Adware the series, part 2

In this post, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Reroute and intercept

We will discuss a few methods to reroute, intercept, and change your internet traffic. They are:

Proxies

If a system-wide proxy on a Windows computer is set, you will almost always find it in the Microsoft browser. In Internet Explorer, you can find it under Menu (gear icon) > Internet Options > on the Connections tab click the LAN settings button:

Remove the tick under Proxy server to remediate the problem.

In Edge, in the Menu (three dots) select Settings > View Advanced Settings > Open proxy settings > Turn Use a proxy server to Off to disable the proxy.

Browser specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.

For Chrome:

For Firefox:

For Opera:

If you notice that the proxy is running through a port on your localhost (127.0.0.1), there is a way to find out which process is responsible. Using the command netstat –ab in a command prompt (elevated as an Administrator) will reveal which process is listening on the port (8003 in our example below).

BetterAds adware having control over port 8003

LSP hijackers

A Layered Service Provider (LSP) is a file (usually a DLL) using the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and modify all the traffic between the internet and a system’s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2). The layering order of all providers is kept in the Winsock Catalog. As a consequence, LSPs have to be uninstalled. Just ripping out the file that acts as the LSP could result in a broken internet connection. If Malwarebytes removes an LSP hijacker from your system it will require a reboot to prevent this disconnection from happening.

DNS hijacks

Domain Name Service (DNS) hijacks can be performed at many levels, but in the scope of this series, we will only deal with the ones that act on the system itself.

(a) DNS cache poisoning

By feeding your DNS resolving process false data (in such a case, the wrong IP for a certain domain), the system will at some point no longer query the DNS server for the IP but use the wrong data it has in his cache.

Remediation: To clear the Windows DNS cache use the command ipconfig /flushdns in an elevated command prompt.

(b) Hosts file hijacks

The hosts file is a special file located in %windir%\System32\drivers\etc that can be used to store IP addresses that you want to associate with certain domains. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware sometimes uses hosts file of their own making to replace the one on the victim’s system to hijack traffic.

Remediation: You can edit the hosts file in notepad (elevated). Even though it has no extension it is a text file.

(c) DNS server settings

The DNS server settings are normally stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the NameServer value which should hold two comma-separated IP addresses that represent the DNS servers for the internet connection that is currently in use.

Remediation: Change the DNS servers for the active internet connection by looking at the properties of the connection in the “Network and Sharing Center”.

For most ISPs this is the recommended setting. If yours are different you may find the necessary information on the provider’s site.

Index

Part 1:

Part 2

Up next, part 3

 

Pieter Arntz

COMMENTS