Home page replaced with superbsuperior.info site.

Discussion in 'malware problems & news' started by Close_Hauled, Jan 16, 2007.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I am working on a customer's computer whose IE6 home page has been hijacked. The page has been replaced with a page on the superbsuperior.info domain. When that page opens, it redirects to a page on dcurtis.com. The site randomly displays porn or a message that you have spyware on your system. This customer has McAfee 8.0i on it and it cannot find a problem.

    I have been doing some searches, but I cannot find much information on what is putting superbsuperior.info in the home page. The only article that I have found so far is this one:

    http://www3.ca.com/securityadvisor/blogs/default.aspx?date=2006/9&id=90744

    Does anyone have any ideas on what hijack this is?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    More than likely it looked something similar to the below pic from dcurtis.com/2/popup/2.php?ref=john_p and probably offered Spywarewizard. In any case....that machine needs to be checked by those individuals versed in this sort of browser hijack. Since Wilders no longer offers system cleaning services or processing of hijackthis logs....which is what that machine needs....I suggest you or your customer visit one of the below malware cleaning forums.

    CastleCops, TomCoyote Forums, Bleeping Computer, or SWI Forums

    Bubba
     

    Attached Files:

  3. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Webroot Spy Sweeper will remove this problem, and the page will be reset to what it was before :cool:

    Name: CWS_secure32.html hijack
    Unique Code: 9S4OPLO1
    Type: Hijack
    Severity: High
    Description: CWS_secure32.html hijack may hijack any of the following: Web searches, home page, and other Internet Explorer settings.

    Characteristics: CWS_secure32.html hijack may redirect your Web searches through its own search engine and change your default home page. This hijacker may also change your other Internet Explorer settings.

    Method of Infection: Hijackers generally propagate through the use of seemingly-innocent dialog boxes, various social engineering methods, or through scripting errors. Usually hijackers are bundled with various free software programs.

    Consequences: If this hijacker changes your Internet Explorer browser settings, you may be unable to change back to your preferred settings.
     
  4. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Bubba,

    You are absolutely correct, this is the screen that he gets. I should have Googled SpywareWizard. I tried the two domains, but came up blank.

    Cleaning this will be relatively easy. I reloaded the OS on this system a few months ago because this user got the same malware. I can have him up and running in 15 minutes.

    The problem is that I need to track down how he got it so that he does not do it again.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Good luck CH....but unless the customer can recall each and every step taken prior to the hijack....you are hunting a needle in a haystack.

    A simple search for an item that's not even XXX by the customer could be all it takes, especially if they do not have his/her browser configured properly. If I had to guess....I'd say social engineering is the number one cause of infections.

    Let's take for instance this superbsuperior site you speak of and do a simple search on MSN.com. What follows is not far fetched and is just one of thousands of ways for a user to be infected.

    1) Search for top rated stories at search.msn.com

    2) Select one of the links....ohhh....let's select the third one in line which wouldn't be too far-fetched....superbsuperior.info/navigation/webpage53.html

    3) The user is taken to the below superbsuperior page and if their browser is set improperly they don't even get the choice for the Home page change and who's to say they don't select Enter and make the wrong choice after that.

     

    Attached Files:

  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The above was what one would see for IE 7. Let's take a look at the same search site result for IE 6 which is what your customer has.

    1) Search for top rated stories at search.msn.com

    2) Select one of the links....let's select the third one in line which wouldn't be too far-fetched....superbsuperior.info/navigation/webpage53.html

    3) The user is re-directed to the below systemsecure.org page if their browser is not secure and when they select Click here to enter website....they receive the Home page selection. However....no matter how many times one selects No....it will not proceed until Yes is selected. Now....how many users do you feel would finally say screw it when their browser locks up and just select Yes so they can proceed. IMHO....the vast majority.

    So while this may be more than what you asked for....this task you have taken upon for yourself will more than likely have you scratching all your hair off :blink:
     

    Attached Files:
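    As an added example (not code from any poster in this thread): a small Python script that reads a .reg export of the Internet Explorer Main keys and flags home page / search page values whose host is not on an allow list, which is the kind of check that shows the change described above without installing anything on the machine. The sample export and the allow list are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a .reg export (not taken from the thread); the Start Page
# value mirrors the hijack described in the posts, the other values are defaults.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://superbsuperior.info/navigation/webpage53.html"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.msn.com/"
"Start Page"="http://www.msn.com/"
'''

# Value names IE consults for its home page and search settings.
WATCHED = {"Start Page", "Default_Page_URL", "Search Page",
           "Default_Search_URL", "Local Page"}
# Hosts the administrator expects to see (assumed allow list for this example).
ALLOWED_HOSTS = {"www.msn.com", "www.microsoft.com"}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE.match(line.strip())
        if m and current is not None:
            # .reg files escape backslashes as "\\"; undo that for the data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_hijacks(text, allowed=ALLOWED_HOSTS):
    """List (key, value name, host) for watched values pointing off the allow list."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(r"\internet explorer\main"):
            continue
        for name, data in values.items():
            host = urlsplit(data).hostname  # None for local paths like blank.htm
            if name in WATCHED and host and host.lower() not in allowed:
                findings.append((key, name, host))
    return findings

if __name__ == "__main__":
    for key, name, host in find_hijacks(SAMPLE_REG):
        print(f"{key}\\{name} -> unexpected host {host}")
```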

  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    so you need to either secure their browser better aka IE or get them to use a better browser like opera or firefox.
    or get some realtime antispyware to block that rubbish.
    or some HIPS but easy to use HIPS like prevx or online armor
    lodore
     
  8. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Bubba, once again, as I have stated before, you are the greatest. This actually helps.

    I am replacing the users computer with a new one. I am going to bring his old one into my shop. I will pry it open and figure out how he got hijacked.

    Because this is part of a very large corporate network, I cannot install software unless it is licensed and approved. So installing spyware removal software is out of the question. Unless of course I bring it into my shop and I am evaluating software.

    I have been a network engineer for over 20 years and I still don't know how users get infected so easily. The last time I got a virus was the first time, and that was 1989. Since then, my own wits and instincts have been my best protection. What seems common sense to me seems to escape the average user.
     
  9. EASTER.2010

    EASTER.2010 Guest

    If you're running System Safety Monitor with "BLOCK" rules for Home/Start Page changes you can see SSM's "Modules Alert" window jump up with the attempted change in RED, i subsequently clicked YES and ended up on one of those boring and dreary looking Search Pages hastily thrown together for that weak exploit
    Type your search query on the top of the window

    That's about it, like Bubba said already, if the user's browser is not configured properly, and my suggestion would be to secure it additionally with a good HIPS or other Home Page monitor/Lock program, IE is easily lured into an easy trap.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I just went to the site mentioned to have a look at it:

    http://img149.imageshack.us/img149/4720/clipboard024dr.jpg

    Man, the way it looks instantly tells you it's nothing good.
     

    Attached Files:

    Last edited by a moderator: Feb 1, 2007