{"id":7516,"date":"2017-05-03T08:11:01","date_gmt":"2017-05-03T16:11:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1301\/"},"modified":"2017-05-03T08:11:01","modified_gmt":"2017-05-03T16:11:01","slug":"news-1301","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/03\/news-1301\/","title":{"rendered":"Adware the series, part 2"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 03 May 2017 15:00:12 +0000<\/strong><\/p>\n<p>In this post, we will be using the flowchart below to follow the process of determining which\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/adware\/\" target=\"_blank\">adware<\/a>\u00a0we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are\u00a0classified as\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/pup\/\" target=\"_blank\">PUPs<\/a>, you will also see the occasional\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/trojan\/\" target=\"_blank\">Trojan<\/a>\u00a0or\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/rootkit\/\" target=\"_blank\">rootkit<\/a>, especially for the types\u00a0that are more difficult\u00a0to detect and remove.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17796 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/flowchart.png\" alt=\"Flowchart adware\" width=\"609\" height=\"686\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/flowchart.png 609w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/flowchart-266x300.png 266w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/flowchart-533x600.png 533w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" \/><\/p>\n<h3>Reroute and intercept<\/h3>\n<p>We will discuss a few methods to reroute, intercept, and change your internet traffic. 
They are:<\/p>\n<ul>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2013\/04\/surfing-by-proxy\/\" target=\"_blank\">Proxies<\/a>, routing traffic through a third-party server between the machine and the internet.<\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2014\/10\/changes-in-the-lsp-stack\/\" target=\"_blank\">LSP hijacks<\/a>, inserting a third-party DLL into the Winsock provider chain.<\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/threats\/dns-hijacker\/\" target=\"_blank\">DNS hijacks<\/a>, connecting you to another site by altering the Domain Name System results.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17795 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/part2.png\" alt=\"this week\" width=\"141\" height=\"152\" \/><\/p>\n<h3>Proxies<\/h3>\n<p>If a system-wide proxy is set on a Windows computer, you will almost always find it in the Microsoft browser, because Internet Explorer, Edge, Chrome and Opera all read the same system (WinINET) proxy settings, and Firefox defaults to them as well. In Internet Explorer, you can find it under Menu (gear icon) &gt; Internet Options &gt; on the Connections tab click the LAN settings button:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17794 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/IEproxy.png\" alt=\"LAN proxy settings\" width=\"459\" height=\"425\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/IEproxy.png 459w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/IEproxy-300x278.png 300w\" sizes=\"auto, (max-width: 459px) 100vw, 459px\" \/><\/p>\n<p>Remove the tick\u00a0under Proxy server to remediate the problem, and check in the same dialog that no automatic configuration script (a PAC file) has been set, since that reroutes traffic just as effectively.<\/p>\n<p>In Edge, in the Menu (three dots) select Settings &gt; View Advanced Settings &gt; Open proxy settings &gt; Turn Use a proxy server to Off to disable the proxy.<\/p>\n<p>Browser-specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.<\/p>\n<h4>For Chrome:<\/h4>\n<ul>\n<li>Click the 
menu icon<\/li>\n<li>Choose Settings (alternatively paste <strong>chrome:\/\/settings\/<\/strong> into your address bar)<\/li>\n<li>Click on Show advanced settings&#8230;<\/li>\n<li>In the \u201cNetwork\u201d Section, click Change Proxy Settings. This will open the Internet Properties window, where you can access the LAN Settings as shown above.<\/li>\n<\/ul>\n<h4>For Firefox:<\/h4>\n<ul>\n<li>Click the menu icon<\/li>\n<li>Choose Options<\/li>\n<li>Select the Advanced tab (alternatively paste <strong>about:preferences#advanced<\/strong> into your address bar)<\/li>\n<li>Select the Network tab<\/li>\n<li>Under Connection click on Settings and you will see the proxy configuration options<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17793\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/FFproxy.png\" alt=\"Firefox proxy settings\" width=\"910\" height=\"704\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/FFproxy.png 910w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/FFproxy-300x232.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/FFproxy-600x464.png 600w\" sizes=\"auto, (max-width: 910px) 100vw, 910px\" \/><\/p>\n<h4>For Opera:<\/h4>\n<ul>\n<li>Open the menu<\/li>\n<li>Choose Settings<\/li>\n<li>Open the Browser tab<\/li>\n<li>Under Network click the Change proxy settings&#8230; button<\/li>\n<li>This will open the Internet Properties window, where you can access the LAN Settings as shown earlier.<\/li>\n<\/ul>\n<p>If you notice that the proxy is running through a port on your localhost (127.0.0.1), there is a way to find out which process is responsible. 
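<\/p>\n<p>The same lookup in PowerShell, as an added example that is not part of the original post: it reads the WinINET values behind the LAN settings dialog (ProxyEnable and ProxyServer for the proxy server tick box, AutoConfigURL for the automatic configuration script box) and, for a proxy that points at 127.0.0.1, asks the network stack which process owns that port, which is what the netstat command in the next paragraph does by hand. The registry key and the cmdlets are the documented ones; the helper function name is my own, and the script assumes an elevated PowerShell on Windows 8 or later, where Get-NetTCPConnection exists.<\/p>\n
```powershell
# Added example, not code from the original post. Reads the WinINET proxy
# settings behind the LAN settings dialog and maps a loopback proxy port to
# the process that owns it. Run in an elevated PowerShell (Windows 8+).

$key  = 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
$inet = Get-ItemProperty -Path $key

# ProxyEnable = 1 plus ProxyServer is the proxy server tick box; AutoConfigURL
# is the automatic configuration script box, a PAC file that can reroute
# traffic just as well, so look at both.
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List

function Get-LoopbackProxyOwner {
    # Helper name is my own. ProxyServer is either host:port or a list such as
    # http=host:port;https=host:port;ftp=host:port
    param([string]$ProxyServer)
    foreach ($entry in ($ProxyServer -split ';' | Where-Object { $_ })) {
        $hostPort = ($entry -split '=')[-1]
        $proxyHost, $proxyPort = $hostPort -split ':'
        if ($proxyHost -notin @('127.0.0.1', 'localhost')) { continue }
        # Same question netstat -ab answers: who is listening on that local port?
        Get-NetTCPConnection -LocalPort ([int]$proxyPort) -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Port    = $_.LocalPort
                    PID     = $_.OwningProcess
                    Process = $proc.ProcessName
                    Path    = $proc.Path     # needs elevation for processes of other users
                }
            }
    }
}

if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    Get-LoopbackProxyOwner -ProxyServer $inet.ProxyServer | Format-Table -AutoSize
}

# Remediation, the script equivalent of clearing the tick box (uncomment to apply):
# Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
# Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
```
<p>The Path column is what you carry forward to the removal steps in part 3: the remediation lines only flip the switch back, they do not stop the process that owns the port, and a proxy owner that keeps running can simply set the switch again.<\/p>\n<p>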
Using the command <strong>netstat -ab<\/strong> in a command prompt run as Administrator (the -b switch, which shows the executable behind each connection, needs the elevation) will reveal which process is listening on the port (8003 in our example below).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17790 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/BetteradsProxy.png\" alt=\"netstat Betterads\" width=\"677\" height=\"306\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/BetteradsProxy.png 677w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/BetteradsProxy-300x136.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/BetteradsProxy-600x271.png 600w\" sizes=\"auto, (max-width: 677px) 100vw, 677px\" \/><\/p>\n<p style=\"text-align: center\"><em>BetterAds adware having control over port 8003<\/em><\/p>\n<h3>LSP hijackers<\/h3>\n<p>A Layered Service Provider (LSP) is a file (usually a DLL) that registers with the Winsock API so that it sits between applications and the TCP\/IP transport. There it can intercept, filter, and modify all the traffic between the internet and a system\u2019s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2), and the layering order of all providers is kept in the Winsock Catalog. Because the catalog references the file, an LSP has to be uninstalled, that is, removed from the catalog. Just ripping out the file that acts as the LSP leaves a broken chain and could result in a broken internet connection. 
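<\/p>\n<p>To see what the catalog holds on a given machine, here is an added PowerShell example (not code from the original post): it parses the output of netsh winsock show catalog into one object per provider entry and flags entries that are layered above the base providers or whose DLL lives outside the Windows directory. netsh and the field names in its output are real; the function name is my own, and the parsing is best effort since it works on text.<\/p>\n
```powershell
# Added example, not code from the original post. Lists the Winsock catalog
# the LSP section describes and flags providers layered above the base
# providers or loaded from outside the Windows directory. It parses the text
# output of netsh, so treat the field names as best effort.

function Get-WinsockCatalog {
    # Helper name is my own.
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        # Each entry starts with a header such as Winsock Catalog Provider Entry
        if ($line -match '^(.+) Provider Entry\\s*$') {
            if ($null -ne $current) { $entries += $current }
            $current = [ordered]@{ Kind = $matches[1] }
            continue
        }
        if ($null -ne $current -and
            $line -match '^(Entry Type|Description|Provider Path|Catalog Entry ID):\\s+(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { $entries += $current }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

$catalog = Get-WinsockCatalog
$catalog | Format-Table Kind, 'Catalog Entry ID', 'Entry Type', 'Provider Path' -AutoSize

# Base providers ship in %SystemRoot%\\system32. A layered entry, or any entry
# whose DLL lives elsewhere, is where an LSP hijacker shows up.
$suspect = $catalog | Where-Object {
    $raw  = $_.'Provider Path'
    $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { '' }
    ($_.'Entry Type' -like 'Layered*') -or
    ($path -and -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase))
}
$suspect | Format-List

# Remediation: do not delete the DLL. Rebuild the catalog and reboot, which is
# the clean removal the text describes. Uncomment to apply:
# netsh winsock reset
```
<p>A layered entry is not automatically malicious (some security products and VPN clients install them), so read the Description and Provider Path before acting; the path outside the Windows directory is the detail to look at first.<\/p>\n<p>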
If Malwarebytes removes an LSP hijacker from your system it will require a reboot to prevent this disconnection from happening.<\/p>\n<h3>DNS hijacks<\/h3>\n<p>Domain Name System (<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/dns\/\" target=\"_blank\">DNS<\/a>) hijacks can be performed at <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2015\/09\/dns-hijacks-what-to-look-for\/\" target=\"_blank\">many levels<\/a>, but in the scope of this series, we will only deal with the ones that act on the system itself.<\/p>\n<h4>(a) DNS cache poisoning<\/h4>\n<p>If your local DNS resolver is fed false data (in this case, the wrong IP for a certain domain), the system will, until that entry expires, no longer query the DNS server for the IP but use the wrong\u00a0data\u00a0it has in its cache.<\/p>\n<p><strong>Remediation<\/strong>: To clear the Windows DNS cache use the command <strong>ipconfig \/flushdns<\/strong> in an elevated command prompt.<\/p>\n<h4>(b) Hosts file hijacks<\/h4>\n<p>The hosts file is a special file named <em>hosts<\/em>, located in <em><a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/01\/explained-environmental-variables\/\" target=\"_blank\">%windir%<\/a>\\System32\\drivers\\etc<\/em>, that maps domain names to IP addresses and is consulted before any DNS server is asked. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/09\/hosts-file-hijacks\/\" target=\"_blank\">sometimes replaces the hosts file with one of its own making<\/a> to hijack traffic on the victim\u2019s system.<\/p>\n<p><strong>Remediation<\/strong>: You can edit the hosts file in Notepad run as Administrator; a default Windows hosts file contains nothing but comment lines, so every active entry should be one you can account for. 
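<\/p>\n<p>The three on-system checks in one script, as an added PowerShell example that is not part of the original post: (a) what the resolver cache holds and the cmdlet form of the flush, (b) which hosts file lines send a name somewhere other than the local machine, and (c) which DNS servers are configured, read from the Tcpip\\Parameters registry key that the next subsection describes and from the per-connection subkeys under it. Paths, values and cmdlets are the documented ones; the helper function name is my own.<\/p>\n
```powershell
# Added example, not code from the original post. Runs the three on-system
# DNS checks from this section: (a) the resolver cache, (b) hosts file lines
# that send a name somewhere other than the local machine, (c) the configured
# DNS servers, read from the registry and per interface.

# (a) Look at the cache before flushing it. Clear-DnsClientCache is the
#     cmdlet form of ipconfig \/flushdns.
Get-DnsClientCache | Select-Object Entry, Data | Sort-Object Entry -Unique | Format-Table -AutoSize
# Clear-DnsClientCache

# (b) Comments and loopback mappings are the normal, ad-blocking style of
#     hosts entry. A public name pointed at a remote IP is the hijack pattern.
function Get-HostsFileRedirect {
    # Helper name is my own.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\\drivers\\etc\\hosts'))
    $local = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($line in (Get-Content -Path $Path)) {
        $text = ($line -split '#')[0].Trim()      # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\\s+'
        if ($fields.Count -lt 2 -or $local -contains $fields[0]) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Name = $name; IP = $fields[0]; Line = $line }
        }
    }
}
Get-HostsFileRedirect | Format-Table -AutoSize

# (c) NameServer is the static list and is usually empty when DHCP supplies
#     the servers (then DhcpNameServer shows what was handed out); the values
#     that matter for a given connection sit under Interfaces\\{GUID}.
$tcpip = 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters'
Get-ItemProperty -Path $tcpip | Select-Object NameServer, DhcpNameServer
Get-ChildItem -Path (Join-Path $tcpip 'Interfaces') | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.NameServer -or $p.DhcpNameServer) {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NameServer     = $p.NameServer
            DhcpNameServer = $p.DhcpNameServer
        }
    }
} | Format-Table -AutoSize
# Cross-check against what the stack actually uses, per adapter:
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses
```
<p>A NameServer value that is set while the adapter is on DHCP, or a hosts line that points a bank or update domain at a remote address, is the finding to act on; a cache entry on its own is only a symptom and will come back after a flush if the hosts file or the server list is still wrong.<\/p>\n<p>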
Even though it has no extension it is a text file.<\/p>\n<h4>(c) DNS server settings<\/h4>\n<p>The DNS server settings are stored in the registry under <em>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters<\/em>. The NameServer value there holds <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/01\/trojan-dnschanger-circumvents-powershell-restrictions\/\" target=\"_blank\">a comma-separated list of IP addresses<\/a> for statically configured DNS servers and is usually empty when DHCP supplies them (DhcpNameServer then shows what was handed out); the values for each individual connection are kept in the Interfaces subkeys below it. A DNS hijacker of this type points these values at servers it controls, so every lookup can be answered with whatever IP it likes.<\/p>\n<p><strong>Remediation<\/strong>: Change the DNS servers for the active internet connection by looking at the properties of the connection in the \u201cNetwork and Sharing Center\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"align wp-image-17791 size-full aligncenter\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/DNSServers.png\" alt=\"DNS servers\" width=\"481\" height=\"564\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/DNSServers.png 481w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/DNSServers-256x300.png 256w\" sizes=\"auto, (max-width: 481px) 100vw, 481px\" \/><\/p>\n<p style=\"text-align: center\"><em>For most ISPs this is the recommended setting. 
If yours are different you may find the necessary information on the provider\u2019s site.<\/em><\/p>\n<h3><strong>Index<\/strong><\/h3>\n<h4><a href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/04\/adware-the-series-part-1\/\" target=\"_blank\">Part 1<\/a>:<\/h4>\n<ul>\n<li>Identify the process<\/li>\n<li>Clear browser caches<\/li>\n<li>Remove browser extensions<\/li>\n<\/ul>\n<h4>Part 2<\/h4>\n<ul>\n<li>Proxies<\/li>\n<li>Winsock hijackers<\/li>\n<li>DNS hijackers<\/li>\n<\/ul>\n<h4>Up next, part 3<\/h4>\n<ul>\n<li>Type of software<\/li>\n<li>Uninstall<\/li>\n<li>Remove file<\/li>\n<li>Replace file<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><em>Pieter Arntz<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/\">Adware the series, part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 03 May 2017 15:00:12 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/' title='Adware the series, part 2'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/shutterstock_510172012.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In part 2 of our adware series, we focus on a few methods to reroute, intercept, and change your internet traffic.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/puppum\/\" rel=\"category tag\">PUP<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/dns\/\" rel=\"tag\">dns<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/dns-hijacker\/\" rel=\"tag\">dns hijacker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/lsp-hijacker\/\" rel=\"tag\">LSP hijacker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/proxy\/\" rel=\"tag\">proxy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/proxy-hijacker\/\" rel=\"tag\">proxy hijacker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pup\/\" rel=\"tag\">PUP<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pups\/\" rel=\"tag\">PUPs<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rootkit\/\" rel=\"tag\">rootkit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/' title='Adware the series, part 2'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/\">Adware the series, part 2<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10468,11882,12139,12140,12141,12142,10566,2130,11002,10833],"class_list":["post-7516","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-adware","tag-dns","tag-dns-hijacker","tag-lsp-hijacker","tag-proxy","tag-proxy-hijacker","tag-pup","tag-pups","tag-rootkit","tag-trojan"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7516"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7516\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7516"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}