Links Do Not Open Correct Websites
Searching Google for specific websites returns the correct results, but when I click the link it goes to a completely different website (with a different address showing in the Firefox address bar). The computer is running Windows XP Professional with ZoneAlarm, BitDefender, and StopZilla. Additionally, I regularly use RegCure and SpeedUpMyPC to keep the system well tuned. The same issue occurs regardless of the web browser that is being used, as it also occurs in Internet Explorer. Can you provide any suggestions for the cause of this issue?
From the description of this problem it seems that spyware or adware (collectively known as malware) has been loaded on the computer. This is redirecting the websites which you are visiting to other websites, presumably either to do nasty things to your computer or to display advertising. If you have downloaded anything from the redirected websites then it is unlikely anything harmful has been done to your computer, but we will check just in case. However, in the first instance we need to remove the redirection which is occurring so you can visit the websites that you desire.

In theory, having antivirus and antispyware such as BitDefender and StopZilla should have assisted in detecting and preventing such threats from installing themselves on the computer, but no one solution is perfect, so it is not surprising (nor cause for alarm) that occasionally a threat slips through the net and is not detected by the security software on the computer. Therefore, we need to use some additional software to help mitigate the threat. I suggest that you download and install Ad-Aware Free (www.lavasoft.de), Spybot Search & Destroy (www.safer-networking.org), and Windows Defender (www.microsoft.com/downloads). These three free utilities are very good at detecting malware on the computer and should be able to remove any threats they find.

As a guide on how to run these utilities, download and install one of the programs. Then scan the computer using that program. More than likely, some threats will be detected (even if relatively benign, such as a cookie from a website). Allow the utility to remove these threats. Once this has been done, restart the computer and then run the utility again. This is necessary as occasionally components of the threat may be removed on the first pass, but reappear after a restart and need to be removed again.
Keep repeating the scan, clean, restart and rescan procedure until no more threats are being detected by that utility, or there is some threat that keeps re-occurring and the utility cannot remove. At this point, install and run the next utility and repeat the procedure. This allows you to thoroughly scan the computer for any such threats and clean them from the computer.
Once you have finished scanning the computer with all the available utilities, check whether the problem is still present. If so, the next possibility is that one of the pieces of malware on the computer modified the HOSTS file. I covered the purpose of the HOSTS file in depth in last week’s column, but essentially this file tells your computer the location (an IP address, such as 74.125.127.100) of the web server which hosts the website for the friendly domain name (e.g. Google.com) which you wish to visit. If there is an entry in the HOSTS file for a specific website, that entry overrides everything else and the computer treats it as authoritative. This is a common method that spyware and adware use to hijack your internet browsing, by directing common website addresses to malicious servers. It is also quite dangerous, as the end user generally has great difficulty telling whether the website they are visiting is legitimate or a redirected fake (we will discuss this point later).
Therefore, as a first step we need to check the HOSTS file. Go to the “Start” menu > “Run” and type the following:
%SystemRoot%\system32\drivers\etc\
and click the OK button. Within the folder that opens you should see the HOSTS file. Right-click on the file and select “Open With”. In the Open With window that appears, select “WordPad” and click OK. The HOSTS file should open in WordPad. At the top of the file there will be quite a few comments, denoted by the hash # symbol at the beginning of the line. These can be ignored as they are simply comments which are not evaluated when the file is read. You will also notice some example entries relating to acme.com. On closer inspection you will notice that these entries are also comments (denoted with the hash symbol at the beginning of each line) so they can also be ignored. You are interested in the entries below the comments. There should be a few standard entries, such as the one mapping localhost to 127.0.0.1. These are fine as they are default entries in the HOSTS file. However, you should check whether there are any entries relating to websites which you are trying to visit. If there are any such entries, highlight and delete the whole line (containing both the IP address and the domain name). Once you are done, save the file and close it. Restart the computer and check whether the problem continues.

You may ask why we need to manually check, and perhaps even modify, the HOSTS file if we have already run the anti-malware utilities to clean any such threats from the computer. The reasoning is that those utilities should have cleared the actual threat from the computer, but the malware may have modified other files and already done its dirty work. The effects you describe are indicative of a modified HOSTS file, so that file needs to be checked by hand.
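The inspection described above, as an added example that is not part of the column: a small Python parser that reads HOSTS file text the same way the system does (hash comments ignored, one address followed by one or more names per line) and lists every entry that is not a default loopback mapping. The sample file contents, the 203.0.113.45 address and the mybank.example name are constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file: stock comment header and localhost
# line, plus two entries of the kind a redirecting malware adds (203.0.113.0/24
# is a documentation range, so the address is a placeholder).
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
203.0.113.45    www.google.com
203.0.113.45    mybank.example   # constructed bank site name
"""

# Names that a stock HOSTS file legitimately maps to the loopback address.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines.

    '#' starts a comment whether it begins the line or trails an entry, so
    the acme.com examples in the header are ignored, as the column notes.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_entries(text):
    """Return every entry that is not a default loopback mapping.

    Each one overrides DNS for that name; a real website name pointing at a
    non-loopback address is the redirection pattern described above.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            is_loopback = False  # not a valid address at all: worth flagging
        if not (is_loopback and name in DEFAULT_NAMES):
            flagged.append((ip, name))
    return flagged
```

To audit a real machine, read the file at the path given above into `suspicious_entries` and review each flagged line before deleting it.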
Previously we discussed that HOSTS file poisoning is a common tactic used by malware to redirect users to a malicious website. The danger is that a well-known secure website (such as a bank website) may be redirected to a malicious web server that hosts a well-crafted fake of the bank’s website. As far as the user is concerned, it looks and feels like the real deal, so they enter their internet banking username and password. However, unknown to the user, they have just submitted these details to the malicious web server, where they have been captured. The operator of that malicious website now has your details and can log in to the real bank website and perhaps steal your money. All of this is unknown to the innocent end user, and what makes it even more difficult to detect that you have been swindled is that the fake bank website will often redirect you back to the real website (after it has captured your details), so it seems as though you were on the real website all along.
Before you start to panic thinking that this may have happened to you, there is an easy way to determine whether you are on the real website. Websites that require you to login, and take security seriously (which includes pretty much any bank or financial organisation website), should have a secure certificate. Amongst other things, secure certificates provide two services that are relevant in this situation: encryption and identity verification.
You have probably been told that whenever you submit credit card details over the internet you should make sure the site is secure. This is because the data between your web browser and the web server is encrypted, so an attacker who may be listening to (known as sniffing) your network traffic cannot see your credit card details. In the context of a bank website, this also means that your username and password are encrypted and cannot be seen by anyone as your network traffic crosses the internet between your web browser and the bank server.
Encryption is a very important aspect of secure websites, but the other service that secure certificates offer is identity verification. This is how you can verify that the website you are visiting is the legitimate website and not a fake. When you visit a secure website the address bar in your web browser should turn a different colour (in Firefox this will be blue or green) and a padlock symbol should appear in the browser status bar. Clicking on either of these items will show the certificate for the website. The secure certificate for a website must be registered against the exact address of that website. If the certificate address does not match the website address in the browser, you will be alerted that there is a mismatch between the certificate address and the actual website address. However, if I am being particularly paranoid on a particular day then I also like to check manually. As such, if I visit an internet banking website and view the certificate, I can see that the certificate is issued for the same website address that I am currently visiting and therefore all is well, and I am on the real website. If you ever visit a bank (or any other) website that should be secure but is not (i.e. it has no secure certificate), be very wary, as that is a very good indication you are probably on a fake website.
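The manual comparison just described, as an added example that is not from the column: Python code that takes the names a certificate was issued for (in the dictionary form Python's own `ssl` module returns from `getpeercert()`) and checks them label by label against the address in the browser bar, including the leftmost-label wildcard that certificates commonly carry. Browsers and the `ssl` module perform this same check automatically; the certificate for mybank.example is constructed for the example.

```python
def names_from_cert(cert):
    """Collect the DNS names a certificate was issued for.

    `cert` has the dict shape that ssl.SSLSocket.getpeercert() returns; the
    Subject Alternative Name list is authoritative, with the common name used
    only as a fallback for older certificates that carry no SAN entries.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def hostname_matches(cert_names, hostname):
    """True if the address in the browser bar matches one certificate name.

    Comparison is label by label and case-insensitive. A wildcard is honoured
    only as the whole leftmost label, so '*.mybank.example' covers
    'www.mybank.example' but not 'mybank.example' or 'a.b.mybank.example'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for cert_name in cert_names:
        labels = cert_name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels) or labels[1:] != host_labels[1:]:
            continue
        if labels[0] == host_labels[0]:
            return True
        if labels[0] == "*" and len(labels) >= 3:  # refuse '*.com' style names
            return True
    return False


# Constructed certificate for an imaginary bank, in getpeercert() form.
BANK_CERT = {
    "subject": ((("commonName", "login.mybank.example"),),),
    "subjectAltName": (("DNS", "login.mybank.example"), ("DNS", "*.mybank.example")),
}


def on_real_site(cert, hostname):
    """The column's check: was this certificate issued for the address visited?"""
    return hostname_matches(names_from_cert(cert), hostname)
```

A look-alike address such as login.mybank.example.attacker.test fails the check even though it begins with the bank's name, which is exactly the trick a redirected fake relies on.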