Re: Microsoft is running a disreputable spyware outfit

From: Daniel Crichton (msnews_at_worldofspack.co.uk)
Date: 11/01/05


Date: Tue, 1 Nov 2005 17:03:13 -0000

I've dug around a bit more, and noticed that rad.msn.com does have a DLL
with the same name. However, this is not downloaded to the browser - it's an
ISAPI DLL that runs on the rad.msn.com web server and spits out HTML
adverts. Perfectly safe.

What appears to have happened is that a virus/trojan/worm has taken
advantage of this (and has been doing for some years, there are posts going
back to at least mid 2003 about this) to modify hosts files to redirect
requests for rad.msn.com to another server where there is a DLL with the
same name located, that may be malicious.

There is a third possibility - one of the rad.msn.com servers is
misconfigured, or occasionally has a fit, and instead of executing the
ISAPI DLL ends up trying to send it to the browser (after all, the browser
requested the URL albeit due to a Hotmail advert). In this case the DLL
itself is harmless, but may trigger an alarm as it's a binary file being
sent rather than the expected HTML.

If you did not have a host entry already that pointed rad.msn.com to a
different IP than those shown in an nslookup, I'd suspect a prior infection
by something that does its best to hide its intentions by pretending to be
a MS advert server and attempts to install the DLL (this will however
normally require a lot more work than just downloading the DLL, there would
have to be something already on your machine watching for it to arrive in
the temporary internet files folder so it can do something with it).

If there was no hosts entry prior to you adding the loopback address, it
could well be a MS ad server hiccup, maybe exacerbated by Firefox rather
than IE. I've tested a number of URLs (eg. http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=IMSUKM?SC=HF?ID=0003bffd852fcb7f)
which do exactly what I'd expect - in both IE and Firefox return a bit of
JavaScript and a banner advert, nothing more.

Dan
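
The hosts-file check described in the message above, as an added example that is not part of the original post: it parses hosts-file text and classifies each entry for a watched name as a local loopback block, a match for the addresses nslookup returned, or a redirect to some other server. The sample hosts content, the function names and all IP addresses (documentation ranges) are constructed for illustration; the DNS answers are passed in by the caller so the check runs offline.

```python
import ipaddress

# Constructed sample hosts file (not taken from the original post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    rad.msn.com   # constructed suspicious entry
127.0.0.1       ads.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for name in fields[1:]:               # one IP may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched, dns_answers):
    """Classify hosts entries for the watched names.

    dns_answers maps hostname -> set of IP strings seen in an nslookup.
    Returns a list of (line_no, hostname, ip, verdict).
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name not in watched:
            continue
        expected = {ipaddress.ip_address(a) for a in dns_answers.get(name, ())}
        if ip.is_loopback or ip.is_unspecified:
            verdict = "blocked-locally"       # e.g. a loopback entry added by the user
        elif ip in expected:
            verdict = "matches-dns"           # redundant but consistent with DNS
        else:
            verdict = "redirected"            # points somewhere DNS does not
        findings.append((line_no, name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    answers = {"rad.msn.com": {"198.51.100.10"}}   # constructed nslookup result
    for finding in audit_hosts(SAMPLE_HOSTS, {"rad.msn.com"}, answers):
        print(finding)
```

A "redirected" verdict on an entry the user did not add is the case the message attributes to a prior infection; on Windows the file to feed in is the hosts file under the system's drivers\etc directory.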


