Internet.com ISP-Planet
 

The Search Engine Trojan

Members of the ISP-Tech list fight a Trojan, frequently delivered through P2P networks, that redirects browser traffic to a certain website.

[February 26, 2004]

On the ISP-Tech list in February, AE asked:

I have a bit of a problem it would appear. I am currently working on a customer's machine. Anytime she tries to access a secure site, Incredifind keeps coming up on her computer. She is able to surf any other web pages. She has children that try to update their profile via Hotmail, but it too is a secure site for changing personal information. I have run SpyBot S&D and Ad-aware 6.0. Removed 189 spyware pieces. Still no luck with it. I have deleted her cache and her Temporary Internet Files folder. Still no luck. Any suggestions would be great.

One respondent, LB, had the answer, possibly from Google.

In fact, any time you're faced with a problem like this, go to Google. In this case, the word "incredifind" is unique and therefore provides good search results.

Note that the Google search results reveal dozens of cases where the victim was blamed for failing to patch their system or for not running anti-adware software, even though most anti-adware tools had not yet been updated with a fix for the incredifind hijack. In several cases, the Trojan appears to have been delivered through a P2P network such as Kazaa. In many cases, no solution was found.

The hijacker exploits a browser flaw to redirect traffic to its search engine, incredifind.com. We visited www.incredifind.com to learn more and clicked on the company's privacy policy.

This loaded a page from a website called www.flowgo.com, which serves a variety of content that the viewer is encouraged to e-mail to a friend—after providing contact information for themselves and the friend. (We were served popunder ads by both incredifind and flowgo.)

The privacy policy says that unless a user opts out, the network of websites called eUniverse will share the information both within the network and outside it (see this description of eUniverse from PestPatrol).

If the user makes a purchase, the website will remember the viewer's credit card number "to facilitate future purchases," but if the credit card number is stored in a cookie, it is extremely vulnerable.

Of course, for a website that is committing a computer crime to obtain page views, we were surprised to find any privacy policy at all, even one as inadequate as what we did find.

As phishing scams and other scams proliferate, 2004 is turning out to be the year of the Internet scam. ISPs cannot protect users from everything that's out there, but every ISP employee should do their best to learn about malicious software, malicious websites, and malicious e-mails.

Even though there's more nasty stuff out there than any individual could ever know about, knowing about some invasive innovations should be useful. When you do not recognize the latest incarnation of Internet evil, at least you'll recognize its category, and know what kind of solution to look for.

—End

Related articles:
  [Jan. 2, 2003] Best of the Best of the ISP-Lists: Anti-Spam and Anti-Virus Services
  [June 14, 2002] Scrubbing Servers with PestPatrol
  [Aug. 17, 2001] Beware of Gifts Bearing Trojans

 

 
