Search Engine Sabotage?

Search Engine Sabotage?
Home / Musings Home

Update 05 September 2003: The person whose computer was affected found this URL (http://vil.nai.com/vil/content/v_100719.htm) and clued me in. Evidently it was a recently discovered exploit which is why I couldn't find the IP address 207.44.220.30 anywhere. Well, so much for that big mystery ;).

So earlier today I was asked to help (via IM) a friend of a friend whose computer "can't get to any search engines anymore." Of course fixing peoples' computers by giving them instructions over IM is not usually the easiest way to go about it, but at least this particular person types quickly, so that helped.

Anyway, it quickly became evident that her system was resolving hostnames such as google.com, search.yahoo.com, etc... to the IP address 207.44.220.30, which is definitely not the IP address of Google or Yahoo. In fact, that IP address does not seem to be reachable at all, at least not through Comcast or Michnet.

The problem started on October 1, and her virus scanner (Norton 2003) had updated its virus definitions on October 3rd. She ran a full scan but no viruses were found. I thought that maybe some sort of "Alternate DNS" (i.e. New.net) or other adware installed with her music sharing programs might be acting up to cause the problem, so I had her run Ad-Aware and remove everything that it found on its default scan. This too did not fix the problem.

I was running out of ideas, and I was pretty sure that this wouldn't have anything to do with it, but as sort of a last resort longshot, I had her open the c:\windows\hosts (she was running Windows ME; in newer versions of Windows, this file is located at %windows_directory%\system32\drivers\etc\hosts) file in Notepad. Lo and behold, there were tons of entries in the file for the hostnames of various search engines, indicating the IP address 207.44.220.30 for all of them. Naturally, removing these entries fixed the problem.

Obviously she had not set up these hosts entries, and I kind of wonder how it happened. Although it is, I suppose, a "good idea" (from an attacker's point of view), I have never heard of any malware that goes around changing people hosts files to divert traffic like this. And, if it were an actual virus/worm doing it, why wasn't it picked up by her antivirus software? I suppose that the most likely possibility is that she went to a website that used one of the various "This vulnerability allows websites to execute arbitrary code on your machine" Internet Explorer exploits to modify her hosts file. Even this seems a little bit unlikely though, because she has Windows Automatic Updates turned on... Perhaps someone just got lucky and she was affected before the update was released or installed.

At any rate, I didn't find any web pages mentioning the IP address "207.44.220.30" when I was trying to figure out what it was, so I thought I would post this in case it helps anyone else in the future who is affected by this. I also wonder what the point of this attack was. As of right now, the IP address 207.44.220.30 seems to be pretty much unreachable (traceroutes from the University of Michigan stop after the first Michnet router), but it seems a little bit pointless to redirect people to a nonexistant IP. Perhaps it was originally someone's banner or spy page that got discovered and blocked by various ISPs and backbones...