I recently switched to one of the biggest ISPs in China and leased a 2M ADSL broadband Internet connection. I manually set up a PPPoE connection named “Telecom” in Windows XP, configured to use the username and password I received from my ISP. I tested the connection and found that most protocols (DNS, ICMP, FTP, and even HTTPS) worked fine, but my browsers were always redirected to a special page telling me that I needed to use the special PPPoE dial-up client “ChinaNetClient,” supplied by my ISP, to dial the ADSL connection.

Using Wireshark to sniff the traffic, I determined that HTTP (only port 80) sessions were being hijacked, and this page was being sent to my browser.

At this point I decided to read the EULA in the contract with my ISP (something I should have done beforehand), and found that it says I should use only the special ChinaNetClient to dial my ADSL connection, and that they cannot guarantee that I will be able to access the Internet if I use other clients.
So I downloaded and installed the client software and used the same username and password I used in my Telecom connection.
As expected, the HTTP hijacking stopped. But to my dismay, the ChinaNetClient pushed advertisements to my Windows desktop. It seems my ISP is eager to introduce its additional services. I don’t like the thought of having to install unfamiliar software just to dial an ADSL connection, much less unfamiliar software that displays unwanted ads. Who knows what else it might bring to my desktop?
So I was determined to learn how to get my ADSL connection working without using the client from my ISP. First I noticed that the client set up another PPPoE connection named “Vnet_PPPoE” in Network Connections, similar to the Telecom connection I manually created. Assuming the ChinaNetClient just uses the Vnet_PPPoE connection to dial the ADSL, I wondered how my ISP’s server knows whether I used the ChinaNetClient.
Using Wireshark again, I found that after the client successfully dials up, it appears to connect to an HTTP server inside my ISP’s network and send some account information.
I suspected there is some authentication server in my ISP waiting to receive the dial client’s authentication information, and when received, tells the hijack devices to skip my IP address. The HTTP session packets seemed easy to forge, so I wrote a small program that would connect to the authentication server. If my suspicion was correct, I should be able to connect using my Telecom connection, then run my program, and hopefully prevent the HTTP hijacking. Alas, it was no use: the hijacking continued.
So I compared the packets my program sent one by one with the packets the ChinaNetClient sent, but I found no differences. Now I was clueless. I clicked here and there in the ChinaNetClient and found nothing unusual. I finally opened the Vnet_PPPoE connection that ChinaNetClient created, and here I did find something unusual. The username in the Vnet_PPPoE properties was just the string “UserName,” not the username I input in the ChinaNetClient UI.

I opened the pcap files I had saved and searched for the username and password sent in the PPPoE dial session. To my surprise, I found that although the Vnet_PPPoE connection sent my real password, the username was not exactly the username I got from my ISP. It wasn’t “UserName” as displayed in the Vnet_PPPoE properties either. It added two special characters (“~l”) to the username I got from my ISP.
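As an added example that is not part of the original post, here is a small parser for the frame such a capture contains (Ethernet / PPPoE session / PPP / PAP Authenticate-Request); the frame, the username `user123~l` and the password are constructed sample values, and the ISP-issued username is assumed to be `user123`. It shows why both the real username and, because PAP is cleartext, the password appear verbatim to anyone who can see the link.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (RFC 2516)
PPP_PROTO_PAP = 0xC023             # PPP Password Authentication Protocol (RFC 1334)
PAP_AUTH_REQUEST = 1               # PAP code: Authenticate-Request


def build_pap_frame(username: bytes, password: bytes, session_id: int = 0x0001) -> bytes:
    """Construct an Ethernet/PPPoE/PPP/PAP Authenticate-Request frame (sample input, not a real capture)."""
    pap_body = bytes([len(username)]) + username + bytes([len(password)]) + password
    pap = struct.pack("!BBH", PAP_AUTH_REQUEST, 1, 4 + len(pap_body)) + pap_body
    ppp = struct.pack("!H", PPP_PROTO_PAP) + pap
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp  # ver/type=1/1, code=0
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe


def parse_pap_request(frame: bytes):
    """Return (username, password) from a PPPoE-session frame carrying a PAP Authenticate-Request, else None."""
    if len(frame) < 14 + 6 + 2 + 4 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if ver_type != 0x11 or code != 0x00 or len(payload) != length:
        return None
    if struct.unpack("!H", payload[:2])[0] != PPP_PROTO_PAP:
        return None
    pap_code, _ident, pap_len = struct.unpack("!BBH", payload[2:6])
    pap = payload[2:2 + pap_len]
    if pap_code != PAP_AUTH_REQUEST or len(pap) != pap_len or pap_len < 6:
        return None
    ulen = pap[4]
    if 5 + ulen >= pap_len:          # password-length byte must lie inside the packet
        return None
    plen = pap[5 + ulen]
    if 6 + ulen + plen > pap_len:    # password must lie inside the packet
        return None
    # PAP sends both fields in cleartext, which is why a Wireshark capture shows them verbatim
    username = pap[5:5 + ulen].decode("latin-1")
    password = pap[6 + ulen:6 + ulen + plen].decode("latin-1")
    return username, password


def extra_chars(wire_username: str, issued_username: str):
    """Characters the dial client appended to the ISP-issued username (e.g. "~l" in the post), or None."""
    if wire_username.startswith(issued_username):
        return wire_username[len(issued_username):]
    return None
```

A link negotiated with CHAP instead of PAP would carry only a challenge and hashed response rather than the password, but the Name field, and therefore the modified username, would still be visible in the capture.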

So I modified the username in my Telecom connection to the username I found in the packet captures, connected, and sure enough the hijacking stopped. It seems my ISP keeps two usernames for me. If I use the original username, it will prevent me from accessing Internet Web sites and ask me to download and install the ChinaNetClient software, so they can push what they want to my desktop.
After being able to access the Internet normally, I searched online and found many discussions on this topic. Apparently the ISP adds different additional characters to usernames in different Chinese cities. Others found the real username recorded in the event viewer of Windows.
LOL What a great story!