05 February 2006
The people who installed Google's Toolbar by exploiting a security hole worked hard on their Google imitation: figuring out how to take advantage of a security hole, downloading the toolbar, changing settings that redirected requests from Google to their own server. Luckily, their exploit did not stay live very long, probably due to Google putting some pressure on the owner of the server that hosted the exploit code.
In October 2005 some other guys were trying hard too, namely the owners of nowfind.net, who set up a page that was almost identical to Google's front page. A random search at nowfind.net redirected you to nowfind.biz. The rip-off has been online at least since May 2005.
magicsearch.us was also dressing up like Google by configuring magicsearch's name server to point to one of Google's IP addresses. In addition, magicsearch.us frequently appears in HijackThis logs.
I would not be surprised if the following settings have been changed by exploiting security holes in Internet Explorer:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/
Who are these guys? I don't know really. The whois data is probably faked. They have previously been kicked from the CoolWebSearch affiliate program.
Anyway, Google was notified and the two sites have dropped their Google imitation.
More recently I ran into 4-counter.com, who have also pointed their name server to one of Google's servers. 4-counter.com has a bad reputation because of frequent hijacks - going back to 2004 - of Internet Explorer's home page and search settings. The hijacker goes under names such as StartPage-CV and Troj/StartPa-BF.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=megad
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=megad
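A way to triage logs like the two excerpts above, as an added example (not the author's code and not part of HijackThis): it parses the R-section lines, extracts the host each setting points at, and groups hosts outside an allowlist by registry hive. The allowlist and the last sample line are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# HijackThis R-section line: "R1 - <hive>\<registry key>,<value name> = <data>"
LINE_RE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM))\\([^,]+),([^=]*?)\s*=\s*(.*)$")

# Assumption: domains the analyst accepts in IE search/start settings.
ALLOWED_DOMAINS = ("microsoft.com", "msn.com")

# The first four lines are quoted from the post; the last one is constructed
# to stand in for an untouched default.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=megad
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
"""

def parse_line(line):
    """Return a dict for one R-section line, or None if it is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, hive, key, name, data = m.groups()
    host = (urlsplit(data.strip()).hostname or "").lower()
    return {"section": section, "hive": hive, "key": key,
            "name": name.strip(), "data": data.strip(), "host": host}

def is_allowed(host):
    """Match the domain itself or a subdomain, never a bare substring."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def find_redirects(log_text):
    """Map each non-allowlisted host to the (hive, value name) pairs it occupies."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["host"] and not is_allowed(entry["host"]):
            hits.setdefault(entry["host"], []).append((entry["hive"], entry["name"]))
    return hits

def machine_wide(hits):
    """Hosts written under HKLM, i.e. settings that apply to every user."""
    return sorted(h for h, where in hits.items() if any(hv == "HKLM" for hv, _ in where))

if __name__ == "__main__":
    for host, where in find_redirects(SAMPLE_LOG).items():
        print(host, where)
```

One host occupying several search and start-page values at once, as both excerpts show, is a stronger signal than any single changed value.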
Domains pointing to Google's servers
magicsearch.us and 4-counter.com are not the only domains that have pointed their name servers to one of Google's servers. In fact, there are almost 300 of them. The following lists domains that resolve to Google's servers. Please notice that Google's domain names also appear in the list: