Tuesday, March 15, 2016

Why Did My Home Page Change? ( Hint: It's Not What You Think)

One of the reasons I do enjoy my job is the ability to discover and learn new things. I don’t think a day goes by that most of us in the technology space don’t learn at least one *tidbit* of new information. Things have gotten far more complicated that they ever were ,its impossible to know everything , thankfully the collective hive mind of the intertubes are a never ending connect-the-dots search for technology ( among other things!) enlightenment.

My situation began when I noticed that in the last few days , when I rebooted my PC, my default browser would open to the MSN homepage. Now I know what you are thinking ( as was I ) “Oh crap , I have some malware”. The strange thing was that once I clicked my homepage button , it would go back to my configured page. This would only happen on booting up , which is why I hadn’t paid a lot of attention to it,  really. Strange behavior for malware , NO?
Today however , I was battling a rather nasty Excel/VBA issue (a story for another time) that was crashing Office regularly.I attempted a few reboots to fix that problem  and finally realized my browser’s  issue. As I mentioned above , my first thought was malware so this problem took center stage.

At first I was curious as to how such strange behavior was taking over my daily driver, and how did it get past my defenses?

First I have my PFSense Open Source Firewall with Antivirus. Then my local machine is running Malware bytes premium ( with auto updates). Plus, of course I also have windows defender. Surely, these great tools coupled with my *safe surfing habits* would keep me protected, right ? Was it a Drown Attack vector? Was it something new that no one knew about ? Doubtful, to say the least, but only time would tell.

Lets look thru the usual startup locations.  The great and knowledgeable Mark Russinovich  has built the sweetest set of sysinternals tools. One of my favorites is Autoruns. This tool will show you every possible  place that some evil (or even pseudo-evil) software will attempt to hide itself for startup. Just Like with  his alter ego , Jeff Aiken , malware has no chance to hide from sysinternals!

Lets take a tally here …

Autoruns?  – Nada!  Malwarebytes – Zilch! Windows Defender? Zero!  HAVP? no hits!

Taking a step back ,  I found a hint in the URL  that my default browser was opening up to , which was  http://www.msn.com/?ocid=wispr. A search for “WISPR” yielded the clue as to why this *just started* happening to me.

As it turns out there is a feature in windows at least as far back at least  7  ( that I guess I never thought about)  , called Microsoft NCSI (No,  its not the latest techno investigative team from Redmond, although it sure sounds like one!) It stands for Network Connectivity Status Indicator.. II vaguely knew that this existed when troubleshooting strange NIC behavior (Example, when a NIC gets flagged in the wrong zone so windows firewall rules get applied incorrectly)  , but had no idea that it would affect the browser and bypass all browser configuration!

Basically, the feature works like this.When your Windows computer comes on line, with network connectivity, it will try to hit the  text file , located on the web at www.msftncsi.com/ncsi.txt.  If windows  cant hit it , it assumes you are at a public hotspot and will need a browser to sign in to the access point,  so your default browser is launched. Since I really do have internet access ( no captive portal needed here in the Northern woods!) the page then redirected me to the MSN homepage.

As it turns out this problem was (like many) self inflicted.

You see , recently, I began tinkering with Raspberry Pi machines. First I built an Airsonos box that made streaming that much easier and friendly at home. Then I found out about a cool network wide ad blocker called Pi-hole (don’t you love open source project names?) Pi-hole is simply linux box running dnsmasq   that maintains its own blacklists for ad servers.  When a device pointed to pihole for DNS requests a blocked site , Pi-hole simply serves up a tiny txt or jpg instead that bandwidth hogging sidebar!

Can you guess what happened when I added  www.msftncsi.com to my whitelist ? HINT: No more *hijack*

If this behavior annoys you you can disable it in the registry as well. Siimply change the value named EnableActiveProbing located at the key named: 

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

 to a “0” from the default , “1” if you look thru this key you can see other parameters such as the host and path of the target file, so I guess you can customize this for a your own tastes. 

Also , Pi-hole has a script that be used to add domains to the whitelist. It seems that wildcards are not supported yet so no *.domain.com.


Phew, glad that one was solved!

Till next time, folks. Keep on learnin’ !!

No comments:

Post a Comment