0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0
[Defacing The Art Of Hijacking, Spamming And EMail Viruses]
0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0

[HIJACKERS ART] [Internet Phenomenon]

RXLabs::Digital Intelligence
http://www.RxLabs.MetaEye.Org
(C) CopyRight ZeroKnock@MetaEye.org
             Aditya@Securitywonks.org

Knowledge Engine Undertaken As:-

Part A
======
[0x01]     Abstract.
[0x02]     The Methodology Of Hijackers And Virus Writers.
[0x02.1]   Example:- Surfbar.A
[0x03]     Unveiling Hijacking:-
[0x03.1]   Techniques.
[0x03.1.1] URL Hijacking.
[0x03.1.2] Redirect Hijacking.
[0x03.1.3] Meta Refreshing Hijacking.
[0x03.1.4] Server Side 302 Redirect in .htaccess
[0x03.1.5] No Follow Hit.
[0x03.1.6] Frame Capturing.
[0x03.1.7] Business Name And URL Hits.
[0x03.1.8] Bad Links Set Up: Domain Splitting
[0x03.2]   Modem Hijacking.
[0x03.3]   Active X Phishing Hijacking.
[0x03.4]   Web Page Hijacking.
[0x03.4.1] Example:- Javascript By:- ZeroKnock
[0x03.5]   302 Redirect Stuffing: Hit-Traffic Stealing.
[0x04]     How Hijackers Infect The MailBox [Outlook Express]

Part B
======
[0x01]     Undertaking HTML Security Tests.
[0x01.1]   HTML Security Test Code Snippet.
[0x02]     Checking For The Hijacking Of Websites.
[0x02.1]   Site Stuffing.
[0x02.2]   URL Stuffing.
[0x02.3]   Link Stuffing.
[0x02.4]   Site Meter Stuffing.
[0x03]     Conclusion.

[0x01] Abstract:
================
Hijacking is a very common phenomenon nowadays, and it is closely tied to browser manipulation. I have gone through this stuff quite many times and found the way this art sucks the normal functioning out of the web browser, hitting mainly Internet Explorer. Internet Explorer is nowadays the subject of many vulnerabilities. Microsoft manages to patch them, but they have a very unpleasant effect on day-to-day work in the technology world.
[0x02] The Methodology Of Hijackers And Virus Writers:-
=======================================================

Step (A) Email Spamming:-
-------------------------
The art of sending out e-mail dressed up with misleading content and carrying the payload: greeting cards, porn links, executables, trojans and so on.

Step (B) Exe Hitting:-
----------------------
Copying executable files onto the target system, into a system folder such as [System / System32] on Windows platforms.

Step (C) Planting Trojans:-
---------------------------
Setting up trojan servers on the target system so that commands sent over the network are executed remotely.

Step (D) Vulnerability Hit:-
----------------------------
Exploiting a known, already-disclosed vulnerability in the browser.

Step (E) Registry Hit:-
-----------------------
Manipulating registry keys (start page, run keys and the like) so that the planted program gets executed.

Step (F) At Last The SYSTEM Gets SUCKED!
========================================

Example:- Presenting You An Example Of Surfbar.A:-
==================================================
Surfbar.A drops the file DRG.EXE onto the C: drive and runs it. DRG.EXE attempts to download a file called SURFERBAR.DLL from the Internet and stores it in the 'C:\Program Files\' folder under the name WIN32.DLL. This file is then registered with Windows using the regsvr32.exe utility. WIN32.DLL is an Internet Explorer plug-in: it provides customised search capabilities and can also be classified as adware. The adware drops a file called WINSRV32.EXE into the 'C:\Program Files\' folder. WINSRV32.EXE stays resident in memory and every 10 seconds does the following:

1. Refreshes the ITBarLayout value in the registry key:
   [HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
2. Changes the IE start page to the 'www.surferbar.com' website.
3. Constantly re-creates the following registry key, so that it is started again at the next log-on:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "win32" = "c:\program files\winsrv32.exe"

These actions make the installed adware hard to remove from a system, which is why the WINSRV32.EXE file is classified as a trojan.

[0x03] Unveiling Web Page Hijacking:-
=====================================
This is browser hacking. The attacker manipulates the system registry or the browser settings, and after a while the browser starts malfunctioning: wrong sites open, porn is generated, unhandled pop-ups appear and so on. I used to see a lot of unwanted stuff of this kind, and from my side I have done browser hijacking a lot. The main motive is that you craft some dirty code that becomes active as soon as the mail attachment is downloaded; it attaches itself to the system files and after some time starts to spread, whether we call it a virus, a manipulator or whatever.

[0x03.1] Techniques:-
=====================

[0x03.1.1] URL Hijacking:-
==========================
URL hijacking seems to be a very fruitful way of hijacking. A single URL is manipulated and redirected to another URL, which results in hijacking on the fly. Check the URL:-

  www.Hijacker'sDomainName.com/tracker2.php?url=http://www.YourOwnDomainName.comHere/YourOwnPageURLHere.html

The tracker2.php? in the URL above is the culprit. It is a click-tracking script often used by affiliate sites to track clicks. If anyone clicks on that link, the browser first goes to the offender's page and is then quickly sent on to your own page. However, this script usually answers with a 302 redirect, which makes Google think your page has been temporarily moved to the other site; Google then gives the PageRank (PR) to that site, increasing their rank and reducing yours.
If it is your home page that was affected, it is a very serious matter, because the home page PR feeds the rank of the rest of your website (Google started removing these PHP tracker links from the site: command in early 2005, so this is less of a problem than it was earlier).

[0x03.1.2] Redirect Hijacking:-
===============================
This is another way of hijacking, similar to URL hijacking with one small difference: here the input value of the redirect script is a site of the hijacker's choice, and the result is linked to whichever site the hijacker wants displayed as soon as the link is opened:

  http://www./site.PHP?site=.
  http://www.kickass.net/site.PHP?site="http://www.Hijacked.net"

One can clearly see how the redirection works once a domain is supplied. If you use an ID number instead of a domain, that is just as good: when you refresh the page it moves so fast that the intermediate page is not displayed, but that does not mean the site is not being redirected.

[0x03.1.3] Meta Refreshing:-
============================
Yet another way of hijacking. Here the URL itself may look innocent but leads to the dishonest site, and that site carries code that redirects to your site with a Meta Refresh tag (automatically sending the browser on to your site). The Meta Refresh is a favourite of spammers, so search engines have started banning sites that use it. To see whether a site uses a Meta Refresh, view the source (View / Source in your browser menu) and look for a meta refresh tag near the top of the page, set to "0" seconds and redirecting to your site, similar to the following:

  <meta http-equiv="refresh" content="0; url=http://www.">

[0x03.1.4] Server Side 302 Redirect .htaccess:-
===============================================
A hijacker may also use a server-side 302 redirect in an .htaccess file, telling the web server itself to redirect to your site.
A 302 redirect tells the search engine that their site or page has moved temporarily to your site, so the content of your site is credited to theirs and your PR is stolen. Many directories use 302 redirects on the links in their directory to track clicks, and the result is the same problem: Google attributes those links to the directory rather than to your site. You cannot tell that a link is a 302 redirect just by looking at the URL; you need to copy the link into a server header checker (or fetch it yourself and read the status line and the Location header). If the result shows that the link is a 302 redirect, the directory may be stealing your page rank. If it shows a 200, the page is probably OK (if the check produces an error, make sure there are no breaks in the link).

[0x03.1.5] No Follow Hit:-
==========================
A dishonest site that has agreed to trade links with you, but wants to reduce the outgoing links on its pages (to boost its own PR), will sometimes place rel="nofollow" in the link itself. This tells search engines not to follow, or credit, that link. So while it appears that the site has linked to yours, the search engines will not give your site the PR it could have gained. Check every reciprocal link carefully for that little bit of code: hovering over the link only shows the destination URL at the bottom of the browser window, so view the page source and look at the <a> tag itself.

[0x03.1.6] Frame Capturing:-
============================
Another method dishonest webmasters use to benefit their own site while giving yours nothing: they let you submit your site, but then install code that pulls your whole web page (images and working links included) into a frame, so your whole page is displayed on their site. This is dishonest because you think they are going to link to your site, when what they are actually doing is using your design and content and displaying it as their own without your permission.
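The header check and the source inspection described in the last three sections can be done by hand, but they are just as easy to script. The following Python is an added example, not code from the original article; the HTTP responses and the HTML page it inspects are constructed samples, and yourowndomainname.com stands in for your own site. It classifies a raw response by status code and Location header (what a server header checker shows you), and scans a fetched page for the three source-level tricks: a zero-second meta refresh to your site, a reciprocal link carrying rel="nofollow", and your page pulled into a frame or iframe.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

OUR_DOMAIN = "yourowndomainname.com"   # assumed placeholder for "your" site


def canonical_host(host):
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_ours(url, our_domain=OUR_DOMAIN):
    return canonical_host(urlsplit(url).hostname) == our_domain


def check_redirect(raw_response):
    """Read the status line and Location header of a raw HTTP response and say
    what the status means for who gets the credit for the link."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status in (302, 303, 307):
        verdict = "temporary redirect: the redirecting site keeps the credit for the link"
    elif status in (301, 308):
        verdict = "permanent redirect: credit passes to the destination"
    elif status == 200:
        verdict = "direct page: inspect the body for meta refresh and frames"
    else:
        verdict = "unexpected status"
    return {"status": status, "location": headers.get("location"), "verdict": verdict}


class LinkAuditor(HTMLParser):
    """Collect meta refreshes, links and frames that point at our domain."""

    def __init__(self, our_domain=OUR_DOMAIN):
        super().__init__()
        self.our_domain = our_domain
        self.meta_refresh = []    # (delay_seconds, url) aimed at us
        self.nofollow_links = []  # hrefs to us carrying rel="nofollow"
        self.followed_links = []  # hrefs to us without it
        self.framed = []          # frame/iframe src attributes pointing at us

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, _, rest = a.get("content", "").partition(";")   # "0; url=..."
            rest = rest.strip()
            if rest.lower().startswith("url="):
                url = rest[4:].strip().strip("'\"")
                if is_ours(url, self.our_domain):
                    self.meta_refresh.append((int(delay.strip() or 0), url))
        elif tag == "a" and is_ours(a.get("href", ""), self.our_domain):
            rel = a.get("rel", "").lower().split()
            (self.nofollow_links if "nofollow" in rel else self.followed_links).append(a["href"])
        elif tag in ("frame", "iframe") and is_ours(a.get("src", ""), self.our_domain):
            self.framed.append(a["src"])


def audit_page(html, our_domain=OUR_DOMAIN):
    auditor = LinkAuditor(our_domain)
    auditor.feed(html)
    auditor.close()
    return {"meta_refresh": auditor.meta_refresh, "nofollow_links": auditor.nofollow_links,
            "followed_links": auditor.followed_links, "framed": auditor.framed}


# Constructed samples: a click-tracker's 302 answer, a plain 200, and a page that
# does all three source-level tricks at once.
SAMPLE_302 = ("HTTP/1.1 302 Found\r\n"
              "Location: http://www.yourowndomainname.com/YourOwnPageURLHere.html\r\n"
              "Content-Type: text/html\r\n\r\n")
SAMPLE_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://www.yourowndomainname.com/">
</head><body>
<a href="http://www.yourowndomainname.com/" rel="nofollow">Your site</a>
<a href="http://www.yourowndomainname.com/page.html">Your page</a>
<iframe src="http://yourowndomainname.com/index.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(check_redirect(SAMPLE_302))
    print(check_redirect(SAMPLE_200))
    for kind, items in audit_page(SAMPLE_PAGE).items():
        print(f"{kind}: {items}")
```

A 200 from the link itself is only half the check: the body that comes back with that 200 is where the meta refresh or the frame lives, which is why audit_page is run on it as well.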
This also steals traffic from your site, because visitors often see what they came for on the hijacker's site without ever visiting yours. You also get no PR benefit from that link, because it sits inside a frame on their site, which most search engines cannot read; and for those search engines that can read frame contents, your site may be penalised for duplicate content (this can result in "Supplemental Results" being tagged onto the end of your listing). The framing link looks like:

  HijackersWebSiteURLgoeshere/opensite.cfm?site=www.YourWebSiteURLGoesHere.com (and your ID number goes here, ID=____, etc.)

Check out a little script.

[0x03.1.7] Business Conventions And URLs:-
==========================================
Often directories, now called scraper directories (which you may have submitted to yourself), will take your page (if it ranks well in the search engines) and set up a separate page with your business name in the title and/or your URL, plus the most important text on your page, the text that brings keyword rank to your site. This is blatant content theft, and it leaves them competing with your own site for your business.

[0x03.1.8] Bad Links SetUp:- Domain Splitting
=============================================
If you have submitted your site to search engines as www.YourDomain.com and someone links to your site as just YourDomain.com, i.e. without the WWW in front, Google will think you have two sites under the same domain and credit you with a duplicate content penalty (Supplemental Results). This is known as splitting your domain. The fix is on your side: pick one host name as canonical and have the server answer the other with a permanent (301) redirect to it.

[0x03.2] Modem Hijacking:-
==========================
Modem hijacking, also referred to as dialer hijacking or Internet dumping, is a form of fraud that targets dial-up modem users. The scam itself isn't new, but many Internet users may not be aware of it or know how to avoid it. Users may run into a pop-up or web page that offers access to a particular site or to various files.
Sometimes the web site calls this a "viewer", indicating that you need to download it in order to view the content on the site. When the user clicks 'OK' or agrees to the terms on the pop-up to gain access, the scammers can use ActiveX scripts to download a dialer to the computer, with or without the user's knowledge. Once the dialer has been downloaded and installed, it can drop the user from the dial-up session with his or her ISP and then dial a long-distance telephone number without the user's knowledge. Other variants of the dialer automatically connect to a long-distance number while the computer is idle. These are often international calls and can cost several dollars per minute, so the user ends up with an unexpected, exorbitant charge on the long-distance bill.

[0x03.3] Active X Phishing Hijacking:-
======================================
This type of phishing scam uses a trojan program that disguises itself as a legitimate program but, once executed, tampers with the system (here, with the hosts file). The trojan arrives in HTML e-mail or runs from a normal-looking web page. If scripting is enabled on your computer (Internet Explorer, Outlook and Outlook Express enable scripting by default) and your ActiveX security settings are too low (or you are running an out-of-date or unpatched version of Windows), the trojan installs itself on your computer. It then modifies the hosts file, a component of Windows (%SystemRoot%\System32\drivers\etc\hosts) that your browser consults before DNS when it converts a domain name you type (such as "www.earthlink.net") into the IP address it needs to load the page.
By entering an IP address of the phisher's choosing into your hosts file and associating it with the names of well-known web sites, the phisher can force your browser (any browser, not just Internet Explorer) to go to a fake site that may look like your favourite site but isn't. When you log on, the phisher captures your username and password. Under normal circumstances the hosts file holds nothing beyond the localhost entries, but the file exists in case you ever need it. Since most PC users are unfamiliar with the workings of the hosts file, unless you are running software that monitors it for changes you may never know it has been altered until it is too late.

[0x03.4] Web Page Hijacking:-
=============================
This covers how a web page is hijacked. Since I have undergone a lot of this, here I am providing you with a script written by me which hijacks the browser and permanently sets the page to BlackHat.com.

[0x03.4.1] Example:- Javascript By:- ZeroKnock
Check:-

# Script Written By Zeroknock
#############################

It is so easy to write such code if you know the defined characteristics of the system.

[0x03.5] 302 Redirect Stuffing : Traffic Stealing:-
====================================================
This is quite different. The hijackers inject a 302-redirecting web page to steal traffic from your website: all the incoming traffic appears to arrive at the hijacker-defined page, and the hijackers collect the benefit your site has earned, i.e. the rank the search engine has awarded you. In some cases your own site can even be penalised for the 302-redirecting page, so this is considered a basic problem.

Part B
======

[0x01] Performing HTML Security Tests:-
========================================
Here I explain HyperText Markup Language security testing. The test aims to flush out a bug, if one exists, in the way the web page was coded.
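Going back to the hosts-file tampering described under [0x03.3]: a monitor of the kind the text mentions needs two things, a way to spot name-to-address pins that a browser will trust over DNS, and a way to notice that the file changed at all. The following Python is an added example, not code from the original article; the two hosts-file texts are constructed (the addresses come from the 203.0.113.0/24 documentation range, www.earthlink.net is the name the text uses, and the bank name is invented), and the Windows path appears only as a comment.

```python
import hashlib
import ipaddress

# Where Windows keeps the file the text describes (assumed default location):
#   %SystemRoot%\System32\drivers\etc\hosts
# Linux and macOS use /etc/hosts with the same format.

# Names a hosts file is expected to pin to loopback addresses.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file,
    ignoring comments and blank lines and skipping lines whose address does not parse."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Entries that override DNS for a real name with a routable address.

    Loopback and unspecified (0.0.0.0) targets are left alone: pinning an ad or
    tracking host to 127.0.0.1 is a common, legitimate use of the file. Anything
    else means the browser will silently go where the file says, not where DNS says.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"line": lineno, "name": name, "ip": str(ip)})
    return findings


def fingerprint(text):
    """Hash of the file content: record it on a known-good system and compare it
    on every check; any difference means the file changed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def diff_hosts(baseline_text, current_text):
    """Return (added, removed) mappings between a known-good copy and the current file."""
    before = {(str(ip), name) for _, ip, name in parse_hosts(baseline_text)}
    after = {(str(ip), name) for _, ip, name in parse_hosts(current_text)}
    return sorted(after - before), sorted(before - after)


# Constructed samples. The second is the first with phishing pins appended.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example   # user-added blocking entry, harmless
"""
TAMPERED_HOSTS = CLEAN_HOSTS + """203.0.113.7     www.earthlink.net earthlink.net
203.0.113.7     www.yourbank.example
"""

if __name__ == "__main__":
    if fingerprint(TAMPERED_HOSTS) != fingerprint(CLEAN_HOSTS):
        print("hosts file changed since baseline")
    for added in diff_hosts(CLEAN_HOSTS, TAMPERED_HOSTS)[0]:
        print("  added:", added)
    for f in suspicious_entries(TAMPERED_HOSTS):
        print(f"  line {f['line']}: {f['name']} pinned to {f['ip']}")
```

The fingerprint alone tells you that something changed; the diff and the suspicious-entry list tell you whether the change matters, which is what separates a user's own ad-blocking entries from a phisher's pins.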
[0x01.1] The Code Scenario:-
============================
HTML Security Test :::: [*]ZeroKnock[*]

This is basically designed to check the effect of ActiveX controls. If the alert occurs, the system is under security treatment, but at the same time [*]scrrun.dll[*] (the Microsoft Scripting Runtime, which hosts Scripting.FileSystemObject) is present and reachable from script, which shows the vulnerability in the engine.

[0x02] Checking For The Hijacking Of Websites:-
===============================================
This section is entirely about checking whether one's own web page has been hijacked. Four techniques are used for the check.

[0x02.1] Site Stuffing:-
========================
String: site:www.Domain.com in Google.
This technique checks how one's web pages appear in the Google index; it lists the pages of one's website. Google has since stopped showing 302-redirected URLs among these results.

[0x02.2] URL Stuffing:-
=======================
String: allinurl:www.domain.com
This search shows pages whose URL contains your domain, including redirector pages on other sites that carry your address as a parameter. There is a possibility that such pages carry link-tracking codes, which may or may not be 302 redirects.

[0x02.3] Link Stuffing:-
========================
String: link:www.Domain.com
This brings up the links pointing at your site, the necessary and the unnecessary 302 redirects included. (Google has since retired the link: operator; the links report in Google Search Console is the current equivalent.)

[0x02.4] Site Meter Stuffing:-
==============================
This relates to a good site meter (visitor counter) that records the referring links to your site. Referrer logs show where visitors actually arrive from, redirector URLs included, and so give the check a flexibility that the search operators alone do not.

[0x03] Conclusion : No Patch For Ignorance.