Windows Phone IE redirect "virus"?

wuiyang

New member
Oct 2, 2013
Before I say anything about the "virus": I cleared my IE browser history MANY times (I spam-clicked it) and soft reset my phone (volume down + power button), and it is still there. I'm using my own Wi-Fi (not sure if someone hacked it...)

Also did the following things:
Marked "Use SmartScreen Filter to help protect against unsafe websites"
Set "Cookies from websites" to "block all"
Closed the freakin tab for God's sake

This "virus" affects any webpage that shows ads. I opened Windows Phone Stack Exchange, and it showed a popup titled something like "Message from webpage", with the message "Please update your Lumia 520 right now to continue." (in Chinese; only "Lumia" was displayed in English). I pressed OK, and it started the redirect "virus". I cleared my IE browser history MANY times, but when I go back to the same page (windows stackexchange), it redirects again; it is a redirect loop, FYI.

Later, while I was surfing NokiaPowerUser, another popup was shown with the same title; the message displayed "Scandals of xxxxx! press ok to see it!" (in my country's language, not my phone language). I pressed the back button (not OK), and a loud BEEP sound was heard. Does it "hack" my phone? This BEEP doesn't sound like a system default sound/ringtone/etc. at all, nor do I have this sound file.

My phone started to lag after that and displayed "loading..." on the main screen, so I immediately soft reset my phone. Once the reset completed, my phone still lagged and still displayed "loading..." on the main screen, so I soft reset again. I hope that it is not going to happen again.

What the hell just happened? I don't know if the "virus" is strong enough to play that BEEP sound through my speaker. I am very concerned if it really is a "virus". If anyone has seen this situation before, does it still redirect?
 

jmshub

Moderator
Apr 16, 2011
You were taken to a website that delivers a fake antivirus screen. These webpages are step one to eventually offering you a download to "fix" your virus problem. Sadly, if you download and install the program, you install a virus. However, they only work on desktop Windows. So, the website will display all of the virus nonsense because it would on any web browser, including a Chromebook or Mac. But, the virus cannot download and install to your phone.
 

wuiyang

New member
Oct 2, 2013
You were taken to a website that delivers a fake antivirus screen. These webpages are step one to eventually offering you a download to "fix" your virus problem. Sadly, if you download and install the program, you install a virus. However, they only work on desktop Windows. So, the website will display all of the virus nonsense because it would on any web browser, including a Chromebook or Mac. But, the virus cannot download and install to your phone.

What? Did you read it at all? I didn't even download anything
 

xandros9

Active member
Nov 12, 2012
Well, websites playing media isn't unheard of. I've seen autoplay videos I think on my phone sometimes.

Those messages from webpages are just JavaScript dialog boxes, harmless by themselves.

We haven't seen any confirmed malware event in Windows Phone to this date.
 

wuiyang

New member
Oct 2, 2013
Well, websites playing media isn't unheard of. I've seen autoplay videos I think on my phone sometimes.

Those messages from webpages are just JavaScript dialog boxes, harmless by themselves.

We haven't seen any confirmed malware event in Windows Phone to this date.

My IE kept redirecting. Is there any software to record the phone screen?
 

someone2639

Active member
Sep 25, 2014
You could use a conventional camcorder.

Also, why are we trying to bat off the possibility of a virus? I mean, people have hacked WP, and I think if they're still secretly trying, that might be all they can do at the moment. I mean, I don't think Internet Explorer Mobile gets security updates as often as desktop. They're trying to market it as Universal, sharing the same code. That would also mean the same vulnerabilities patched in desktop are present on Mobile.

Not saying it's a virus, but I'm saying it's just as likely.
 

opalchip

New member
Aug 10, 2015
Hi, I am located in China - using a Nokia 930 which was purchased in the U.S., and I have recently started getting similar IE redirects which take me to a Chinese language site (which, shall we say, is not appropriate for children...). The latest one happened from the Salon.com homepage, but it's random. This is curious, because it's happening on a wireless network at my workplace, and NO ONE else there is getting these pop-ups. (Of course, no one else there has a Windows phone either - but it is not happening on the PCs there, which run Vista.)
When I try to back out of the nasty page, a popup appears in Chinese which I can't read, but which has two action buttons - DOWNLOAD or CANCEL. If I press cancel, it starts downloading something anyway. If I continue hitting the back (capacitive) key, the popup just keeps reappearing. So the only escape is to force shut down IE and restart. I can go straight back to, say, the Salon.com page where this occurred and it does not repeat. But it might happen 10 minutes later from a different page.
1. Any ideas as to what's going on and how to prevent it?
2. Is it now dangerous to connect my phone to my PC via USB?
Thanks.
 

wuiyang

New member
Oct 2, 2013
Problem fixed:
The problem is due to DNS. [DNS is a server that converts website links to IPs (e.g. bing.com to 204.79.197.200)]
The DNS you are currently using is either an ad-supported or a hacked DNS; it is hard to identify, but you can look up your current DNS server through settings.
Try to change your router settings:
1. Change DNS (please do not use Google DNS (8.8.8.8), it is vulnerable; use http://dns.norton.com/)

If you are an IT pro:
1. Change your default gateway to something other than 192.168.0.x or 192.168.1.x
2. Create a DMZ (if possible, let it be outside the DHCP pool, e.g. if you used 192.168.70.x as your gateway, use any number other than 70)
3. Deny all access, except Ethernet
4. Update your router
5. Check your router's vulnerabilities through a search engine
For more details, check out the answer here: "windows - Is my modem compromised?" on Information Security Stack Exchange
 

opalchip

New member
Aug 10, 2015
Thanks for the info. I have already installed a brand new router (bought in the U.S.) and still have the same issue. I will change the default DNS today, but here's the thing ---- This redirect ONLY occurs on my Windows Phone. I also have Android, iPhone - no issues using their browsers on the same router at the same time. I have two Vista laptops and an XP desktop point of sale system running there. Even using IE on the same websites, I do not get a redirect. Now, the router does play a role, because I do not get the redirect at my home - only at my shop. However, there is clearly an inherent weakness in the Windows Phone 8.1 IE browser that does not exist in all the others. Hopefully it cannot get out of the "sandbox" that MS claims protects the phone. And hopefully, the Edge browser will make the whole issue go away. But there is a cause for concern here. I only connect the phone (Nokia 930) to my home laptop, which I am taking to the shop tomorrow, to see if it has also been compromised now in some way. Will post the results tomorrow.
 

opalchip

New member
Aug 10, 2015
Well, without someone at MS analyzing my phone, it's hard to say for sure - but if this is not malware, it's at minimum an exploit coming from somewhere on the network (not likely the router as I just replaced it and the redirect appeared immediately on the new one) that is not being allowed by any other device I tested, including 5 Androids, 2 iPhones, and 4 Windows Vista laptops. I could not duplicate the redirects on any Vista machine, even after dropping all IE security settings to minimum - even while the redirects were happening on my Windows Phone concurrently. The only real test left is to Hard Reset the phone and see if the problem disappears. If it DOES disappear, then I think it's pretty safe to say that malware was present in some form. If it DOESN'T disappear, then I'd have to think there is an inherent vulnerability in the Phone version of IE.
 

wuiyang

New member
Oct 2, 2013
Well, without someone at MS analyzing my phone, it's hard to say for sure - but if this is not malware, it's at minimum an exploit coming from somewhere on the network (not likely the router as I just replaced it and the redirect appeared immediately on the new one) that is not being allowed by any other device I tested, including 5 Androids, 2 iPhones, and 4 Windows Vista laptops. I could not duplicate the redirects on any Vista machine, even after dropping all IE security settings to minimum - even while the redirects were happening on my Windows Phone concurrently. The only real test left is to Hard Reset the phone and see if the problem disappears. If it DOES disappear, then I think it's pretty safe to say that malware was present in some form. If it DOESN'T disappear, then I'd have to think there is an inherent vulnerability in the Phone version of IE.

It depends on your cookies: if your IE still has the redirect cookie, then it will continue to redirect. Try to clear your browser data, and check your DNS setting in the Wi-Fi settings.
 

opalchip

New member
Aug 10, 2015
Hi, I don't see how to change the DNS on the phone. I know that used to be available with WP7, but now the custom settings are all grayed out on the Wireless Network Edit menus. (I see there is some global option under Wireless Static IP - but that completely blocks me connecting to other networks). I have deleted browsing history, search history, and soft reset many times. Now I am also getting pop ups in addition to the redirects...
 

a5cent

New member
Nov 3, 2011
Also, why are we trying to bat off the possibility of a virus?

It's not about denying the potential existence of malware. What can be denied however, is the possibility of being infected by doing only what the OP described.

Being infected in that way would require a catastrophic flaw in IE. The chances of that happening are extremely small. The chances of a WCentral member being the first to spot such a huge bug (rather than MS or a security researcher) are almost zero. On top of that, that malware would also have to target and be able to run on WP, a platform not even legitimate devs are super keen on developing for, much less malware devs. Add all those probabilities up and you can safely deny this is related to malware, even after just reading the first sentence.

The OP's ISP engaging in DNS hijacking ... that's far far more believable.
 

a5cent

New member
Nov 3, 2011

I have deleted browsing history, search history, and soft reset many times. Now I am also getting pop ups in addition to the redirects...
Have you tried:


a) close every tab open in IE.
b) then delete all browsing history.
c) close and reopen IE
d) retest


If that doesn't change anything, I'd specify alternate DNS servers on your new router, rather than on your devices.

You can try Google's at:
8.8.8.8
8.8.4.4
 

opalchip

New member
Aug 10, 2015
Hi - Sorry to be so slow at replying - I don't have much time lately... I have tried all these things you mention, and in addition I have changed the DNS server on my routers multiple times (currently using 208.67.222.220 and 46.244.10.5).

I am in China, so there is no question that ISPs are DNS hijacking ... but generally on attempted connections to blocked addresses like Facebook, Twitter, etc., not on Neowin or Engadget. (I do run a flushdns script on all my PCs at startup). But I think the "undeniable" point here is this: I have many other devices running on these networks all day, every day, including 5 Android phones, 2 iOS phones and 2 iPads, 3 Vista machines and 2 Macs - and none of them have ever exhibited these popups and redirects. How to explain that, if this is not at minimum a "weakness" in the mobile version of IE? Now, I'm not getting bent out of shape because I plan on having a Cityman with Edge browser very soon :excited: - but there is something going on. I have attached images of one popup and one redirect (most of the redirects are not appropriate content, if you know what I mean...)
 

Attachments: popup.jpg, redirect.jpg

wuiyang

New member
Oct 2, 2013
You can try Google's at:
8.8.8.8
8.8.4.4
I wouldn't recommend Google's DNS, as there's no safety protection; try https://dns.norton.com/homeuser.html

Hi - Sorry to be so slow at replying - I don't have much time lately... I have tried all these things you mention, and in addition I have changed the DNS server on my routers multiple times (currently using 208.67.222.220 and 46.244.10.5).....

Did your DNS change without anyone modifying it? Then you are infected with Trojan.DNSChanger; resetting your modem is the only solution (remember to note down all information for your internet connection, like ISP username and password)
 

a5cent

New member
Nov 3, 2011
How to explain that, if this is not at minimum a "weakness" in the mobile version of IE? Now, I'm not getting bent out of shape because I plan on having a Cityman with Edge browser very soon :excited: - but there is something going on. I have attached images of one popup and one redirect (most of the redirects are not appropriate content, if you know what I mean...)

I'm not denying that IE may be exhibiting some weakness. Maybe it is. Maybe it isn't. All I'm saying is that your WP device definitely isn't infected by malware.

One possible explanation might be that whoever is injecting this advertising into your web requests, might be targeting IE explicitly (due to its large desktop user base), without excluding mobile IE users. Then this wouldn't be a weakness in IE at all, but rather just the result of other browsers not being targeted. I'm not saying that's what is happening. I'm just saying there are a LOT of possibilities and jumping to conclusions without understanding the problem is never a good idea.

What I'd find interesting is if the problem persists after changing mobile IE's user agent string. Would you consider installing the Windows Phone app "user agent switcher" and checking if you still get this behaviour after having IE pretend to be a different browser?

https://forums.windowscentral.com/e...-agent-switcher%2F9wzdncrcx40f&token=TLof-Ey4

Did your DNS change without anyone modifying it? Then you are infected with Trojan.DNSChanger; resetting your modem is the only solution (remember to note down all information for your internet connection, like ISP username and password)

I don't know anything about this trojan, but according to Wikipedia it infects Windows and OSX installations. It doesn't seem capable of infecting routers or WP devices.

I wouldn't recommend Google's DNS, as there's no safety protection; try https://dns.norton.com/homeuser.html

I'm not recommending anything. I'm trying to diagnose the problem using a public DNS server that is (hopefully) available worldwide. Let's not make more problems before we know what the first problem really is.
 

opalchip

New member
Aug 10, 2015
Hi, No DNS virus problem - I changed to those servers myself. (I also ran the Avast network threat scan and that says all is good.) I'll install the "user agent switcher" app and see what happens. I'll also try running IE and Chrome on the Windows machines here - normally I only use Firefox - so the possibility of it being an IE only "injection" is one explanation.
 

a5cent

New member
Nov 3, 2011

Unless your router or network infrastructure is compromised, this has nothing to do with a virus. The problem likely isn't even on your network, but instigated by your ISP.


Another test would be to:

A) Turn off WiFi, turn on cellular data
B) Turn on WiFi, turn off cellular data

and see how it behaves in both scenarios. Please report back on those tests too - without use of the UA switcher.
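
An added example (not written by any poster in this thread): the two tests proposed above, switching the user agent and switching between Wi-Fi and cellular, both come down to fetching the same page two ways and seeing what differs. This Python code lists the scripts, iframes and meta refreshes that appear in only one copy; the sample pages, the `.example` hosts and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample: a page served cleanly, and the same page with content added in transit.
BASELINE = ('<html><head><script src="/js/site.js"></script></head><body>'
            '<script src="http://cdn.site.example/a.js"></script>'
            '<p>News</p></body></html>')
SUSPECT = BASELINE.replace("</body>",
    '<script src="http://ads.injected.example/p.js"></script>'
    '<script>alert("Update your phone to continue")</script></body>')

class ActiveContent(HTMLParser):
    """Collect external script/iframe hosts, inline scripts and meta refresh targets."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self.refresh = set(), set(), set()
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe"):
            host = urlparse(a.get("src") or "").hostname  # None for relative URLs
            if host:
                self.hosts.add(host.lower())
            self._in_inline = tag == "script" and not a.get("src")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refresh.add(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.add(" ".join(data.split()))  # normalise whitespace

def scan(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser

def added_content(baseline_html, suspect_html):
    """Active content present only in the suspect copy of the same page."""
    base, sus = scan(baseline_html), scan(suspect_html)
    return {"hosts": sorted(sus.hosts - base.hosts),
            "inline": sorted(sus.inline - base.inline),
            "refresh": sorted(sus.refresh - base.refresh)}

def fetch(url, user_agent):
    """Fetch a page with a chosen User-Agent header (needs network access)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")
```

On a real network, call `fetch()` for the same plain-HTTP URL under each condition and pass both bodies to `added_content()`. Pages with rotating ads differ between fetches anyway, so compare several runs before attributing a difference to the network.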
 

wuiyang

New member
Oct 2, 2013
AFAIK, this problem happens on the Wi-Fi you are connected to; it rarely happens with a cellular connection. My concern is that this might be an old virus that is now happening in Windows Phone's IE. Some adware like "adserverplus" will automatically plant an adware cookie in the browser.

But what we have seen is that even if we delete our cookies and reset our browser, the problem still exists. Does that mean IE didn't delete it?
Second, I don't have this issue after I changed my DNS. Does that mean there's a specific DNS that can attack a vulnerability in Windows Phone's IE?

I hope that Microsoft found out about this problem and is fixing it (or has fixed it). And when will Mozilla develop Firefox for Windows Phone?

EDIT: Forgot to mention, while I was having the DNS problem, I couldn't connect to Facebook on my Nokia X, and there were weird redirections and redirect ads in Google Chrome on Windows. I later found out that I got Trojan.DNSChanger due to the VPN (ZenMate) I was using; when I removed it, the DNS problem was gone.
 