Windows XP SP2 SearchUrl hijack lock circumvention. Issue #1 Microsoft may monitor every search from within Internet Explorer location bar. Issue #2 Protection against search url modification can be circumvented.

Thierry Zoller - Luxembourg

History (Insiders may skip)
While Alpha testing our new Sniff'em™ version, I came across a rather odd phenomenon. Microsoft™ seems to have implented a new sort of protection against the "Browser Search Hijackers" a common practice amongst Spyware creators. Microsoft™ introduced a convenience feature in Internet Explorer which consist in the user simply entering a search term like "Widgets" into the URL location bar, once he presses enter Internet Explorer will try to resolve this address by DNS request and if it fails it will forward the search term to their MSN™ search engine which displays the search results for the term "Widgets" in the Browser.

Then paid search engine placement appeared and some search engine companies in need for visitors used the affiliate scheme to bring visitors to their individual sites. Now some aggressive affiliates tried changing the SearchURL location which Internet Explorer™ uses to search for keywords entered in the url location bar mentioned above. To do so they simply replaced a string in the registry and from there on they earn a small amount of money every time you search through the location bar and click on a result.

Details
This situation changed with Windows™ XP SP2, Microsoft™ has locked down the SearchURL modifications, they have done so by adding a PROVIDER key which identifies the Search engine provider. The Registry path where the key is saved is : \Software\Microsoft\Internet Explorer\SearchUrl

For instance the provider identification for Google™ is "gogl"

The provider keys I found by bruteforcing the pprovider parameter are: (gogl - Google, lyco - Lycos, yaho - Yahoo). There should be more but I stopped here rather then brute forcing through all characters.

Now instead of relying on Client side identification, Microsoft implanted it into the MSN search. Indeed when entering a search term in the URL location bar of Windows™ XP SP2 like "Widgets", Internet Explorer™ will first try to resolve the address "Widgets" and if it fails (it usually does except that there is a DNS entry for "Widget") it will forward the search term to MSN™ search with a parameter called "provider" and a parameter containing the search term itself. In case of "gogl", MSN™ search looks up the provider ID inside their allowed provider database and then redirects the HTTP call according to the destination URL saved in their database.

 

Functional scheme


Data captured using Sniff-em™

GET /response.asp?MT=SEARCHTERM&srch=3&prov=gogl&utf8 HTTP/1.1 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Host: auto.search.msn.com Connection: Keep-Alive Cookie: MC1=V=3&GUID=xxxxxxxxxxxxxxxxxxxxxxxxx; smc_vid=xxxxxxxx; HTTP/1.1 302 Moved Temporarily Server: Microsoft-IIS/5.0 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Location: http://www.google.com/search?q=test Content-Type: text/html; charset=utf-8 Content-Length: 152 Vary: Accept-Encoding Date: XXX, XX XX XXXX XX:XX:XX XXX Connection: keep-alive Cache-Control: private <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='http://www.google.com/search?q=SEARCHTERM'>here</a>.</h2> </body></html>

 

Issue #1 - Microsoft may monitor every search from within Internet Explorer™ location bar.
It is practically and theoretically possible for Microsoft™ to monitor and data mine search terms even when those are searched over Google or other Search enginesif these search terms were entered in the url location bar. This is possible because the MSN server which redirects to google or to any other search engine knows about the search terms.

Issue #2 - Protection against search url modification can be circumvented.
Since microsoft owns this virtual DNS server for Providers ID's, it should be impossible for Browser Search Hijackers to modify the URL since they do not have access to the MSN search database of providers and can't modify the URL by simply manipulating the registry. However Spyware, Adware or their affilates can practically overcome this limitation by adding an singly entry to the HOST file of the targeted computer. You can find the Hosts file in \systemroot \System32\Drivers\Etc.

 

A malicious example of a DNS entry in the HOST file.

 

In this case, Internet Explorer will instead of transmitting the data to auto.search.msn.com, transmit the data to the IP 66.150.196.177, the data is send to an ASP page in the form of "/response.asp?MT=test&srch=3&prov=gogl". We can now receive the data, either by writing an ASP script on our server and give it the name of response.asp or use Apache mod_rewrite to rewrite the URL to use a perl script. Either way we now have the data which we can forward to a pay-for-performance search engine using an Affiliate ID or choose to do otherwise.

Solution
The solution is easy and radical, Write-protect the host file, this is already done so by several Anti-Virus, Firewall and Anti-Spyware programs.