Partager via


Hijacking

I don’t know about you but as to the vast majority of my family and friends I “do something with computers” I get called upon to explain / fix / update all sorts of device, hardware, software and applications. Whilst this can be good for the ego and does give an interesting insight into how consumers use PC’s it can suck up an inordinate amount of time and so I try to avoid it or at least only fix common issues.

Just recently I have been asked to look at a number of people’s PC’s where they were getting homepage popups or the homepage was being redirected and I found some very scary things going on. Looking into these systems they were all running large amounts of adware / spyware / malware / hijacking programs, in the worst cases thousands of them. These normally didn’t do much damage other than snooping on peoples activities and slowing the system down (dramatically in some cases). The latest Homepage Hijacking programs however are really annoying because they always redirect the homepage and the search to some strange URL. The worst of these programs are incredibly sophisticated too; they spoof their URL with an innocent URL, encrypt their own URL so you cannot find it, update the start, homepage and search fields in the registry and then load a program which runs continuously updating the registry entry’s before locking the user out of the registry. It took me the best part of a day to unscramble that lot!

Anyway the lesson I learnt was to run a spyware / adware checking program and delete all adware and in the case of hijacking programs to use an anti hijack program. The sophistication of some of the highjack programs was such that the anti hijack programs which were suitable for end users did not get rid of the worst hijackers and I had to use registry editors such as Hijackthis which I would not recommend for untrained use.

The bottom line is that these Hijack programs are very annoying to the users and very difficult to get rid of. I cannot believe that they are legal, after all is someone came uninvited into your house without your knowledge and turned the place over leaving hours of work to clean things up I am sure that you could sue them.

The answer clearly is to make sure that the programs don’t get loaded in the first place. Windows XP SP2 (which I am running on my machine) has a considerable amount of support for popup and spyware blocking. I haven’t managed to test it with the really virulent hijacking programs because I am not sure where they came from so cannot try to reload them from an XP SP2 system. That’s how smart these things are.

So what have your experience of Hijacking been and have you any good tips? Does XP SP2 fix the problem or are you finding hijacking getting through? Finally is there anything going on to sue these hijackers? I would certainly join any lawsuit; they are one of the most unpleasant viruses I have come across in a long time.

Comments

  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    IMO they aren't legal against the Computer Misuse Act, since they're making unauthorized changes to the computer. But I am not a lawyer.

    However, the EULA for the software that installed them may have actually included terms which explained what they were going to do - but who reads an EULA that takes up five or six screenfuls of text? Who knows what I agreed to in some of those licenses.
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    Another alternative may be to use Mozilla Firefox.
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    The "spyware 2.0" article says the anti-spyware mess their software called "web driver". Well having never heard of that particular software before, I must admit that such name sounds spy-ware like, so I guess some user had suspected it's cause of his/her problems and submitted it as being spy-ware even when it's not.
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    I believe XP SP2 will have a large impact on spyware launched via ActiveX.

    Unfortunately, I've seen a significant rise in the amount of spyware/adware delivered in actual programs (e.g., Kazaa).

    For ActiveX- and toolbar-based spyware, I plan to use SP2's AllowLists for further protection.

    Example:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExt]
    "ManagementMode"=dword:00000001

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExtAllowList]

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExtAllowList{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    @="Acrobat Reader"

    [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExtAllowList{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    @="Windows Media Player"

    ...

    The keys may be placed under HKCU or HKLM and utilize the extension's CLSID. AllowLists are similar to <a href="http://www.javacoolsoftware.com/spywareblaster.html">Spyware Blaster's</a> method, but function for every Internet Explorer add on.

    I have a collection of roughly fifty common ActiveX/Toolbar/Other extensions so far; any unapproved extensions will be disabled even if installed.
  • Anonymous
    May 14, 2004
    The comment has been removed
  • Anonymous
    May 14, 2004
    "Until it becomes perfect, I won't run SP2 but it also sounds like SP2 won't fix the original problem: Spyware installing itself through IE without any warning. There will be ways to 'turn off' activeX based on company but how will you find out which company is producing the spyware application?"

    The majority of spyware is installed due to endless and/or auto prompting by websites. SP2 forces the user to click the "Information Bar" to allow the website to prompt the user for both non-user initiated downloads and ActiveX controls.

    XP SP2 adds the following protection to Internet Explorer:
    1.) Information Bar
    2.) One control prompt per control per page (after the user's request)
    3.) AllowLists/DenyLists
    4.) Add-on management
    5.) Window restrictions
    6.) Improved MIME handling
    7.) And so on

    ...

    Anywho, it appears my link to SpywareBlaster is broken. SpywareBlaster populates Internet Explorer's ActiveX compatibility flag, disabling and rejecting any controls in the list.

    SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
  • Anonymous
    May 17, 2004
    The comment has been removed
  • Anonymous
    May 18, 2004
    It's amazing how many friend's PC's Ive had to disinfect lately

    A handy tool that I recommended to all my friends to bring them up to date is the Windows Security Update CD. It is basically a local version of windows update and will turn on ICF, configure automatic updates and install SP1 and SP1 Rollup. It also includes a free copy of Computer Associates EZ Armor (AV and Firewall)

    For spyware/adware/malware removal, Adaware does the trick for me every time.