Browser hijacking

Last updated

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. [1] These are generally used to force hits to a particular website, increasing its advertising revenue.

Contents

Some browser hijackers also contain spyware, for example, some install a software keylogger to gather information such as banking and e-mail authentication details. Some browser hijackers can also damage the registry on Windows systems, often permanently.

While some browser hijacking can be easily reversed, other instances may be difficult to reverse. Various software packages exist to prevent such modification.

Many browser hijacking programs are included in software bundles that the user did not choose and are included as "offers" in the installer for another program, often included with no uninstall instructions, or documentation on what they do, and are presented in a way that is designed to be confusing for the average user, to trick them into installing unwanted extra software. [2] [3] [4] [5]

There are several methods that browser hijackers use to gain entry to an operating system. Email attachments and files downloaded through suspicious websites and torrents are common tactics that browser hijackers use. [ citation needed ]

Security

Rogue security software

Some rogue security software will also hijack the start page, generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead to an antispyware vendor's page. The start page will return to normal settings once the user buys their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to another website.

Non-existent domain pages

The Domain Name System is queried when a user types in the name of a website (e.g., wikipedia.org) and the DNS returns the IP address of the website if it exists. If a user mistypes the name of a website then the DNS will return a Non-Existent Domain (NXDOMAIN) response.

In 2006, EarthLink started redirecting mistyped domain names over to a search page. This was done by interpreting the error code NXDOMAIN at the server level. The announcement led to much negative feedback, and EarthLink offered services without this feature. [6]

Operation

Unwanted programs often include no sign that they are installed, and no uninstall or opt-out instructions. [2]

Most hijacking programs constantly change the settings of browsers, meaning that user choices in their own browser are overwritten. Some antivirus software identifies browser hijacking software as malicious software and can remove it. Some spyware scanning programs have a browser restore function to set the user's browser settings back to normal or alert them when their browser page has been changed.

Avoidance

As of Microsoft Windows 10, web browsers can no longer set themselves as a user's default without further intervention; changing the default web browser must be performed manually by the user from Settings' "Default apps" page, ostensibly to prevent browser hijacking. [7]

Examples of hijackers

A number of hijackers change the browser homepage, display adverts, and/or set the default search engine; these include Astromenda (www.astromenda.com); [8] [9] [10] Ask Toolbar (ask.com); ESurf (esurf.biz) Binkiland (binkiland.com); Delta and Claro; Dregol; [11] Jamenize; Mindspark; Groovorio; Sweet Page; Mazy Search; Search Protect by Conduit along with search.conduit.com and variants; Tuvaro; Spigot; en.4yendex.com; Yahoo; etc.

Babylon Toolbar

Babylon Toolbar is a browser hijacker that will change the browser homepage and set the default search engine to isearch.babylon.com. It is also a form of adware. It displays advertisements, sponsored links, and spurious paid search results. The program will collect search terms from your search queries.

Babylon's translation software prompts to add the Babylon Toolbar on installation. The toolbar also comes bundled as an add-on with other software downloads. [12]

In 2011, the CNet site Download.com started bundling the Babylon Toolbar with open-source packages such as Nmap. Gordon Lyon, the developer of Nmap, was upset over the way users of his software were tricked into using the toolbar. [13] The vice-president of Download.com, Sean Murphy, released an apology: The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. [14]

Similar variants of the Babylon toolbar and search homepage exist including: Bueno Search, Delta Search, Claro Search, and Search GOL. All of these variants state to be owned by Babylon in the terms of service.

All of the toolbars were created by Montiera. [15]

Conduit (Search Protect)

Conduit is a PUP / hijacker. It steals personal and confidential information from the user and transfers it to a third party. This toolbar has been identified as Potentially Unwanted Programs (PUPs) by Malwarebytes [16] and is typically bundled with free downloads. [17] [18] These toolbars modify the browser's default search engine, homepage, new tab page, and several other browser settings. There are similar variants of conduit search such as trovi.com, trovigo.com, better-search.net, seekforsearch.com, searchitdown.com, need4search.com, clearsearches.com, search-armor.com, searchthatup.com, premiumsearchweb.com, along with other variants which were created in a customized way for the toolbar creation service Conduit Ltd used to offer.[ citation needed ]

A program called "Conduit Search Protect", better known as "Search Protect by conduit", can cause severe system errors upon uninstallation. It claims to protect browser settings but actually blocks all attempts to manipulate a browser through the settings page; in other words, it makes sure the malicious settings remain unchanged. Search Protect has an option to change the search homepage from the "recommended" search home page Trovi, however, users have reported it changing back to Trovi after a period of time.[ citation needed ] The uninstall program for Search Protect can cause Windows to be unbootable because the uninstall file not only removes its own files, but also all the boot files in the root of the C: drive.[ citation needed ] and leaves a BackGroundContainer.dll file in the start-up registry. [19] Conduit is associated with malware, spyware, and adware, as victims of this hijacker have reported unwanted pop-ups and embedded in-text advertisements, on sites without ads.

Perion Network Ltd. acquired Conduit's ClientConnect business in early January 2014, [20] and later partnered with Lenovo to create Lenovo Browser Guard, [21] which uses components of Search Protect.

Victims of unwanted redirections to conduit.com have also reported that they have been attacked by phishing attempts and have received unwanted email spam, junk mail, other messages, and telephone calls from telemarketers. Some victims claim that the callers claimed to be Apple, Microsoft, or their ISP, and are told that personal information was used in some phone calls, and that some of the calls concerned their browsing habits and recent browsing history. Personal information used in phishing attempts may be associated with spyware. [22]

istartsurf.com

The browser hijacker istartsurf.com may replace the preferred search tools. This infection travels bundled with third-party applications and its installation may be silent. Due to this, affected users are not aware that the hijacker has infected their Internet Explorer, Google Chrome or Mozilla Firefox browsers. [23]

Search-daily.com

Search-daily.com is a hijacker that may be downloaded by the Zlob trojan. It redirects the user's searches to pornography sites. It is also known to slow down computer performance. [24]

Snap.do

Snap.do (Smartbar developed by Resoft) is potential malware, categorized as a browser hijacker and spyware, that causes Internet browsers to redirect to the snap.do search engine. Snap.Do can be manually downloaded from the Resoft website, though many users are entrapped by their unethical terms. It affects Windows and can be removed through the Add/Remove program menu. Snap.Do also can download many malicious toolbars, add-ons, and plug-ins like DVDVideoSoftTB, General Crawler, and Save Valet.

General Crawler, installed by Snap.do, has been known to use a backdoor process because it re-installs and re-enables itself every time an affected user removes it through their browser(s).

Snap.do will disable the option to change your homepage and default search engine.

Resoft will track the following information:

By using the Resoft Products, the user consents to have their personal data transferred to and processed both within and outside of the United States of America.

By using the Resoft website, the user agrees to the preceding uses of their information in this way by Resoft. [25]

SourceForge Installer

A previous installer of SourceForge included adware and PUP installers. [26]

One particular one changes the browser settings of Firefox, Chrome and Internet Explorer to show the website "istartsurf.com" as the homepage. It does so by changing registry settings and installing software which resets the settings if the user tries to change them.

On June 1, 2015, SourceForge claimed that they stopped coupling "third party offers" with unmaintained SourceForge projects. [27]

Vosteran

Vosteran is a browser hijacker that changes a browser's home page and default search provider to vosteran.com. This infection is essentially bundled with other third-party applications. The identity of Vosteran is protected by privacyprotect.org from Australia. Vosteran is registered through Whiteknight. [28]

Trovi

It can be found when installing "Cheat Engine" or a different version of "VLC Player" on www.oldapps.com, or when downloading applications from certain freeware sites, such as Softonic.com or Download.com.

Trovi uses Bing (a legitimate search engine) to provide results to the user. Although the address bar changes to Bing.com when showing search results, search keywords are executed through Trovi regardless. Trovi formerly used its own website to show search results with the logo at the top left hand corner of the page but later switched to Bing in attempt to fool users more easily. Trovi is not as deadly as before with taking the ads out of the search results depending on what browser is being used, but is still considered a browser hijacker.

It also controls the homepage and new tab page settings to prohibit the ability to change them back to the original settings. Depending on whatever browser is being used, ads may appear on the page.

When it infects, it makes a browser redirect from Google and some other search engines to trovi.com. [29]

Trovi was created using the Conduit toolbar creation service and has known to infect in similar ways to the Conduit toolbar.

Related Research Articles

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

CoolWebSearch is a spyware or virus program that installs itself on Microsoft Windows based computers. It first appeared in May 2003.

<span class="mw-page-title-main">Browser Helper Object</span> Plug-in module for Internet Explorer

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

<span class="mw-page-title-main">AVG AntiVirus</span> Antivirus computer program

AVG AntiVirus is a line of antivirus software developed by AVG Technologies, a subsidiary of Avast, a part of Gen Digital. It is available for Windows, macOS and Android.

PDFCreator is an application for converting documents into Portable Document Format (PDF) format on Microsoft Windows operating systems. It works by creating a virtual printer that prints to PDF files, and thereby allows practically any application to create PDF files by choosing to print from within the application and then printing to the PDFCreator printer.

<span class="mw-page-title-main">Zango (company)</span>

Zango,, formerly ePIPO, 180solutions and Hotbar, was a software company that provided users access to its partners' videos, games, tools and utilities in exchange for viewing targeted advertising placed on their computers. Zango software is listed as adware by Symantec, and is also labeled as a potentially unwanted program by McAfee. Zango was co-founded by two brothers: Keith Smith, who served as the CEO; and Ken Smith, who served as the CTO.

Christopher Boyd, also known by his online pseudonym Paperghost, is a computer security researcher.

A browser toolbar is a toolbar that resides within a browser's window. All major web browsers provide support to browser toolbar development as a way to extend the browser's GUI and functionality. Browser toolbars are considered to be a particular kind of browser extensions that present a toolbar. Browser toolbars are specific to each browser, which means that a toolbar working on a browser does not work on another one. All browser toolbars must be installed in the corresponding browser before they can be used and require updates when new versions are released.

<span class="mw-page-title-main">Babylon (software)</span> Computer dictionary and translation program

Babylon is a computer dictionary and translation program developed by the Israeli company Babylon Software Ltd. based in the city of Or Yehuda. The company was established in 1997 by the Israeli entrepreneur Amnon Ovadia. Its IPO took place ten years later. It is considered a part of Israel's Download Valley, a cluster of software companies monetizing "free" software downloads through adware. Babylon includes in-house proprietary dictionaries, as well as community-created dictionaries and glossaries. It is a tool used for translation and conversion of currencies, measurements and time, and for obtaining other contextual information. The program also uses a text-to-speech agent, so users hear the proper pronunciation of words and text. Babylon has developed 36 English-based proprietary dictionaries in 21 languages. In 2008–2009, Babylon reported earnings of 50 million NIS through its collaboration with Google.

<span class="mw-page-title-main">Yahoo! Toolbar</span>

Yahoo! Toolbar is a browser plugin. It is available for Internet Explorer, Firefox and Google Chrome browsers.

<span class="mw-page-title-main">Genieo</span> Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

Freemake Video Downloader is a crippleware download manager for Microsoft Windows, developed by Ellora Assets Corporation. It is proprietary software that can download online video and audio. Both HTTP and HTTPS protocols are supported. Users must purchase a premium upgrade to remove Freemake branding on videos and unlock the ability to download media longer than 3 minutes in length.

The Conduit toolbar was an online platform that allowed web publishers to create custom toolbars, web apps, and mobile apps at no cost. It was developed by Conduit Inc. but demerged to Perion Network. Conduit had approximately 260,000 registered publishers who have collectively created content downloaded by more than 250 million end users. Web apps and pieces of content developed through Conduit's platform can be distributed and exchanged online via the Conduit App Marketplace. As of 2010, 60 million users consumed apps from the marketplace on a daily basis.

Mindspark Interactive Network, Inc. was an operating business unit of IAC known for the development and marketing of entertainment and personal computing software, as well as mobile application development. Mindspark's mobile division acquired iOS application developer Apalon in 2014, which was known for popular entertainment applications such as Weather Live, Emoji Keypad, and Calculator Pro.

<span class="mw-page-title-main">Torch (web browser)</span> Proprietary, adware supported web browser

Torch was a Chromium-based web browser and Internet suite developed by the North Carolina–based Torch Media. As of November 2022, downloads for Torch are no longer available, and upon clicking the download button, users are redirected to the Torch Search extension on the Chrome Web Store.

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize shareware and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

Conduit Ltd. is an international software company. From its founding in 2005 to 2013, its most well-known product was the Conduit toolbar, which was widely-described as malware. In 2013, it spun off its toolbar business; today, its main product is a mobile development platform that allows users to create native and web mobile applications for smartphones.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

WiperSoft is an anti-spyware program developed by Wiper Software. It is designed to help users protect their computers from such threats as adware, browser hijackers, worms, potentially unwanted programs (PUPs), trojans, and viruses. Currently available only for Microsoft Windows.

References

  1. "Browser Hijacking Fix & Browser Hijacking Removal". Microsoft . Archived from the original on 7 February 2015. Retrieved 23 October 2012.
  2. 1 2 "Malwarebytes Potentially Unwanted Program Criteria". Malwarebytes. Archived from the original on 2016-04-09. Retrieved 2015-08-07.
  3. "Rating the best anti-malware solutions". Arstechnica. 2009-12-15. Archived from the original on 2014-02-02. Retrieved 28 January 2014.
  4. "Threat Encyclopedia – Generic Grayware". Trend Micro. Archived from the original on 14 July 2014. Retrieved 27 November 2012.
  5. "PUP Criteria". Malwarebytes. Archived from the original on 2016-04-09. Retrieved 2019-01-06.
  6. Mook, Nate (2006-09-06). "EarthLink Criticized for DNS Redirects". betaNews. Archived from the original on 2012-05-01. Retrieved 9 May 2012.
  7. "Mozilla blasts Microsoft for making it harder to switch to Firefox in Windows 10". The Verge. Vox Media. 2015-07-30. Archived from the original on 2015-07-31. Retrieved October 18, 2015.
  8. "PUA.Astromenda". Symantec . Archived from the original on 2015-09-08. Retrieved 2015-08-24.
  9. "How to Remove Astromenda Search From Your Browser". Lavasoft. Archived from the original on 2015-09-05. Retrieved 2015-08-24.
  10. "Remove Astromenda, Buzzdock and Extended Update toolbar from your browser". norton.com. Archived from the original on 2015-09-25. Retrieved 2015-08-24.
  11. "Dregol Search Removal | Removal Guide". Archived from the original on 2021-04-10. Retrieved 2016-03-22.
  12. Getting rid of Babylon Archived 2012-10-26 at the Wayback Machine Jay Lee, The Houston Chronicle, July 25, 2012
  13. Leyden, John. "Download.com sorry for bundling Nmap with crapware". www.theregister.com. Archived from the original on 2023-01-11. Retrieved 2023-01-11.
  14. A note from Sean regarding the Download.com Installer Archived 2012-07-27 at the Wayback Machine Download.com December 7, 2011
  15. "Montiera". montiera.com. Archived from the original on 3 December 2016. Retrieved 13 January 2022.
  16. "How to remove Search Protect by Conduit Ltd". Lavasoft. 2013-06-01. Archived from the original on 2014-09-10. Retrieved 2013-10-12.
  17. "Bundle Your Software with a Custom Toolbar & Start Making Money". Conduit Ltd. 2013. Archived from the original on 2014-03-31. Retrieved 2013-10-12.
  18. "Download me II—Removing the remnants of the Web's most dangerous search terms". Ars Technica . 2013-08-25. Archived from the original on 2013-10-01. Retrieved 2013-10-12.
  19. "Fixing BackgroundContainer.dll Left Over by Conduit Ltd". appuals. Archived from the original on 26 March 2015. Retrieved 20 March 2015.
  20. "Perion Completes Acquisition of Conduit's ClientConnect Creating a Leading Provider of Digital Solutions for Publishers" (Press release). Tel Aviv, Israel; San Francisco. Business Wire. 2014-01-02. Archived from the original on 2015-06-13. Retrieved 2015-06-07.
  21. "Perion Partners with Lenovo to Create Lenovo Browser Guard" (Press release). Tel Aviv, Israel; San Francisco. Business Wire. 2014-06-18. Archived from the original on 2015-07-04. Retrieved 2015-06-07.
  22. "How To Remove Search Protect By Conduit Ltd". Lavasoft. Archived from the original on 2 December 2014. Retrieved 3 December 2014.
  23. "Remove istartsurf". support.kaspersky.com. Kaspersky Lab. Archived from the original on 30 September 2013. Retrieved 24 June 2010.
  24. "Browser Hijacker". nodsrv. 31 July 2023.
  25. "How To Remove Snap.Do Browser Hijacker". Lavasoft. Archived from the original on 8 August 2014. Retrieved 4 August 2014.
  26. "istartsurf.com - browser hijacking - startup page on all browsers | Endpoint SWAT: Protect the Endpoint Community". community.broadcom.com. Archived from the original on 2023-01-11. Retrieved 2023-01-11.
  27. "Third party offers will be presented with Opt-In projects only - SourceForge Community Blog". SourceForge Community Blog. 2015-06-01. Archived from the original on 2018-08-11. Retrieved 2018-08-16.
  28. "Remove Vosteran". How To Remove. 2014-11-25. Archived from the original on 2015-02-13. Retrieved 25 November 2014.
  29. "How To Remove Trovi.com & Trovi Search From Mac Or Windows". 2018-09-07. Archived from the original on 2022-12-05. Retrieved 2023-01-11.