Search Results being Hijacked

My blog has very low activity, so if you’re reading this post, it means you’ve searched for a solution for your problem but haven’t yet found one.

About 3 weeks ago I was hit by the ‘System Check’ malware. It came from a script on a website (can’t recall offhand which, but it was one of the WordPress sites), likely through a poisoned carrot in the theme files or some upload. My anti-virus (ESET) picked it up, a few times at that. I was curious, and looked into my temp folder to see what was up. A few moments later I had forgotten about the intrusion (I have a bad memory), and I turned off the ESET Firewall to open a port range (don’t ask why). Then bang!!! I was hit by the malware.

So this is what basically happened (I think):

  • An intruder plants a malicious script in a WordPress site (or comments field)
  • User goes to site
  • Script runs with the rest of the blog
  • Script downloads an executable file to the internet temp folder
  • File runs silently, connecting to wherever to install the ‘System Check’ malware, and does other things like hiding folders and the sort.
  • Your DNS cache is poisoned and your computer hijacked
  • You lose hope

I won’t go into the details of how to uninstall/remove the thing. There are plenty of tutorials out there. The most interesting thing for me is what is left after you clean your system.

For example, I have a redirect issue whenever I go to Google. At first it was random, but now it happens every time. Whenever I click on a search result I am taken to something like http://***.com/?c=eaa2e3099b054bf5ecb0888b2a3428e1&uid=***.

The page appears and disappears as fast as your internet connection. Sometimes I’m directed to the page I was looking for, but on other instances I’m sent to http://yellw.info/*. Now that was what was concerning me, because I can’t find anything on a ‘yellw.info’ malware or the sort, so I effectively can’t clean the thing.

Wondering how the process works, I decided to catch the MITM thing, and here’s the script that’s executed during the whole process. It’s a form submission that might seem harmless, but we won’t know:

I don’t know if the data in the form variables means anything specific; I tried running the MD5 hash on the net, but didn’t find anything definite. I didn’t try to catch other URLs to see whether they’re consistent with the one I posted here. One thing I noticed was that when I just go to the page with blank parameters, I end up at yellw.info with missing GET parameters.

I know I’m not offering a solution to the problem, and I have no time to find out what’s wrong, but I’ve tried many things:

  1. Malwarebytes
  2. TDSSKiller
  3. HijackThis
  4. ComboFix

Each contributed valuably, but didn’t solve the problem. I even checked my registry for changes to DNS details (where router data is stored), but I haven’t tried flushing that bit yet. ComboFix found a copy of the original files that installed when I went to that dodgy website, but nothing’s changed. As far as I have checked, all the domains are registered by DirectNIC. Refer to the pic below.

A few things I would suggest however are to:

  • block yellw.info with your firewall
  • try to exhaustively block the domains that you keep redirecting to (obviously I mean IP addresses, assuming this thing is hosted on a private server somewhere)
  • remain alert; there might be more tricks, as your PC is essentially a bot
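Added example, not code from the original post: a PowerShell script that does the checks and blocks suggested above on a Windows machine. It lists the DNS servers each interface uses (the registry location the post refers to), shows any non-comment entries in the hosts file, clears the DNS client cache (the "flush" the post mentions not having tried), resolves the redirect domain named in the post and adds an outbound Windows Firewall block rule for the addresses it resolves to. The domain `yellw.info` comes from the post; the rule name and the parameter names are assumptions. The cmdlets used (`Resolve-DnsName`, `Clear-DnsClientCache`, `New-NetFirewallRule`) need Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the original post). Run as Administrator.
param(
    # Domains observed in the redirect; yellw.info is the one the post names.
    [string[]]$BlockDomains = @('yellw.info'),
    # Display name for the firewall rule (assumed name, change as you like).
    [string]$RuleName = 'Block search-redirect domains'
)

# 1. DNS servers per network interface, read from the registry.
#    A static NameServer on a machine that normally gets DNS from DHCP is
#    worth a close look: DNS-changing malware typically writes one there.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Write-Host "== DNS servers per interface =="
Get-ChildItem $ifaceKey | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Interface      = $_.PSChildName
        NameServer     = $p.NameServer      # statically configured (empty if DHCP)
        DhcpNameServer = $p.DhcpNameServer  # handed out by the router / ISP
    }
} | Where-Object { $_.NameServer -or $_.DhcpNameServer } | Format-Table -AutoSize

# 2. Hosts file: any live (non-comment) line that maps a name to an address.
#    A clean Windows hosts file normally has no active entries at all.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== Active hosts file entries =="
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    ForEach-Object { Write-Host "  $_" }

# 3. Flush the local DNS cache so stale or poisoned answers are dropped.
Clear-DnsClientCache
Write-Host "DNS client cache cleared."

# 4. Resolve the redirect domains and block the resulting addresses outbound.
#    Firewalls block addresses, not names, so resolve first; re-run the script
#    periodically because the addresses behind such domains change.
$ips = foreach ($domain in $BlockDomains) {
    try {
        (Resolve-DnsName -Name $domain -Type A -ErrorAction Stop).IPAddress
    } catch {
        Write-Warning "Could not resolve ${domain}: $_"
    }
}
$ips = $ips | Where-Object { $_ } | Sort-Object -Unique

if ($ips) {
    # Replace any earlier copy of the rule so the address list is refreshed.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -RemoteAddress $ips -Profile Any | Out-Null
    Write-Host "Blocked outbound traffic to: $($ips -join ', ')"
} else {
    Write-Warning "No addresses resolved; no firewall rule created."
}
```

If the machine's own DNS is what has been tampered with, the answers `Resolve-DnsName` returns may themselves be under the attacker's control; resolving through a resolver you trust (`Resolve-DnsName -Server <resolver>`) or cross-checking from a clean machine gives more reliable addresses to block. The block rule is a stopgap while the infection is cleaned up, not a fix for it.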

I’m quite curious as to how the bot manages to be resilient to whatever I try; I’ll definitely post another article if I find the solution to the problem.

Stay safe 🙂