Your Browser's Been Hijacked!
Nov 1, 2004 12:00 PM, By Allen J. Singer
Computer viruses, trojans and worms are not new phenomena. These pesky parasites have been inflicting electronic pain on computers since Arpanet first went online in 1969. Since then, computers used in both the business office and the home are successfully using firewalls and products made by Norton Antivirus and McAfee to keep safe from unwanted online intruders. But a different epidemic is affecting web users everywhere regardless of profession, social standing and surfing habits. Computers all around the globe are being attacked by software that sneaks through firewalls and even the best virus protection software.
It's called spyware, or malware or scumware; it means the same whichever term is used. Spyware is made up of trojans and other insidious virus programs that are attached to websites and wiggle into computer systems through security holes in Windows. Once installed, the software, or spyware, then works behind the scenes doing any of a number of things such as creating endless pop-ups, redirecting the start page to an unwanted search or adult page, recording surfing habits, continuously causing run time errors and low memory alerts, or at worst corrupting important system files. Hapless users waste hours trying to get rid of this unwanted software. Sometimes un-installation is easy, but many times it is nearly impossible without expert help.
Spyware is closely associated with adware, but is not the same thing. Adware will come bundled with store-bought software and a lot of freeware available online. Kazaa and Bonzi Buddy are just two examples of the thousands of types of freeware that infamously include adware and spyware. The user installing Bonzi Buddy, for instance, might have the option of not installing some of its adware. But the included spyware is malicious: it will install itself without the user's knowledge and can be passive or dangerous, reporting surfing habits and slowing down the connection.
This hijacked home page is the potential result of a spyware trojan.
The offending spyware can come bundled with nearly any kind of software, or it can hide in websites, waiting for victims to click on the page. When a user opens a website containing a spyware trojan, the browser might freeze and the hard drive may start spinning. Depending on what was installed, any of a number of things might happen next. If it is an autodialer, the dial-up connection will be broken and a new call will be made from the computer. If the phone jack isn't immediately unplugged, a long distance call to a far-off land will be made, which can cost the liable user hundreds of dollars.
Other things can happen also: new links may now be in the favorites list, a new desktop image may appear, or pages may take forever to load. Or possibly, a surprising new home page may have taken the place of the old one thanks to the hijacker, one of the most prevalent and irritating trends in spyware today. The variety most often seen is made by a Russian company called Cool Web Search, or CWS. This hijacker affects an amazing number of users, who, once infected, tear their hair out in hopeless frustration.
CWS developed a clever program. When it inflicts itself onto a computer, it installs new keys into the registry and look-alike files in various Windows directories. Many of the files are hidden and difficult to locate without using special software. The new homepage address under the tools menu is "About:Blank," or something similar, and it cannot be changed back to the desired homepage. Page transitions are much slower and the user may not be able to access his webmail, music networks or radio stations without being immediately redirected to the CWS page. At first this hijacking is annoying, but it quickly becomes a significant problem.
Variations on a theme
Different variants of CWS and other hijackers include Cool Search, Search For, Make Me Search, Find4U, Smartsearch and Gonnasearch. The basic idea behind hijacking is that a website company can increase its number of page hits by secretly installing a trojan into users' browsers, creating a third-party hijacker pay-per-click search engine. This in turn generates money for companies like CWS. It must be effective and profitable because there are thousands of websites that include hijackers. And a common misconception is that only adult websites contain hijackers. Many legitimate websites, including popular bulletin boards, can contain hijackers secretly installed by hackers or the site operators.
When a browser is hijacked, the user may see a page like this instead of the desired home page.
The programmers at Cool Web Search modify their parasite daily by altering its program so it cannot be easily eradicated, and make it self-replicating so it will change every time an attempt at removing it is made. A CWS infection will even prevent the user from accessing spyware information websites. New versions are released so often that virus programs cannot keep up.
Fortunately, several companies and private programmers have created utility programs to help users deal with CWS and many other forms of spyware. Most spyware removal programs are free online and are as effective as the $40 spyware removal programs that appear on pop-ups. Ironically, these costly removal programs contain spyware of their own. The most useful free utility released is Hijack This, created by Merijn. This program quickly lists the computer's autoloading programs, toolbars, browser helper objects, search pages, Internet Explorer plug-ins and other key elements surrounding IE. The user then removes anything on the list that looks unfamiliar. Merijn's second most-useful utility is CW Shredder, designed to quickly scan key files and remove anything known to associate with CWS, effectively uninstalling the hijacker.
And if the user is lucky, after a reboot CWS is gone. But it is rarely that easy.
This will only do so much to help the user remove the always-evolving CWS infection. Luckily, other programmers have jumped to the challenge and created more useful free removal programs to help fight the war against spyware. One such program is the current release of Spybot Search and Destroy. When used in conjunction with Hijack This, hijackers and other forms of spyware can be easily eliminated from an infected system. The free version of Ad-Aware by Lavasoft is also an effective tool; it can further seek out the bad files missed by Spybot S&D.
A computer gets hijacked when the user visits websites that have spyware trojans embedded in them. "Search For..." is a famous CWS hijack.
Another useful tool is Registry Mechanic by Winguides Software. Registry-ignorant users will find the free evaluation version useful as it performs deep scans into the registry, identifying and deleting unwanted hidden spyware keys.
And that's not all. The frequently updated utility About: Buster by RubbeRDucky (Marcin Kleczynski) cleans an affected system of the trojan Home Search Assistant, closely associated with CWS. X Cleaner by X Soft is a great utility for an overall system cleanout. This program even blocks Internet Explorer from a long list of known websites containing spyware trojans.
Users can usually remove hijackers or autodialers with the aid of a spyware removal program. Depending on the particular infection, though (and there are hundreds of varieties), the user will not be able to locate all of the hidden files, and the infections will come right back. At this point, it may look like the user cannot do anything else and is stuck with the hijacker and must wipe the hard drive clean and start over.
Thankfully there is free help online. Desperate affected users are jamming the help forums at anti-spyware websites like SpywareInfo.com. Here site visitors learn where spyware comes from, how to remove it, where to locate the programs to remove it, and best of all, the Malware Removal forum helps users with the spyware they just can't eradicate. Friendly and accurate information is available 24 hours a day from trained experts who enjoy the challenge and like to help people.
SWI asks infected visitors to first read the posted FAQ and download and update available free spyware removal programs before asking for help. If still unsuccessful, the user posts a Hijack This logfile in the Malware Removal forum and describes the problem. A board helper will read the file and either ask more questions or post a detailed response that explains what software to run and which files to remove. Users may have to download additional utility programs that isolate and remove hidden files, but after the necessary log analyses and instructions, the user will finish with a clean, smoothly running system.
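A first pass over such a logfile can be automated before a helper reads it. The script below is an added example, not part of the original article or of Hijack This itself: it assumes the log's "CODE - detail" line layout, the sample log is constructed, and the three flagging rules and the code-to-section mapping are illustrative assumptions.

```python
import re

# Constructed sample, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\example.dll/sp.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
O3 - Toolbar: Example Bar - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\bar.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\TEMP\upd.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# Sections the article names; this code-to-section mapping is an assumption.
SECTIONS = {"R": "start/search page", "O2": "browser helper object",
            "O3": "toolbar", "O4": "autoloading program"}

def parse_log(text):
    """Return one dict per log entry; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code = m["code"]
            section = SECTIONS.get(code) or SECTIONS.get(code[0], "other")
            entries.append({"code": code, "section": section, "detail": m["detail"]})
    return entries

def review(entries):
    """Flag entries worth a closer look; the rules are illustrative heuristics."""
    findings = []
    for e in entries:
        detail = e["detail"].lower()
        reasons = []
        if e["code"].startswith("R"):
            value = detail.split(" = ", 1)[-1].strip()
            if value.startswith(("about:", "res://", "file://")):
                reasons.append("page setting points at a non-web location")
        if e["code"] == "O2" and "(no name)" in detail:
            reasons.append("unnamed browser helper object")
        if "\\temp\\" in detail:
            reasons.append("loads from a TEMP directory")
        if reasons:
            findings.append((e["code"], e["section"], reasons))
    return findings

if __name__ == "__main__":
    for code, section, reasons in review(parse_log(SAMPLE_LOG)):
        print(f"{code} ({section}): {'; '.join(reasons)}")
```

A flagged line is a prompt to investigate, not a verdict; unflagged lines still need a reader who knows what belongs on the machine.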
SWI recommends that users run Spybot S&D and Ad-Aware weekly to prevent future re-infections. Spywareblaster and Spywareguard can also be installed to protect IE and to prevent unwanted sites from popping up in the browser. IE Spyad will put 4,000 bad sites into the restricted-sites list to keep the browser from accidentally getting sent to an unwanted site. At the same time, the user should install a firewall and constantly update the virus protection software. Regular Windows updates will also help keep a computer performing to modern standards.
Ad-Aware by Lavasoft is one of several programs that are effective tools for seeking out bad files and removing infections from a computer.
Microsoft has recently released Service Pack 2 for XP, which deals with the security issues plaguing the earlier editions that allowed trojans to infiltrate the systems. It also added a decent firewall to the package. However, it has been reported that SP2 has negatively affected some computers using anti-virus protection.
In the radio station environment, multiple users have access to individual machines, such as in the sales office, on-air studio or jock-prep area. Workstations such as these are more susceptible to trojans; these computers are used mostly for research and e-mail, and many untrustworthy sites may be visited while surfing. Users might be tempted to download freeware such as clock-syncers, weather bugs or the aforementioned Bonzi Buddy.
The IT administrator can spend hours manually searching for files in an infected machine. But because help is available on the Web to deal with the problem, problems can get solved much more quickly. With proper protection, not just limited to virus protection, a computer can be set up to prevent unauthorized downloads of unnecessary applications that could contain spyware. As the saying goes, an ounce of protection is worth a pound of cure. Invest in several pounds of protection for the home computer and office machines. At least it won't cost anything.
Singer is a freelance writer and former radio engineer in Cincinnati.
Where to find help.
These sites contain active help forums and links to free spyware removal software.
- Hijack This
- About Buster
- Ad-Aware 6 or SE
- BHO Demon
- Spybot Search and Destroy
- Spyware Blaster
- Browser Hijack Blaster
- Registry Mechanic
Keep in mind that this software is useful for identifying problems and correcting issues. If you have a problem that just cannot be solved after using the software, feel free to visit the forums at SWI or any of the other sites. Don't waste all day manually searching for hidden files or registry keys you cannot identify. This gives you a place to start, and the helpers on the forums will take it from there.
Here are some steps that you can take to avoid the trouble of spyware.
- Update virus protection daily.
- Update Windows. Not only with service packs, but if there are office machines still using Windows 98, it's past the time to upgrade to Windows XP.
- Install a firewall. Small stations take note.
- Train the staff not to download the cute applications (on private machines too). Usually one infection is enough to teach the lesson.
- Use an alternate browser. Following the release of Service Pack 2, companies like CWS will continue to search for security breaches in Internet Explorer. Use Mozilla or Opera instead.
- Use server-side e-mail filtering. Suspicious e-mails are quarantined and are held until the user allows them to pass through.
- Budget willing, use thin clients for shared machines. These workstations are read-only, and when rebooted they will turn back to the state when they were first installed.
- Use client desktop-level firewalls with central administration, in case the server firewall just isn't enough.