A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#7507 by ConanTheLibrarian
Fri Jul 22, 2011 1:26 pm
Sorry for the topic title, that can be changed once we figure out what it is.

Earlier this week Google announced that it is detecting proxy redirects when clicking on search engine results, with a big banner telling the user that they may be infected. However, I am still seeing redirects going on when you click on search results on some machines. Some call this the Shopica virus, though you can get redirected to many other sites besides shopica.com. There doesn't appear to be any scheduled task or service or rundll32 running that could account for this. There is also no proxy turned on or any other IE registry setting that is causing this.

What is strange to me about this virus is that the redirects are going to what appear to be legitimate sites, not criminal (exploits, droppers) infections. Could this be the work of some business that redirects users to their partners in order to solicit?

I would appreciate any insight and maybe a name and/or dropper for this frustrating redirector if anyone else has any. Thanks!
#7508 by EP_X0FF
Fri Jul 22, 2011 1:56 pm
Any example?
#7511 by r2nwcnydc
Fri Jul 22, 2011 2:29 pm
From my understanding of the Google announcement, Google is displaying the banner when they detect your IP as one of the known bad proxies. This was done because they noticed that a particular virus was proxying user traffic, allowing the malware authors to monitor and modify an infected system's network traffic.

It is also possible to be infected on your machine with something that does not proxy your network traffic, but rather redirects to other sites by modifying the DNS requests on your local machine. It is also possible for the author to change your DNS settings to use his DNS server, at which point he can map the domain names to any IP he wants. In these cases, Google would not know about the infection and would not display the banner.

There are many malicious applications that will do this and other similar techniques, and it is hard to determine which infection you have without knowing more.

http://googleblog.blogspot.com/2011/07/ ... -from.html

The funny thing about the Google post is that they claim it is a side effect of "Fake AV" applications. Most of the Fake AV applications I've played with make it so that you cannot open any programs after you have been infected, which is why I find it hard to believe that Google "successfully warn[ed] hundreds of thousands of users that their computer [were] infected. These are people who otherwise may never have known."
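A triage check for the two local redirect mechanisms r2nwcnydc describes (search-engine names pinned in the hosts file, and a resolver swapped for one the attacker controls). This is an added example for this thread, not code from any poster; the hosts-file text and resolver lists are constructed, and the set of "trusted" resolvers is an assumption the reader fills in from their own ISP or corporate configuration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread) imitating a hijack:
# search-engine names are pinned to a remote address instead of being resolved.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com
198.51.100.23   google.com bing.com
127.0.0.1       some-av-vendor.example
"""

# Names whose presence in the hosts file is suspicious unless they point at loopback.
WATCHED = {"google.com", "www.google.com", "bing.com", "www.bing.com", "search.yahoo.com"}

# Only RFC 1918 ranges count as "local"; ipaddress.is_private would also accept the
# TEST-NET documentation ranges, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real tool would log it
        for name in fields[1:]:
            yield ip, name.lower()


def hijacked_hosts(text):
    """Return sorted (name, ip) pairs where a watched name is pinned to a non-loopback address."""
    return sorted((name, str(ip)) for ip, name in parse_hosts(text)
                  if name in WATCHED and not ip.is_loopback)


def rogue_dns_servers(configured, trusted):
    """Return configured resolvers that are neither trusted, loopback, nor on an RFC 1918 network."""
    rogue = []
    for server in configured:
        ip = ipaddress.ip_address(server)
        if server in trusted or ip.is_loopback or any(ip in net for net in RFC1918):
            continue
        rogue.append(server)
    return rogue
```

On a live Windows box the inputs would be `%SystemRoot%\System32\drivers\etc\hosts` and the DNS servers shown by `ipconfig /all`; an empty result from both functions rules out these two mechanisms but not a proxying component.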
#7513 by ConanTheLibrarian
Fri Jul 22, 2011 3:00 pm
Thank you for your insight. I'm sorry for the vagueness of the topic and description, but that was all I was able to gather from what I know. I will check on the DNS settings and see if there is anything else I can gather from this the next time I see it.