This evening (well, this morning) I started up my computer from cold after a reboot to install some updates, and booted into Ubuntu 12.04 testing.
I opened Firefox as usual, and noticed something odd about the Google homepage: it was using the old top bar design, made no reference to Google+, and appeared to show me as signed out. Trying to go to any other Google search page (images, videos, YouTube, reader, etc.) returned me straight back to the suspicious-looking Google homepage. Clicking the “Sign In” button took me to the old Google sign-in page. Instant wasn’t available when searching, and
Something was very fishy, so I didn’t enter my details, dug my phone out, and began sniffing.
The first thing I noticed was that only traffic to Google’s servers seemed to be being intercepted. Trying to go to YouTube would either return me to the fake google.com, or throw up a
404 Not Found error generated by ngnix. This confirmed my suspicions that my traffic was being hijacked: I know for a fact that Google doesn’t use ngnix.
Interestingly, the BBC’s homepage was working fine, as was Twitter (thankfully over SSL, so it’s very unlikely my Twitter account has been compromised.) So, someone was hijacking my traffic for Google and redirecting it to a fake Google search page.
iptraf is a useful tool that can be installed from the Ubuntu repositories to help identify the origin and destination of network traffic. Using it, I detected a lot of packets heading to and from the address 126.96.36.199. I also tried a few “odd” pages in Firefox, which all redirected to the 404 page at a server called asdvd.info.
At this point, three alarming questions were running through my head:
Who are asdvd.info / 188.8.131.52‽
Why are they trying to hijack my Google searches and probably illicitly obtain my account information‽
Does the problem lie with the network in my halls of residence, or has my machine been compromised in some way?
whois reveals that asdvd.info is registered through GoDaddy and via a domain proxy service. This probably indicates that the owner of the fake Google page (which we now know resided at asdvd.info) is probably a generic internet miscreant, who, had I entered my account details, would probably have turned my GMail address of seven years into a spam factory.
So, the question is, how? How, on my machine running Ubuntu, did I begin receiving these weird redirections? It was at least at the system level, because the fake Google homepage was showing up in Midori too, and attempts to ping Google resulted in this:
However, when connecting to the internet via my phone using tethering, pings were returned and the correct Google home page reached. Similarly, when I connected my phone and my laptop back to the
eduroam wireless network, normal service was resumed as if nothing had happened.
So, this is mysterious. We also know that asdvd.info didn’t want you researching them: a query put through their fake Google front-end
asdvd.info linux became, simply,
My conclusion is that it’s safe to assume that asdvd.info is nefarious. Do not go there on an unsecured machine. You may end up downloading all sorts of malware nasties and you won’t even know.
I’m still unsure how, though. An intrusion into my machine? Possible—it could be a zero-day Flash vulnerability. An intrusion into the JANET/eduroam systems? Again, possible. If you have any ideas about what might have caused this, or you’ve also experienced this hijacking, please get in touch: this is disturbing enough that I feel compelled, almost duty-bound, to follow it up. My mail address is at the bottom of this article.
For now, though, I am in the alarming position where I must consider it nominally safer to do my online banking in Windows than under Linux.