Browser hijacking

From Wikipedia, the free encyclopedia

Browser hijacking is the modification of a web browser's settings. The term "hijacking" is used as the changes are performed without the user's permission. A browser hijacker may replace the existing home page, error page, or search page with its own.[1] These are generally used to force hits to a particular website, increasing its advertising revenue.

Some browser hijacking can be easily reversed, while other instances may be difficult to reverse. Various software packages exist to prevent such modification.

Examples of hijackers

Onewebsearch

Onewebsearch, referred to as the onewebsearch virus, or onewebsearch.com redirection virus is malware, categorized as a browser hijacker. Onewebsearch utilizes browser hijackers and black-hat techniques to infect a computer system and attach add-ons, extensions, and toolbars to popular internet browsers without permission, which in turn causes internet browsers like Chrome, Firefox, and Internet Explorer to redirect to onewebsearch.com, search.onewebsearch.com, home.onewebsearch.com, start.onewebsearch.com, related web pages, and third party domain names.

Conduit Search

Conduit toolbars have been identified as Potentially Unwanted Programs by Malwarebytes[2] and are typically bundled with other free downloads.[3][4] The toolbars modify the browser default search engine, homepage, and several other browser settings.[5]

Conduit commits cyber crime, invades privacy, and this is generally their "dark" past, associated with malware and spyware.

Victims of unwanted redirections to conduit.com have also reported that they have received numerous dangerous spam emails, containing Trojan horses, and telephone calls from unethical callers claiming to be legitimate businesses such as Microsoft or the ISP. Some victims claim that personal information was used in the phone calls, and that some of the calls concerned their browsing habits and recent browsing history. Personal information used in phishing attempts may be associated with additional spyware.[6]

CoolWebSearch

CoolWebSearch (CWS) was one of the first browser hijackers. It redirected the existing home page to the rogue CWS search engine, with its results as sponsored links. With most antivirus and antispyware programs unable to properly remove this particular hijacker, a man named Merijn Bellekom developed a special tool called CWShredder specifically to remove this kind of hijacker. CoolWebSearch is a popular browser hijacker and is owned by fun web products.

Delta Search and Claro Search

Delta and Claro are programs that each offer a free search engine and toolbar often bundled with free downloads. These browser hijackers will redirect all searches to their own engines, to gain revenue. Automated tools are able to remove Delta, Claro, and their files, but the changes to the homepage and default search engine have to be reverted manually.

Search-daily.com

Search-daily.com is a hijacker that may be downloaded by the Zlob trojan. It redirects the user's searches to pornography sites. It is also known to slow down computer performance.[7]

MyStart.IncrediBar Search

MyStart.Incredibar Search is a computer virus, browser hijacker, and spyware that often comes embedded with many download applications and installers such as HyperCam. It is known to install itself into the following browsers: Firefox, Internet Explorer, Safari, and Google Chrome.[8] Upon installation, it begins to alter browser configuration settings and collect sensitive user information such as full name, telephone number, and home address.

Removing Incredibar can be an extremely daunting task since there are countless variations and most infected systems can expect to find undesirable Windows registry changes, browser configuration changes, and files with nothing but seemingly random strings that are installed into the user's local settings folders and depending on the user's operating system, its version, and even computer the location will vary from one PC to the next. In one version of Incredibar it appears to be a removable add-on, extension, plug-in, or BHO within web browsers; however, simply removing Incredibar via the inbuilt browser add-on removal process is not enough since the program has already combined registry and file installs of which re-installs itself upon a system reboot.

A few virus and spyware removal applications such as Webroot Spysweeper, Eset NOD32, AdwCleaner, and Junkware Removal Tool are known to remove Mystart.Incredibar Search, but using these applications to do so will not revert the user to their default search engine.

Nation Zoom

Nation Zoom is a browser hijacker that changes your home page to Nationzoom.com and default search provider to Search.yahoo.com.[9]

Babylon Toolbar

Babylon's translation software prompts to add the Babylon Toolbar, identified as a browser hijacker. The toolbar also comes bundled as an add-on with other software downloads.[10]

In 2011, the Cnet site Download.com started bundling the Babylon Toolbar with open-source packages such as Nmap. Gordon Lyon, the developer of Nmap, vented his anger online over the way the toolbar was tricked on users.[11] The vice-president of Download.com, Sean Murphy, released an apology: The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.[12]

Qone8.com

Start.qone8.com is a browser hijacker that alters a browser's homepage and default search engine. It can also slow down the victim's PC and prevent many programs from running.

qvo6.com

qvo6.com is a browser hijacker which changes the browser homepage, and also runs strings to slow down the victim's PC. It can be difficult to remove manually, or with Internet tools.[13]

Mixi.DJ

Mixi.DJ offers a media player, but also a free toolbar and Conduit-based search engine, the toolbar being the one which they will prompt to add during installation. The toolbar is a new hijacker that alters a browser's homepage. It also adds itself to the computer's registry, creates strings in the memory, and changes the icon on Internet Explorer to a magnifying glass.

Snap.do

Snap.do (Smartbar developed by Resoft) is potential malware, categorized as a browser hijacker, that causes internet browsers to redirect to the snap.do search engine. Even (un)intentionally visiting Snap.do and Search.snap.do can lead to malicious drive-by downloads without consent. These downloads include multiple and malicious internet browser add-ons, extensions, and toolbars (provided by Conduit malware) like DVDVideoSoftTB (toolbar), General Crawler (malware add-on and auto-reinstalling backdoor) and Save Valet (adware). Snap.Do can be manually downloaded from the Resoft website, though it can be concluded that Snap.Do entraps their users to unethical terms, and without user consent. Like Mixi.DJ, it can also change the icons on some browsers, like Firefox and Internet Explorer, to a magnifying glass.[14]

Resoft will track the following information (from snap.do/snapdo.com's privacy policy,[15] copied, pasted, with edits):

1. The Internet domain and IP address from which you access the Resoft Products. (Your location, ID, etc.)

2. Screen resolution of your computer monitor (display).

3. The date and time you intentionally or unintentionally accessed Resoft products.

4. The page you are visiting with the Resoft Products (with or without knowledge of using Resoft products, Snap.do)

5. If you willingly or unwillingly linked to a Resoft website from another referring website, the address of that website.

  • By using the Resoft Products, you are consenting to have your personal data transferred to and processed both within and without the United States of America.
  • By using the Resoft website, you agree to the preceding uses of your information in this way by Resoft.

Searchnu.com

Searchnu.com domain and the domain search-results.com belong to the IAC Search & Media, Inc. This company is known by the name Ask Jeeves Inc. It has a lot of popular domains on the web and the most famous of them is Ask.com. When something is searched in the Searchnu search engine, the search results will redirect to Ask.com. The user can still access Google by searching for it, but Searchnu is still the homepage. Searchnu has 3 "clones" which are Searchnu.com/406, Searchnu.com/409 and Searchnu.com/421. However, removing Searchnu is easy following instructions.

Searchgol.com

Searchgol.com (can also be found as Search-Gol) is annoying search engine, which may show up on the infected computer instead of the user's default search engine. The cause of it getting onto the homepage is unknown, and it is known for downloading malware onto the computer. It replaces the default homepage for no reason and without the user's permission. Numerous antivirus websites and blogs say that searchgol is a virus, but it is a potentially unwanted program (PUP) because it sneaks inside the system in a bundle with other programs and initiates some changes on the system without the user's permission. Removing searchgol is not that easy, as the victim must perform a browser restore, before removing programs related or downloaded by the browser hijacker.

Removal

Most new hijackers will not allow a user to change back to their home page through Internet Properties. Modern hijackers' settings will most likely return upon reboot, however, well-updated antispyware software will likely remove the hijacker. Some spyware scanners have a browser page restore function to set the user's homepage back to normal or alert them when their browser page has been changed. Manual removal is also a good choice to give the user a good understanding of what to do while reverting all changes.

Rogue security software

Some rogue security software will also hijack the start page generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead to an anti-spyware vendor's page. The start page will return to normal settings once the user buys their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to the website.

Beginning features confused with browser hijackers

EarthLink

In 2006, EarthLink started redirecting mistyped domain names over to a search page. This was done by interpreting the error code NXDOMAIN at the server level. The announcement led to much negative feedback, and EarthLink offered services without this feature.[16]

See also

References

  1. "Browser Hijacking Fix & Browser Hijacking Removal". Microsoft. Retrieved 23 October 2012. 
  2. "PUP.Optional.Conduit removal instructions". Malware Removal Guides. 2013-08-07. Retrieved 2013-10-12. 
  3. "Bundle Your Software with a Custom Toolbar & Start Making Money". Conduit Ltd. 2013. Retrieved 2013-10-12. 
  4. "Download me II—Removing the remnants of the Web’s most dangerous search terms". Ars Technica. 2013-08-25. Retrieved 2013-10-12. 
  5. "So long, uTorrent". First Arkansas News. 2010-12-15. Retrieved 2011-08-11. 
  6. Remove Conduit search
  7. "Browser Hijacker". MySearchCorp. Retrieved 3 July 2012. 
  8. "How To Remove The MyStart By Incredibar Browser Search Redirection Virus (Search.Incredibar.com)". Botcrawl.com=10 July 2012. 
  9. Wilson, Remove-PCvirus. "Remove Nation Zoom". remove-pcvirus.com. Retrieved 13 January 2014. 
  10. Getting rid of Babylon Jay Lee, The Houston Chronicle, July 25, 2012
  11. Download.com sorry for bundling Nmap with crapware The Register December 9, 2011
  12. A note from Sean regarding the Download.com Installer Download.com December 7, 2011
  13. Kiguolis, Ugnius. "Remove Qvo6". 2-spyware.com. Retrieved 8 August 2013. 
  14. "The firefox icon on desktop and taskbar has changed, how do I change it back." BlueWren 31 October 2013
  15. Remove Snap.do Virus. Botcrawl January 2, 2014
  16. Mook, Nate (2006-09-06). "EarthLink Criticized for DNS Redirects". betaNews. Retrieved 9 May 2012. 

External links

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.