Security Incidents mailing list archives

sureseeker.com


From: Nate W <security () WHATEVER NET>
Date: Mon, 30 Oct 2000 14:17:32 -0800

If anyone can think of a better place to report this, other than
incidents () securityfocus com and cert () cert org, do let me know.

Looks like somewhere out there is a web server that cracks into web
clients and does a little bit of reconfiguring without the user's
knowledge or consent.

The main objective of the malicious code is to set the user's start page
to a cheesy "portal" web site, www.sureseeker.com.  The sureseeker web
site consists largely of 'affiliate clickthrough' links, for example news
headlines from isyndicate.com, web searches from goto.com and
searchtraffic.com, and so on.

The method appears to begin with the installation of an 'html application'
called runme.hta in the StartUp directory.  runme.hta appears to re-set
the start pages for Internet Explorer and Netscape, and also re-set the
search URLs used by IE in various places.  I say "appears to" because I
don't actually have a copy of the file - a second file, called
removeit.hta, is placed in the c:\ directory and executed via a link from
the StartUp folder.  removeit.hta deletes runme.hta in an attempt to cover
their tracks.  Removeit.hta doesn't get deleted though, and a set of .reg
files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also
remain on the victim's hard drive.

The malicious code also puts 'sureseeker.com' in the HTTP-User-Agent
string, so that victims are left running about advertising their
misfortune to every web server they visit.  Furthermore, sureseeker's tag
appears in the articles they post to newsgroups using IE and deja.com, as
in this case:

http://www.deja.com/getdoc.xp?AN=680049493&fmt=text

I have notified sureseeker's internet service providers (ni.net,
primenetworks.net, and verio.net just in case either of those is in
cahoots with the sureseeker people).

I'm not sure what steps to take next, but if anyone has ideas I'm all
ears.

Thanks,


Nate Waddoups
Redmond WA USA
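The indicators the post describes (Internet Explorer start page and search URLs pointed at www.sureseeker.com, 'sureseeker.com' added to the HTTP User-Agent, and leftover .hta and .reg files) are easy to check for from the defender's side. The Python script below is an added example, not code from the post or from anyone involved; the registry key paths, the .reg export text, the web server log lines and the file listing are all constructed assumptions, and the script runs offline against those samples. It shows three checks: parsing an exported .reg file for values that reference the hijack domain, identifying infected clients from a web server's access log by their User-Agent, and flagging the leftover files the post names.

```python
import re

HIJACK_DOMAIN = "sureseeker.com"

# Leftover file names the post reports on infected machines.
LEFTOVER_NAMES = {"runme.hta", "removeit.hta", "backup1.reg",
                  "backup2.hta", "homereg111.reg"}

REG_KEY = re.compile(r'^\[(.+)\]$')
REG_VALUE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')
# NCSA combined log format: client address is group 1, User-Agent is group 2.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')


def parse_reg(text):
    """Parse .reg export text (REGEDIT4 or 5.00 header) into {key: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_hijack_indicators(keys, domain=HIJACK_DOMAIN):
    """Return (key, name, data) for every value whose name or data mentions the domain."""
    domain = domain.lower()
    return [(key, name, data)
            for key, values in keys.items()
            for name, data in values.items()
            if domain in name.lower() or domain in data.lower()]


def compromised_clients(log_lines, domain=HIJACK_DOMAIN):
    """Return the client addresses whose User-Agent carries the hijack tag."""
    clients = set()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and domain.lower() in m.group(2).lower():
            clients.add(m.group(1))
    return clients


def suspicious_files(paths):
    """Flag leftover files named in the post and any .hta in a StartUp folder."""
    hits = []
    for path in paths:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in LEFTOVER_NAMES or ("\\startup\\" in low and name.endswith(".hta")):
            hits.append(path)
    return hits


# Constructed sample data; key paths are the usual IE locations, not taken from the post.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.sureseeker.com/"
"Search Page"="http://www.sureseeker.com/search.html"
"Window Title"="Microsoft Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sureseeker.com"=""
'''

SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2000:14:17:32 -0800] "GET / HTTP/1.0" 200 1043 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; sureseeker.com)"',
    '10.0.0.7 - - [30/Oct/2000:14:18:01 -0800] "GET /index.html HTTP/1.0" 200 2210 "-" '
    '"Mozilla/4.7 [en] (Win98; I)"',
    '10.0.0.5 - - [30/Oct/2000:14:19:10 -0800] "GET /news.html HTTP/1.0" 200 512 '
    '"http://10.0.0.1/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; sureseeker.com)"',
]

SAMPLE_PATHS = [
    r"C:\removeit.hta",
    r"C:\backup1.reg",
    r"C:\Windows\Start Menu\Programs\StartUp\runme.hta",
    r"C:\Windows\Start Menu\Programs\StartUp\Office Startup.lnk",
    r"C:\autoexec.bat",
]

if __name__ == "__main__":
    for key, name, data in find_hijack_indicators(parse_reg(SAMPLE_REG)):
        print(f"registry: [{key}] {name!r} = {data!r}")
    for addr in sorted(compromised_clients(SAMPLE_LOG)):
        print(f"client advertising hijack in User-Agent: {addr}")
    for path in suspicious_files(SAMPLE_PATHS):
        print(f"leftover file: {path}")
```

The log check is the one a web server operator can run without any access to the victims: because the hijack tags the User-Agent, every infected client identifies itself in the access log, which is also why the tag shows up in the Deja posting the message links to.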

