Wednesday, February 16, 2005

Here is how Adware does site spoofing

According to Wikipedia:
Adware, or advertising-supported software, is any software application in which advertisements are displayed while the program is running.
Some of the worst adware programs do something more drastic. They alter your PC's settings so that whenever you try to go to site A, you always end up at site B. Here is how this happens:

When you enter a URL in the browser, a local name resolution happens, followed by a DNS name resolution. Name resolution is the process through which the actual IP address of a system (or a website) is determined. This IP address is then used to connect to that site/host. The local name resolution is done via a hosts file. On most Unix installations the hosts file is located at /etc/hosts, and on Windows installations at C:/windows/system32/drivers/etc/hosts (or wherever Windows is installed).

Let's say your hosts file contains a spoofed entry like the one shown below:
64.233.167.99 www.amazon.com

Now, whenever you type 'www.amazon.com' in your browser, it will always go to Google, even though your browser still shows www.amazon.com as the URL.

Some adware that gets loaded via ActiveX exploits this weakness and alters the hosts file, so that when you try to visit a popular site (such as Google, Amazon or CNN) you always end up on some other advertisement-loaded site.

Recently a friend of mine was telling me how he always landed up on 'www.weightwatchers.com' site, even when he tried to go to 'www.cnn.com'.

As a precaution, check your hosts file for suspicious entries. On a typical home PC, it should only contain a single entry: 127.0.0.1 localhost. There are a couple of excellent programs, Ad-Aware and Spybot-S&D, that do an excellent job of busting any adware or spyware tricks that have made it onto your PC.
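
The hosts file check described above can be scripted. The following is an added example, not code from the original post: it parses a hosts file and reports every entry other than the expected loopback-to-localhost mapping. The function name, the reason labels and the sample file contents are assumptions made for this illustration.

```python
import ipaddress
import sys

# Names expected to map to a loopback address (assumption; extend as needed).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every hosts entry that
    is not a plain loopback-to-localhost mapping. Reason labels are this
    example's own: 'redirect', 'pinned-to-local' or 'malformed'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue  # blank or comment-only line
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((line_no, address, " ".join(names), "malformed"))
            continue
        for name in names:
            name = name.lower()
            if name in LOCAL_NAMES and ip.is_loopback:
                continue  # the entry a typical home PC is expected to have
            local = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, address, name,
                             "pinned-to-local" if local else "redirect"))
    return findings

# Constructed sample: the spoofed entry from the post among ordinary lines.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
64.233.167.99   www.amazon.com   # spoofed entry
0.0.0.0         ads.example.test
"""

if __name__ == "__main__":
    # With no argument the constructed sample is audited; otherwise pass the
    # path to a hosts file, for example /etc/hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for finding in audit_hosts(text):
        print("line %d: %s -> %s [%s]" % finding)
```

Entries you added yourself will also be reported, so review each finding rather than deleting it automatically.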


Copyright Anand Jain 2004, 2005. All rights reserved.