One of the reasons I enjoy my job is the chance to discover and learn new things. I don’t think a day goes by that most of us in the technology space don’t learn at least one *tidbit* of new information. Things have gotten far more complicated than they ever were; it’s impossible to know everything. Thankfully, the collective hive mind of the intertubes is a never-ending connect-the-dots search for technology (among other things!) enlightenment.
My situation began when I noticed that in the last few days, when I rebooted my PC, my default browser would open to the MSN homepage. Now I know what you are thinking (as was I): “Oh crap, I have some malware”. The strange thing was that once I clicked my homepage button, it would go back to my configured page. This would only happen on booting up, which is why I hadn’t paid a lot of attention to it, really. Strange behavior for malware, no?
Today, however, I was battling a rather nasty Excel/VBA issue (a story for another time) that was crashing Office regularly. I attempted a few reboots to fix that problem and finally took a proper look at my browser’s issue. As I mentioned above, my first thought was malware, so this problem took center stage.
At first I was curious as to how such strange behavior was taking over my daily driver, and how it got past my defenses. First, I have my pfSense open source firewall with antivirus. Then my local machine is running Malwarebytes Premium (with auto updates). Plus, of course, I also have Windows Defender. Surely these great tools, coupled with my *safe surfing habits*, would keep me protected, right? Was it a DROWN attack vector? Was it something new that no one knew about? Doubtful, to say the least, but only time would tell.
Let’s look through the usual startup locations. The great and knowledgeable Mark Russinovich has built the sweetest set of Sysinternals tools. One of my favorites is Autoruns. This tool will show you every possible place that some evil (or even pseudo-evil) software will attempt to hide itself for startup. Just like with his alter ego, Jeff Aiken, malware has no chance to hide from Sysinternals!
Let’s take a tally here…
Autoruns? Nada! Malwarebytes? Zilch! Windows Defender? Zero! HAVP? No hits!
Taking a step back, I found a hint in the URL that my default browser was opening to, which was http://www.msn.com/?ocid=wispr. A search for “WISPR” yielded the clue as to why this *just started* happening to me.
As it turns out, there is a feature in Windows, going back at least as far as Windows 7 (that I guess I never thought about), called Microsoft NCSI (no, it’s not the latest techno investigative team from Redmond, although it sure sounds like one!). It stands for Network Connectivity Status Indicator. I vaguely knew that this existed from troubleshooting strange NIC behavior (for example, when a NIC gets flagged in the wrong zone so Windows Firewall rules get applied incorrectly), but had no idea that it would affect the browser and bypass all browser configuration!
Basically, the feature works like this. When your Windows computer comes online with network connectivity, it tries to fetch a text file located on the web at www.msftncsi.com/ncsi.txt. If Windows can’t reach it, it assumes you are at a public hotspot and will need a browser to sign in to the access point, so your default browser is launched. Since I really do have internet access (no captive portal needed here in the Northern woods!), the page then redirected me to the MSN homepage.
As it turns out, this problem was (like many) self-inflicted. You see, recently I began tinkering with Raspberry Pi machines. First I built an AirSonos box that made streaming that much easier and friendlier at home. Then I found out about a cool network-wide ad blocker called Pi-hole (don’t you love open source project names?). Pi-hole is simply a Linux box running dnsmasq that maintains its own blacklists of ad servers. When a device that uses Pi-hole for DNS requests a blocked site, Pi-hole simply serves up a tiny txt or jpg instead of that bandwidth-hogging sidebar!
Can you guess what happened when I added www.msftncsi.com to my whitelist? HINT: No more *hijack*.
If this behavior annoys you, you can disable it in the registry as well. Simply change the value named EnableActiveProbing, located under the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
from the default “1” to “0”. If you look through this key you can see other parameters such as the host and path of the target file, so I guess you can customize this to your own tastes.
Also, Pi-hole has a script that can be used to add domains to the whitelist. It seems that wildcards are not supported yet, so no *.domain.com.
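As an added example (my own PowerShell, not code from the original post), here is a script that reads the NCSI settings from the registry key above and replays the web probe, so you can see whether a DNS filter such as Pi-hole is what makes it fail. It assumes Windows 8 or later for Resolve-DnsName and PowerShell 3 or later for Invoke-WebRequest.

```powershell
# Added example, not code from the original post: replay the NCSI active web probe
# using the parameters Windows keeps under the key named above, so you can see whether
# DNS filtering (a Pi-hole blacklist, in the post's case) is what makes the probe fail.
$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiProbeSettings {
    # These value names are the ones Windows uses; EnableActiveProbing is the switch the post describes.
    $p = Get-ItemProperty -Path $NcsiKey
    [pscustomobject]@{
        Enabled = [bool]$p.EnableActiveProbing
        Host    = $p.ActiveWebProbeHost      # normally www.msftncsi.com
        Path    = $p.ActiveWebProbePath      # normally ncsi.txt
        Content = $p.ActiveWebProbeContent   # the exact text the probe expects back
    }
}

function Test-NcsiProbe {
    param([Parameter(Mandatory)] $Settings)
    $r = [ordered]@{ Host = $Settings.Host; DnsAnswer = $null; HttpStatus = $null; ContentMatch = $false; Error = $null }
    try {
        # Which address does your resolver hand back? A Pi-hole answers with its own LAN address
        # for a blacklisted name, which is why the probe still "connects" but gets the wrong page.
        $a = Resolve-DnsName -Name $Settings.Host -Type A -ErrorAction Stop | Where-Object QueryType -eq 'A'
        $r.DnsAnswer = $a.IPAddress -join ','
        $resp = Invoke-WebRequest -Uri ('http://{0}/{1}' -f $Settings.Host, $Settings.Path) `
                                  -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        $r.HttpStatus   = $resp.StatusCode
        # This comparison is what decides "internet" vs "captive portal": a mismatch means a browser launch.
        $r.ContentMatch = ($resp.Content.Trim() -eq $Settings.Content)
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

function Disable-NcsiActiveProbing {
    # The registry change from the post; needs an elevated PowerShell prompt.
    Set-ItemProperty -Path $NcsiKey -Name EnableActiveProbing -Value 0 -Type DWord
}

$s = Get-NcsiProbeSettings
if (-not $s.Enabled) {
    'EnableActiveProbing is 0: Windows will not probe, so no browser launch at boot.'
} else {
    Test-NcsiProbe -Settings $s | Format-List
}
```

A ContentMatch of False with a LAN address in DnsAnswer is exactly the Pi-hole case from the post; whitelisting the host (or calling Disable-NcsiActiveProbing) clears it.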
Phew, glad that one was solved!
Till next time, folks. Keep on learnin’!!