Topic: 7.7.7.0 Browser Hijack Virus (Read 18639 times)

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
7.7.7.0 Browser Hijack Virus
« on: January 14, 2009, 04:21:05 PM »
OK, apparently this started around the middle of last month, and it's still happening. It's happened twice to my co-worker and I wonder if there's a definite fix as the AV companies apparently haven't nailed it down yet.
Here's what's happening...

All Google and Yahoo searches through IE and Firefox are being redirected through the address 7.7.7.0
When using Firefox, you'll notice "7.7.7.0" instead of "connecting to Google" in the status bar.
The subsequent search terms show relevant results in the text and all, but the associated links are horribly wrong.
When this happens, you will also find a file named wdmaud.sys and/or sysaudio.sys in C:\windows\system32.
Also there will be an associated registry entry at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
It will be a key named "aux" with a value of "wdmaud.sys"
The general consensus of opinions is that the attack vector is a tainted PDF that gets payloaded from a banner ad or hidden iframe, and it may also be a rootkit.

Have you come across this?
If so, did you get rid of it?
How?
Where did you find the most helpful advice?

Temporary fixes include turning off javascript, redirecting 7.7.7.0 to Google via a HOSTS file, all kinds of things.
The reality is that this is a new threat that needs to be dealt with quickly.

Read up:
http://www.google.co...h?q=7.7.7.0+redirect


Edit: Changed title of topic so folks know this is about a virus, not just a personal annoyance.
« Last Edit: January 15, 2009, 11:18:05 AM by Edvard »

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #1 on: January 14, 2009, 05:27:07 PM »
Here's a tool that may help:
http://www.techish.n...rector-malware-tool/

In the meanwhile, to prevent infections, there are a few things you can do.
Firefox: Use the NoScript extension.
Internet Explorer: Crank down your javascript permissions or disable it altogether in the "Internet Options" dialog
Adobe Reader: Turn off Adobe Javascript.
To do that, open Adobe Reader, and hit Edit > Preferences.
Then go to the Javascript entry and untick "Enable Acrobat Javascript".

Any other pointers?

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,666
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #2 on: January 14, 2009, 05:29:36 PM »
Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

PhilB66

  • Supporting Member
  • Joined in 2007
  • Posts: 1,522
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #3 on: January 14, 2009, 05:33:44 PM »
Thanks Edvard for the heads up. There's a good discussion @ Browser Redirect to 7.7.7.0 - interesting - dslreports.com.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #4 on: January 15, 2009, 12:26:50 AM »
This sounds nasty - good thing I don't have adobe pdf reader installed (I wonder if foxit et al are vulnerable, even with javascript support enabled).

NoScript + AdBlockPlus = :-*
- carpe noctem

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: -5
  • Posts: 3,395
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #5 on: January 15, 2009, 04:26:44 AM »
Or perhaps just admuncher + ......Nothing =  :-*

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #6 on: January 15, 2009, 04:38:19 AM »
Whatever floats your boat - I'm personally not a fan of admuncher (probably works fine, but I only want adblocking in my browser, I don't like the idea of global winsock hooking). Besides, AM only blocks ads, right? You could get exploit-triggering outside of advertisement frames...
- carpe noctem

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #7 on: January 15, 2009, 10:18:35 AM »
Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.

lol from a poster on WoW forums:
"Send it securely to every anti-virus company. The one that sends you a fix the fastest is your new anti-virus."

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #8 on: January 15, 2009, 10:23:25 AM »
> Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
> App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.
There's javascript and there's javascript - you don't necessarily need to expose filesystem writing capabilities to the scripting engine.

That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,666
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #9 on: January 15, 2009, 10:24:53 AM »
> That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.

But why take a chance? Can you see any reason NOT to turn it off?

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #10 on: January 15, 2009, 10:25:41 AM »
I have also seen a handful of reports that it interferes with anti-virus and anti-malware programs via the TDSSserv trojan.
See here: http://forums.cnet.c...rums06;posts#2926532

@f0dder: That's beyond what I can tell you. I'd be all for writing the author(s) of Foxit and ask the question just for your own peace of mind.
« Last Edit: January 15, 2009, 10:27:53 AM by Edvard »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #11 on: January 15, 2009, 10:31:28 AM »
> That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.
> But why take a chance? Can you see any reason NOT to turn it off?
Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in foxit :). Mailing them might be a good idea.

I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.
- carpe noctem

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #12 on: January 15, 2009, 10:32:36 AM »
Also, read the responses on the DSLReports link: http://www.dslreport...interesting~start=40

Some folks have tracked down individual sites that are either infected and spreading this, or are the culprits themselves.
Also finding out exactly how the infection happens. Interesting read.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,666
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #13 on: January 15, 2009, 10:35:34 AM »
> Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in foxit :). Mailing them might be a good idea.
>
> I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.

What do you mean it can't be turned off? I told you how:

Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

[attached screenshot: SNAG-00044.png]

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #14 on: January 15, 2009, 10:37:55 AM »
It's not present in the 2.2 version I use - perhaps it's time to upgrade :-[
- carpe noctem

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #15 on: January 15, 2009, 10:42:15 AM »
@f0dder: I just downloaded Foxit version 3 and confirmed app's fix.
If version 2.2 isn't bugging you and for all you know it doesn't do the javascript, you may be safe with it.
Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,666
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #16 on: January 15, 2009, 10:45:26 AM »
> Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?

Sumatra is pretty no-frills, so it's probably not likely that it even supports js.

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #17 on: January 15, 2009, 10:46:05 AM »
If you do install Foxit 3, use the custom installation. In there, you can tell it whether to install the Firefox plugin.
If you use Firefox, it would probably be smart to say 'no' to that one...

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #18 on: January 15, 2009, 10:49:29 AM »
Edvard: 2.2 has Javascript, but no option to turn it off. I like Sumatra because it doesn't have the insanely-slow-rendering-on-x64 that FoxIt (at least 2.2) has... but it's been too unstable for me, unfortunately. And yeah, definitely no browser plugins for me, I hate having various document types render in-browser.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,666
Re: 7.7.7.0 Browser Hijack - WTF?
« Reply #19 on: January 15, 2009, 11:00:35 AM »
This might be a good idea for anyone, whether they have plugins in their browser to view PDF files in-browser or not. One of my favorite browser plugins.

PDF Download

Available for both IE & Firefox. Whenever you come across a pdf file, it asks you what to do with it.

Options are:
1. view in browser
2. convert and view as html (much better than google's view as html option)
3. download

(it also turns web pages into pdf files, if you want, preserving links quite well)

Nod5

  • Supporting Member
  • Joined in 2006
  • Posts: 858
Re: 7.7.7.0 Browser Hijack Virus
« Reply #20 on: January 15, 2009, 01:03:14 PM »
@app: I didn't know that Foxit had JS activated by default. Deactivated now. Thanks!

edit:
Edvard's first post states that a symptom of the problem is if sysaudio.sys or wdmaud.sys exists in C:\WINDOWS\system32\

It is then best to add that files with those names exist in C:\WINDOWS\system32\drivers\, at least on my (supposedly clean) Win XP Pro system. The files with the MD5 values below passed the test at http://virusscan.jotti.org/ a minute ago:

C:\WINDOWS\system32\drivers\sysaudio.sys
8b83f3ed0f1688b4958f77cd6d2bf290

C:\WINDOWS\system32\drivers\wdmaud.sys
6768acf64b18196494413695f0c3a00f

I also have a registry entry very similar to the one Edvard talks about at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
But the difference is that my (again supposedly clean) computer has an "aux" key with the value: "wdmaud.drv" (NOT "wdmaud.sys")

I guess it is yet another example of the common practice for malware to have deceptively similar names and locations to legit Windows files. A good way to counter that is to post and check file hashes.
« Last Edit: January 15, 2009, 01:25:59 PM by Nod5 »

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack Virus
« Reply #21 on: January 15, 2009, 01:39:08 PM »
The ones in C:\WINDOWS\system32\drivers\ are fine. It's only an issue if they are found in c:\WINDOWS or system32.
If your registry says wdmaud.drv it should be fine as well.

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
Re: 7.7.7.0 Browser Hijack Virus
« Reply #22 on: January 15, 2009, 07:33:33 PM »
OK, some instructions for removing this thing have been posted at http://www.myantispy...e-trojan-dnschanger/

The best thing is to NOT get infected in the first place, but if you do, there's some sound advice.

I've also seen a lot of reports that it prevents Malwarebytes' Anti-Malware program from running. I'd say that's as good as an advertisement of MBAM's effectiveness in removing malware.
Apparently it is freeware as a scanning tool but a paid registration gives you "Realtime Protection".
Has anybody had any experience with this tool?

@Nod5: Here is the MD5 for the "bad" wdmaud.sys.
63453ec7d65a333a0a645cc50195990a

Also, the bad one is only about 17K, where the real one is 74K or 82K.
« Last Edit: January 15, 2009, 07:38:30 PM by Edvard »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,294
Re: 7.7.7.0 Browser Hijack Virus
« Reply #23 on: January 17, 2009, 02:11:29 PM »
Malwarebytes' Anti-Malware = Yes

When dealing with end user/client machines, 90% of the time Spybot Search and Destroy works for me; the other 10% requires Malwarebytes.

...Okay, 5% of the time I just flatten the box... But Malwarebytes is an excellent utility which is also (highly) MS MVP recommended.

Zedar

  • Participant
  • Joined in 2009
  • Posts: 1
Re: 7.7.7.0 Browser Hijack Virus
« Reply #24 on: February 08, 2009, 10:24:13 AM »
Just a quick note I'll add to the discussion after dealing with this today. I run Win XP 64 bit edition, and the wdmaud.sys file can be found in the C:\windows\syswow64 folder.

After doing a search for the file, the infected version has a description of "Meikiemos Rules" in the tooltip description.
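The thread's indicators (the file names and locations from Edvard's and Zedar's posts, the MD5s and the drivers32 "aux" value from Nod5's and Edvard's posts, and the roughly 17K size of the bad copy) pulled together into one triage routine. This is an added example written for this page, not code from the thread or from any tool it mentions; it takes the path, hash and size as plain values so it runs on any system, and the 17 000-byte sample at the bottom is constructed, not the real file.

```python
import hashlib

# Indicators as posted in the thread; the MD5 hex digests are copied from the posts.
BAD_WDMAUD_MD5 = "63453ec7d65a333a0a645cc50195990a"   # Edvard's "bad" wdmaud.sys
GOOD_MD5 = {                                         # Nod5's clean XP Pro, system32\drivers\
    "8b83f3ed0f1688b4958f77cd6d2bf290": "sysaudio.sys",
    "6768acf64b18196494413695f0c3a00f": "wdmaud.sys",
}
FLAGGED_NAMES = {"wdmaud.sys", "sysaudio.sys"}
LEGIT_DIR = r"c:\windows\system32\drivers"
# Where the rogue copy was reported: the Windows root, system32, and syswow64 on XP x64.
ROGUE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MAX_ROGUE_SIZE = 32 * 1024   # bad copy is ~17K; the real driver is 74K or 82K


def classify_file(path, md5_hex, size):
    """Triage one file from its full path, MD5 hex digest and byte size -> (verdict, reason)."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    if name not in FLAGGED_NAMES:
        return ("ignore", "name not flagged in the thread")
    if md5_hex.lower() == BAD_WDMAUD_MD5:
        return ("malicious", "MD5 matches the posted bad wdmaud.sys")
    if directory in ROGUE_DIRS:
        note = " and under 32K" if size < MAX_ROGUE_SIZE else ""
        return ("suspicious", name + " outside system32\\drivers" + note)
    if directory == LEGIT_DIR:
        if GOOD_MD5.get(md5_hex.lower()) == name:
            return ("clean", "expected location and known-good MD5")
        # Another service-pack build would also land here; not proof of infection.
        return ("unknown", "expected location, MD5 not in the posted list")
    return ("unknown", "unexpected location")


def classify_file_bytes(path, data):
    """Hash the raw file bytes, then triage."""
    return classify_file(path, hashlib.md5(data).hexdigest(), len(data))


def classify_aux_value(value):
    """drivers32\\aux: 'wdmaud.drv' on Nod5's clean XP, 'wdmaud.sys' on a hijacked box."""
    return {"wdmaud.drv": "clean", "wdmaud.sys": "malicious"}.get(value.strip().lower(), "unknown")


if __name__ == "__main__":
    # Constructed sample: 17 000 zero bytes standing in for the rogue file, not real malware.
    print(classify_file_bytes(r"C:\WINDOWS\system32\wdmaud.sys", b"\0" * 17000))
    print(classify_aux_value("wdmaud.sys"))
```

On a live machine you would feed it the output of a directory walk plus the registry value read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32; a "suspicious" or "unknown" verdict is a prompt to hash and submit the file, as Nod5 did, not a final answer.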