I recently watched a local TV news report about the latest crop of browser hijack viruses, which are disguised as antivirus programs. For example, in the “Antivirus 2009” attack (Figure 1), a security alert pops up telling you that it’s running a scan, after which it gives you the bad news that your computer is infected with viruses and other malware. Figure 2 shows a more generic “Message from web page” attack, which notifies you that there are signs of viruses and malware on your computer. Some of these disguised programs try to get you to purchase a program that will remove the malware, whereas others tell you that you can download a free removal program. Either way, if you try to download the program, your machine will become infected with a single click. (Here is theTV news report about the browser hijack viruses.)
Figure 1: “Antivirus 2009” attack
Figure 2: Generic “Message from web page” attack
To thwart these attacks, the TV news report advises you to “close out the web browser immediately.” Anyone who has experienced this type of attack knows that you can’t close the browser by any
normal means. The only apparent exit strategy is to click something on the hijacked screen, such as a Cancel, Exit, or No Thanks button. When clicked, the machine becomes infected.
There are countless anti-malware products and how-to articles on the web that provide complicated disinfection procedures. However, there are two best-practice lines of defense as well as other solutions, including one easy procedure that I use.
On newer Windows OSs (e.g., Windows 7, Windows Vista), one best practice is to keep User Access Control (UAC) enabled. When it’s enabled, an attack program will trigger a UAC prompt because the program is trying to perform an operation that requires Administrator-level permissions. The user must be savvy enough to press the No button when presented with the UAC dialog box.
The other best practice is to not set the user account type to Administrator. With that said, some legacy line of business (LOB) software won’t run unless the user has administrative privileges. Similarly, some nonlegacy utilities require administrative privileges, such as backup software that uses Microsoft Volume Shadow Copy Service (VSS) snapshots.
In addition to these two best practices, there are other safe-browsing solutions, including antivirus software that lets you browse in “sandbox” sessions. (In these sessions, you lose OS functionality such as cut and paste.) Alternatively, you can do your browsing on a virtual machine (VM) that’s isolated from the Windows OS.
I use a technique that doesn’t require additional software and lets you keep the user account type set to Administrator. Suppose that you receive a warning message like that in Figure 2 on a computer running Windows 7. First and foremost, don’t click anything in the open browser window or open a new browser session. Instead, follow these steps:
1. Check the program icons in the taskbar (or tap the Tab key while holding down Alt) to see if there are additional bogus dialog boxes or forms being spawned by the initial unwanted browser hijack program. Figure 3 shows an additional Windows form that was an offspring of the “Message from web page” attack. You can’t see this form running on the main screen because it’s hidden underneath the Message from webpage dialog box.
Figure 3: Taskbar icon for the “Message from web page” attack
2. Click Ctrl+Alt+Delete to bring up Windows Task Manager.
3. On the Applications tab, find the Internet Explore (IE) application that reflects the URL you can see in the infected IE window’s address bar. Right-click the offending IE application and select Go To Process. You’ll be taken directly to the instance of IE that’s under attack in the Processes tab.
4. Click the End Process button.
Figure 4: Message indicating that the attack has been defeated
At this point, you’ll still see the remnants of the defeated attack in the Website restore error tab, as Figure 5 shows. You can close the tab because you’ve safely avoided the virus. Note that when the attack occurred, I had several other IE instances running in the same browser session. During this entire defensive maneuver, I never closed a single one, as you can see in Figure 5.
Figure 5: Remnants of the defeated attack in the Website restore error tab
Out of curiosity, I tried to induce another “Message from web page” attack. I opened a new IE session and typed in the base domain with the “www.” prefix. This time my antivirus product intercepted the attack. As this demonstrates, there’s no single antivirus product that catches all malware all the time. In this instance, I’m guessing that the antivirus product was able to detect the threat potential for one of the following reasons:
- It originated from a fresh IE session in a fresh IE instance (unlike the first attack, which originated from a search engine link).
- The browser redirect had been corrected by the search engine.
- The antivirus product had been updated since the original attack.
To verify that nothing crawled through during the original attack or during my attempt to intentionally induce the attack, I scanned the Temporary Internet Files folder. I also made sure that no strange services were running in Task Manager. In Services.msc, I once saw a service named something like XYZWW6CY after an attack on a PC. The service wasn’t started, but with a random name like that, I suspected it was up to no good and did some investigating. I ended up deleting its entry in the HKLM\SYSTEM\CurrentControlSet\services registry key.
While in Task Manager, I also rechecked the Processes tab. Plus, I ran the System Configuration Utility (msconfig.exe) and checked the utility’s Services and Startup tabs for unusual listings. Finally, I performed a quick scan with my antivirus program. I didn’t find anything suspicious during these checks, so I felt confident that the attack had been thwarted.
I hope the Task Manager–based procedure can help you avoid a browser hijack attack and the malware it delivers. This procedure is so easy that I’ve even trained children to do it.
