Posted by: Brian de Alwis | May 12, 2011

Being a good neighbour by curing strange Google popups

[I haven’t come across any other reports of similar problems, so I thought I’d write this up quickly for anybody else encountering this same issue.]

I normally do my utmost to avoid doing computer support, but my neighbours had been suffering from ad popups for several months now and were at their wits’ end. As the issues seemed to have disappeared after having had a laptop re-installed, I figured it was malware and recommended they do some scans and repair. Since they hadn’t mentioned it since, I figured the problem was solved. But they were instead suffering in silence. They had tried everything — even contacting their ISP’s tech support.

The symptoms were that clicking on Google search results caused the link target to pop up in a new tab. I find this kind of behaviour pretty handy (it’s generally how I do search), and I was prepared to write it off as some browser bar feature from their provider, Rogers. But my warning bells were triggered when clicking on a Google search result would occasionally spawn a popup ad (many of which were broken) or redirect to “search312.com”. Hooking up tcpdump showed that a number of machines were being connected to, including http://www.find-quick-results.com, 20614.172.hit.tadasearch.com, ltdomains.com, 21677.172.filter.blendernetworks.com, and rev.ineting.net.

After some digging, I finally discovered that their router DNS settings had been changed to some Russian-based redirection servers (213.109.69.40, 213.109.69.43). These servers redirect Google and other sites to a server that rewrites links to be opened in new tabs. If the miscreants had been more subtle in their ad popups, my neighbours would likely never have complained. Imagine the data that these miscreants have been harvesting!

Unfortunately, in this case the breach was introduced by the neighbours themselves. They had seen a popup claiming that Mozilla Firefox had detected unusual network activity, and it asked them to change some settings to check whether a computer was malfunctioning. This warning appeared at the time they started to notice these issues.

If you stumble upon this page because you’re having similar symptoms, check that your DNS settings are valid. If you’re uncertain, do a reverse lookup of the DNS addresses and ensure that they match an organization you trust (e.g., your ISP). If you’re at all worried, then I’d highly recommend using Google’s Public DNS (8.8.8.8 and 8.8.4.4). Then do a round of malware and virus checking, and I’d also suggest changing your banking passwords.

[How are ordinary people supposed to figure this out?]
