A growing problem has started cropping up on the internet over the last month. It started early in November, when internet help forums began receiving reports of what initially appeared to be a browser hijack of some sort: "My browser is constantly going to this 'Med Network' home page. Doesn't matter what web page I try. It's an online pharmacy page." When the standard removal methods for a browser hijack failed, however, people began to look closer at the problem. What they found has left many industry experts fearing the worst: the potential for this exploit to cripple the internet as a whole.
An early sign of the problem surfaced when some websurfers noticed an unusual graphic appearing in place of the image that should have been there. An affected user might see, for example, the "prescription medication" image appear on their own website in place of the graphic they had placed there, despite having made no changes to the page.
Further reports began coming in of common websites such as Amazon.com or Google.com being redirected to the Med Network website (screen capture image of site). While fewer people noticed the initial image takeover, the redirection to a different website was patently obvious.
This isn't limited to one type of computer, operating system, or internet browser. The problem has been reported by people using Windows, Mac OS, Unix, and other operating systems, and it happens in internet browsers including Internet Explorer, Netscape, Firefox, and Opera.
There are several programs on the market, termed adware and/or spyware removers, which take care of a standard browser hijack. Users who found themselves victims of the Med Network redirect were advised by security professionals to use these tools, but it was quickly determined that none of them worked.
"... I downloaded and ran CWShredder, Spy Subtract, and a few other free downloads - all to no avail. I can't get rid of the 'Med Network.'"
As the problem spread, system administrators and other industry professionals found themselves faced with entire corporate networks being affected by the Med Network exploit. Armed with more knowledge than the average web user, they attempted more extreme correction methods.
"... all tests negative. No trojans or exploits found ... suspecting this is some new virus or spyware, I went for full partition format. Full C: format with fresh SP2 installation. This time installed Kaspersky and Zone Alarm Pro. Again updated all using [my account], then logged into [ISP]. 5 mins later (that means for 5 mins it worked normally. All the right pages opening based on correct URLs) I get the same ... [Med Network] page."
In layman's terms, this individual encountered the exploit and used some advanced programs to try to isolate the problem. When he was unable to do so, he completely erased everything from his computer (including all traces of Windows) and reinstalled the programs. Ideally, this should remove any malicious software, such as a virus. Within 5 minutes of signing back online, he encountered the exact same redirection to the Med Network homepage.
This is one of the early clues that we are not looking at a virus or a piece of spyware -- at least, not like any the internet has encountered before.
The first issue to consider is the redirection to the Med Network website (screen capture image of site).
As of yet it is unknown exactly how this redirection is happening. There is apparently no malicious software involved, so the hijack may be happening at the DNS level rather than on an individual user's computer. DNS, simply put, is how the internet connects your computer to the website you choose to view. If you want to view abovetopsecret.com, for example, a DNS server translates "abovetopsecret.com" into the unique numerical address assigned to this website. It is similar to the way the phone network translates the tones of a dialed number into a ringing telephone at the other end. By altering that translation process, the web address you type into your browser can instead send you to any website a hacker chooses.
Significant risks exist in forced redirects like this. A hacker can create code and place it on the destination website to steal a user's personal information. In some cases, this can include passwords and credit card information.
The second, and potentially more damaging, issue to consider is the image takeover.
By some unknown means, a third party has found a way to redirect this image from a remote web server. When a computer user who is affected by this exploit views a website, this image appears in place of the one that should be there. To a non-affected user, the original image appears normally.
If this image can be forcibly inserted, then other types of files or code could be inserted just as easily. A small piece of program code could be served to an affected user; if enough users are affected and the code is destructive enough, there exists the very real possibility that such an "army" of infected computers could bring the internet as a whole to its knees.
This exploit isn't delivered by any of the normal means of virus transmission. It isn't sent in an email, nor is it hidden in a program someone can download. At this point, it appears to be randomly "forced" onto a computer and/or network, and that is not something that can yet be prevented by firewalls or antivirus software.
In addition, if initial fears are correct that this is a vulnerability in the very backbone of the internet, there may not be a program that can protect a computer from becoming infected.
As of this writing, a temporary solution to the problem has been discovered. It is important to note that the solution is only temporary and in no way alleviates the greater issues at play. It can, however, render an affected user's computer able to browse the internet normally for a time.
If you find your internet browser sending you to the Med Network site, you will need to flush your local DNS cache (for Windows 200x and Windows XP):
1. Close your browser.
2. Click on your Start menu, then click on "Run".
3. Type cmd in the box that appears.
4. A new command prompt window will open. Type ipconfig /flushdns
5. Hit the Enter key.
6. Close the command prompt window.
7. **IMPORTANT** Return to the website you were visiting or attempting to visit when the redirection occurred, change your passwords, and remove any personal information (such as credit card numbers) you have on file at that website.
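As an added illustration (not part of the original post or its sources), the following Python check looks for the symptom described above, unrelated sites all resolving to one address, which is the kind of cached answer the flush procedure discards. The hostnames are assumed examples and the addresses are constructed documentation values standing in for a resolver's answers.

```python
"""Heuristic check for the DNS-level redirection described above: several
unrelated hostnames (Amazon.com, Google.com, a user's own site) all resolving
to one address is the symptom of a poisoned resolver answer, which is exactly
what "ipconfig /flushdns" discards. Resolve well-known names, flag shared IPs."""
import socket
from collections import defaultdict

# Constructed sample answers standing in for a poisoned DNS cache. The
# hostnames are real; the addresses are RFC 5737 documentation ranges.
POISONED_ANSWERS = {
    "www.amazon.com": "203.0.113.10",
    "www.google.com": "203.0.113.10",
    "www.abovetopsecret.com": "203.0.113.10",
    "www.example.net": "198.51.100.7",
}
# The same names with distinct answers, as a healthy resolver would return.
HEALTHY_ANSWERS = {
    "www.amazon.com": "198.51.100.1",
    "www.google.com": "198.51.100.2",
    "www.abovetopsecret.com": "198.51.100.3",
    "www.example.net": "198.51.100.4",
}

def resolve_all(hostnames, answers=None):
    """Map each hostname to an IPv4 address. With answers=None the OS resolver
    (and its cache) is used; a dict of canned answers lets the check run offline."""
    result = {}
    for name in hostnames:
        try:
            result[name] = socket.gethostbyname(name) if answers is None else answers[name]
        except (KeyError, socket.gaierror):
            result[name] = None  # unresolved names are skipped by the check
    return result

def find_collisions(resolved, threshold=3):
    """Return {ip: [hostnames]} for every address shared by >= threshold names.
    Legitimate shared hosting exists, so the result is a prompt to flush and
    re-check, not proof of tampering."""
    by_ip = defaultdict(list)
    for name, ip in resolved.items():
        if ip is not None:
            by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}

if __name__ == "__main__":
    for label, canned in (("poisoned", POISONED_ANSWERS), ("healthy", HEALTHY_ANSWERS)):
        hits = find_collisions(resolve_all(canned, canned))
        print(label, "->", hits or "no shared addresses")
```

Calling resolve_all with answers=None on a machine showing the redirect queries the live resolver; running it before and after the flush shows whether the shared address disappears.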
Sources:
CNET.com
majorgeeks.com
tech-arena.com
tek-tips.com
computercorps.biz
[edit on 14-12-2004 by Banshee]