A Net monster hijacks browsers

Spyware: The pests that cause hard-to-fix computer problems are only going to increase because they're financially driven, experts say.

August 05, 2004 | By Lou Dolinar, Newsday

Think of it as spyware meets Freddy Krueger - a genre of Internet monster that hijacks your browser and, like the villain of Nightmare on Elm Street, can't be killed.

This new "kruegerware" can steal your home page, lock you permanently to a porno site or ship all your Google queries to a dubious ad-driven alternative.

Increasingly, this type of program doesn't just wreak havoc. It can avoid detection by popular spyware programs, and even if you think you've gotten rid of it, it usually comes back, like Freddy.

Jeff Toplak, 30, of Elmont, N.Y., who works at a Home Depot, has been struggling with a browser hijacker that resets his home page on his home computer to a crude search engine and portal called greatsearch.biz.

"Once I open Explorer, it goes to that site, and I get two windows that pop up that say viruses have been detected," Toplak said.

The "viruses" are processes that are tampering with Explorer, and his anti-virus program indicates they can't be deleted. He tried to clear them out manually and "they are immediately downloaded from the Internet and restored when I reopen Explorer," he says. He's spent hours on the problem, and finally got rid of it with some highly specialized software.

Most experts think these persistent pests are only going to increase. The reason, according to Sam Curry, Computer Associates' resident security guru, is "unlike most hacking and most viruses, spyware is financially driven; people wouldn't do this if it didn't pay."

How it works

The way it works: Web sites that refer users to other sites may get commissions on sales, or on the volume of traffic directed. By locking in a page like greatsearch.biz as a user's main search page, kruegerware authors can generate hundreds of thousands of dollars in commissions. "They wouldn't do it if it didn't work, and if people didn't click through it. The returns exceed the risk," Curry said.
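A defender's check for the symptom Toplak describes, added here as an example and not code from the article or from any tool it names: it parses a Windows registry export and flags Internet Explorer start and search page values whose host is not on an allowlist the machine's owner supplies. The allowlist, the watched value names and the sample export are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the pages the machine's owner actually chose.
TRUSTED = {"www.google.com", "www.msn.com", "about:blank"}
# IE values under HKCU\Software\Microsoft\Internet Explorer\Main that hijackers rewrite.
WATCHED = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}

# Constructed sample .reg export (not real data): the home page now points at greatsearch.biz.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.greatsearch.biz/"
"Search Page"="http://www.google.com/"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"loader"="C:\\WINDOWS\\system32\\drop.exe"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for each string value line in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg escapes backslashes as "\\"; undo that for the stored string.
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")

def find_hijacked_pages(text, trusted=TRUSTED):
    """Return [(key, value_name, url)] for watched IE values pointing outside the allowlist."""
    hits = []
    for key, name, data in parse_reg(text):
        if name not in WATCHED or not key.lower().endswith(r"internet explorer\main"):
            continue
        # Compare by host; non-URL values such as about:blank are compared whole.
        host = urlparse(data).netloc.lower() or data.lower()
        if host not in trusted:
            hits.append((key, name, data))
    return hits
```

Run it over a real export (`reg export "HKCU\Software\Microsoft\Internet Explorer\Main" main.reg`) and any hit is a page the owner did not set; the Run key in the sample is where the re-download loader Toplak saw would typically be registered, and deserves the same scrutiny.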

Greatsearch is a comparatively mild case. Truly gory details are chronicled at www.spywareinfo.com/7/8merijn/index.html, the home page of Merijn Bellekom, a Dutch student who, like Dracula's literary foe Van Helsing, has dedicated his life, or at least his spare time, to fighting immortal evil with cool technology. In this case, it is browser hijackers that send computers to the home page of a Russian company, Cool Web Search.

Says Curry: "Cool Web Search is a horrible one, with 30 different iterations, and trying to find all the tentacles when you go in can be impossible. It will leave things like registry keys that say, if these files are missing, go to thus and so a page and download them."

For a couple of years, Bellekom has written and rewritten a program called Cwshredder to remove more hijackers associated with the Cool Web Search page, but acknowledges that a couple are so slick he can't touch them. Some are like an inoperable form of cancer - they burrow into Windows so deeply that removing them will destroy Windows and force a new installation.

Biggest problems

Some of the biggest problems are caused by badly designed hijackers, which, rather than go about their business surreptitiously, cause computers to crash or slow down substantially. More successful versions can create bookmarks to pornographic Web sites, batter the user with porno popup ads, or set the home page to an unwanted address. Some of the worst of these addresses are listed on the www.spywareinfo.com site. Cool Web Search didn't respond to Newsday e-mails, but on its Web site, the company denied it is responsible for the problems.

"The anti-virus companies really are targeting this, but the problem is that you don't have perfect targeting of so many different variants overnight," Bellekom said. "Some anti-virus programs remove the main parts of the most widespread variants, but leave traces behind, sometimes allowing it to restore itself and reinfect a system. I'm sure that they will eventually remove all of the variants properly."

Newsday is a Tribune Publishing newspaper.
