I recently watched a local TV news report about the latest crop of browser hijack viruses, which are disguised as antivirus programs. For example, in the “Antivirus 2009” attack (Figure 1), a security alert pops up telling you that it’s running a scan, after which it gives you the bad news that your computer is infected with viruses and other malware. Figure 2 shows a more generic “Message from web page” attack, which notifies you that there are signs of viruses and malware on your computer. Some of these disguised programs try to get you to purchase a program that will remove the malware, whereas others tell you that you can download a free removal program. Either way, if you try to download the program, your machine will become infected with a single click. (Here is the TV news report about the browser hijack viruses.)

Figure 1: “Antivirus 2009” attack

Figure 2: Generic “Message from web page” attack
To thwart these attacks, the TV news report advises you to “close out the web browser immediately.” Anyone who has experienced this type of attack knows that you can’t close the browser by any normal means. The only apparent exit strategy is to click something on the hijacked screen, such as a Cancel, Exit, or No Thanks button. When clicked, the machine becomes infected.
There are countless anti-malware products and how-to articles on the web that provide complicated disinfection procedures. However, there are two best-practice lines of defense as well as other solutions, including one easy procedure that I use.
On newer Windows OSs (e.g., Windows 7, Windows Vista), one best practice is to keep User Account Control (UAC) enabled. When it’s enabled, an attack program will trigger a UAC prompt because the program is trying to perform an operation that requires Administrator-level permissions. The user must be savvy enough to press the No button when presented with the UAC dialog box.
The other best practice is to not set the user account type to Administrator. With that said, some legacy line of business (LOB) software won’t run unless the user has administrative privileges. Similarly, some nonlegacy utilities require administrative privileges, such as backup software that uses Microsoft Volume Shadow Copy Service (VSS) snapshots.
In addition to these two best practices, there are other safe-browsing solutions, including antivirus software that lets you browse in “sandbox” sessions. (In these sessions, you lose OS functionality such as cut and paste.) Alternatively, you can do your browsing on a virtual machine (VM) that’s isolated from the Windows OS.
I use a technique that doesn’t require additional software and lets you keep the user account type set to Administrator. Suppose that you receive a warning message like that in Figure 2 on a computer running Windows 7. First and foremost, don’t click anything in the open browser window or open a new browser session. Instead, follow these steps:
1. Check the program icons in the taskbar (or tap the Tab key while holding down Alt) to see if there are additional bogus dialog boxes or forms being spawned by the initial unwanted browser hijack program. Figure 3 shows an additional Windows form that was an offspring of the “Message from web page” attack. You can’t see this form running on the main screen because it’s hidden underneath the “Message from webpage” dialog box.

Figure 3: Taskbar icon for the “Message from web page” attack
2. Press Ctrl+Alt+Delete to bring up Windows Task Manager.
3. On the Applications tab, find the Internet Explorer (IE) application that reflects the URL you can see in the infected IE window’s address bar. Right-click the offending IE application and select Go To Process. You’ll be taken directly to the instance of IE that’s under attack in the Processes tab.
4. Click the End Process button.
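The same idea, scripted: the two best-practice checks (UAC on, not running as Administrator) plus steps 3 and 4 above (find the IE instance by the title shown in the hijacked window, end only that process). This is an added PowerShell example, not code from the original article; the cmdlets are standard Windows PowerShell, the function names are mine, and the title pattern is a placeholder you replace with text from the hijacked window’s title bar.

```powershell
# Added example (not from the original article). Assumes Windows 7 or later
# with Windows PowerShell 2.0+ and Internet Explorer (process name "iexplore").
# Function names are my own; the title pattern passed in is a placeholder.

function Test-UacPosture {
    # Checks the two best practices: UAC enabled (EnableLUA = 1) and the
    # current session not running with Administrator membership.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr  = New-Object Security.Principal.WindowsPrincipal($id)
    $adm = [Security.Principal.WindowsBuiltInRole]::Administrator
    New-Object PSObject -Property @{
        UacEnabled     = ($lua -eq 1)
        RunningAsAdmin = $pr.IsInRole($adm)
    }
}

function Get-HijackedIeProcess {
    # Step 3 equivalent: find the IE instance whose window title matches the
    # page you can see in the hijacked window. With IE8+ the title belongs to
    # the frame process; its tab/content processes have no window of their own,
    # so ending the frame process closes that window and its tabs.
    param([Parameter(Mandatory=$true)][string]$TitlePattern)
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -match $TitlePattern } |
        Select-Object Id, MainWindowTitle, StartTime
}

function Stop-HijackedIeProcess {
    # Step 4 equivalent: end only the matching process(es), leaving any other
    # IE windows alone. Run with -WhatIf first to see which PID would be ended.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$TitlePattern)
    $targets = @(Get-HijackedIeProcess -TitlePattern $TitlePattern)
    if ($targets.Count -eq 0) {
        Write-Warning "No IE window title matches '$TitlePattern'."
        return
    }
    foreach ($t in $targets) {
        $desc = "PID $($t.Id) '$($t.MainWindowTitle)'"
        if ($PSCmdlet.ShouldProcess($desc, 'Stop-Process')) {
            Stop-Process -Id $t.Id -Force
        }
    }
}

# Usage: the pattern below is a placeholder for text seen in the hijacked
# window's title bar, e.g. part of the page title or URL.
Test-UacPosture
Stop-HijackedIeProcess -TitlePattern 'PLACEHOLDER-TITLE-TEXT' -WhatIf
```

Drop `-WhatIf` once the reported PID and title are the hijacked window; nothing in the script clicks or interacts with the page itself.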