Search Engine Redirection Malware – How it works (and how to fix it)

Search engine redirection is usually one of the side effects of malicious software. This problem remains even after Trojans or fake antivirus are removed from the infected system. No matter what site they search for, users experience a redirection of search results and web pages to affiliated websites. 

In the infected system shown below, all the results from Google searches redirect to one of these domains:

  • “00ee.r.google.com”
  • “cbdd.r.google.com”
  • “cab7.r.google.com”
  • “99db.r.google.com”

Note that the redirection also affects other search engines such as Yahoo, Bing and others.

Users who notice the Google link will probably assume that this is some form of legitimate Google redirect. In addition most URL filtering solutions will allow access to any URL that is part of the Google domain. The links lead to sites hosting malware or spam.

How does this work?

The remnants of the Trojan infections found in the computer are the following registry entries:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfaces
  • NameServer = 93.188.163.130,93.188.160.80
  • DhcpNameServer = 93.188.163.130,93.188.160.80

Effectively all domains are resolved into IP addresses by the rogue DNS server defined in the registry entries above. The DNS server IP address above belongs to Promnet Ltd. in the Ukraine. We recommend blocking DNS traffic to: 93.188.163.0 – 93.188.164.255 and 93.188.160.0 – 93.188.160.255.

The search redirection process happens like this:

  1. User does a search at Google.com
  2. The “rogue DNS” causes the search request to go to “bad server”
  3. “Bad server” does a real Google search on behalf of the original requesting PC
  4. “Bad server” sends back the real Google results page but switches the real URLs with fake destination URLs like 00ee.r.google.com
  5. User clicks on link and goes to 00ee.r.google.com (resolved by “rogue DNS”). On this page there is malware or spam

The URLs listed above such as 00ee.r.google.com do not really exist and will not be resolved by genuine DNSs.

Querying the Google public DNS shows no result:

  • ;; QUESTION SECTION:
  • ;00ee.r.google.com. IN A
  • ;; Got answer:
  • ;; ->>HEADER<
  • ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

But, querying the rogue DNS (93.188.163.130) does provide a result:

  • ;; QUESTION SECTION:
  • ;00ee.r.google.com. IN A
  • ;; Got answer:
  • ;; ->>HEADER<
  • ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  • ;; ANSWER SECTION:
  • 00ee.r.google.com. 600 IN A 67.210.15.54

In other words the rogue DNS entry results in:

  • “Damaged” search results with fake URLs
  • Resolution of those fake URLs to send users to sites with malware or spam

Restoring the DNS setting is the solution to the problem:

1. Go to the “Network Connections” window

For Windows 7

  • Go to Start > Control Panel > Network and Internet > Network and Sharing Center.
  • In the left-hand column, click Change adapter settings.
  • A new screen will open with a list of network connections.

For Windows Vista

  • Go to Start > Control Panel > Network and Internet > Network and Sharing Center.
  • In the left-hand column, click Manage network connections.
  • A new screen will open with a list of network connections.

For Windows XP

  • Go to Start > Control Panel > Network Connections.

2. Right-click Local Area Connection or Wireless Network Connection and select “Properties”.

3. Select Internet Protocol (TCP/IP), and then click Properties.

4. If you want to obtain DNS server addresses from a DHCP server, click “Obtain DNS server address

automatically”.

5. If you want to manually configure DNS server addresses, click “Use the following DNS server

addresses”, and then type the preferred DNS server and alternate DNS server IP addresses in the

Preferred DNS server” and “Alternate DNS server” boxes.