snopes.com > About This Site > Technical Questions
#21
30 May 2014, 08:59 PM
Richard W

Quote:
Originally Posted by jimmy101_again
A browser hijack looks like it is coming from outside but is actually 100% resident on your computer. Antimalware software often doesn't detect browser hijacks.
That depends what you mean by "resident". It's running on your computer, but typically it wouldn't install anything there or go anywhere other than the immediate session, otherwise it would stop being a browser hijack and become a straightforward virus, and you'd see warnings and so on that things were trying to install files - either from virus software or just from the operating system.

But you're right, anti-virus and malware software has no real way to detect a browser hijack unless it's doing something really dodgy. A simple redirect to a page that's trying to get you to click something dodgy wouldn't be caught.
#22
31 May 2014, 12:09 AM
ganzfeld

Quote:
Originally Posted by jimmy101_again
In order for a popup to overlay the main screen requires some dodgy coding.
Once the malware (such as a virus - although a virus is a specific kind of malware not just any malware) that's in the computer (that is not coming from a script on a webpage, etc) can do that, it doesn't do that. Once it's in the computer it does whatever it's supposed to be doing in the computer and there's no reason for it to do that. Unfortunately, people reporting on this particular problem (as well as many others) confuse the behavior that's used to get the malware in and the behavior of the actual malware - sometimes because the person is getting hit by the original ad times and don't remember or understand that they've already clicked on it and been pwned. So they find they have "a virus" and think that's what the "virus" does.

In any case, no, it doesn't require any especially dodgy coding. It requires - at most - a couple lines of JavaScript. Legitimate pages use it all the time.
#23
31 May 2014, 04:13 PM
jimmy101_again

Quote:
Originally Posted by ganzfeld
Once the malware (such as a virus - although a virus is a specific kind of malware not just any malware) that's in the computer (that is not coming from a script on a webpage, etc) can do that, it doesn't do that. Once it's in the computer it does whatever it's supposed to be doing in the computer and there's no reason for it to do that.
Browser hijacks do specifically what you say malware doesn't do. They stay resident (rebooting doesn't affect them) and they redirect the browser. "Does whatever they are supposed to be doing" is hijack the browser and redirect it to web sites the user didn't request.
#24
31 May 2014, 07:40 PM
Richard W
I don't think it's a browser hijack. It's a straightforward redirect, which would usually be a cross-site scripting thing. (Like ganzfeld said, most redirects are perfectly legitimate - the cross-site scripting is used to inject one that isn't legitimate into a legitimate page). It works from a piece of embedded script in a web page. It doesn't need to install anything, and it runs in the browser so stops running when the browser closes:


http://securitycompass.com/computer-...SS/player.html

For what it's worth, a session hijack also doesn't need to install anything, runs in the browser and doesn't persist beyond the session, hence the name:

http://securitycompass.com/computer-...ng/player.html
#25
31 May 2014, 11:51 PM
ganzfeld

Quote:
Originally Posted by jimmy101_again
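The in-page redirect Richard W describes in #24 (and the advert-injection theory he returns to in #29) can be checked for from the defender's side without running the page. The following is an added example, not code from the thread or from the linked Security Compass videos: a small Node.js scanner that takes a saved copy of a page's HTML and lists inline scripts and meta-refresh tags that send the browser to an origin other than the page's own. A same-origin redirect (the "perfectly legitimate" kind) is left alone; anything that leaves the origin is reported with where it was found. The sample HTML, the page origin and the `.invalid` hostnames are constructed for the demonstration.

```javascript
// Added example (not from the thread): list inline scripts and meta-refresh
// tags in a saved page that navigate the browser to a different origin.

// Inline <script> bodies.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// <meta http-equiv="refresh" content="N; url=..."> tags.
const META_RE = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']/gi;
// location.href = "...", window.location = "...", location.replace("..."), location.assign("...").
const ASSIGN_RE = /(?:window\.|document\.|self\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']/g;

// Resolve a (possibly relative) target against the page and return its origin,
// or null if it cannot be parsed at all.
function targetOrigin(target, pageOrigin) {
  try {
    return new URL(target, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Return every navigation whose destination origin differs from pageOrigin.
function findOffOriginRedirects(html, pageOrigin) {
  const base = new URL(pageOrigin).origin;
  const findings = [];
  for (const script of html.matchAll(SCRIPT_RE)) {
    for (const assign of script[1].matchAll(ASSIGN_RE)) {
      const origin = targetOrigin(assign[1], base);
      if (origin !== base) findings.push({ kind: 'script', target: assign[1], origin });
    }
  }
  for (const meta of html.matchAll(META_RE)) {
    // content looks like "5; url=http://..."; keep only the part after url=
    const urlPart = meta[1].split(/url=/i)[1];
    if (!urlPart) continue;
    const target = urlPart.trim();
    const origin = targetOrigin(target, base);
    if (origin !== base) findings.push({ kind: 'meta-refresh', target, origin });
  }
  return findings;
}

// Constructed sample page: one legitimate same-origin redirect in the head,
// one off-origin redirect inside an advert slot, one off-origin meta refresh.
const SAMPLE_HTML = `
<html><head>
<script>
  // legitimate: switch to the mobile layout on the same site
  if (screen.width < 600) { location.href = "/mobile/thread.php?t=12345"; }
</script>
</head><body>
<div id="ad-slot">
<script>
  // constructed stand-in for an injected advert script
  window.setTimeout(function () { window.location = "http://update-check.invalid/java/"; }, 3000);
</script>
</div>
<meta http-equiv="refresh" content="5; url=http://update-check.invalid/flash/">
</body></html>`;

console.log(findOffOriginRedirects(SAMPLE_HTML, 'https://message.snopes.com/'));
```

Run it against a page saved with "View Source" (or fetched with curl) rather than the live DOM: an advert that only fires some of the time will show up in the saved copy on the occasions it was served, which matches the "inconsistent" behaviour described in the thread. Anything reported under `ad-slot` rather than in the site's own head is the first thing to show the site operator.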
"Does whatever they are supposed to be doing" is hijack the browser and redirect it to web sites the user didn't request.
Which claims to be a Firefox or Java update - but only on the ULMB? Yeah, that makes no sense at all. Again, that's how they get in, not what they do. (Also, what Richard W said.)

Last edited by ganzfeld; 01 June 2014 at 12:00 AM.
#26
01 June 2014, 04:11 PM
jimmy101_again
You are assuming that all it is is a bogus web page designed to look like, for example, the Java update page. That could be what is happening. Though why are so few users seeing those pages? Sheer chance that he is seeing it regularly on his two computers but of the tens (hundreds?) of other snopsters that have visited the pages few, if any, are seeing the same thing? That is certainly possible though it seems rather unlikely.

A second possibility: He has something similar to a browser hijack. Wherever it came from he has been there with both machines. Whatever exploit it is using is also common to both machines (like an old version of the web browser or Java or ...). If he uses the same security software on both machines then if that software misses the hijack on one machine it'll be missed on the other. The hijack is perhaps just randomly choosing when it will take a URL request and redirect to one of the bogus web pages. Hijacks like this exist, they can specifically redirect certain pages (like URLs that point to antivirus software) or they can randomly choose when to redirect a valid URL to a page of the hijack's choice. The tricky part of this approach to a hijack is that if you attempt to trace it back, the assumption is that when a web page asked for http://xxxxx that URL points to a bogus page. In fact, http://xxxxxx points to a perfectly valid page, one that isn't a threat, but your browser didn't go to that page; the hijack inserted a different URL and went there instead.
#27
01 June 2014, 04:35 PM
jimmy101_again

Quote:
Originally Posted by ganzfeld
Which claims to be a Firefox or Java update - but only on the ULMB? Yeah, that makes no sense at all. Again, that's how they get in, not what they do. (Also, what Richard W said.)
What the bogus site claims to be is completely irrelevant. To do the next step in their evil they need to install software using the normal installation procedures. So the bogus page says Firefox or Java update just because (1) those things get updated regularly, (2) a high percentage of people use those packages and (3) those packages are allowed by users to install software. The hijack could say "install bogus software" but few people would actually click that button, right?

A browser hijack can be linked to anything. It could indeed be linked to snopes pages (that is, it only redirects URLs from pages with /message.snopes.com). That might sound silly but it really isn't. It makes perfect sense. A user is less likely to think a link from a snopes page is bogus and will perhaps be a little more likely to not fully check the URL before hitting something as risky as an "install update" button. It makes a lot more sense to trigger the hijack based on a visit to snopes than it does to, say, a porn site (which, I am told, people often expect to be somewhat more likely to try to do something bad to their computer, but I, of course, wouldn't have any direct knowledge of that). But again, there is nothing at the snopes pages that has been hacked; the hijack is resident on the user's machine and is simply watching (and changing when it wants) URL links.

In the past browser hijacks have been linked to pages like Microsoft Help Center. There is nothing on a Microsoft controlled page that has anything to do with the hijack. The hijack (in the user's browser) just watches for requests to those Microsoft pages and redirects them, often to pages that look like MS pages but aren't.

So, to summarize, to build a successful browser hijack:
1. Trigger from a trusted site like snopes, or Microsoft, or ... (note that nothing bogus is at those web sites, they weren't hacked)
2. Direct to a bogus page that looks like the commonly encountered "time to update your software" site (like Java, or Flash, or browsers or operating systems, or antivirus, or ...).
3. The hijacker now gets to install software much more dangerous than the original browser hijack and the user themselves have bypassed the security software on their machine.
#28
01 June 2014, 11:09 PM
ganzfeld

Quote:
Originally Posted by jimmy101_again
1. Trigger from a trusted site like snopes, or Microsoft, or ... (note that nothing bogus is at those web sites, they weren't hacked)
By 'browser hijack', I thought you meant browser hijack. That's just an ordinary redirect. ETA - Oh, I see what you mean. Sounds a bit farfetched to me but it's plausible.
#29
01 June 2014, 11:16 PM
Richard W

Quote:
Originally Posted by jimmy101_again
So, to summarize, to build a successful browser hijack:
1. Trigger from a trusted site like snopes, or Microsoft, or ... (note that nothing bogus is at those web sites, they weren't hacked)
2. Direct to a bogus page that looks like the commonly encountered "time to update your software" site (like Java, or Flash, or browsers or operating systems, or antivirus, or ...).
3. The hijacker now gets to install software much more dangerous than the original browser hijack and the user themselves have bypassed the security software on their machine.
It's not my security that needs to be bypassed to do that, though. It's the security on the web page. (In this case, probably in an advert, since I doubt that the UBB software itself is straightforwardly vulnerable to injection attacks. Also if it was embedded in the thread, then it would show up more consistently. I have seen it in other threads again now).
#30
01 June 2014, 11:20 PM
ganzfeld
Yes, I think that's much much more likely. You might want to try checking to make sure your DNS hasn't been meddled with (which you've probably already done with the scans) but I seriously doubt your browser has been hijacked.
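jimmy101_again's resident hijack (#27, something on the machine that "watches for requests" and sends them elsewhere) and ganzfeld's suggestion to check that DNS "hasn't been meddled with" (#30) come down to the same question: is anything on the machine answering name lookups before the real resolver does? The following is an added example, not code from the thread: a Node.js audit of the two local places where that is most easily done, the hosts file and the resolver configuration. It reports hosts entries that pin a public name to a non-local address (a loopback or 0.0.0.0 entry is ordinary ad-blocking and is ignored) and nameserver lines that are not in a list the owner trusts. The hosts and resolver text, the addresses (documentation ranges) and the `.example` names are constructed samples; on a real machine you would read /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and /etc/resolv.conf instead.

```javascript
// Added example (not from the thread): audit a hosts file and resolver
// configuration for entries that would silently send name lookups elsewhere.

// Addresses that only point back at this machine or blackhole a name.
function isLocalOrBlackhole(addr) {
  return addr === '::1' || addr === '0.0.0.0' || addr.startsWith('127.') || addr.startsWith('fe80:');
}

// Parse hosts-file text into { addr, name } pairs, ignoring comments and blanks.
function parseHosts(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim();
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    for (const name of names) entries.push({ addr, name: name.toLowerCase() });
  }
  return entries;
}

// A public name pinned to a non-local address is the classic hosts-file hijack:
// the browser never asks DNS for it, so the request goes wherever the entry says.
function findHostsOverrides(text) {
  return parseHosts(text).filter(e => e.name !== 'localhost' && !isLocalOrBlackhole(e.addr));
}

// Report nameserver lines that are not in the owner's list of trusted resolvers
// (the router, the ISP, or a public resolver the owner chose on purpose).
function findUnexpectedResolvers(text, trusted) {
  const unexpected = [];
  for (const raw of text.split('\n')) {
    const m = raw.split('#')[0].trim().match(/^nameserver\s+(\S+)/i);
    if (m && !trusted.includes(m[1])) unexpected.push(m[1]);
  }
  return unexpected;
}

// Constructed sample hosts file: two harmless local entries, one ad block,
// and one entry that pins an update host to a foreign address.
const SAMPLE_HOSTS = `
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.example                          # blocking an ad host: harmless
203.0.113.45 updates.example cdn.updates.example  # constructed: update host pinned elsewhere
`;

// Constructed sample resolver config: the router plus one resolver nobody set up.
const SAMPLE_RESOLV = `
# constructed resolver config
nameserver 192.168.1.1
nameserver 198.51.100.9   # not the router and not the ISP
`;

console.log(findHostsOverrides(SAMPLE_HOSTS));
console.log(findUnexpectedResolvers(SAMPLE_RESOLV, ['192.168.1.1']));
```

The two checks are deliberately dumb: they do not try to decide whether an address is "bad", only whether it is somewhere the owner did not put it. That is the right bar for the situation in the thread, where the same symptom on two machines that share a router would point at the resolver list, and a symptom that follows one browser session and stops when it closes would point back at the page (or its adverts), as Richard W argues.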