Posted on May 10, 2006 at 3:25 PM in how-to
Note: The below is an archived entry from Earthling, formerly EarthLink's official blog. The blog itself has been decommissioned and is no longer updated, and comments and trackbacks are no longer accepted.
In case you didn't follow the Yapbrowser malware story a couple of weeks ago, spyware watchers were alarmed to find an application that, when installed, redirected all a user's searches to child porn sites. There's a full play-by-play with video here showing what would happen if you downloaded and installed the software on your computer. When last we left off with the story, Wayne Porter of Facetime Security Labs challenged the Yapbrowser people to an online discussion and they agreed.
Just last week Porter heard back from Yapbrowser. On May 5 he published spokesperson John Sandy's answers to his questions, without comment, as were the rules of engagement.
You can read the whole thing here. He's also made it available in Sandy's original language, Russian.
If nothing else, the interview highlights several gaps where testing the application should have revealed that it was incorrectly redirecting to really nasty places. It's an interesting read, and I urge you to draw your own conclusions.
But what if, for whatever reason, you found your computer on the receiving end of something like what Yapbrowser did? It would be frustrating enough to have a piece of software hijack your web browser, but what if in so doing it also started delivering something illegal like child pornography?
I spoke to EarthLink protection software Product Managers Ben Kaplan and Liza Barry-Kessler about this, and they've provided some tips for what to do if such a thing happens to you, and how best to avoid a browser hijacking in the first place.
What to do if your browser starts redirecting to illicit material
Remove it, then report it. The first priority should be just getting it off of your machine and returning normal function to your computer.
- How To Remove it:
If you already have an anti-spyware/virus application on your computer like the EarthLink Protection Control Center, disconnect from the internet and start up the software if it's not already on. Perform a full scan of your machine and let the scan run its course. Remove any viruses or spyware the program finds. Once you've done that, restart your computer and run a second scan. Some spyware deliberately tries to hide from any kind of scan, so it's important to go through this again once after restart and again delete anything it finds.
In most cases, this will restore your computer to normal function. But because spyware is something of an arms race, with programmers constantly working to defeat the tools, the path to a fully clean computer might require some extra steps in extreme cases. Many experts suggest the extra step of starting up your computer again, this time in safe mode: when you see the first startup screen, with a bunch of hardware and memory information on it, press F8 and choose the "Safe Mode" option. This will temporarily protect your computer from additional damage, but it will also temporarily stop your computer from connecting to the internet via dial-up or direct DSL connection. From there, run a third-party standalone anti-spyware program like Ad-Aware and remove anything it recommends. After a restart to get out of safe mode, you should be in good shape. From there, you'll also want to open up the preferences of your web browser and clear all cache, cookies, and temporary internet files.
- How To Report it:
If you believe you've run across child pornography anywhere, especially as part of a spyware infestation on your computer, report it to the National Center For Missing and Exploited Children. Use their Cyber Tipline page to get more information and drop a dime on the perpetrators. You can use the orange "Report" button to send them a report. (It's a fairly clunky web interface, but if you fill it out, they'll probably get enough information that they won't need to call you back for more details.)
Liza adds, "Remember, the possession of child pornography for any reason is a federal felony, so after you report it, make sure you've cleaned your cache, cookies, and temporary internet files. Don't go out looking for more examples to report. And please don't send the URL to us!"
Update: I was having internet troubles today, and in the confusion failed to add on the "how to avoid a hijacking in the first place" part of it. Here are a few tips from Ben on that:
- Get to know the products you are thinking about installing to your computer. Read the EULAs (End-User License Agreements) thoroughly to make sure you know everything that's being installed in the package.
- If you choose to surf the internet for sexual content, know that that will increase the risk of spyware finding its way to your machine. The same goes for looking for hacked software.
- Don't agree to install anything unless you know what it is and are comfortable with its purpose on your computer.
Comments
sometimes i wonder if my virus protection is really working my other spyware programs seem to work but not all work as well. I wonder if I should us another co. even though I paid so much for virus protection?
Posted by Everette Singleton | May 10, 2006 11:07 PM
I don't think Everette Singleton knows a lot about spelling, you know 'cus like she posted something about a virus and used a wrong word but I also had the same question as hers. Umm what should I do about my protection? thanx for listening, sincerely me. :-D
Posted by JB | May 14, 2006 10:13 PM
Everette: Are you using the EarthLink PCC now? As long as you keep the virus definitions up to date and keep the PCC on, it should take care of spyware and virus threats. Hope that helps!
Posted by Dave Coustan (earthling) | May 15, 2006 9:09 AM
What stupid American law considers "child porn" isn't child porn to me...
I'm 20 years old and 16 year old girls are only 4 years younger than me and they're still hot.
Posted by lee | May 17, 2006 3:27 PM
Dear Lee: It's not the age difference that matters, but it's more about the intentions that you bring to an unexperienced teenager. I'm 20 years old too and I understand your point of view, however taking advantage of someone younger would be like taking their chances of having their first "everything" with someone also unexperienced. Having friends our own age helps us blossom emotionally according to plan other than speeding up our life. We have to live life step by step with no rush, and make our decisions memorable not regretful. Hopefully now you understand the emotional effect you might have on an unexperienced teenage girl.
Posted by JB | May 26, 2006 1:56 PM
LEE: I think you and I need to e-mail each other.
Posted by JB | May 26, 2006 2:38 PM
Dave Coustan: You may think that now, but when you're 30, you'll still be looking at the 16 year olds.
I thought this when I was 16 and looking at girls a few years younger.
Now I'm 24 and facing a child porn conviction.
Posted by S | June 15, 2006 9:47 AM
I think 'S' needs a software protection to keep him out of trouble.
Posted by JB | June 22, 2006 10:55 PM
I can't figure out if my PCC firewall is giving me protection. Scanning my computer reveals no malicious software. But when my computer boots, I keep getting a firewall message that says some unknown program is trying to access the internet. What the heck is going on?
Posted by Greg Kipp | July 22, 2006 5:47 PM
OK. I have been experiencing a very frustrating situation for about 6 to 8 weeks or more, now. When I run PCC it is now finding 6 items, it started with two. I always delete them and the next day they show right back up. They are "WinMoviePlugin", "CoolWebSearch", "Transponder.Bolger", "EliteMediaPopup", "SearchSquire", and "SpywareQuake". They have anywhere from one up to 5 variants listed, all of which reside in the Registry. I can track them in it, but I'm afraid to do anything there. I also run SpyBot S&D, Ad-Aware, and SpywareBlaster.
Sooo, I have downloaded CWShredder and ran it. It doesn't find anything! Before I try a system restore, I want to try the instructions you have for that listed above. My DOOFUS question is--"Am I disconnected from the Net if I just close out Total Access, or do I need to shut off my modem?"
Posted by Cary | July 22, 2006 11:45 PM
Hi JB,
Can you tell me specifically what the Firewall Alert is telling you? If this alert appears when you are trying to access anything on the Internet, more than likely you are fine and should allow the communication. Are you seeing a message that says IP address # # # is trying to connect to # # #? If so, this is normal.
Posted by Ben | July 25, 2006 9:58 AM