Browser Hijackers: Further Information

Start-up Programs

Start-up tasks are loaded automatically when Windows starts. Many programs add their own task to this list once they have been installed. The programs loaded are normally executable files. A complete list can be found in the registry under

HKLM\Software\Microsoft\Windows\CurrentVersion\x

where x can be run, runonce, runservices or runservicesonce, depending on the version of Windows installed.

More advanced browser hijackers automatically add an item to the start-up list which could, for instance, load a program to "check" whether the operating system and browser settings have been corrected back to how they were. If they have been corrected, the program can remake all the changes, making it impossible for the user to regain control of their browser without editing the start-up list themselves and manually removing this task.

Windows Policies

Policies allow the administrator of the system to restrict particular functions of the operating system. This can be particularly useful if the system is shared between people or is available to the public; you might want to restrict access to certain operations like the Control Panel or the registry editor.

Some hijackers even go as far as using policies to restrict access to your Control Panel, registry editor or parts of your Internet Options screen. They do this by changing policy settings within your registry. Needless to say, this is totally unacceptable. Internet Controller and HijackThis are programs which can resolve these problems.

Browser Settings

All the major browsers like Internet Explorer, Netscape and Opera have settings which can be altered to configure the browser to suit your needs. Typically these range from basic settings like your homepage, font size and colours to more advanced settings like cookie management or whether to allow scripting or ActiveX.

Stage 1 : How Browser Hijackings get through your system

A. Browser vulnerabilities

Internet Explorer is well known for its security weaknesses; someone could exploit these loopholes to bypass the confirmation screen and alter your homepage or bookmarks folder. Even worse, they could run an executable file or .hta file, possibly by an ActiveX drive-by install (one that installs without informing the user), to change policies and append a start-up program to make removal difficult even for an experienced user. There has been a bug in Internet Explorer and Outlook that allows a .hta file to be written to your system, and run later when the system restarts, just by viewing a web page.

Example: The website whazit.com uses this method. They paid affiliate web sites to automatically install their hijack on people's machines. It is reported that they paid companies 0.14 USD for each complete install of their hijack.

B. Enticement

This method involves tricking an unsuspecting user into downloading and running the hijack themselves. This is particularly dangerous because it means the user could install a standalone .exe file. This can be achieved by false statements about what they're downloading, making the user believe it's something else like a browser enhancement or an operating system update. It's also known that some sites display messages saying it's essential to install this plug-in to view their site correctly. Many sites try to trick users by claiming that their 'VeriSign certificate proves that our software is safe'. Unknowing users might believe this and not realise that certificates are used for authentication purposes, not for proving how good the software is.

C. Low or no security measures in place

If the browser security settings are at their minimum, it's possible that ActiveX controls could install by themselves without the user having to agree to what's being installed. Previous attacks or installations could also have changed the browser settings without the user's knowledge. For example, the AOL installation CD automatically adds aol.com to the browser's trusted sites, then automatically downloads updates.

Stage 2 : What damage do Hijackers cause once on your system

Compared with other internet security threats like viruses, Trojans and spyware, browser hijackers are considered quite low down the list. The most common practice of a browser hijacker is to alter your homepage, bookmarks and search page, and it may make it very difficult for you to revert them. While it can be quite disturbing to find that your homepage has been changed and that whenever you type an incorrect URL the browser is redirected to a pornographic site, browser hijackers won't harm your data or spread themselves by emailing your entire address book. The most worrying thing about browser hijackers is that they do, for a period of time, have control over your browser configuration. They can therefore compromise your security by, for example, allowing unsigned scripts without prompting the user. I therefore think the greater worry is the damage which can be caused by other attacks taking advantage of a weakness created by a browser hijack.

Stage 3 : How to sort a browser hijacking attack

Typically the removal of a hijacker will involve editing the Windows registry and browser settings, and removing files and directories from your system, to revert your system back to how it was.

Prevention

Although it is not possible to completely prevent a hijacking of your browser, you can protect yourself a great deal if you follow these steps.

Manual Removal [at your own risk]

Run the registry editor by clicking Start -> Run and typing 'regedit'.


Manually Fixing a Browser Hijacking Attack

Description of Keys

The keys below often get modified by hijackers, and altering them can create very annoying effects. TopSearcher is a good example of this. Microsoft has some information on how to fix an example of browser hijacking.

Key Name - Description

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    Your Homepage [initial URL loaded when you first open your browser]

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    Your Default Homepage.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    Your Search Page - If you type in an invalid URL, it will search using the address within this key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    Your Default Search Page

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
    Search Settings

Policy Settings

You can manually remove these restrictions by viewing the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ [divided into subfolders]
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer [divided into subfolders]
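The three places this page tells you to inspect (the start-up Run keys, the Internet Explorer Main keys, and the policy keys) can be checked together from a .reg export taken with regedit's File -> Export. The script below is an added example written for this page, not a tool from Adoko or Microsoft; the export text, the hijacker.example URL and the expected homepage are constructed, and it only understands string and dword values.

```python
import re

RUN_LEAVES = {"run", "runonce", "runservices", "runservicesonce"}
IE_MAIN_SUFFIX = "\\software\\microsoft\\internet explorer\\main"
POLICY_MARKERS = ("\\currentversion\\policies\\", "\\software\\policies\\microsoft\\internet explorer")

# Constructed .reg export standing in for one taken from a hijacked machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemCheck"="C:\\WINDOWS\\TEMP\\syschk.hta"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacker.example/"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
EXPECTED_BROWSER = {"Start Page": "about:blank", "Search Page": "about:blank"}  # assumed user choice

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line)
        val = re.match(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if key:
            current = keys.setdefault(key.group(1), {})
        elif val and current is not None:
            name, text_value, dword = val.groups()
            # .reg files double every backslash inside string values; undo that.
            current[name] = int(dword, 16) if dword else text_value.replace("\\\\", "\\")
    return keys

def triage(reg, expected):
    """One finding per start-up entry, per IE setting that differs from `expected`,
    and per non-zero policy restriction."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if "\\currentversion\\" in low and low.rsplit("\\", 1)[-1] in RUN_LEAVES:
            for name, cmd in values.items():
                note = "  <- .hta start-up task, review" if str(cmd).lower().endswith(".hta") else ""
                findings.append(f"startup  {key}\\{name} = {cmd}{note}")
        elif low.endswith(IE_MAIN_SUFFIX):
            for name, want in expected.items():
                if name in values and values[name] != want:
                    findings.append(f"browser  {key}\\{name} = {values[name]} (expected {want})")
        elif any(marker in low for marker in POLICY_MARKERS):
            for name, v in values.items():
                if v not in (0, "0"):
                    findings.append(f"policy   {key}\\{name} = {v}")
    return findings
```

Running `triage(parse_reg(SAMPLE_EXPORT), EXPECTED_BROWSER)` on the constructed export reports the .hta start-up task, the changed Start Page and the DisableRegistryTools restriction, which are exactly the three things the manual procedure above has you undo by hand.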

Browser Hijackers : Links
Internet Controller - A program from Adoko.com; you might find this useful for sorting out hijacking problems.
HijackThis - A great program for sorting out hijacking problems.