By Steve Espino – PC Tools Malware Research Team
Stealthy malware can redirect web search results to websites other than what was initially being searched for. The user may be redirected to advertising websites, fake antivirus sites, and some completely unrelated sites which generate revenue for the remote attackers and their partners.
The malware writers are able to execute this attack using various methods, for example: malicious browser plugins, infected executables and system files, rootkit malware, and also router-based malware.
TDSS
The most prevalent attacks that redirect web search results are TDSS-related. TDSS infections can be particularly difficult to deal with, as they mask their presence on the affected computer, making them virtually undetectable.
Symptoms of infection apart from web search result redirection are unresponsive computers, inaccessible or missing files and folders, inactive antivirus software, inaccessible security-related websites, and frequent Windows crashes (BSOD).
Unmasking TDSS using the GMER tool
For more examples of TDSS infections and changes made to the affected system, you can refer to our ThreatExpert system.
PC Tools Spyware Doctor detecting a variant of TDSS
Information Theft
Since the network traffic has been hijacked, the remote attackers have the ability to collect sensitive information such as usernames and passwords, credit card details, online banking credentials etc. These are regarded as commodities in the underground communities, and again generate revenue for the remote attackers.
Router-Based Malware: Same Target, Different Approach
Although an increasing number of people are taking steps to secure their online environment, one step that most people probably overlook is securing their router/modem. Most of these devices are left in the state in which they were shipped.
Sneaky malware writers are aware of the fact that most routers/modems are being used with default settings and/or weak passwords, and are exploiting this weakness. This allows a remote attacker to make changes to the router/modem to their liking. They can even turn it into a zombie as part of a bot network responding to remote commands, all without the user’s knowledge.
In this approach the attacks are targeted against routers/modems rather than the actual computers, which can make detection a challenging task.
Router Cleanup
If the router/modem has been compromised there are necessary steps to perform in order to secure the device. But before doing anything, you need to make sure you have your internet connection configuration details from your Internet Service Provider (ISP) and ensure that you have your router/modem device user manual with you. If you have these details in digital formats, it might be a good idea to print them out, as you may lose your internet connection if the settings are not properly configured.
While performing these steps you will be required to access the router/modem device web interface which can be accessed via the web browser using the following common IP addresses:
1. 10.0.1.1
2. 192.168.0.1
3. 192.168.1.1
4. 192.168.2.1
And if the device administrator credentials have been left as factory-default, the following would be the common credentials:
User: admin
Password: password
These settings may vary depending on the device being used, and it is always recommended to refer to the device user manual for the correct settings.
To be on the safe side, it is recommended that a wired connection to the router/modem device be used while performing these steps:
1. Clear your computer’s DNS resolver cache
To speed up domain name resolution for frequently-visited websites, the results of name resolution requests are cached; this cache may contain malicious entries causing the web search result redirection:
On the command prompt enter: ipconfig /flushdns
2. Reboot the router/modem
Some malware runs only in the router/modem’s memory, so rebooting the device may sometimes do the trick.
Refer to the device user manual for instructions.
3. Update the device firmware
Firmware updates often fix bugs and address vulnerabilities, which can make the device immune to this attack. Refer to the device user manual for instructions on how to get the latest firmware for your device. If your device has an option to automatically check for and install updated firmware, make sure to have that enabled.
4. Restore device to factory-default settings
This reverts the device to factory-default condition, erasing traces of the malware.
Refer to the device user manual for instructions.
5. Reconfigure internet connection settings
Please refer to instructions as specified by your ISP for the proper configuration.
6. Change the default admin password on the device
Remote attackers already know the default credentials for ‘fresh’ devices and can easily crack weak passwords. It is highly recommended to use secure passwords. You may use the PC Tools Secure Password Generator.
7. Reconfigure your wireless connection
Depending on the device you are using, you might need to reconfigure your wireless connection before you can use it. Refer to your device user manual for configuration details and don’t forget to use secure passwords.
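Added example (not from the original article): a small Python script that reads the output of ipconfig /all, pulls out the DNS servers each adapter has been given, and flags any that is neither the router itself nor on an allow-list you fill in from your ISP's connection details. The ipconfig text in the block is a constructed sample, and the allow-list is an assumption; on the affected Windows machine you would feed the real ipconfig /all output to parse_ipconfig instead.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of 'ipconfig /all' output, not captured from a real host.
# 203.0.113.7 (a documentation-range address) stands in for a resolver that a
# home router's DHCP should not be handing out.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
FIELD = re.compile(r"\s+(Default Gateway|DNS Servers)[ .]*: ?(.*)")
LAN = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]


def parse_ipconfig(text):
    """Return {adapter: {"gateway": [...], "dns": [...]}} from 'ipconfig /all' text."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, field = line.strip().rstrip(":"), None   # adapter header line
            adapters[current] = {"gateway": [], "dns": []}
            continue
        m = FIELD.match(line)
        if m and current:
            field = "gateway" if m.group(1).startswith("Default") else "dns"
            value = m.group(2).strip()
        elif field and line.startswith(" " * 20):   # extra value of the same field
            value = line.strip()
        else:
            field, value = None, ""
        if value:
            adapters[current][field].append(value.split("%")[0])  # drop IPv6 zone id
    return adapters


def audit_dns(adapters, trusted=frozenset()):
    """Label each DNS server: 'gateway' (router forwards DNS; normal, but the router's own
    upstream setting then needs checking), 'trusted' (in the caller's allow-list, e.g. the
    ISP resolvers), 'private' (LAN address other than the gateway) or 'suspicious'."""
    findings = []
    for name, cfg in adapters.items():
        for server in cfg["dns"]:
            verdict = ("gateway" if server in cfg["gateway"] else "trusted" if server in trusted
                       else "private" if any(ip_address(server) in n for n in LAN) else "suspicious")
            findings.append((name, server, verdict))
    return findings
```

A 'gateway' verdict only means the PC asks the router; whether the router itself forwards to a legitimate upstream resolver is what steps 3 to 6 above are for.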
Fix TDSS-Related Web Search Redirection Using PC Tools™ HIT Scan
PC Tools™ HIT (Hidden Intrusive Threat) Scan is a powerful tool that exposes threats by detecting anomalies in the file system that would otherwise have been left undetected by conventional antivirus software.
The tool can be freely downloaded but PC Tools customers have the option to send the HIT Scan logs to our customer support representatives for further assistance if required.
For more information on how to obtain and use HIT Scan to fix TDSS-related web search redirection on your computer please refer to this document.
Protection
To ensure that your computer is appropriately protected, please take the necessary steps and ensure that all the relevant software in use has the latest updates and patches. These steps are necessary to patch known vulnerabilities and protect your computer from possible security threats.
For the latest critical and security updates for Microsoft Windows, please use Automatic Updates or visit the following site.
It is also important to keep your antivirus software up-to-date with the latest versions and definitions.
Here are some of our free solutions:
PC Tools Patch Scanner – scans your computer for missing Windows updates.
PC Tools™ AntiVirus Free 2011 – free antivirus solution
Alternate Operating System Scanner (AOSS) – PC Tools utility for scanning rootkit malware that may otherwise be invisible while the computer is running
Browser Defender – PC Tools toolbar that allows you to surf safely by displaying site ratings as you browse the Internet.
For more software to keep your PC and identity secure against TDSS and other malware, please visit: http://www.pctools.com/pc-software