" are widely practiced, so however careful you are you cannot avoid the BHOs that some shareware bundles: after installing you find yet another "assistant" or "search" in the folder. To escape the BHO siege completely, you would probably have to give up Windows.

III. Hook, you hooked the browser.

"Life finds its way." -- Jurassic Park

As that line from Jurassic Park says, intruders are constantly looking for new ways out. Although I have described so many negative BHO cases, the real crisis is not only BHO; in situations where a BHO doesn't work, the invaders cast their hooks.

What is a hook? Let's look at its official definition:

A hook is a mechanism of the Windows message-handling platform. An application can set a subroutine to monitor a certain message for a specified window, and the monitored window can be one created by another process. When a message arrives, it is processed before the target window's procedure handles it. The hook mechanism allows an application to intercept and process window messages or specific events.

A hook is actually a program segment that processes messages and is hooked into the system through a system call. Whenever a particular message is sent, the hook program captures it before it reaches the destination window, i.e. the hook function gains control. The hook function can then process and alter the message, pass it on without processing, or forcibly end the message's delivery.

The official definition above may be hard for some readers. In fact a hook is like a "prophet" among programs: a program implementing a hook is itself an ordinary program, but it always knows everything before another program gets the data. Why? Readers with some understanding of Windows know that Windows operates through a "message processing mechanism": in this system data is transferred in the form of messages (Message), and each message follows an official convention, otherwise the system cannot respond to it. Moreover, the direction of this transfer is the reverse of what you might expect. For example, when we close a program we might think the program closes itself and then notifies the system; in fact, when the user clicks the Close button, Windows passes a message called WM_CLOSE to the program, and the program performs its unloading routine after receiving it. Understanding this, you can see the principle of hooks: a hook program uses the Hook API provided by the system to receive system messages ahead of every other program and then deal with them. If a hook intercepts the WM_CLOSE message that the system sends to a program, that program will never receive the close message and will be unable to close itself. Besides messages, hooks can intercept APIs too: the screen-translation software we are all familiar with achieves its purpose by hooking text-output functions such as TextOutA.

Hook technology lets programmers easily obtain useful data from other programs or transfer related data. The game plug-ins common today use hook technology to hook onto the game window, recognize the game's behavior inside it, and simulate mouse and keyboard messages, so that the computer ends up playing the game by itself. Bring this technology to the browser and it becomes another way to control browser behavior.

There are two kinds of hooks, the local hook (Local Hook) and the global hook (Global Hook). A local hook only works within the current process and is outside the scope of this discussion; global hook code must be written as a DLL so that it can be loaded and called by other processes once the hook takes effect, which is why most hook programs we see are in DLL form.

Actually the BHO mentioned earlier can also be seen as a hook for IE: it hooks IE's events, which is the starting point of the interaction between IE and the BHO. But for slightly more complex operations, for instance determining whether IE is downloading a GIF or a JPEG image, a BHO is powerless, because it only knows IE's DownloadBegin and DownloadComplete events; IE itself will not tell it the specific content, otherwise IE would be busy to death. At least I have never seen a boss who needs his secretary to report whether he ate chicken or duck at lunch; a BHO is not IE's wife, and IE is not henpecked.

So, to get more data from IE, programmers began hooking IE. Unlike a BHO, a hook does not need to wait passively for IE events; it establishes a direct boss-to-subordinate relationship with IE, so that much of what IE does must first pass its approval. A hook-form control does not need a DLL tied to IE through registry component entries; it can be a separate DLL started through Rundll32.exe or by its own loader EXE, and because it is a hook, once it takes effect it is automatically inserted into other programs' processes. Isn't that a bit like a DLL Trojan?

An IE hook program, once loaded, is informed of all message types, APIs and contents. When it finds a message that meets its requirements, such as IE executing an event or the user typing specific content, the hook's processing code starts working: it first intercepts the message the system sends to IE, then analyzes its content, modifies it according to that content and passes it on to IE, completing a hook tampering process. Take the well-known 3721 real-name search as an example. Some think it uses a BHO or IURLSearchHook to recognize a Chinese domain name and jump; in fact it may use Windows message hook technology to get in first, so as to prevent competitors from pre-empting the resolution of the domain name. 3721's main program is a hook DLL that monitors the messages of the IE address bar; once the user inputs Chinese, it intercepts the message before other BHO-type plug-ins get to work, calls its own code to convert the Chinese domain name into an English URL, and then returns; possibly it also cooperates with its own BHO DLL to send IE a message that makes it jump to the English URL, completing the domain translation task.

IE hooks help programmers complete more IE interaction with a small amount of code, but once such a hook is used for crime the consequences are also serious: a malicious programmer can write a keyboard hook that intercepts IE's input to steal passwords, so whether you use the plaintext HTTP protocol or the encrypted HTTPS protocol you cannot escape having the password stolen, because it captures your input inside IE; the later data transmission is irrelevant.
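The point above that a global hook has to live as a DLL inside the process it hooks suggests a simple check. The PowerShell script below is an added example, not code from the original article: it lists the modules loaded into the browser processes and flags those without a valid Authenticode signature, which is where an injected hook DLL would appear. The process names iexplore and explorer are assumptions; adjust them to the browsers actually installed, and run elevated for complete module lists.

```powershell
# Added example (not from the original article): list the DLLs mapped into running
# browser processes and flag those without a valid Authenticode signature.
# A global hook DLL must be loaded into the process it hooks, so it shows up here.
# Assumes a Windows host; the process names are assumptions.

function Get-BrowserModules {
    param([string[]]$ProcessNames = @('iexplore', 'explorer'))

    foreach ($proc in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        # Module enumeration can fail on 32/64-bit mismatches or access denial.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $status = try {
                (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            } catch { 'Unknown' }
            [pscustomobject]@{
                Process   = $proc.ProcessName
                Pid       = $proc.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = $status   # Valid, NotSigned, HashMismatch, ...
            }
        }
    }
}

# Anything without a valid signature deserves a second look: to the process itself
# a vendor toolbar DLL and an injected hook DLL look exactly the same.
Get-BrowserModules |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Process, Pid, Module, Path, Signature -AutoSize
```

A valid signature only tells you who built the DLL, not whether it belongs in the browser; an unsigned module or one whose file no longer matches its signature is the first thing to investigate, and the path tells you whether it was installed with the system or dropped somewhere unusual.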

IV. Winsock LSP

The full name is "Windows Socket Layered Service Provider", a layered service provider and a feature only of Winsock 2.0. It requires the Winsock Service Provider Interface (SPI) to be implemented. The SPI is an independent piece of work: it depends on the basic protocol providers already present in the system, such as the TCP/IP protocol, and the sub-protocols branched off from these are the "layered protocols", such as SSL, which must be called through certain interface functions; the LSP is the interface for these protocols.

Through an LSP we can analyze the basic protocols in stages and obtain the data we want more simply, for instance directly obtaining the addresses and contents that the browsers running on the system are currently transmitting, regardless of whether the browser is IE, Opera or Firefox, because the LSP gets its information directly from Winsock. Even if your car isn't made by Microsoft, it is still running on a road Microsoft built.

An LSP used in the right way may let programmers conveniently write sniffers that monitor the system's network communications, but the LSPs commonly seen today are used for browser hijacking, which is even more of a nightmare for users.

V. Remedy after the fact, or be prepared?

Perhaps most home users only learn the importance of security precautions after experiencing a virus or poisoning incident. A remedy after the fact is certainly good, but if you raise your own standards, wouldn't preparing for a rainy day be better? We always depend on someone else's technology and someone else's killing patterns, but those are always someone else's things, and control is not in our own hands, which is not a good thing. Perhaps it is time to temporarily give up the game leveling, the star collecting and the movies, and spend the time studying some books on security and system theory; otherwise, in an insecure network, we may lose ourselves.

Some may feel I am making a fuss over nothing. Perhaps, but removing a "browser hijacker" generally has to be done manually. There are now several browser-hijack detection tools such as HijackThis and Browser Hijack Recover, but if you hold the same "run a scan and relax" attitude you used with antivirus tools, you will find yourself truly lost, because of the BHO's special status: don't forget it is legal. These tools will only show you the system's processes, BHO items, startup items, LSPs and other things that require some technical foundation to understand, and then the fate of IE tomorrow is up to your own decision. If you have never valued security techniques, you will regard these tools as another kind of virus torturing you.
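As an added example (not part of the original article), the PowerShell script below does by hand what the tools named above display: it walks the BHO registration point and the URL Search Hook registration described in section II, and the Winsock LSP catalog of section IV, resolving each CLSID to the DLL it loads and that DLL's signature status. The registry paths are the standard Windows locations for these objects; the "Provider Path:" line format of the netsh output is an assumption, and the script assumes a Windows host and an elevated PowerShell.

```powershell
# Added example (not from the original article): enumerate the IE extension points
# the article describes and resolve each CLSID to a DLL and its signature status.
# Registry paths are the standard Windows locations; assumes Windows, run elevated.

function Resolve-Clsid {
    param([string]$Clsid)
    # COM classes can be registered machine-wide, per user, or under WOW6432Node for
    # 32-bit IE on 64-bit Windows. A per-user entry shadowing a system one is itself
    # worth a look, so the root that answered is reported too.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
    foreach ($root in $roots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path $key)) { continue }
        $raw = (Get-ItemProperty -Path $key).'(default)'
        if (-not $raw) { $raw = '' }
        $dll = [Environment]::ExpandEnvironmentVariables($raw)
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        return [pscustomobject]@{ Clsid = $Clsid; Dll = $dll; Signature = $sig; Root = $root }
    }
    [pscustomobject]@{ Clsid = $Clsid; Dll = '<no InprocServer32>'; Signature = 'n/a'; Root = '' }
}

'== Browser Helper Objects (loaded by IE at every start) =='
$bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = foreach ($root in $bhoRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root | ForEach-Object { Resolve-Clsid $_.PSChildName }
    }
}
$bhos | Format-Table -AutoSize

'== URL Search Hooks (consulted for addresses IE cannot parse) =='
$ushKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path $ushKey) {
    # Each value name under this key is the CLSID of a registered USH object.
    (Get-Item -Path $ushKey).GetValueNames() |
        Where-Object { $_ -like '{*}' } |
        ForEach-Object { Resolve-Clsid $_ } |
        Format-Table -AutoSize
}

'== Winsock LSP catalog (provider DLLs sit beneath every Winsock client) =='
# Assumption: netsh prints one "Provider Path: <dll>" line per catalog entry.
netsh winsock show catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $p = [Environment]::ExpandEnvironmentVariables($Matches[1])
        $sig = if (Test-Path $p) { (Get-AuthenticodeSignature -FilePath $p).Status } else { 'FileMissing' }
        [pscustomobject]@{ ProviderDll = $p; Signature = $sig }
    }
} | Sort-Object ProviderDll -Unique | Format-Table -AutoSize
```

Read the output the way the article asks you to: a CLSID whose InprocServer32 points at a DLL under a user profile or temp directory, an entry that resolves only through HKCU, or an LSP provider that is not one of the system's own Winsock DLLs is the kind of item these tools leave for you to judge, and removing a BHO or USH entry means deleting its registration, not just the file.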

Learn, or not learn? That is something we must consider…