man in the middle

Adware the series, part 2

In this post, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Flowchart adware

Reroute and intercept

We will discuss a few methods to reroute, intercept, and change your internet traffic. They are:
  • LSP hijacks, inserting a third party file into the winsock.
  • DNS hijacks, connecting to another site by altering the Domain Name System results.
  • this week

    Proxies

    If a system-wide proxy on a Windows computer is set, you will almost always find it in the Microsoft browser. In Internet Explorer, you can find it under Menu (gear icon) > Internet Options > on the Connections tab click the LAN settings button:”>

    LAN proxy settings

    Remove the tick under Proxy server to remediate the problem.

    In Edge, in the Menu (three dots) select Settings > View Advanced Settings > Open proxy settings > Turn Use a proxy server to Off to disable the proxy.

    Browser specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.

    For Chrome:

    • Click the menu icon
    • Choose Settings (alternatively paste chrome://settings/ into your address bar)
    • Click on Show advanced settings…
    • In the “Network” Section, click Change Proxy Settings. This will open the Internet Properties window, where you can access the LAN Settings as shown above.

    For Firefox:

    • Click the menu icon
    • Choose Options
    • Select the Advanced tab (alternatively paste about:preferences#advanced into your address bar)
    • Select the Network tab
    • Under Connection click on Settings and you will see the proxy configuration options
    Firefox proxy settings

    For Opera:

    • Open the menu
    • Choose Settings
    • Open the Browser tab
    • Under Network click the Change proxy settings… button
    • This will open the Internet Properties window, where you can access the LAN Settings as shown earlier.

    If you notice that the proxy is running through a port on your localhost (127.0.0.1), there is a way to find out which process is responsible. Using the command netstat –ab in a command prompt (elevated as an Administrator) will reveal which process is listening on the port (8003 in our example below).

    netstat Betterads

    BetterAds adware having control over port 8003“>

    LSP hijackers

    A Layered Service Provider (LSP) is a file (usually a DLL) using the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and modify all the traffic between the internet and a system’s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2). The layering order of all providers is kept in the Winsock Catalog. As a consequence, LSPs have to be uninstalled. Just ripping out the file that acts as the LSP could result in a broken internet connection. If Malwarebytes removes an LSP hijacker from your system it will require a reboot to prevent this disconnection from happening.

    DNS hijacks

    Domain Name Service (DNS) hijacks can be performed at many levels, but in the scope of this series, we will only deal with the ones that act on the system itself.

    (a) DNS cache poisoning

    By feeding your DNS resolving process false data (in such a case, the wrong IP for a certain domain), the system will at some point no longer query the DNS server for the IP but use the wrong data it has in his cache.

    Remediation: To clear the Windows DNS cache use the command ipconfig /flushdns in an elevated command prompt.

    (b) Hosts file hijacks

    The hosts file is a special file located in %windir%System32driversetc that can be used to store IP addresses that you want to associate with certain domains. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware sometimes uses hosts file of their own making to replace the one on the victim’s system to hijack traffic.

    Remediation: You can edit the hosts file in notepad (elevated). Even though it has no extension it is a text file.

    (c) DNS server settings

    The DNS server settings are normally stored under the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters in the NameServer value which should hold two comma-separated IP addresses that represent the DNS servers for the internet connection that is currently in use.

    Remediation: Change the DNS servers for the active internet connection by looking at the properties of the connection in the “Network and Sharing Center”.

    DNS servers

    For most ISPs this is the recommended setting. If yours are different you may find the necessary information on the provider’s site.“>

    Index

    Part 1:

    • Identify the process
    • Clear browser caches
    • Remove browser extensions

    Part 2

    • Proxies
    • Winsock hijackers
    • DNS hijackers

    Up next, part 3

    • Type of software
    • Uninstall
    • Remove file
    • Replace file

    Pieter Arntz

    ABOUT THE AUTHOR

    Pieter Arntz

    Malware Intelligence Researcher

    Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.