Sandwich Power

The internet's been a bit fussy lately in terms of "malware". Here are my two most recent episodes:

Episode 1 - Google's Lobotomy

(or, How I spent Saturday morning)

Julie: My Google's messed up!
Charlie: Reboot.
Julie: I don't need to reboot, the links are all screwy.
Charlie: Reboot.
Julie: *eyes roll* *reboots*
Charlie: *having fixed the problem, returns to playing world of warcraft*
Julie: It's still messed up. It gives the right results, but the links are all wrong.

[ed. for example, you'd search for "Andrew Jackson" and the first result would be the wikipedia page for Andrew Jackson, but instead of linking to wikipedia it was a link to monstermarketplace.com]

Charlie: Use Chrome instead of IE, Chrome is cool.
Julie: That doesn't fix anything!

[ed. she installed chrome and it worked just fine - not a bad diagnostic, eh?]

Julie: But I want to fix IE.
Charlie: Uh, run a thingy - like adaware. *returns to playing video games*
Julie: *runs 3 adware detectors and trendmicro's housecall virus scanner* It's still messed up.
Charlie: *without looking up* Have you rebooted?
Julie: *glares*

[ed. At this point we discussed my tendency to help other people with their computer problems and why wouldn't I help my loving wife!?!? ]

Charlie: Bring me a sandwich.
Julie: *leaves for Subway*

[ed. When she actually went to go get me a sandwich, I realized she was serious. I may actually have to fix this thing.]

I'm not sure if it was a virus, but it was very crafty. As described before, the search results were legitimate, but the links were being replaced with web trash vendors. Probably part of a pay-per-click scam (ploy?). I knew it was specific to IE since chrome worked. I'd also disabled all of IE's add-ons, all my extra startup processes, and everything in HKLM/.../Run - it even happened in Safe Mode (with networking). So, with a heavy heart, and a sandwich in hand, I prepared to do some packet sniffing. Here's what I found:



You're looking at the network traffic resulting from two google searches. The packets in the upper-left are from chrome. Chrome is unaffected by the problem. The packets in the foreground are from IE. The left hand side of the window is the zoomed out view of the transaction, and the right hand side shows the individual packets. In situations where chrome talked to an IP that IE neglected, I wasn't worried - that's just chrome being my big brother, but any IP IE talked to that chrome didn't was a potential bad guy.

The highlighted server IP (78.157.142.58) is the villain (i.e. its brain). Two things stand out that helped me get to the bottom of things. I hadn't had much luck looking up information about this thing because I didn't have any good search terms, but now I saw FunWebProducts in my user agent. IE should not claim to be "fun". The other was a few lines down: a javascript regular expression that replaced all the search result links with links to places like monstermarketplace.com.
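The triage above boils down to three checks: which servers the broken browser talks to that the clean one doesn't, what extra tokens showed up in the browser's User-Agent, and whether any of those servers hand back script that rewrites links. Here is that logic written out as an added example (not code from the original post). It works over a constructed, already-decoded capture rather than a real pcap; the 203.0.113.x addresses and the two "clean" User-Agent strings are placeholders, and only 78.157.142.58 and the FunWebProducts token come from the post.

```python
import re
from typing import NamedTuple


class Request(NamedTuple):
    browser: str      # which browser issued the request
    dst_ip: str       # server it was sent to
    user_agent: str   # User-Agent header as sent


class Response(NamedTuple):
    src_ip: str       # server that answered
    body: str         # decoded response body (HTML/JS)


# Constructed reference User-Agents for each browser (placeholders, not real strings).
CLEAN_UA = {
    "chrome": "Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/534 Chrome/10 Safari/534",
    "ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
}

# Constructed sample capture. 78.157.142.58 is the server named in the post;
# the 203.0.113.x addresses stand in for the search engine, a result site and
# a browser update host.
REQUESTS = [
    Request("chrome", "203.0.113.10", CLEAN_UA["chrome"]),
    Request("chrome", "203.0.113.20", CLEAN_UA["chrome"]),
    Request("chrome", "203.0.113.30", CLEAN_UA["chrome"]),   # chrome-only host: not interesting
    Request("ie", "203.0.113.10", CLEAN_UA["ie"] + "; FunWebProducts"),
    Request("ie", "203.0.113.20", CLEAN_UA["ie"] + "; FunWebProducts"),
    Request("ie", "78.157.142.58", CLEAN_UA["ie"] + "; FunWebProducts"),
]
RESPONSES = [
    Response("203.0.113.10",
             "<html><a href=\"http://en.wikipedia.org/wiki/Andrew_Jackson\">Andrew Jackson</a></html>"),
    # Constructed stand-in for the link-rewriting script described in the post.
    Response("78.157.142.58",
             "<script>document.body.innerHTML = document.body.innerHTML"
             ".replace(/href=\"[^\"]+\"/g, 'href=\"http://monstermarketplace.com/\"');</script>"),
]

# A regex literal passed to .replace() whose pattern mentions href: script that
# rewrites link targets wholesale.
LINK_REWRITE = re.compile(r"\.replace\s*\(\s*/[^/]*href[^/]*/[gimsuy]*\s*,", re.IGNORECASE)


def suspect_ips(requests, affected, baseline):
    """Servers the affected browser contacted that the baseline browser never did."""
    contacted = lambda b: {r.dst_ip for r in requests if r.browser == b}
    return contacted(affected) - contacted(baseline)


def ua_extra_tokens(requests, browser, clean_ua):
    """User-Agent tokens a browser sent that are absent from its clean reference UA."""
    split = lambda ua: {t.strip() for t in re.split(r"[;()]", ua) if t.strip()}
    expected = split(clean_ua)
    extra = set()
    for r in requests:
        if r.browser == browser:
            extra |= split(r.user_agent) - expected
    return extra


def link_rewriting_servers(responses, ips):
    """Suspect servers whose response body carries link-rewriting script."""
    return {r.src_ip for r in responses if r.src_ip in ips and LINK_REWRITE.search(r.body)}


def triage(requests, responses, affected="ie", baseline="chrome"):
    """Run all three checks and return the findings as sorted lists."""
    ips = suspect_ips(requests, affected, baseline)
    return {
        "suspect_ips": sorted(ips),
        "ua_extra_tokens": sorted(ua_extra_tokens(requests, affected, CLEAN_UA[affected])),
        "link_rewriters": sorted(link_rewriting_servers(responses, ips)),
    }


if __name__ == "__main__":
    for key, value in triage(REQUESTS, RESPONSES).items():
        print(f"{key}: {value}")
```

The set difference is the cheap part and is what narrows a noisy capture to one or two hosts; the User-Agent comparison is what turns "some IP" into a searchable name, which is exactly what was missing before the sniff. On a real capture you would populate REQUESTS and RESPONSES from your sniffer's decoded HTTP streams rather than by hand.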

Now that I had enough to search with, I was able to find this blog post that showed me how to clean it off. Problem solved - sandwich eaten.

Episode 2: Why Does Google Think I'm Evil?

This one's still a problem. If you use chrome and you want to come read my blog, you'll be greeted by this calm warning:



My blog links to one of my other pages (www.figmenttech.com). On that page I hosted my old blog. It was a wordpress blog, and everybody thinks it's fun to try to find security holes in wordpress since it's so popular. Here at blogspot, google does the hosting and all of the maintenance. For my wordpress blog, I was responsible for updates, etc. I fell behind on updates and somebody found out and dumped a whole bunch of malware-giving web pages on my site. I eventually found out and cleared them off, but my honor had been besmirched.

That was the second time I'd gotten into that sort of trouble with wordpress, so I also wiped out wordpress - including some nice vacation blog content :(

I think google forgives people every 90 days, so I guess I just have to wait. But it's sad. The real bummer is that it actually was my fault. Some hacker did the interesting part, but I was hosting this stuff on my site. *sigh*

Comments

julie said…
Ahem, that first conversation never took place! And I did reboot. I think you were too busy with your game! :p

...but thank you for fixing it! I think it put up an excellent fight.

I hope you liked your sandwich. :)
The sandwich was well worth the effort. I've been getting healthy sandwiches lately, but Julie got me a Spicy Italian like I used to get right after high school. AND she knew all the best toppings and stuff. Ah...sandwich.
4 Is More said…
I got that same warning for the figmenttech one from IE - bummer. :-(

We had that same thing happen on our desktop computer over a year ago. It sucked. The method of dealing with it was to not use the computer for a year. Well, and Will eventually found some mention of the problem online, and downloaded a free trial of some Windows Live Care thingy-bobber.