TypedURLs (Part 2)

by Paul Nichols

In the first installment of the TypedURLs blog entry the various ways that this Registry key is populated was discussed.  But are there other mechanisms that write to this key that are not user-driven?

Take the following Regedit screenshot in Figure 1 for instance:

Figure 1 - Default TypedURLs key in IE6

Are we to believe that the user typed in the URL “http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome?”
As it turns out, this key is populated by default when a new user logs into Windows prior to ever opening Internet Explorer.  This key’s value is the default entry for url1 in IE6.  The first time the browser is opened by the user, this is the webpage which will be requested.  And yet it was never typed by the user.

This screen capture shows the default TypedURLs entry for IE8:

Figure 2 - Default TypedURLs key in IE8

Again, the user never typed in “http://go.microsoft.com/fwlink/?LinkId=69157.”  This is merely the default home page for user’s who are browsing with IE8.

Another method growing in popularity which can populate this key without user interaction is through infection by malware.  If a system is compromised and the malware can invoke the Windows API call RegSetValueEx, specific values can be set in the TypedURLs key.  There are many adware samples in the wild that write specific values to this Registry key, so that the user’s address bar is populated with entries chosen by the malware authors.  Many times these are used to generate revenue by having user’s visit a webpage, whereby the malware author receives a payment based on number of visitors. It is also a method used to socially engineer unsuspecting victims to visit sites they didn’t intend to browse.

One specific example of this type of malware is called “Adware.StartPage“, as designated by Symantec.  This executable copies itself locally and edits the AutoRun location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that the starting of the malware persists through reboots. It also changes a number of Registry values including those that control the user’s home page and the user’s TypedURLs (http://www.symantec.com/security_response/writeup.jsp?docid=2004-042715-3545-99&tabid=2).

Another malicious application discovered in 2005 called “Trojan.Startpage.Q” also edits the TypedURLs key.  This malware is set to download files from URLs hardcoded into the binary and sets the TypedURLs key to include these files to ensure future infection (http://www.symantec.com/security_response/writeup.jsp?docid=2005-093010-0049-99&tabid=2).

It is becoming increasingly common for some of the TypedURLs entries to be written by malware and not typed by the user at all.

Why is all of this important you might ask? Take for instance the case of the school teacher Julie Amero, who was arrested, tried and convicted for allegedly visiting pornographic websites while substitute teaching a class on October 19, 2004. The expert forensic testimony presented the TypedURLs Registry key, among other artifacts such as browsing history, as evidence that Ms. Amero exposed young students to pornographic images.  She was convicted based on this testimony.  When questioned, the expert witness stated that he never looked for malware on the system during his analysis.  Since the TypedURLs key and her Internet Explorer history were populated with illicit websites, Ms. Amero was convicted and faced as many as 40 years in prison.

But how do we know that Julie Amero was responsible? Did she really type these URLs and browse some of these sites intentionally, as her TypedURLs and index.dat history suppose?

Shortly after the conviction, a judge overturned the ruling and she was granted a new trial.  Upon further forensic analysis, the computer in question was found to have been infected with a spyware application called NewDotNet, which associates domain names that do not exist with specific content delivered by the malware.  There was also testimony stating that pop-ups appeared and spawned even more pornographic pop-ups when closed.  Therefore, Ms. Amero was likely the victim of malware infection and pop-up techniques used by website designers to trap the users and feasibly did not deliberately type or click on any pornographic links.

In summary, there are a number of ways the TypedURLs key is populated and depends not only on the version of Internet Explorer, but the version of Windows as well.  As highlighted by the Julie Amero case, making a forensic assessment from the TypedURLs key must be done with care and due diligence, taking into account its context, as well as all other artifacts and potential malware residing on the system.

Comments are closed.