Browser hijacking

What is browser hijacking?

Browser hijacking is a type of malware that takes over your browser to make it do things you do not intend. In the most harmless scenario, your browser starts using different search engines or starts displaying ads that create revenue for the malware author. In a much worst case, your browser is hijacked to download very malicious software such as ransomware, which will encrypt your entire system until you’ve paid a fee to the bad guys.

Historically, malware was crafted to target specific operating systems. The object of any malware is to infect as many computers as possible, so Windows has been one of the largest targets in the past. As the use of other operating systems increased it became less efficient to develop and maintain multiple versions of malware for each different platform. At the same time, Internet usage was increasing and browser developers began creating cross-platform browsers. This formed the perfect attack vector. Write-once, deploy-everywhere malware is now delivered over the Internet via web browsers every minute of the day.

How does it happen?

The trickiest part of any hijack is creating new ways to trick people into installing the malware. Some of the more common methods of deploying malware into a browser are:

Convincing users to install a maliciously crafted browser plugin or program.

Many browser extensions such as Chrome Currency Converter, Web Timer, User-Agent Switcher, and more have been known to redirect users through an unknown proxy and then show users ads.

Tricking users to visit sites that do drive-by downloads.

A drive-by download refers to the malicious practice of downloading code, usually Javascript, to your browser without your knowledge.

All malware is not created equal. Different devices have different security models so some malware is designed for specific platforms. Sucuri has a recent blog post detailing malware that is designed to target mobile devices. Once it has identified that you’re using a mobile device of some kind, it then makes further decisions on the best way to infect you. It does this based on your specific device and browser combination and attempts to install either a toolbar or a mobile app.

Many email phishing attacks are constructed to try to get people to visit drive-by sites.

Embedding malicious javascript into a legitimate website that does undesirable things.

Its unlikely that a malware author has a website popular enough to attract enough visitors to deploy their malicious software. It’s better to place the malware on legitimate websites with lots of existing traffic. To that end, many malware authors are also website hackers or they purchase exploited websites from a hacking-as-a-service service (HaaS) on which to deploy their malicious code.

How do you avoid it?

Don’t ignore Google blacklist warnings

Google offers a program named Safe Browsing which seeks to catalog all of the malicious sites on the Internet. It shares that information in a publicly available list which other browsers can use to warn users when they are about to go to a malicious site. Mozilla Firefox, Google Chrome and Apple Safari all use the Safe Browsing lists.

An image similar to this is displayed if you attempt to visit a site that is currently on the Safe Browsing list:

Google safe browsing warning

The Safe Browsing list is updated frequently so there’s a very good chance that a warning for a site legitimately means that the site is currently infected with malware, or it is currently hosting a phishing page. The program was some very large privacy issues such as logging requested sites and setting cookies that the NSA has historically used for tracking people. But, if you’re going to use it then pay attention to the warnings.

Disable Javascript in your browser

Most websites use a mix of server-side and client-side technologies. Examples of  server-side technology are scripting languages like PHP or ASP.net. Those languages are executed on the web server and the results are sent to your browser in plain HTML. Server-side technologies do not have direct access to your computer.

The term client-side refers to code that executes in your browser. The most common client-side language on the web is Javascript which is downloaded to your browser and is then executed by your browser. You can infer from this that Javascript potentially has the ability to determine local information such as your real IP address, the ability to read things you’re typing into the website such as passwords, and to download other scripts that you may not be aware of.

One of the best security measures you can take is to disable Javascript by default in your browser. This will break many web pages, so you will frequently have to re-enable it but at least you become aware that the site you’re visiting is attempting to get your browser to execute Javascript. There are a variety of plugins that make this process easier than digging through your system settings to enable/disable it.

The NoScript extension for Firefox and Script Block for Chrome work well for this. They disable Javascript and Flash by default and provide one-click access to allow Javascript on a per-site basis instead of enabling it across the board. It’s a little work, but it helps a great deal to protect against arbitrary Javascript execution in your browser.

Chrome Script Block plugin

Beware malware browser extensions

There are many malware detection and cleaning plugins. At face value this may sound good, but unfortunately many malware authors have discovered that the best way to trick people into downloading their malicious plugin is to pretend it is something else. Malware masquerading as an anti-malware extension is the height of irony and it works. Therefore, it is important to make sure that any extensions you install are legitimate.

The Chrome extension store is legendary for distributing malicious extensions. In 2015, Google funded its own study and discovered that tens of millions of Chrome users have some variety of add-on based malware installed. Google attempts to identify and block malware from its store, but it there are problems with identifying malware via automated scanning and it’s too Herculean a task to do manually. It’s not tough for a malware developer to upload an extension with no malicious code in order to pass the scanning, but then have it download malicious code once it is installed.

It pays to be a little skeptical when choosing extensions. Here are some things to look for using one of the script blocking extensions as an example. The Script Click extension has 295 users, 4 reviews, wants to read everything on every website I visit and was updated just last week.

Chrome extension script click

By contrast, the Script Block extension has 81,000 users (that is not visible in the screenshot), 347 reviews and has been in its current state for about six months. It still wants to read every site I visit, however.

Chrome extension script block
The Script Block extension fares better in the credibility test so the next step is to search the Internet for reviews and reports of it being exploited or being malicious. If it comes up clean, it seems like a reasonable choice.

Finally, it’s important to understand what the extension does in order to evaluate the permissions it is asking for. It’s entirely reasonable that a script blocking extension has to be able to read every web page you visit. This is the only way it can determine if there is Javascript in the page so it can block it. However, if you’re installing a weather or search extension and it wants this same permission to read every web page you visit, that is a warning flag.

Be paranoid about links

In the course of a day we are all presented with the opportunity to click on many Internet links. They come in emails, websites, instant messaging chats, message boxes and QR codes. They come from our friends, our family, our jobs and strangers. Any one of those links can direct you to a drive-by site or install malicious things on your system.

If you are in doubt about any link, hover over it before clicking it. Most programs will expose the real URL of the link in its bottom toolbar or in a floating tooltip.

LinkedIn email link
If that doesn’t work, right-click the link to copy it to your clipboard and then paste it somewhere safe such as Notepad to see what is really is before deciding to click it.

How do you detect it?

Malware that is aimed at making money usually does so through advertising or sponsored links. This type of malware is usually easier to spot because it displays ads to you or redirects you to unfamiliar search pages. A change in behaviour that you can’t explain, or new toolbars showing up in your browser are tell-tale signs that your browser is being hijacked.

More malicious malware may run processes or programs on your computer in an attempt to steal information from you or encrypt your data. Those programs use system resources, so if you see an increase in system activity, that may indicate malware. Symptoms can include:

Hard drive activity when you’re not using your computer

This can indicate a program is searching through your hard drive, or ransomware is encrypting your files. It can also be a legitimate process on your system such as an antivirus scanner that works when the system is idle. You can use the process explorers explained below to help identify the true cause.

A drop in performance

All running applications have to share the available memory and processing power of the computer. If malware is performing intensive processes while you’re using the computer this can result in a noticeable speed lag.

Unfamiliar processes running

All computers have some method of listing running programs. If you notice any of the symptoms listed above you can review the running programs to see if there are any that should not be there.

MacOS (OSX)

The process application for MacOS is named Instruments. The easiest way to bring it up is to use the Command + Spacebar and type Instruments. It will show you a list of all running processes.

MacOS Instruments
Linux

The command-line top command is the quickest way to see all running processes. You’ll want to run it as the root user to ensure that you see all the processes and it will allow you to view all running processes and how much memory and CPU resources they are using.

Linux top command
Windows

The Windows process explorer is named Task Manager. The easiest way to launch it is to press the control+alt+delete keys and select Task Manager from the screen.

Windows Task Manager

How do you fix it?

Browser hijacking malware falls into the same category as a virus, hence a suitable anti-virus program is a good method to remove it, there are options available from $20 such as TotalAV. There is no end of anti-malware applications on the market that purport to be able to remove malicious code. Comparitech maintains an Antivirus FAQ here which explains the best practices of selecting a suitable Antivirus program. There is no one size fits all antivirus because factors such as operating system and personal use patterns play a factor.

Performing routine backups is a critical part of any malware recovery. There are situations where you may be unable to clean the malware, or it causes so much damage that it makes sense to reinstall everything. There are a number of cloud backup options here.

If your infected device is a tablet, phone or Chromebook that stores all of your data in the cloud, it may be quicker to just reset the device to the factory settings. This will remove everything, including the malware, and you can restore your data from the cloud. If you’re dealing with a proper computer then you will probably want to clean it as-is instead of re-installing everything. However, in either case, it is critical that you also scan your backed up data for malware before restoring any of it to your newly cleaned system. If the malware is contained in your backup you will instantly re-infect your system.