Security Incidents mailing list archives
sureseeker.com
From: Nate W <security () WHATEVER NET>
Date: Mon, 30 Oct 2000 14:17:32 -0800
If anyone can think of a better place to report this, other than incidents () securityfocus com and cert () cert org, do let me know.

Looks like somewhere out there is a web server that cracks into web clients and does a little bit of reconfiguring without the user's knowledge or consent. The main objective of the malicious code is to set the user's start page to a cheesy "portal" web site, www.sureseeker.com. The sureseeker web site consists largely of 'affiliate clickthrough' links, for example news headlines from isyndicate.com, web searches from goto.com and searchtraffic.com, and so on.

The method appears to begin with the installation of an 'html application' called runme.hta in the StartUp directory. runme.hta appears to re-set the start pages for Internet Explorer and Netscape, and also re-set the search URLs used by IE in various places. I say "appears to" because I don't actually have a copy of the file - a second file, called removeit.hta, is placed in the c:\ directory and executed via a link from the StartUp folder. removeit.hta deletes runme.hta in an attempt to cover their tracks. Removeit.hta doesn't get deleted though, and a set of .reg files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also remain on the victim's hard drive.

The malicious code also puts 'sureseeker.com' in the HTTP-User-Agent string, so that victims are left running about advertising their misfortune to every web server they visit. Furthermore, sureseeker's tag appears in the articles they post to newsgroups using IE and deja.com, as in this case: http://www.deja.com/getdoc.xp?AN=680049493&fmt=text

I have notified sureseeker's internet service providers (ni.net, primenetworks.net, and verio.net just in case either of those is in cahoots with the sureseeker people).

I'm not sure what steps to take next, but if anyone has ideas I'm all ears.

Thanks,
Nate Waddoups
Redmond WA USA
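The post leaves the .reg files (backup1.reg, homereg111.reg) on the victim's disk, which makes them the most useful artifact for triage: they record exactly which registry values the hijacker touched. Below is an added example, not code from the post or from sureseeker.com, that parses exported Windows .reg files, lists every value whose name or data mentions an indicator string, and writes a .reg file that undoes those entries. The sample .reg text is constructed for the example; the registry paths in it (the IE Main, SearchUrl and User Agent\Post Platform keys) are the conventional locations for start page, search URL and User-Agent tokens and are an assumption, since the post names no keys. The "about:blank" replacement is likewise a choice made here, not anything the post specifies.

```python
"""Triage helper for .reg files left behind by a browser hijacker.

Added example for the sureseeker.com report; not code from the post.
Registry paths in SAMPLE_REG are assumed (the post names no keys).
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (key path, value name, data)

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample: what an exported 'homereg111.reg'-style file might hold.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.sureseeker.com/"
"Search Page"="http://www.sureseeker.com/search.asp"
"Window Title"="Microsoft Internet Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
@="http://www.sureseeker.com/search.asp?q=%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sureseeker.com"=""
"""


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}; '@' is the key's default value.

    String data is unescaped; dword:/hex: data is kept as its raw token.
    Hex continuation lines (trailing backslash) are folded first.  Note that
    .reg files written by Windows 2000+ regedit are UTF-16LE on disk, so
    decode accordingly before calling this.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    folded = re.sub(r"\\\r?\n\s*", "", text)
    for raw in folded.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unquote(data)
            keys[current][name] = data
    return keys


def find_indicator(keys: Dict[str, Dict[str, str]],
                   indicator: str = "sureseeker") -> List[Finding]:
    """Flag values whose name or data mentions the indicator (case-insensitive).

    Names matter as much as data: every value name under the
    User Agent\\Post Platform key is appended to IE's User-Agent header,
    which is the mechanism by which a token like 'sureseeker.com' ends up
    advertised to every web server the victim visits.
    """
    needle = indicator.lower()
    hits: List[Finding] = []
    for key, values in keys.items():
        for name, data in values.items():
            if needle in name.lower() or needle in data.lower():
                hits.append((key, name, data))
    return hits


def undo_reg(hits: List[Finding], replacement: str = "about:blank") -> str:
    """Build a REGEDIT4 file reversing the flagged values.

    Heuristic used here (an assumption of this example): a value with empty
    data is a bare token such as a Post Platform entry and is deleted
    ('name=-' syntax); anything else is a URL and is set to `replacement`.
    """
    by_key: Dict[str, List[Finding]] = {}
    for hit in hits:
        by_key.setdefault(hit[0], []).append(hit)
    lines = ["REGEDIT4", ""]
    for key, entries in by_key.items():
        lines.append(f"[{key}]")
        for _, name, data in entries:
            lhs = "@" if name == "@" else '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'
            lines.append(f"{lhs}=-" if data == "" else f'{lhs}="{replacement}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicator(parse_reg(SAMPLE_REG))
    for key, name, data in found:
        print(f"{key}\n    {name!r} = {data!r}")
    print(undo_reg(found))
```

Run it against the real leftover files (decoded from UTF-16LE where applicable) and review the generated undo file by hand before importing it; the empty-data heuristic is deliberately conservative, so anything it turns into a deletion is a value name that was itself the indicator.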
Current thread:
- Re: sureseeker.com Nate W (Nov 01)
- <Possible follow-ups>
- sureseeker.com Nate W (Nov 01)
- Re: sureseeker.com Melissa McPherson (Nov 02)
- Re: sureseeker.com Ken Grossman (Nov 07)
- Re: sureseeker.com Sloan, Scott (CIT) (Nov 08)
- Re: sureseeker.com Nate W (Nov 09)