
Web Browser Hijacking: What Is It and How Can You Protect Yourself?

Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu

We've recently become aware of malicious websites that exploit a vulnerability in unpatched versions of Internet Explorer. If your system is unpatched and you happen to visit one of these "booby-trapped" websites, you may find that your web browser has been hijacked.

What Does It Mean to Have a "Hijacked Web Browser"?

When your web browser is hijacked, attempts to view some websites (such as common search engines or popular web directory sites) get automatically redirected to an alternative website of the hijacker's choice without your consent, frequently via a BHO (Browser Helper Object). Because it is common for alternative sites to feature explicit adult content, this can obviously be a rather disconcerting experience.

Moreover (and as if that weren't enough), at least in some cases:

- the modifications made by the browser hijacking code may result in system stability issues or general system performance slowdowns,

- the browser hijacking code may compromise your privacy or the security of what you do online by "reporting back" to its controllers on the sites you visit, or information you pass to those sites,

- your desktop may begin displaying pop-up advertisements, and

- the browser hijacking code may contain features designed to actively resist removal of the infestation using standard anti-spyware or anti-virus programs.

Am I at Risk? What Should I Do?

Now that you're aware of this threat, what should you do?

As always, make sure you've run Windows Update and have installed any critical updates available for your system. To start Windows Update, you can either go to Start -> Windows Update or visit
http://windowsupdate.microsoft.com/

Details of the vulnerability involved in many of these web browser hijackings are available in MS Security Bulletins MS03-011 ( http://www.microsoft.com/security/security_bulletins/ms03-011.asp ) and MS00-075 ( http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp ).

I Think I May Be Infected

First, make sure you really are infected. At least in some cases (e.g., you begin seeing pop-up advertisements directly on your desktop but see no other odd symptoms), you may merely need to disable Windows Messenger (see http://www.stopmessengerspam.com/ ).

If your browser is definitely being hijacked (e.g., you attempt to go to Google but get sent to some other site instead), your first step should be to run Norton AntiVirus, which is available for free to UO faculty, UO students, and UO staff under UO's site license via the Duckware CD-ROM. (Be sure you download the most current anti-virus definitions before scanning your system.)

Your second step should be to run Spybot Search and Destroy (http://cc.uoregon.edu/cnews/summer2003/spybot.html) and/or Ad-aware (http://www.lavasoftusa.com/). Our experience has been that they will flag and remove at least some spyware software that Norton doesn't catch.

In other cases, however, your browser may still exhibit symptoms of hijacking. In that case, you may want to check SpywareInfo's Browser Hijacking site (listed in the "More Information" section below). This site provides additional excellent suggestions for regaining control of your browser.
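
Because hijackers frequently load as a BHO, as noted earlier, one manual check at this stage is to list every BHO registered on the machine along with the DLL behind it. The script below is an added example, not part of the original article; it assumes a Windows system with PowerShell (which postdates the article) and uses the standard Windows registry locations for BHOs and COM classes.

```powershell
# Added example: list Browser Helper Objects (BHOs) registered for Internet Explorer.
# Registry paths are the standard Windows locations (assumption; not from the article).
$bhoKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views  = @(
    # Native view, then the 32-bit view that exists only on 64-bit Windows
    @{ Bho = "HKLM:\SOFTWARE\$bhoKey";             Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoKey"; Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-BrowserHelperObject {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid    = $entry.PSChildName      # each BHO is a subkey named by its CLSID
            $classKey = "$($view.Clsid)\$clsid"
            $name = $null; $dll = $null; $sig = 'n/a'
            if (Test-Path -LiteralPath "$classKey\InprocServer32") {
                # The default value of InprocServer32 is the DLL that IE loads
                $name = (Get-Item -LiteralPath $classKey).GetValue('')
                $dll  = [string](Get-Item -LiteralPath "$classKey\InprocServer32").GetValue('')
                $dll  = $dll.Trim('"')
            }
            # A BHO whose DLL is gone is usually a leftover from a partial cleanup
            $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
            if ($onDisk) {
                $sig = [string](Get-AuthenticodeSignature -LiteralPath $dll).Status
            }
            [pscustomobject]@{
                CLSID = $clsid; Name = $name; Dll = $dll; OnDisk = $onDisk; Signature = $sig
            }
        }
    }
}

Get-BrowserHelperObject | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Entries you don't recognize, or whose DLL is missing or not validly signed, are the ones to look up before deciding what to remove; an unsigned DLL is not by itself proof of a hijacker.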

Finally, you should recognize that no matter how thoroughly you decontaminate your system once it's been hijacked, it's extremely easy to miss one or more residual security vulnerabilities. Assuming you have good backups dating from prior to the time you were infected, the best approach (when feasible) is to do a low-level format of your hard drives and then reinstall your system from scratch.

Important note: If you decide to do a complete reinstall from scratch, please be sure you patch your Windows system using the UO Security CD before you connect your newly reinstalled system to the network (see http://cc.uoregon.edu/cnews/fall2003/securitycd.html ).

If you don't patch your newly reinstalled system using the UO Security CD before you connect to the network, you will almost certainly find yourself replacing a browser-hijacking infestation with some other nasty virus or worm--and you'll end up having to start all over again. (Yes, the online world has become a very crazy and hostile place if you're using Microsoft Windows!)

More Information

1. SpywareInfo's Browser Hijacking Info Site
http://www.spywareinfo.com/articles/hijacked/

2. "The CoolWebSearch Chronicles"
http://www.spywareinfo.com/~merijn/cwschronicles.html

3. "BHO Cop Keeps IE Problems at Bay"
http://cc.uoregon.edu/cnews/spring2003/bhocop.html


Winter 2004 Computing News | Computing Center Home Page