
Spam randomly opens in browsers – infected router – hijacked DNS – SOLVED!

Random popups, spam messages forcing you to download and install malicious software, no matter which computer you’re on or what browser you use. Sound familiar? You’ve come to the right place.

I have been wanting to write this for a while now. Nothing better than a blue moon Wednesday to get this done!

A few months ago, while browsing the web for seemingly harmless information, I received a popup ad asking me to update my browser. Upon clicking the ‘OK’ button a download called ‘Player.exe’ was initiated. Knowing better, I immediately deleted the file and moved on. To my surprise, it didn’t end there. It took me a while to realize that the random spam was not random at all. The symptom was pathological across all computers in my home, including my tablets and mobile phones! Below are some of the more recent snapshots. The ads DO change over time.

[Screenshots of the popup ads, including the adfoc.us redirect page]

Notice what’s happening? Someone just made a penny! Probably sounds meager, but imagine if that page is visited by tens of thousands or millions of computers! In fact, if you zoom in on the adfoc.us snapshot you can actually get the ID of the person originating this URL, 2293531; you could probably contact adfoc.us to file a complaint but, well, they don’t really give a damn.

This thread (link) is a fairly good description of my symptoms although the solution proposed would never work because it doesn’t address the fundamental source of the problem: your router.

————————————————————————–

Little did I know that that was just the beginning of what seemed an epic battle with the evil minds of the WWW (shame on you, yes you, if one of you is reading this). It turns out that my PC was full of malware and adware, plus my browser started to default to a weird homepage that refused to be changed even from the browser settings. They would go away for a while and return in a few days. I ran multiple anti-virus scans and uninstalled all recently installed software to no effect. BUT, I’m happy to say that the headache is no more and my experience shed light on the dark, weathered, and broken internet advertising system.

Symptoms

You get a popup ad when you visit your favorite website or when you click on a blank space on your trusted website.
You notice a bunch of software installed on your computer but don’t remember anything about it.
You get all of the above not just on your own PC but also other PCs connected to your router.

How are you getting the popups?

The way you access the internet is through a massive calling center, termed DNS (Domain Name System) in the geek world. There are literally hundreds of thousands of these ‘call centers’ around the globe, and you, as a client, make a request to one each time you access a URL (or not, but that discussion is left for a different occasion). The server takes your URL and transforms it into the IP (Internet Protocol) addresses that most of us first became familiar with when setting up our brand new, cellophane-covered, plastic-smelling, and oh-so-reflective wireless router. I’m referring to 192.168.1.1 and need say no more. That is an IP address, albeit a local one that the outside world doesn’t and wouldn’t need to know about. Your internet service provider assigns a unique IP address to your modem for the outside world. Yes! The Whole Wide World! D-uh! It’s basically your digital address and you wouldn’t want anyone to know it. But the truth is that hackers around the world are scanning these addresses every second, and chances are someone is knocking on the door of your virtual address right this moment.

So, back to the calling centers.

Chances are that your ISP (internet service provider) has DNS servers dedicated to its clients through which all your traffic runs. Technically speaking, the DNS server knows all the sites that you access, but laws forbid them from using any of this information without your consent. Phewww! This is exactly how the internet crooks take advantage of you: by rerouting all of your traffic through their own server, which is probably in their basement. The how is discussed below, but essentially they can now see all of your traffic. No, that’s most definitely not a good thing.

The popups or spam come when they see you’re doing something on the internet. The best time to send advertising is when we’re sitting in front of the computer. That’s when they start ‘pushing’ these ads to your browser, along with other nasties such as commands to change browser settings. Worse, they can even install back-doors to hack your laptop and all the other computers on the same network, because everyone is going through the same router, which is going through the same DNS!!!

How did they change your DNS?

There’s a nice feature on many routers that allows remote management of its settings from wherever you are. The default remote-management port, which is essentially an isolated portal into your virtual home that opens access to one part of it, is 8080. If your public IP is 1.4.2.1, for example, then your router will be accessible via 1.4.2.1:8080 (that’s how it would appear in your browser). Recall that hackers constantly scan IPs, and some specifically scan for port 8080. Some routers have built-in security issues such that a hacker can use a loophole to gain access to your router even if it’s password protected. Mine is a Linksys E1550, but other Linksys models have also been reported vulnerable. What the hacker then does is change your DNS, pat him/herself on the shoulder, and call it a day!

What gains does s/he have?

Advertising has two parts: the first is that you looked at it, and the second is that you bought it. The internet ad agencies have used and continue to bank on the notion that if more people look at your product, then more will actually buy. That’s the reason many internet ad agencies are actually paid per click. Remember that whole ‘make $1000 from your living room’ deal? This is exactly it! As with many systems, some (clever) people figured out a way to break it. “You want clicks? I’ll give you clicks!”, they said. This phenomenon peaked in the early 2000s but didn’t last very long. Still, there are companies that encourage this kind of behavior, and hackers love it! They love it because they can now make money by simply pushing these ads into unsuspecting households.

How do you get rid of it?

Aha! First, give yourself a pat on the back for having read this far. The fix is quite simple:

1) Disallow remote management, or, if you absolutely need it, change your password and change the port to something completely random like 4829 (don’t use it, it’s mine!!! Mine I tell you!).
2) Check and change your DNS to a trusted server such as Google’s 8.8.8.8/8.8.4.4 (you’ll need two) or Comcast’s 75.75.75.75/75.75.76.76.
3) Reset your browser settings to make sure your home page, cookies, and extensions weren’t tampered with (best to use the RESET TO DEFAULT option; run a Google search on how to access that option in your favorite browser).

I would also run an adware removal tool such as AdwCleaner (used it myself) or those prescribed elsewhere (link) to get rid of any traces of that unwanted, gooey, and not-so-fun stuff.

Snapshots from my router settings. The culprit DNS servers were:

162.243.207.106 (IP LOOKUP points to NYC)
64.251.13.6 (IP LOOKUP points to Miami)

[Screenshot of the router’s DNS settings showing the two rogue servers]

After changing my DNS to the trusted values (for Comcast)

75.75.75.75 and 75.75.76.76

[Screenshot of the router’s DNS settings after the change]

After changing these settings run your anti-virus, anti-malware and other suggestions made elsewhere (link) to make sure you’re starting from a clean slate.

Summary:

1) Correct router DNS
2) Cleanup computer and browser settings

There you go. Problem solved, at least for me.

Didn’t work for you? Write your troubles below and I will do my best to help.


Further reading: you might also find this thread useful.
