Monday 20 July 2015

Attacked by advanced browser hijacker – See who fared better, Google Chrome or Pale Moon Browser.

I recently had the misfortune to stumble across a browser hijack.

I used this opportunity to compare two browsers, Google Chrome and Pale Moon.





View on to see which browser surprisingly fared better. (I also ran a couple security related browser apps at it to see if they helped).


Context:

I currently am using 2 browsers, Pale Moon (a Firefox fork) and Google Chrome. So when I came across this attack website, I tried both browsers and several security plugins on it to see which fared better in terms of protection.

I run my browsers through sandboxie. It protects your system from virtually any browser related system attack. I highly recommend it. www.sandboxie.com (the site indicates it is a paid program now, but I am still using it for free. I suspect it will run free with limitations?). Winpatrol was also useful in killing/terminating my frozen browser. www.winpatrol.com (has a free and paid version).

Here's what the Attack Looked Like:

This pic is from Google Chrome.  Pale Moon looked similar, but pop up was different shape.

Results:

The site has far greater proficiency at taking control of Google Chrome (which surprised me).

Google Chrome:

-Browser was rendered useless. It was frozen and completely inoperable. A long narrow pop up appeared in the center of the browser with more warnings. If you cleared the pop up, it would appear again. The tab would not close. You could not open more tabs. The browser could not be closed by the upper right `X’ or via right clicking and selecting close in the task bar. You could not access Chrome options or tools or anything. Absolutely nothing worked in Chrome.

-The site indicated that my system was infected and tried to convince me that I needed to phone their provided number for help.

-An audible message kept repeating itself prompting me to phone them. It said I was infected and to phone them for cleaning.

Solution:  killed Google Chrome with Winpatrol (you can likely use Windows Task Manager). Then I deleted Sandboxie session. If I didn’t have Sandboxie running, I would have used Ccleaner.

Pale Moon:

-Annoying audible warning played trying to trick me into phoning them.

-Pop up in center screen appeared and webpage had same various warnings and promptings to phone for assistance. This tab would not close.

-However, I could open other tabs and continue browsing in these other tabs.

-With some clicking, I could manage to close the Pale Moon browser. You had to click a little box in pop up restricting pop up from reopening and then quickly closing tab or browser. After several attempts (if you were too slow, pop up would reappear) I could close browser.

-So it appear the takeover of Pale Moon was not complete, as in the case of Google Chrome. 

Supplementary:

With browsers open to infected site, I ran several anti-malware scans. And no body detected anything. So the website wasn’t trying to infect my system, just freeze my browser and trick me into phoning them, where they would likely try and acquire my credit card numbers for assistance.

-Windows Defender.

-Iobit Malware Fighter Paid version.

-Malwarebytes Free.

-Webroot Secure Anywhere.

-Zemena Anti-malware (which uses numerous antivirus engines including Bitdefender, Eset, etc).

Extension Run Down:

Several extensions were tried and didn’t help with anything. Site Raters and scanners tried that were impudent:

-WOT.

-Bitdefender Trafficlight.

-Avira Browser Safety.

These did not stop navigation to site. And they did not rate it as malicious (yet).

Flash block, Adblock Latitude, Adblock Plus, BrowserProtect, and Protect-Access free did nothing to hinder this particular attack.

One extension offered a warning:

Webroot Reputation Toolbar

Webroot warned me that the site was a moderate risk, so you could steer clear from a search. But if directed there, it does not stop the take over nor give control back. But it did offer some warning where others did not.

Further testing:

If you wish to try a different browser or extension on this particular site, please post results in comments for us. The site in question is www adwaresystemscan com. This site is malicious; don’t go there if you don’t know what you are doing. Use Sandboxie or equivalent protection.

4 comments:

  1. Updated to include Internet Explorer 11 (with Active X filtering on, Protected Mode on, and SmartScreen filter on - Windows 7)

    IE experienced the same symptoms as Google Chrome browser. It was completely inoperable and frozen: annoying voice warnings and pop ups were all present. I could not shut down the browser via the browser and was forced to do so with WinPatrol.

    ReplyDelete
  2. Updated to include Microsoft Edge (on windows 10 - with default config). With Edge, I could control my browser and exit the tab or browser.
    ______________________________________________________

    Further information concerning attack from Microsoft's malware page:

    Rogue:JS/FakeCall.D

    "This threat is a webpage that claims your PC is infected with malware. It asks you to phone a number to receive technical support to help remove the malware.

    The website is a hoax and cannot find malware on your PC."

    https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Rogue%3aJS%2fFakeCall.D&threatid=222748&enterprise=0#tab=1

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete