05 February 2006

Who wants to walk, talk and quack like Google?

The people who installed Google's Toolbar by exploiting a security hole worked hard on their Google imitation: figuring out how to take advantage of a security hole, downloading the toolbar, and changing settings so that requests to Google were redirected to their own server. Luckily, their exploit did not stay live very long, probably due to Google putting some pressure on the owner of the server that hosted the exploit code.

In October 2005 some other guys were trying hard too, namely the owners of nowfind.net, who set up a page that was almost identical to Google's front page. A random search at nowfind.net redirected you to nowfind.biz. The rip-off has been online at least since May 2005.

magicsearch.us was also dressing up like Google by configuring magicsearch's name server to point to one of Google's IP addresses. In addition, magicsearch.us frequently appears in HijackThis logs. I would not be surprised if the following settings have been changed by exploiting security holes in Internet Explorer:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/

Who are these guys? I don't know really. The whois data is probably faked. They have previously been kicked from the CoolWebSearch affiliate program. Anyway, Google was notified and the two sites have dropped their Google imitation.

More recently I ran into 4-counter.com, which has also pointed its name server to one of Google's servers. 4-counter.com has a bad reputation because of frequent hijacks - going back to 2004 - of Internet Explorer's home page and search settings. The hijacker goes under names such as StartPage-CV and Troj/StartPa-BF.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=megad
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=megad
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=megad
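
An added example, not part of the original post: a small Python parser for HijackThis R0/R1 lines like the ones above, which groups Internet Explorer search and start page settings by any host outside an allowlist. The allowlist and the function names are assumptions; the sample log reuses entries from this post plus two constructed lines.

```python
import re
from urllib.parse import urlsplit

# HijackThis R0-R3 entries look like: "R1 - <registry key>,<value name> = <data>"
ENTRY = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),(.*?)\s*=\s*(.*)$")

# Assumption: the search/start page hosts you expect on your own machines.
ALLOWED_HOSTS = {"www.google.com", "www.microsoft.com"}

# Entries copied from the post. The first line ("Running processes:") and the
# last line (www.google.com) are constructed for this example.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=megad
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=megad
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

def parse_entry(line):
    """Split one R-section line into hive, value name and target host."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # headers, other log sections, blank lines
    _section, key, value, data = m.groups()
    host = (urlsplit(data).hostname or "").lower()
    return {"hive": key[:4], "value": value, "host": host, "data": data}

def hijacked_settings(lines, allowed=ALLOWED_HOSTS):
    """Group browser settings by any host that is not on the allowlist."""
    hits = {}
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["host"] and entry["host"] not in allowed:
            hit = hits.setdefault(entry["host"], {"hives": set(), "values": []})
            hit["hives"].add(entry["hive"])
            hit["values"].append(entry["value"])
    return hits

if __name__ == "__main__":
    for host, hit in hijacked_settings(SAMPLE_LOG.splitlines()).items():
        # HKLM means the setting was changed machine-wide, not just per user
        print(host, sorted(hit["hives"]), hit["values"])
```

A host that shows up under HKLM needs cleaning for every account on the machine, while HKCU-only entries are limited to the logged-in user's profile.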

Domains pointing to Google's servers

magicsearch.us and 4-counter.com are not the only domains that have pointed their name servers to one of Google's servers. In fact, there are almost 300 of them. The following lists domains that resolve to Google's servers. Please note that Google's own domain names also appear in the list:

Comments

joel carter sr. writes

I think this is a very good blog.

# 2006-04-30 00:00:00
