New Tricks from Browser Hijackers? 104
Fortunato_NC asks: "I'm the IT manager for a small business that delivers its service via a browser-based application, and we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible, which is odd, since we don't have any advertising on our website. Of course, it's spyware causing the pop-ups, and we recommend using a product like Ad-aware to take care of the issue. However, not everyone gets the message.
Today I was on a client's computer using WebEx helping them remove yet another 'browser helper'. The uninstaller for this program consisted of running no fewer than four separate programs, each of which forced closed the Internet Explorer windows, killing the WebEx session, and making it very difficult to service an already upset client ('What do you mean I have to join the meeting AGAIN?'). It seems as if this product anticipated the need to have someone remotely help the user remove it and went out of its way to make that task nearly impossible. Has anyone else on Slashdott encountered spyware or malware specifically designed to make life miserable for *remote* support techs? What other nasty tactics are spyware authors using that you've noticed?"
Stop using IE (Score:2, Insightful)
Re:Stop using IE (Score:5, Insightful)
Not an option in almost all business environments. In fact, we're specifically prohibited from even suggesting to users that they use an alternative browser because it'd be a bigger support hassle for the desktop support group. SAP requires IE, WebEx requires IE, our timecard program requires IE, and now they want to migrate people from POP mail to using Exchange Server. I work for morons (the US government).
Re:Stop using IE (Score:2, Informative)
Re:Stop using IE (Score:1)
Fix it. Duh!
I work for morons (the US government).
Oh. Well, you can still quit, right?
So evaluate it! (Score:5, Insightful)
In fact, we're specifically prohibited from even suggesting to users that they use an alternative browser because it'd be a bigger support hassle for the desktop support group.
Several points.
First, you are wise to standardize on a browser to help reduce support costs, supporting IE+Mozilla/Firefox will cost more than supporting IE, on the surface. But wait - there's more!
While it costs more for support techs to be trained in both browsers, what if the Mozilla/Firefox users put in fewer trouble ticket calls for support?
It might just be that the cost of supporting IE+Mozilla/Firefox could be less than supporting IE!
Which then leads naturally one to consider whether moving all users to Mozilla/Firefox might lead to even greater savings.
Especially if you consider long term savings from internal web site developers creating content that is more W3C standard and less specific to IE version du jour on Windows OS du jour, things which will surely change.
OK, so don't suggest to users they use a different browser. Instead, do what you're supposed to do: evaluate Mozilla/Firefox in your testbed development department and see for yourself, before you even consider deploying it, whether it makes sense from a business perspective. And ask yourself what the true overall costs are of IE in terms of spyware, adware, security lapses if proprietary information about your business were to leak out, and how much downtime and loss of productivity users have to endure if they have to turn off Javascript, etc.
Then, when you know the answers for your business, do a roll-out and tell people not to use anything but Mozilla/Firefox!
BTW, in my environment it turned out that Mozilla/Firefox supported a lot more web applications than most people expected. Sites would say they needed IE, but it turned out that Moz worked fine. In fact, one of the few web applications that broke under Moz/Firefox was one that relied upon a broken old DOM model for Javascript that origined back in the old Netscrape 3 days.
Re:So evaluate it! (Score:1)
Homeland Defence mandates it. (Score:2)
And that turns out to be the Homeland Defence Office.
they're the ones who suggested that people (read: the government) start moving away from IE. The fact that it'll cut down on the most onerous of the support hogs is only a bonus.
(honest!)
Even better yet, you could point out that all of these support calls are an example of why Motherland Defence is suggesting a move away from IE. These nasty spyware progs might just as easily be snooping government
Re:So evaluate it! (Score:2)
Which then leads naturally one to consider whether moving all users to Mozilla/Firefox might lead to even greater savings.
This is just anti-IE bigotry. I just spent nearly the whole day tracking down a very nasty XUL/RDF incompatibility in Tab Browser Extensions that totally paralyzed the new Mozilla 1.7. That sort of thing is NOT easier and cheaper, and in fact, finding and fixing such problems requires a
Re:So evaluate it! (Score:2)
You just admitted here that it's not a Mozilla problem, but one involving an unsupported 3rd party extension.
I love the tab browsing extension, but it does not need to be installed in an environment where the goal is to simply replace IE. Most of these users don't even know what tabbed browsing is, so power user tools for tabs will be all but useless to
Re:So evaluate it! (Score:1)
You're right, of course. But with Mozilla at least you know what's going on internally. Had it been a problem with IE, the vast majority of helpdesk IT will swap out the entire computer...
Easier, maybe, but not cheaper.
in these sorts of discussions... (Score:1)
Re:Stop using IE (Score:3)
I've started the initiative within our web development group to make all of the applications Mozilla/Firefox compatible.
It's really not that tough most of the time, there are even dozens of guides that show the Javascript equivalent for things and all of that.
Of course, if you use ActiveX components, you're probably screwed.
Re:Stop using IE (Score:2)
No. No, it wouldn't. And you need to get in somebody's face about that.
Re:Stop using IE (Score:5, Insightful)
Simply telling them "that's not our fault" isn't going to cut it. If we're not providing the best experience possible, our customers can easily take their business to our competitors. And then, I'd be Asking Slashdot about where I could find a new job.
The fact is that most of the "low-end" computer users use MS products because they're the easiest to install - especially since they came preinstalled on the computer. Asking them to download and install software is beyond the capabilities of many of our users. I don't like it, but I have to play the cards I'm dealt - and right now those cards say that 90%+ of my customers are using IE. And unfortunately, when those customers are trying to use my product and spyware prevents them from doing so, it falls on me to fix it. If I don't, one of my competitors will.
Bad client. No biscuit. (Score:4, Insightful)
Which isn't always a bad thing.
There are customers who make you money, and there are customers who cost you money. It sounds this customer (the client requiring several WebEx sessions) is a money pit.
Now there are several good reasons to take a loss on a particular customer--large clients often grow from small clients, good clients come from referrals made by bad clients treated well, you don't want your support staff bailing on tough calls with the excuse, 'oh, this customer is losing us money' (that's a call for the bean counters, not the support or tech folks).
So, let's presume the company is losing money on such high-maintenance clients. Let's also presume the company is not willing to just let their business go. What do you do?
You do your homework! Boy Scouts' motto, Ounce of prevention, pound of cure, stich in time, and all that. Take a machine off the company network, do a standard client install, dial-up to the internet, and let the ad-ware be your guide. Install whatever it is you keep having to uninstall for your clients. Then document the steps to uninstall.
Rinse and repeat as needed. Go through the permutations of OSs, versions, and browsers to cover 95% of your client base.
Now, you still have clients with ad/spyware issues, and your support staff is still helping them out. For those that don't know but can learn, you put your documented cleaning routines on your web site or at least have a formatted email ready to go when the call comes in.
Those that can't follow the written directions, get the walk-through on the phone, but now 1) you don't sound like you're making up as you go along. Bad clients are more likely to become good clients when you have a solution on hand and ready to go. And 2) you can pass that job down the chain so you lose a little less money on that client.
Re:Bad client. No biscuit. (Score:5, Interesting)
We have a well developed set of internal procedures, but this particular piece of spy-crud was one we hadn't run across before. I do have a "field guide to American Spyware" that I distribute to all our sales reps and customer service folks, but some calls still end up back in the tech department. We'd rather be writing code than doing tech support, no doubt, but ultimately keeping the customers happy keeps our business growing - and it is growing - we've had record volume the last two months and are on pace to break records again this month.
Don't be so wussy, or tell your bosses not to. (Score:2)
Or, if it is, you tell your clients that you'll get rid of their spyware -- but you do it your way. That is, they pay you, mail in their computer, you send it back with a new hard drive with Linux installed and all their documents/programs copied over. You also send back their original hard drive in case they don't like it.
You also send them enough manuals that it's unlikely that they will ever have spyware installed ag
Re:Stop using IE (Score:5, Insightful)
Yet they seem to have no trouble at all installing all that spyware. Someone needs to create a one click install via a popup for Firefox, then you just put that popup on your site and wait until they inadvertently fix themselves.
Extra credit for the hacker if can wipe the existing spyware (the competition) and put the firefox path into all the shortcuts and registry keys that currently point to IE.
Imagine a "spyware" program that make the computer run better and safer than it was before.
Re:Stop using IE (Score:2, Informative)
And then the user won't be able to use Windows Update and they'll be worse off than they already are. Also, switching from IE wouldn't stop 99% of the crapware which mostly comes from people installing screensavers, P2P apps or those oh-so-cute little doggies that show up in the toolbars.
Re:Stop using IE (Score:2)
You can believe what you want, but I'll bet you money that if you put a typical user on the net with firefox they would get far less than half the amount of spyware installed on their system compared to the same user using IE. I'm using 50% to be completly safe, it's probably several o
Re:Stop using IE (Score:2)
Re:Stop using IE (Score:2)
Lesson learned: he should have open sourced it so others could fix his bugs.
Re:Stop using IE (Score:2)
Now consider what could be done if someone who actually knew how to program properly tried it.
Re:Stop using IE (Score:1)
Re:Stop using IE (Score:1)
a few steps to clear yourself of all problems (Score:1, Informative)
2. tell users with problems that the problem they are experiencing is beyond your control and has to do with IE and Windows sucking so bad.
3. Let them know that CERT recommends they use something else than IE like Firefox.
4. tell your clients that with Firefox their unwanted popups will never appear.
Re:a few steps to clear yourself of all problems (Score:5, Insightful)
If anyone is familiar with HijackThis they'll know that Spyware/Malware comes with several modules placed in different portions of people's startup/browser configurations so if a piece of the spyware is removed from one area the other modules will replicate back to these areas sometimes with random filenames and a host of many other tricks that anyone familiar with "the game" will know.
Anyway, a lot of us are going to need replacements for HijackThis because the last version Merijn released is just that: the last version.
Re:a few steps to clear yourself of all problems (Score:2)
My advice to people is to disengage the thick cable that's usually to be found lodged in the back of their machine near the main cooling fan; guaranteed end to all computer problems, but then I'm actually trying to get out of the computer-fixing game permanently.
If you aren't, it might pay to be a little nicer to your customers. I love Mozilla, but it's not for everyone, not while there are poorly-made sites that onl
Sounds nice but wouldn't work (Score:5, Interesting)
Making sure your web application works in most browsers is ofcourse sound advice but requires you to hire programmers and designers who know their business. You would be suprised to learn how many sites are setup by some frontpage kiddie. Or worse ASP kiddie. Ugh. They wouldn't know about cross-browser capabilitie if you hit them with the IE open-bug log.
And they would be spending all their time telling their client that IE is the default browser and that coding for the others is not worthwhile because if they don't they are out of a job. As to the market share of Mozilla and others. Supermarkets in holland are involved in a prize fight over 0.1% market shares. Denying browsers other then certain IE versions is like turning away full percentages of customers at the door. Doesn't make sense does it to fight for fractions and then refuse them entry.
Frankly there is no solution, if this tech manager has made sure that his web page can be accessed in every browser (if he hasn't he is beyond help anyway). He can't force his clients to switch browser (clients with a clue will have switched by now and no business can survive turning away the clueless braindead zombies that are still on IE), he can't stop spyware, he can't ask his clients to install something like vnc (or ensure that vnc isn't killed by spyware). He is screwed. Maybe he should sue MS for putting him out of business and costing jobs. Closed source IE costing jobs. Oh well, it made me laugh.
Re:Sounds nice but wouldn't work (Score:4, Insightful)
I actually talked to a customer today who I told should switch from IE, and she was receptive to it because the spyware was driving her bats. There's no question that you can't turn away people using IE, and you must ensure that your software is compatible with IE, but there's no reason in the world not to suggest that using other browsers would fix the problem. People who have the kind of severe spyware problems I've seen are likely to be receptive to that kind of pitch; they don't love IE, they just want to get things done. If that means download something new, I think they'd go for it.
D
We must live in different worlds (Score:4, Insightful)
I seen this problem before, the trick is hardly unknown. And yet there seems to be very little movement in people switching browsers. Sure a lot of noise is made about it here but just look at the statistics. How much did IE loose in a recent /. story? 1% wasn't it. OH WOOPIE. That was right after one of the biggest security hits in the history of computing (several regular sites being used to steal information and forward it to criminals) that was only stopped because it was to successfull and the receiving server was overloaded.
Of course I don't know if the guy with the problem has an IE only site, I was only speculating, but I have argued this point in the past with customers and employers and it rarely gets across. I found that the only way to reliable create a cross-browser site is if I am the person in control and then to just do it. Don't mention it, it doesn't cost any extra so no need for the customer ever to known his brand new site works with every graphical browser on every OS (well linux windows and OS-X) and can even be used with links. (lynx is harder)
I never ever had a customer or employer ask for cross-browser compitabilty let alone cross-platform.
My answer nowadays when people ask me about obvious MS caused spyware/trojans/virusses/bugs. "I don't know."
I used to recommend firebird or opera. And everytime I get repaid by having them complain to me that site X doesn't work anymore. Worse when I used to remove spyware they complained about their missing desktop toys. I only did that a couple of times. Waste of time.
Fat people don't listen to advice on diets, drunks don't listen to advice on not drinking, windows users don't listen to advice on security. If they did they wouldn't be fat drunk windows users.
BUT you could restore my faith in mankind, well womankind at least. Did your customer switch browser? I bet my cynisism against a shred of hope for the human race she didn't.
Re:We must live in different worlds (Score:2, Insightful)
One percent of IE users switching is something upwards of a few hundred thousand right? And it's a growing trend. We can assume alternative browser usage will plateau at some point once MS gets the lead out, but that's not for another couple of years, considering all the visible bad press IE has been getting lately, and the fact that their development team is way behind the curve.
I think the anti-IE backlash (and subsequent switching) will reac
Re:We must live in different worlds (Score:3, Insightful)
I think there are a few problems worth noting. First, we tend to sound a bit fanatical about these issues, and most people tend to discount fanatical statements. Imagine what you would say if someone told you your car had a good chanc
ASP Kiddie? (Score:1, Insightful)
I've been using ASP, PHP and Perl for the past few years on various projects, and recently won a UK accessibility Best Practise award for a huge ASP project - my point being that ASP and compatibility are not mutually exclusive! In fact, you find many more "web kiddies" using PHP than ASP, which requires small enterprise-level systems to do anything useful with, realistically.
Now the very interesting t
Your right of course (Score:2)
Solution: (Score:4, Insightful)
Re:Solution: (Score:1)
Re:Solution: (Score:2)
Re:Solution: (Score:1)
remote shremote (Score:5, Insightful)
Hate to break it to you, but when you've got a broken arm, you don't usually use that arm to set the bone.
Ever heard of non-browser based remote access? Like VNC, pcAnywhere, NetOP or remotely possible?
It has nothing to do with this vermin's author being clever, you're just using a not very optimal tool for your removal of that vermin.
Re:remote shremote (Score:3, Interesting)
However, our Diagnostic software does use an IE-shell so oftentimes it doesn't work. I've been bugging our developers/superiors to change this for years now but they don't seem to get the picture so I can see where this guy is coming from.
Anyway, try to get them to switch to a variant of VNC, better if it is provided by a firm so they work out all of the details making it SUPER-eas
Re:remote shremote (Score:1)
I second the motion to use VNC. I suggested it to my boss 6 months ago (immediately after starting the new job) and got it implemented soon after. My service calls out to other locations got cut by 75%, and I am now able to take care of removing spyware/etc. myself, instead of taking hours and hours trying to walk end users through downloading and installing Spybot/Ad-aware, or
Re:remote shremote (Score:2)
If this is webex, the problem is not so much the browser as the file explorer has some funky interaction with the software. It installs as an activex, but if you toggle the view file options to see 'hidden files' (or make any other changes for that matter that you typically do when carving out malware) it dumps you from the session. VNC works, but
nasty stuff (Score:5, Interesting)
Re:nasty stuff (Score:3, Interesting)
I couldn't resist trying it out. I visited it using Safari on my Macintosh and typed in a bunch of queries. Needless to say, the results were pathetic. My conclusion was that it was the most useless search engine in the world.
As I remember, the removal instructions f
Re:nasty stuff (Score:2)
Oh, you want useful results? I thought you wanted simple!
Don't click on any of the links, of course, or you'll be paying those slimeballs.
D
Re:nasty stuff (Score:1)
http://zestyfind.com/cgi-bin/search.cgi?keyword
http://zestyfind.com/cgi-bin/search.cgi?keyword
Re:nasty stuff (Score:1, Informative)
I would suggest Opera. I've been using it almost exclusively since I found version 3 back in the late 90s, and I've never EVER had a piece of spyware on my machine that didn't come with it. It's fast, small, customizable (especially for the intelligent user), and resilient when it fails. It has features for the serious browser user that Mozilla STILL doesn't have - in fact, all of Mozilla's best ideas (barring XUL perhaps) were in Opera first, and it's still ahea
Re:nasty stuff (Score:2)
Re:nasty stuff (Score:3, Informative)
Depending on whether housecall.trendmicro.com is ActiveX or Java or whatever, it might work. Just wouldn't be able to fix anything.
There is no stable NTFS writing driver yet. So
Re:nasty stuff (Score:1)
Bump that request for a live CD to save IT people forced at gunpoint to save Windows.
Re:nasty stuff (Score:1)
Safe mode (Score:4, Informative)
Doesn't work remotely, but seems to get pretty much all of them.. However, I have seen in the last month one or two running even in safe mode on Win2k. As soon as you reboot back, they re-install about 10 more. Thank god for norton ghost for those nasty ones.
On a side note, is there a huge list of IP's that these spamware come from, or report back to, or whatever? Sure would be handy to ban those IP's at the router..
Re:Safe mode (Score:2, Informative)
Referrer Log Spamming? (Score:3, Interesting)
Re:Referrer Log Spamming? (Score:1)
Netmeeting? (Score:3, Insightful)
Bad Malware... Bad! (Score:2, Insightful)
Not only is it set in the Hkey\..\run, but I had one that stuck it's html based install into the windows active desktop folder, so once the computer was "clean" it reinstalled itself on reboot...
I've even seen a few where if you try and use AdAware and the first thing you need to do after downloading it onto a new system is to update the REF. file... but adaware said no updates... Finally, I had to use another system to get the upda
Re:Bad Malware... Bad! (Score:1)
sjs132 writes:
if the author(s) of this crappy malware type software actually spent as much time/effort into a GOOD PRODUCT as they put into making it's removal difficult ... they would probably have a great product and people would enjoy using it, and maybe even give them legit business.
Most of the writers of malware don't distribute, they just post the code for all to see and comment on. Then they design scripts that will compile the code and post that. Most of the people who do actually distribute t
Here's the Linkage (Score:1)
Re:Here's the Linkage (Score:1)
Spyware (Score:2, Informative)
Anyways once I got the the pc running I ran Ad-aware and it found ~70 or so items and removed them, however I had to remove one file that Norton Anti-Virus detected, that ad-aware missed, in the windows folder and I noticed an explorer.001
Re:Spyware (Score:2)
I find that SpyBot is more effective than Adaware and Kaspersky AV is far superior to Norton, although if you keep the default settings, your machine will be unusable between 8 and 8:45 PM due to it's thorough scan.
Re:Spyware (Score:1)
When cleaning spyware/adware I use a combination of running Ad-aware, then Spybot, then HijackThis and finally manually browsing the HKLM\Run & RunServices keys to make sure everything is gone. If the user show signs of agression and being fed up with the
Re:Spyware (Score:1)
Chop
Re:Spyware (Score:2)
I got an old P2-350 awhile back, and since I'm a teenager who spends a lot of time on my computer, I LANed them up and while I'm playing games/IMing/coding/whatever my family uses that one.
Long story short, I've just formatted the hard drive and installed RH8.
If people like that don't want to learn to use Linux, then they should at least try Win2k/XP. I don't know about other people, but I've learned to put up with the registry (I have XP Home. The command prompt is s
I've noticed this tactic (Score:4, Funny)
It reminds me of something, but I can't remember what.
Re:I've noticed this tactic (Score:1)
possible solution(more a suggestion) (Score:1)
Listen Mode of VNC (Score:3, Informative)
Assuming that you can configure the forwarding on your personal network correctly (I think listen mode is port 5400, but look it up), you can set your workstation to "Listen" for new VNC connections from your client's computer. Your client initiates the connection from their VNC Server program
Use Interwise instead of WebEx (Score:1)
Computer Cops (Score:1)
Dealing with malware infected customers (Score:2, Interesting)
Adaware and other canned products will usually work fine for well known problems. For the latest threats you need someone who is skilled enough to research these problems, hunt them down, etc...
we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible
If the client is having a
Re:Dealing with malware infected customers (Score:1)
jcasey writes:
Windows/IE is targeted by crapware writers because of its popularity ... Lately many sites have been advising people to dump ie ...
A question, perhaps rhetorical: Since Internet Exploder is actually an integral part of the Windoze operating system, does there exist a means by which one might be able to remove it with its known hacks? I routinely recommend that people not use Microsoft's browser or their e-mail client because of the target size those programs represent coupled with the num
Nastier Browser Hijacks (Score:3, Insightful)
We've encountered a lot of these recently, using compromised IIS5.0 pages (innocuous sites)--you can read a high-level overview here.
People are hijacking sites and leaving them as-is, but appending malicious scripts. The sites are innocuous enough for average users to access regularly, but they take advantage of various IE exploits, such as Download.Ject and friends.
The MS patches for ADODB stuff aren't too widely used in a lot of outfits as they can break lots of bits and bobs of the help "system" in Outlook and other vaguely browser-related toys. I'm currently doing some security work for a large corporation, and am having a demon of a time just trying to figure out with application testing people which MS patches do exactly what, what they break, etc. Ah the joys of using high quality commercial software backed by a reputable vendor.
It's not just IE either; there've been a number of browser vulnerabilities released recently, albeit more to do with spoofing or redirects than actual remote code exploits. For Joe Average, though, the result will be nearly as serious (for example, if cnn.com prompts him to click 'yes' on a popup he may do it, when he would not for a random porno site.)
To be fair to Microsoft, their local security guys are being extremely cooperative and helpful just trying to sort out the mess.
Hacker Defender (Score:1)
To quote something I wrote nearer the time on a different forum
Re:Hacker Defender (Score:1)
what I'm hunting.. (Score:2)
yet down at the bottom, it shows CPU usage at 17-82% up and down, over the course of a few momments whereas last week, this was not the case, cpu usage matched the opposite of idle processes..
there is something here, that is hiding from task manager, and at least according to my firewall, it's not trying to connect to the internet at all..
I thought it was a malformed svchost-having found some weird versions, but I
Re:what I'm hunting.. (Score:2)
thank you very much.
Look2Me Installed as event processor? (Score:3, Informative)
Ended up booting to recovery console and deleting the file there so it wouldn't load, then was able to remove the entry from the registry.
A quick Google search reveals it as "Look2Me". More info here [sarc.com].
Clever spyware (Score:2)
In case you see something like this, here's how to get rid of it: