Mysterious Case of the Broken Browser

A friend of mine asked me to take a look at why Google and Bing were inaccessible using Firefox. I dove in and realized that they were also unreachable using Internet Explorer, Chrome, and even command line ping. It became apparent that the hosts file had been hijacked. In fact, these entries were the only ones present:

87.229.126.50 www.google.com
87.229.126.51 www.bing.com

I swiftly removed them from the hosts file and both websites loaded fine. But what had put them there? With a working browser, a quick search revealed that those addresses were not legitimate and something had clearly hijacked the machine.
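Because the hosts file is consulted before DNS, a hijacked entry redirects every browser and even ping, exactly as seen above. The following check is an added example written for this post, not code from the post or from Malwarebytes: it parses hosts-file text (comments, blank lines and multiple names per line included) and flags any watched hostname that is pinned to a non-local address. The sample file contents and the watch list are constructed for the example; on a real Windows machine you would read `C:\Windows\System32\drivers\etc\hosts` instead.

```python
import ipaddress

# Constructed sample of a hijacked hosts file, modelled on the two entries in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
87.229.126.50 www.google.com
87.229.126.51 www.bing.com
192.168.1.20    intranet.example   # local lab box, benign
"""

# Hostnames that should never be pinned in the hosts file on an ordinary workstation.
# Constructed watch list for this example; extend it for your own environment.
WATCHED_HOSTS = {"www.google.com", "www.bing.com"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Trailing comments, blank lines, malformed lines and non-IP first fields are skipped,
    and a line listing several names yields one pair per name.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: no hostname
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP literal
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def is_local(addr):
    """True for addresses that legitimately appear in a hosts file (loopback, RFC1918, etc.)."""
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified


def find_hijacks(text, watched=WATCHED_HOSTS):
    """Return [(ip, hostname)] for watched names that resolve to a non-local address."""
    return [(str(addr), name) for addr, name in parse_hosts(text)
            if name in watched and not is_local(addr)]


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live hosts file; the default is the standard Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

The private-range intranet line is deliberately left alone: the signal is a public, well-known name pinned to an address the machine has no business trusting, not the mere presence of entries. Run it against `load_hosts()` output on the affected machine to reproduce the finding.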

Knowing my friend to be an avid Malwarebytes Anti-Malware user, I checked the quarantine and found several objects. The main files appeared to be dplayx.dll and dplaysvr.exe, and several registry entries allowed them to start with the computer. I sent the files to Adam Kujawa, a Malware Intelligence Analyst working with me at Malwarebytes. Adam confirmed that this malware was responsible for the hosts file redirection.

However, a further analysis revealed a more cynical side. Adam continued by saying that “all binaries analyzed were heavily packed with custom obfuscation methods and employed anti-debugging tricks which made them a pain to get through” and that “the use of the filenames dplayx.dll and dplaysvr.exe is important because the names belong to legitimate applications and are integral parts of Direct X.”

While not new, the use of these particular filenames shows that malware authors are still trying to hide their executables behind legitimate names.
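A practical way to spot this kind of name reuse is to treat the filename and its location together: the genuine DirectPlay binaries live only under the Windows system directories, so a `dplayx.dll` or `dplaysvr.exe` appearing anywhere else, especially in a user-writable folder or an autostart entry, deserves a second look. The check below is an added example for this post, not code from the post or from Malwarebytes. The trusted directories are an assumption of the example (System32 and, on 64-bit Windows, SysWOW64), and the file listing is constructed to stand in for a disk walk or a dump of startup entries.

```python
from pathlib import PureWindowsPath

# Filenames the post reports being reused by the malware; both are legitimate
# DirectPlay components and should only be found in the system directories.
MASQUERADE_NAMES = {"dplayx.dll", "dplaysvr.exe"}

# Where the genuine copies are expected (assumption for this example).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed listing standing in for a disk walk or a startup-entry dump.
SAMPLE_PATHS = [
    r"C:\Windows\System32\dplayx.dll",
    r"C:\Windows\SysWOW64\dplaysvr.exe",
    r"C:\Users\friend\AppData\Local\Temp\dplayx.dll",
    r"C:\ProgramData\dplaysvr.exe",
    r"C:\Windows\System32\notepad.exe",
]


def suspicious_copies(paths, names=MASQUERADE_NAMES, trusted=TRUSTED_DIRS):
    """Return paths whose filename is on the watch list but whose directory is not trusted.

    PureWindowsPath comparisons are case-insensitive, so mixed-case or
    upper-case paths from registry values match the trusted list correctly.
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() not in names:
            continue
        if wp.parent not in trusted:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in suspicious_copies(SAMPLE_PATHS):
        print(f"system filename outside system directory: {hit}")
```

In the sample, the two copies under `Temp` and `ProgramData` are reported while the genuine system copies and an unrelated file are not; feeding it the command lines from the Run keys that Malwarebytes quarantined would surface the same two locations.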

7 thoughts on “Mysterious Case of the Broken Browser”

  1. I am glad to see that the folks at Malwarebytes are always working on research and finding all the creepy crawlers that infect computers. Keep up the good work!

  2. I have been in touch with Microsoft about how my computer has been running and asked if they would help me, for I thought I had a virus, even though Microsoft Essentials & Anti-Malwarebytes did not pick up anything. There have been times in the recent past where they have helped and they found virus issues regardless of my virus software. When I run a scan with Anti-Malwarebytes it shows scan enabled, then it unables itself. Now Microsoft will not help me without trying to charge me & I don’t think they finished what they started. I do know that something is wrong yet I cannot put my finger on it. Microsoft tries to get me to take your software off my computer, though I trust your software more than theirs. I would be most grateful for your help; please get back to me as soon as you can. Thank You, Jonathan

  3. It is the most powerful antimalware monitor with no false positives; it has a detection rate of around 98% and manages to clean the system with just a reboot. A tip from someone who has loved antivirus security for about 7 years: the winning combination is NOD32 v.5 + Malwarebytes Pro + Windows 7 firewall, and after that you can download anything, even viruses, because they won’t get in, I’d stake my life on it. Regards, and if you want security tidbits my email is veleno1973@live.it; my name is Mariano.

  4. I’ve had one of these come across my desk before. Thankfully I talked my boss into getting a corporate subscription 🙂 Malwarebytes caught the infection, but I had to manually edit the host file… In my case it changed the host file to hidden and read-only as well.

  5. Thanks for the info Maurice. I ended up using command prompt to make it so I could remove the rogue entries. Was easy enough, but this tool will help when someone else needs to do it when I’m not in the office (still in college).
