Mysterious case of the broken browser

A friend of mine asked me to take a look at why Google and Bing were inaccessible using Firefox. I dove in and realized that they were also unreachable using Internet Explorer, Chrome, and even command line ping. It became apparent that the hosts file had been hijacked. In fact, these entries were the only ones present:

I swiftly removed them from the hosts file and both websites loaded fine. But what had put them there? With a working browser, a quick search revealed that those addresses were not legitimate and something had clearly hijacked the machine.
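A hosts-file hijack like this one is easy to spot programmatically: a legitimate hosts entry maps a name to a loopback address, while a hijack maps a well-known domain to some other address. The script below is an added example, not code from the original post or from Malwarebytes. It parses hosts-file text and flags any watched domain pointing somewhere other than loopback or 0.0.0.0 (blackholing entries are common in ad-blocking hosts files and are not redirects). The sample hosts content, the watched-domain list, and the 203.0.113.x addresses (TEST-NET-3) are constructed for illustration; on a real machine you would read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Flag hosts-file entries that redirect well-known domains off-box.

Added example; the sample hosts text and addresses are constructed.
"""
import ipaddress
import re

# Domains worth watching; assumption: extend with whatever matters to you.
WATCHED_DOMAINS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in hosts text.

    Handles '#' comments (full-line and trailing), blank lines, tabs,
    and several hostnames on one line, as the Windows hosts format allows.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), lineno


def is_benign_target(ip_str):
    """Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0) are the normal
    shape of a hosts entry; anything else sends traffic somewhere else."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable address field: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def is_watched(name):
    """True for a watched domain or any subdomain of one."""
    return name in WATCHED_DOMAINS or any(
        name.endswith("." + d) for d in WATCHED_DOMAINS
    )


def find_hijacks(text):
    """Return a list of {'line', 'host', 'ip'} for every suspicious mapping."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if is_watched(name) and not is_benign_target(ip):
            findings.append({"line": lineno, "host": name, "ip": ip})
    return findings


# Constructed hosts-file content: two stock entries plus two hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # constructed redirect
203.0.113.10    www.bing.com
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

The one trap to keep in mind is that the check above only covers domains you list; a hijack of a domain you never thought to watch will sail through, so on a suspect machine it is worth also eyeballing every non-loopback line the parser yields.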

Knowing my friend to be an avid Malwarebytes Anti-Malware user, I checked the quarantine and found several objects. The main files appeared to be dplayx.dll and dplaysvr.exe and had several registry entries allowing them to start with the computer. I sent the files to Adam Kujawa, a Malware Intelligence Analyst working with me at Malwarebytes. Adam confirmed that this malware was responsible for the hosts file redirection.

However, a further analysis revealed a more cynical side. Adam continued by saying that “all binaries analyzed were heavily packed with custom obfuscation methods and employed anti-debugging tricks which made them a pain to get through” and that “the use of the filenames dplayx.dll and dplaysvr.exe is important because the names belong to legitimate applications and are integral parts of Direct X.”

While not new, the use of these particular filenames shows that malware authors are still trying to hide their executables behind legitimate names.
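The defender's counter to a borrowed filename is to ask where the file lives, since a genuine dplayx.dll or dplaysvr.exe belongs in the system directories, not in a user's temp folder. The script below is an added example, not code from the original post or from Malwarebytes. It walks a list of autostart entries of the kind found under the Run registry keys, pulls the file that actually carries the code out of each command line (including the DLL argument of a rundll32.exe launch), and flags any system-named file sitting outside System32 or SysWOW64. The entries, the user name "bob", the temp path, and the DllMain entry point are all constructed; real autostart values would be read from the registry and have environment variables expanded first.

```python
"""Flag autostart entries whose target reuses a system filename from an
unexpected location (the dplayx.dll / dplaysvr.exe trick).

Added example; the autostart entries below are constructed.
"""
import ntpath

# Filenames the malware reused; assumption: extend with other abused names.
SYSTEM_NAMES = {"dplayx.dll", "dplaysvr.exe"}

# Where a genuine copy is expected to live (lower-cased, no trailing slash).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_command(command):
    """Split a command line into (program, remaining arguments).

    Handles a quoted program path with spaces and a bare path without.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end < 0:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def code_file(command):
    """Return the file that carries the code for a command line.

    For 'rundll32.exe <dll>,<entry>' that is the DLL; otherwise the program.
    """
    program, args = split_command(command)
    if ntpath.basename(program).lower() == "rundll32.exe" and args:
        dll, _ = split_command(args)
        return dll.split(",", 1)[0]
    return program


def in_system_dir(path):
    """True if the file sits directly in one of the system directories."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in SYSTEM_DIRS


def find_masquerades(entries):
    """entries: iterable of (registry value name, command line).

    Returns (value name, path) for each target that uses a system filename
    but lives outside the system directories.
    """
    hits = []
    for value_name, command in entries:
        path = code_file(command)
        name = ntpath.basename(path).lower()
        if name in SYSTEM_NAMES and not in_system_dir(path):
            hits.append((value_name, path))
    return hits


# Constructed Run-key style entries: one stock, two masquerades, one genuine.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("dplaysvr", r'"C:\Users\bob\AppData\Local\Temp\dplaysvr.exe" -s'),
    ("dplayx", r"rundll32.exe C:\Users\bob\AppData\Local\Temp\dplayx.dll,DllMain"),
    ("dplay-ok", r"C:\Windows\SysWOW64\dplaysvr.exe"),  # expected location, not flagged
]

if __name__ == "__main__":
    for value_name, path in find_masquerades(SAMPLE_RUN_ENTRIES):
        print(f"{value_name}: {path}")
```

Location is a necessary check, not a sufficient one: a file dropped into System32 by something running as administrator would pass it, so in practice you pair this with an Authenticode signature check on the flagged and unflagged files alike.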


Malwarebytes brand exploited through search

It’s not often that I search for the term Malwarebytes on Google. I know how to get to my own company’s website by typing it into the address bar. However, when a friend or family member asks me how to get to our website, I almost always instruct them to search.

Unfortunately, there exists a market where bad people benefit by preying on our users. They create websites which advertise that they distribute Malwarebytes and instead download a product of their own onto our users' machines. They advertise on Google and turn up in search results. I'd equate this to a cereal company packaging their generic, less delicious brand in a Cheerios box and putting it on shelves.

If you see a page like this, it is fraudulent and you should go directly to instead.

It makes me sick, and I refuse to let it go on. Today, I instructed our legal team to pursue all of these cheaters in hopes that we can wipe them from the face of the Internet.

But that’s not all. How far is too far? Should advertisers on Google be allowed to use company names as keywords? If I search for Cheerios, should the first advertisement be for the generic brand? It’s allowed, a common practice, and in my opinion completely unethical.