Slashdot Mirror


New Tricks from Browser Hijackers?

Fortunato_NC asks: "I'm the IT manager for a small business that delivers its service via a browser-based application, and we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible, which is odd, since we don't have any advertising on our website. Of course, it's spyware causing the pop-ups, and we recommend using a product like Ad-aware to take care of the issue. However, not everyone gets the message. Today I was on a client's computer using WebEx helping them remove yet another 'browser helper'. The uninstaller for this program consisted of running no fewer than four separate programs, each of which forced closed the Internet Explorer windows, killing the WebEx session, and making it very difficult to service an already upset client ('What do you mean I have to join the meeting AGAIN?'). It seems as if this product anticipated the need to have someone remotely help the user remove it and went out of its way to make that task nearly impossible. Has anyone else on Slashdot encountered spyware or malware specifically designed to make life miserable for *remote* support techs? What other nasty tactics are spyware authors using that you've noticed?"

7 of 104 comments

  1. nasty stuff by returnoftheyeti · · Score: 5, Interesting

    I've seen Windows rebooting as soon as any user logs in (even safe mode). I've seen the media player exploit and Media Player added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that the adware reinstalls itself even after running AdAware. I've seen a giant, full-screen Active Desktop ad advertising spyware removal; it even covers the taskbar. I've seen files that can't be deleted from the command line in the recovery console. Windows is the most insecure thing I've ever seen. What I want to know is if someone smarter than me can make a Knoppix-like disk that will read NTFS, run Adaware, CW Shredder, and an online scan like housecall.trendmicro.com and fix all the problems. Barts PE works OK for the purpose, but Knoppix is faster and more flexible.

    1. Re:nasty stuff by daviddennis · · Score: 2, Interesting

      I still remember the particularly nasty spyware program that redirected searches to ZestyFind.com. When you go to Google and type in a search phrase, the software automatically pulls up a ZestyFind search window and does your search there.

      I couldn't resist trying it out. I visited it using Safari on my Macintosh and typed in a bunch of queries. Needless to say, the results were pathetic. My conclusion was that it was the most useless search engine in the world.

      As I remember, the removal instructions for the program were something like ten pages long. I managed to do it but it was horrible.

      Mozilla's looking pretty good about now. I managed to outsource that part of my job, thank goodness, but I will be talking to the outsource firm about that when I next see them.

      D

  2. Re:remote shremote by Idealius · · Score: 2, Interesting

    Our tech support firm uses a variant of VNC and we've had no problems with our connections being disrupted by spyware/malware.

    However, our Diagnostic software does use an IE-shell so oftentimes it doesn't work. I've been bugging our developers/superiors to change this for years now but they don't seem to get the picture so I can see where this guy is coming from.

    Anyway, try to get them to switch to a variant of VNC, better if it is provided by a firm so they work out all of the details making it SUPER-easy for customers to connect. If your company refuses to change here's what you do: Per-customer ask your superior if you can see if VNC will get the job done where WebEx fails. Enough times of that and the point should get across.

  3. Sounds nice but wouldn't work by SmallFurryCreature · · Score: 4, Interesting

    He is very shy mentioning his business, so let's presume it is not something big like a bank asking this. Just a tiny webshop trying to survive. Sure, they could be courageous and suggest people install a real web browser instead of the bug collection known as IE, but very few people are brave. It would be like a shop deciding to charge for parking (no return of parking fee with a purchase in the shop) and tell people to take the bus instead.

    Making sure your web application works in most browsers is of course sound advice but requires you to hire programmers and designers who know their business. You would be surprised to learn how many sites are set up by some FrontPage kiddie. Or worse, ASP kiddie. Ugh. They wouldn't know about cross-browser capabilities if you hit them with the IE open-bug log.

    And they would be spending all their time telling their client that IE is the default browser and that coding for the others is not worthwhile, because if they don't they are out of a job. As to the market share of Mozilla and others: supermarkets in Holland are involved in a prize fight over 0.1% market shares. Denying browsers other than certain IE versions is like turning away full percentages of customers at the door. Doesn't make sense, does it, to fight for fractions and then refuse them entry?

    Frankly there is no solution, if this tech manager has made sure that his web page can be accessed in every browser (if he hasn't he is beyond help anyway). He can't force his clients to switch browser (clients with a clue will have switched by now and no business can survive turning away the clueless braindead zombies that are still on IE), he can't stop spyware, he can't ask his clients to install something like vnc (or ensure that vnc isn't killed by spyware). He is screwed. Maybe he should sue MS for putting him out of business and costing jobs. Closed source IE costing jobs. Oh well, it made me laugh.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  4. Referrer Log Spamming? by xmas2003 · · Score: 2, Interesting

    While I don't have any direct evidence of browser hijacking causing this (yet), it would not surprise me if the scumbags of the world are using this approach. In brief, referrer log spamming is causing the spammer's site (typically an adult/porn one) to be listed as the referrer (via HTTP_REFERRER) with the hope that the target web site will publish their web logs and the spammer will benefit with a link and/or more traffic - read more about referrer log spamming here. And these guys are smart enough to have "zombie" PCs do all the work for them, so some sort of browser malware would be one approach they would try.

    --
    Hulk SMASH Celiac Disease
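
The referrer log spamming described in the comment above leaves a recognizable shape in an access log: one external referrer host arriving from several unrelated client addresses that never load the page's own assets. The following is an added example, not part of the original thread; the log lines are constructed, and the host names, asset extensions and `min_ips` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|gif|jpg|ico)(\?|$)', re.I)

def suspect_referrers(lines, own_host, min_ips=3):
    """External referrer hosts sent by >= min_ips clients, none of which loaded an asset."""
    ips_by_host = defaultdict(set)  # referrer host -> client IPs that sent it
    asset_clients = set()           # clients that fetched at least one static asset
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that are not Combined Log Format
        if ASSET_RE.search(m['path']):
            asset_clients.add(m['ip'])
        try:
            host = (urlsplit(m['referer']).hostname or '').lower()
        except ValueError:
            continue                # malformed referrer URL
        if host and host != own_host:
            ips_by_host[host].add(m['ip'])
    # A browser that really followed a link goes on to fetch CSS/images;
    # a zombie that only plants a referrer in the log usually does not.
    return sorted(h for h, ips in ips_by_host.items()
                  if len(ips) >= min_ips and not (ips & asset_clients))

# Constructed sample: three clients plant the same referrer, one real visitor browses.
T = '[10/Oct/2004:13:55:36 -0700]'
SAMPLE = [
    f'203.0.113.5 - - {T} "GET / HTTP/1.0" 200 2326 "http://promo.invalid/" "Mozilla/4.0"',
    f'203.0.113.9 - - {T} "GET / HTTP/1.0" 200 2326 "http://promo.invalid/" "Mozilla/4.0"',
    f'198.51.100.7 - - {T} "GET / HTTP/1.0" 200 2326 "http://promo.invalid/" "Mozilla/4.0"',
    f'192.0.2.20 - - {T} "GET /index.html HTTP/1.1" 200 2326 "http://search.example/?q=x" "Mozilla/5.0"',
    f'192.0.2.20 - - {T} "GET /style.css HTTP/1.1" 200 512 "http://app.example/index.html" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print(suspect_referrers(SAMPLE, 'app.example'))
```

Hosts flagged this way are candidates for exclusion from any published statistics page, which removes the link the spammer is after.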

  5. Re:Bad client. No biscuit. by Fortunato_NC · · Score: 4, Interesting

    I'd love to let go of some of our customers, but the nature of our product is facilitating a data exchange between customers, so letting customers go would diminish the value of our product. Plus, the customers who are "trouble" are also the same ones who are likely to have data to report to us.

    We have a well developed set of internal procedures, but this particular piece of spy-crud was one we hadn't run across before. I do have a "field guide to American Spyware" that I distribute to all our sales reps and customer service folks, but some calls still end up back in the tech department. We'd rather be writing code than doing tech support, no doubt, but ultimately keeping the customers happy keeps our business growing - and it is growing - we've had record volume the last two months and are on pace to break records again this month.

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com

  6. Dealing with malware infected customers by jcasey · · Score: 2, Interesting

    Of course, it's spyware causing the pop-ups, and we recommend using a product like Ad-aware to take care of the issue

    Adaware and other canned products will usually work fine for well known problems. For the latest threats you need someone who is skilled enough to research these problems, hunt them down, etc...

    we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible

    If the client is having a client side problem with popup ads, then why not charge for your service or refuse to troubleshoot the problem? I assume of course that your web server has not been compromised.

    A few things to consider are:

    1. Is the end user using a "power user" or administrator account? If so I would suggest that they set up a regular local/domain user account - this account. The "power user" and administrator accounts give the end user the ability to modify the OS and registry big time. You really cannot blame the "evil empire" if people's PCs are getting hosed because they have administrative rights and are clicking on unsolicited links, OKing every popup window they see without reading them etc...

    2. Educate your customers about using the web securely - if needed, contact their IT dept and explain the problem.

    3. Most (Windows) people don't patch their machines - educate them about this - while the evil empire is usually slow in issuing patches, old patches are better than none at all.

    One last thing - Windows/IE is targeted by crapware writers because of its popularity - this is why you do not see anywhere near as many *nix/Mozilla infestations etc... Lately many sites have been advising people to dump IE and use Mozilla instead. If Mozilla grows in popularity as a result, expect to see malware targeted for this too.

    --
    X