Earlier this week I noticed that Google searches on my Windows XP box were coming up with bizarre results. I'd type something in to Google and my search results would come up with headings and descriptions that looked correct but linked to bogus sites. At first I thought that this was some kind of search engine optimization gone awry. Two things changed my mind:

1. I noticed my web browser accessing a bogus URL: http://1.2.3.0
2. I checked my other machines (all running Linux) and they all worked correctly.

I viewed the source of the Google results, and I noticed an HTML script tag that had been injected into the search results page. I installed the NoScript Firefox extension which was successfully able to disable this foreign script and fix my Google results. Now I could work on actually eliminating this malware.

I opened up a Cygwin bash prompt and tried to ping 1.2.3.0, thinking that perhaps this was redirecting elsewhere - nothing turned up. On the other hand, if I launched Firefox and typed in that URL, it would connect to a server and retrieve some JavaScript. At this point I was convinced that this redirection was localized to my Firefox process.

I decided that whatever was causing this could have a varying degree of sophistication. Going for the low-hanging fruit seemed to be the most obvious course of action. I fired up Process Monitor from Sysinternals and logged everything that happened in the system as I entered "http://1.2.3.0" in the Firefox address bar. Here's what I found:



Notice the TCP transmissions to 94.247.2.58 port 80 (HTTP). Something is definitely phoning home. A quick run of the ping command with reverse DNS lookup gave me a successful hit of hs.2-58.zlkon.lv.

Rather than continuing with a fine-grained investigation, it was time to let my fingers do the walking. I had already disabled (though not yet eradicated) this malware, and at this point I had something to search on. Google promptly returned these juicy nuggets:

Beware of sysaudio.sys!

Fake sysaudio.sys causes search engine hijack

It looks like whatever put this on my machine was using some kind of unpatched browser exploit. Anyway, those blog posts point out that c:\windows\system32\sysaudio.sys is the likely culprit. Sure enough, I found it on my machine.

I decided to take a look to see if I could obtain some more information from this binary without doing any disassembly. I ran the strings command and got some interesting results. I won't include them all here, but I will note that they were all reversed in the binary. For example, one line in the strings output was:

:tnegA-resU

Look familiar? Reverse the string and think HTTP. ;)

Among other things, there are HTML script tags embedded in the binary, as well as parts of a URL that look like they are eventually spliced together. There's also a line containing the string "ntnet.drv", so that looks like another file that might be involved.

Here's the MD5 checksum for sysaudio.sys: db8c035980bf8cd18953e3f3f0abfe7e

By quarantining the files and fixing the registry key as mentioned in those blog references, it appears that this piece of malware has been eliminated. Despite the fact that I was happy (and intrigued) to track this issue down, I am kicking myself in the ass for allowing this to happen in the first place. On Windows I tend to run as an Administrator because of so many shitbox apps out there that can't handle a low-privileged user. I usually use Michael Howard's DropMyRights utility to ensure that stuff like this can't happen. I don't know why I wasn't using it on Firefox... perhaps my modified shortcut got overwritten during an upgrade?

UPDATE January 9, 2009: I submitted this malware sample to a number of anti-virus vendors, and some of them needed to add it to their databases. It appears that a slightly different version has been floating around as of late, this time under the guise of c:\windows\system32\wdmaud.sys and accessing http://7.7.7.0 instead of http://1.2.3.0.

I laughed when Dion's broadcast was aired (in Western Canada CTV was able to air it in its entirety during the 6:00 news). Who are the amateurs that were taping him? The bookshelf behind him was in focus, not Dion himself!

I laughed even harder when I noticed the book that was in clear focus at the top left corner of the screen: Hot Air by Jeffrey Simpson et al. It's a global warming book, but its title lent a certain tinge of irony.

He sure spoke a long time. I stopped paying attention once I noticed that he was rambling.

More to come...

Today the Federal, Alberta, and BC privacy commissioners jointly issued guidelines concerning driver's licenses. While certainly not as detailed as PIPEDA or PIPA legislation (or related investigations), it does provide a concise, easy to comprehend guide for retailers who might not be aware of their rights and responsibilities. I think that it's also useful to the consumer and worth reading if you care about identity theft.