{{short description|Form of unwanted software}}

'''Browser hijacking''' is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own.<ref>{{cite web|url=http://www.microsoft.com/security/resources/hijacking-whatis.aspx|title=Browser Hijacking Fix & Browser Hijacking Removal|work=Microsoft|access-date=23 October 2012|archive-date=7 February 2015|archive-url=https://web.archive.org/web/20150207081529/http://www.microsoft.com/security/resources/hijacking-whatis.aspx|url-status=live}}</ref> These are generally used to force hits to a particular website, increasing its advertising revenue.

Some browser hijackers also contain spyware; for example, some install a software keylogger to gather information such as banking and e-mail authentication details. Some browser hijackers can also damage the registry on Windows systems, often permanently.

While some browser hijacking can be easily reversed, other instances may be difficult to reverse. Various software packages exist to prevent such modification.

Many browser hijacking programs are included in software bundles that the user did not choose and are included as "offers" in the installer for another program, often included with no uninstall instructions, or documentation on what they do, and are presented in a way that is designed to be confusing for the average user, to trick them into installing unwanted extra software.<ref name=malwarebytes>{{cite web|url=https://www.malwarebytes.org/pup/|title=Malwarebytes Potentially Unwanted Program Criteria|publisher=Malwarebytes|access-date=2015-08-07|archive-date=2016-04-09|archive-url=https://web.archive.org/web/20160409041138/https://www.malwarebytes.org/pup/|url-status=live}}</ref><ref>{{cite web|title=Rating the best anti-malware solutions|url=https://arstechnica.com/security/2009/12/av-comparatives-picks-eight-antipua-winners/|publisher=Arstechnica|access-date=28 January 2014|date=2009-12-15|archive-date=2014-02-02|archive-url=https://web.archive.org/web/20140202092753/http://arstechnica.com/security/2009/12/av-comparatives-picks-eight-antipua-winners/|url-status=live}}</ref><ref>{{cite web|title=Threat Encyclopedia – Generic Grayware|url=http://about-threats.trendmicro.com/us/archive/grayware/GENERIC_GRAYWARE|publisher=Trend Micro|access-date=27 November 2012|archive-date=14 July 2014|archive-url=https://web.archive.org/web/20140714140157/http://about-threats.trendmicro.com/us/archive/grayware/GENERIC_GRAYWARE|url-status=live}}</ref><ref name="PUP Criteria">{{cite web|title=PUP Criteria|publisher=Malwarebytes|url=http://www.malwarebytes.org/pup/|access-date=2019-01-06|archive-date=2016-04-09|archive-url=https://web.archive.org/web/20160409041138/https://www.malwarebytes.org/pup/|url-status=live}}</ref>

There are several methods that browser hijackers use to gain entry to an operating system. Email attachments and files downloaded through suspicious websites and torrents are common tactics that browser hijackers use.{{Citation needed|date=March 2017}}

== Security ==

=== Rogue security software ===
Some rogue security software will also hijack the start page, generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead the user to an anti-spyware vendor's page. The start page will return to normal settings once the user buys the vendor's software. Programs such as WinFixer are known to hijack the user's start page and redirect it to another website.

=== Non-existent domain pages ===
The Domain Name System is queried when a user types in the name of a website (e.g., wikipedia.org) and the DNS returns the IP address of the website if it exists. If a user mistypes the name of a website then the DNS will return a Non-Existent Domain (NXDOMAIN) response.

Historically, some Internet Service Providers (ISPs) like EarthLink in 2006 intercepted NXDOMAIN responses at the server level to redirect users to ad-heavy search pages, sparking significant privacy concerns. On modern networks, this practice has largely declined due to widespread adoption of encrypted DNS protocols (such as DoH and DoT) and browser-level error handling, which prevent ISPs from tampering with unresolved domain queries.<ref>{{cite news|last=Mook|first=Nate|title=EarthLink Criticized for DNS Redirects|url=http://betanews.com/2006/09/06/earthlink-criticized-for-dns-redirects/|access-date=9 May 2012|newspaper=betaNews|date=2006-09-06|archive-date=2012-05-01|archive-url=https://web.archive.org/web/20120501085718/http://betanews.com/2006/09/06/earthlink-criticized-for-dns-redirects/|url-status=live}}</ref>
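A check for the NXDOMAIN rewriting described above, written as an added example for this article (it is not code from any ISP, vendor or browser named here). It resolves several random labels under a zone and treats a uniform answer for all of them as rewriting; the resolver is passed in as a function so the check runs offline against constructed resolvers, and `example.com` and the 192.0.2.x (TEST-NET) addresses are placeholder values.

```python
import secrets
from typing import Callable, Optional

# A resolver maps a hostname to an IP string, or to None for NXDOMAIN.
# In practice this would wrap socket.gethostbyname or a DNS library;
# here constructed resolvers are used so the check runs offline.
Resolver = Callable[[str], Optional[str]]


def random_probe_names(zone: str, count: int = 3) -> list:
    """Random 16-hex-character labels are effectively guaranteed not to exist."""
    return [f"{secrets.token_hex(8)}.{zone}" for _ in range(count)]


def detect_nxdomain_rewrite(resolve: Resolver, zone: str = "example.com", count: int = 3) -> dict:
    """Classify how a resolver handles names that do not exist.

    honest     every probe came back NXDOMAIN (None)
    rewriting  every probe resolved, all to one address: the resolver is
               substituting its own page for the NXDOMAIN response
    ambiguous  mixed answers, e.g. a wildcard record in the zone or a
               resolver that only rewrites some queries

    Caveat: a zone with a wildcard A record looks like rewriting, so probe
    a zone known not to have one, or probe several zones.
    """
    answers = {name: resolve(name) for name in random_probe_names(zone, count)}
    addresses = {ip for ip in answers.values() if ip is not None}
    if not addresses:
        verdict = "honest"
    elif len(addresses) == 1 and None not in answers.values():
        verdict = "rewriting"
    else:
        verdict = "ambiguous"
    return {"verdict": verdict, "answers": answers, "redirect_targets": sorted(addresses)}


# --- constructed resolvers standing in for real DNS (TEST-NET addresses) ---
KNOWN_HOSTS = {"www.example.com": "192.0.2.1"}


def honest_resolver(name: str) -> Optional[str]:
    """Returns NXDOMAIN (None) for anything it does not know."""
    return KNOWN_HOSTS.get(name)


def rewriting_resolver(name: str) -> Optional[str]:
    """Behaves like the ISP practice above: unknown names get the ad page's address."""
    return KNOWN_HOSTS.get(name, "192.0.2.10")


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("rewriting", rewriting_resolver)):
        print(label, detect_nxdomain_rewrite(resolver)["verdict"])
```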

=== Operation ===
Unwanted programs often include no sign that they are installed, and no uninstall or opt-out instructions.<ref name=malwarebytes/>

Most hijacking programs constantly change the settings of browsers, meaning that user choices in their own browser are overwritten. Some antivirus software identifies browser hijacking software as malicious software and can remove it. Some spyware scanning programs have a browser restore function to set the user's browser settings back to normal or alert them when their browser page has been changed.
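The "alert the user when their browser page has been changed" function described above, written as an added example for this article (not code from any product it names): a baseline snapshot of the browser's homepage, start-up pages and search provider is compared with the current snapshot, and any change that points at one of the hijacker domains listed later in this article is flagged. The snapshot structure and sample values are constructed for the example and only loosely follow a Chromium Preferences file; `example.org` and `example.net` are placeholders.

```python
import json
from urllib.parse import urlparse

# Hijacker domains named in this article's "Examples of hijackers" sections;
# a real deployment would keep this list in a maintained feed.
HIJACKER_DOMAINS = {
    "trovi.com", "trovigo.com", "conduit.com", "isearch.babylon.com",
    "istartsurf.com", "snap.do", "vosteran.com", "astromenda.com",
    "esurf.biz", "binkiland.com", "en.4yendex.com",
}

# Settings a hijacker typically rewrites, as key paths into a JSON settings
# snapshot. The snapshot shape is constructed for this example.
WATCHED = {
    "homepage": ("homepage",),
    "startup_urls": ("session", "startup_urls"),
    "search_url": ("default_search_provider", "url"),
}


def _lookup(snapshot: dict, path: tuple):
    node = snapshot
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _as_urls(value) -> list:
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def is_hijacker_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed hijacker domain."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in HIJACKER_DOMAINS for i in range(len(labels)))


def settings_drift(baseline: dict, current: dict) -> list:
    """Compare two settings snapshots and report every watched field that moved.

    A change whose new value points at a listed domain is rated 'hijack';
    any other change is rated 'changed' so the user can confirm it was theirs.
    """
    findings = []
    for field, path in WATCHED.items():
        before, after = _lookup(baseline, path), _lookup(current, path)
        if before == after:
            continue
        hosts = {urlparse(u).hostname or "" for u in _as_urls(after)}
        bad = sorted(h for h in hosts if is_hijacker_host(h))
        findings.append({"field": field, "before": before, "after": after,
                         "severity": "hijack" if bad else "changed",
                         "hijacker_hosts": bad})
    return findings


# Constructed snapshots: a known-good baseline and the same profile after a
# Trovi-style hijack that rewrote homepage, start-up page and search provider.
BASELINE = json.loads('''{"homepage": "https://www.example.org/",
  "session": {"startup_urls": ["https://www.example.org/"]},
  "default_search_provider": {"url": "https://www.bing.com/search?q={searchTerms}"}}''')
HIJACKED = json.loads('''{"homepage": "http://www.trovi.com/",
  "session": {"startup_urls": ["http://www.trovi.com/"]},
  "default_search_provider": {"url": "http://www.trovi.com/?q={searchTerms}"}}''')

if __name__ == "__main__":
    for finding in settings_drift(BASELINE, HIJACKED):
        print(finding["severity"], finding["field"], "->", finding["after"])
```

Because hijackers such as Search Protect re-apply their settings after the user changes them back, the comparison is meant to be run repeatedly against the saved baseline rather than once.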

== Avoidance ==
As of Microsoft Windows 10, web browsers can no longer set themselves as a user's default without further intervention; changing the default web browser must be performed manually by the user from Settings' "Default apps" page, ostensibly to prevent browser hijacking.<ref name=verge-w10defaults>{{cite web|title=Mozilla blasts Microsoft for making it harder to switch to Firefox in Windows 10|url=https://www.theverge.com/2015/7/30/9076445/mozilla-microsoft-windows-10-browser-default-apps-complaint|website=The Verge|publisher=Vox Media|access-date=October 18, 2015|date=2015-07-30|archive-date=2015-07-31|archive-url=https://web.archive.org/web/20150731081027/https://www.theverge.com/2015/7/30/9076445/mozilla-microsoft-windows-10-browser-default-apps-complaint|url-status=live}}</ref>

== Examples of hijackers ==
A number of hijackers change the browser homepage, display adverts, and/or set the default search engine; these include '''Astromenda''' (www.astromenda.com);<ref>{{cite web|url=https://www.symantec.com/security_response/writeup.jsp?docid=2014-102413-2921-99|title=PUA.Astromenda|work=Symantec|access-date=2015-08-24|archive-date=2015-09-08|archive-url=https://web.archive.org/web/20150908065844/https://www.symantec.com/security_response/writeup.jsp?docid=2014-102413-2921-99|url-status=dead}}</ref><ref>{{cite web|url=http://www.lavasoft.com/mylavasoft/company/blog/how-to-remove-astromenda-search-from-your-browser|title=How to Remove Astromenda Search From Your Browser|work=Lavasoft|access-date=2015-08-24|archive-date=2015-09-05|archive-url=https://web.archive.org/web/20150905095120/http://www.lavasoft.com/mylavasoft/company/blog/how-to-remove-astromenda-search-from-your-browser|url-status=live}}</ref><ref>{{cite web|url=https://support.norton.com/sp/en/au/home/current/solutions/v104104984_EndUserProfile_en_us|title=Remove Astromenda, Buzzdock and Extended Update toolbar from your browser|work=norton.com|access-date=2015-08-24|archive-date=2015-09-25|archive-url=https://web.archive.org/web/20150925110518/https://support.norton.com/sp/en/au/home/current/solutions/v104104984_EndUserProfile_en_us|url-status=live}}</ref> '''Ask Toolbar''' (ask.com); '''ESurf''' (esurf.biz); '''Binkiland''' (binkiland.com); '''Delta''' and '''Claro'''; '''Dregol''';<ref>{{Cite web | url=http://www.pcvirus-lab.com/dregol-search-removal/ | title=Dregol Search Removal &#124; Removal Guide | access-date=2016-03-22 | archive-date=2021-04-10 | archive-url=https://web.archive.org/web/20210410185435/http://www.pcvirus-lab.com/dregol-search-removal/ | url-status=live }}</ref> '''Jamenize'''; '''Mindspark'''; '''Groovorio'''; '''Sweet Page'''; '''Mazy Search'''; '''Pensirot'''; '''Search Protect by Conduit''' along with '''search.conduit.com''' and variants; '''Tuvaro'''; '''Spigot'''; '''en.4yendex.com'''; '''Yahoo'''; etc.

{{Further|MonaRonaDona}}

=== Babylon Toolbar ===
Babylon Toolbar is a browser hijacker that will change the browser homepage and set the default search engine to isearch.babylon.com. It is also a form of adware. It displays advertisements, sponsored links, and spurious paid search results. The program will also collect search terms from search queries.

Babylon's translation software prompts to add the ''Babylon Toolbar'' on installation. The toolbar also comes bundled as an add-on with other software downloads.<ref name="Getting rid of Babylon">[http://blog.chron.com/helpline/2012/07/getting-rid-of-babylon/ Getting rid of Babylon] {{Webarchive|url=https://web.archive.org/web/20121026013638/http://blog.chron.com/helpline/2012/07/getting-rid-of-babylon/ |date=2012-10-26 }} Jay Lee, The Houston Chronicle, July 25, 2012</ref>

In 2011, the CNet site ''Download.com'' started bundling the Babylon Toolbar with open-source packages such as Nmap. Gordon Lyon, the developer of Nmap, was upset over the way users of his software were tricked into using the toolbar.<ref>{{Cite web |last=Leyden |first=John |title=Download.com sorry for bundling Nmap with crapware |url=https://www.theregister.com/2011/12/09/download_nmap_toolbar_row_latest/ |access-date=2023-01-11 |website=www.theregister.com |language=en |archive-date=2023-01-11 |archive-url=https://web.archive.org/web/20230111223538/https://www.theregister.com/2011/12/09/download_nmap_toolbar_row_latest/ |url-status=live }}</ref> The vice-president of Download.com, Sean Murphy, released an apology: ''The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.''<ref>[http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/ A note from Sean regarding the Download.com Installer] {{Webarchive|url=https://web.archive.org/web/20120727160619/http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/ |date=2012-07-27 }} Download.com December 7, 2011</ref>

Similar variants of the Babylon toolbar and search homepage exist, including Bueno Search, Delta Search, Claro Search, and Search GOL. All of these variants state in their terms of service that they are owned by Babylon.

All of the toolbars were created by Montiera.<ref>{{cite web |url=http://montiera.com/caseStudies-babylon.html |title=Montiera |website=montiera.com |access-date=13 January 2022 |archive-url=https://web.archive.org/web/20161203092916/http://montiera.com/caseStudies-babylon.html |archive-date=3 December 2016 |url-status=dead}}</ref>

=== Conduit (Search Protect) ===
Conduit is a hijacker that steals personal and confidential information from the user and transfers it to a third party. This toolbar has been identified as a ''Potentially Unwanted Program (PUP)'' by Malwarebytes<ref>{{cite web | title = How to remove Search Protect by Conduit Ltd | publisher = Lavasoft | date = 2013-06-01 | url = http://lavasoft.com/mylavasoft/company/blog/how-to-remove-search-protect-by-conduit-ltd | access-date = 2013-10-12 | archive-date = 2014-09-10 | archive-url = https://web.archive.org/web/20140910000857/http://lavasoft.com/mylavasoft/company/blog/how-to-remove-search-protect-by-conduit-ltd | url-status = live }}</ref> and is typically bundled with free downloads.<ref>{{cite web | title =Bundle Your Software with a Custom Toolbar & Start Making Money| publisher = Conduit Ltd. | year = 2013 | url = http://toolbar.conduit.com/bundle-software.aspx | access-date = 2013-10-12 | archive-url=https://web.archive.org/web/20140331144103/http://toolbar.conduit.com/bundle-software.aspx | archive-date=2014-03-31}}</ref><ref>{{cite web | title = Download me II—Removing the remnants of the Web's most dangerous search terms | website = Ars Technica | date = 2013-08-25 | url = https://arstechnica.com/information-technology/2013/08/download-me-ii-removing-the-remnants-of-the-webs-most-dangerous-search-terms/ | access-date = 2013-10-12 | archive-date = 2013-10-01 | archive-url = https://web.archive.org/web/20131001104117/http://arstechnica.com/information-technology/2013/08/download-me-ii-removing-the-remnants-of-the-webs-most-dangerous-search-terms/ | url-status = live }}</ref> These toolbars modify the browser's default search engine, homepage, new tab page, and several other browser settings.

There are similar variants of Conduit search, such as trovi.com, trovigo.com, better-search.net, seekforsearch.com, searchitdown.com, need4search.com, clearsearches.com, search-armor.com, searchthatup.com, and premiumsearchweb.com, along with other variants created in a customized way through the toolbar creation service that Conduit Ltd used to offer.{{Citation needed|reason=Each variant needs a reliable source of its own.|date=March 2017}}

A program called "Conduit Search Protect", better known as "Search Protect by Conduit", can cause severe system errors upon uninstallation. It claims to protect browser settings but actually attempts to block changes to the malicious settings. Search Protect has an option to change the search homepage from the "recommended" search home page Trovi, but users have reported it changing back to Trovi after a period of time.{{Citation needed|date = May 2015}} The uninstall program for Search Protect can cause Windows to be unbootable, because the uninstall file removes not only its own files but also all the boot files in the root of the C: drive,{{citation needed|date=September 2014}} and it leaves a BackGroundContainer.dll file in the start-up registry.<ref>{{cite web|title=Fixing BackgroundContainer.dll Left Over by Conduit Ltd|url=http://appuals.com/fixing-backgroundcontainer-dll-error/|publisher=appuals|access-date=20 March 2015|archive-date=26 March 2015|archive-url=https://web.archive.org/web/20150326021509/http://appuals.com/fixing-backgroundcontainer-dll-error/|url-status=live}}</ref> Conduit is associated with malware, spyware, and adware, as victims of this hijacker have reported unwanted pop-ups and embedded in-text advertisements on sites that otherwise carry no ads.

Perion Network Ltd. acquired Conduit's ClientConnect business in early January 2014,<ref name="PerionConduitClientClonnectAcquisitionPressRelease">{{cite press release |author=<!--Staff writer(s); no by-line.--> |title=Perion Completes Acquisition of Conduit's ClientConnect Creating a Leading Provider of Digital Solutions for Publishers |url=http://www.businesswire.com/news/home/20140102005313/en/Perion-Completes-Acquisition-Conduit%E2%80%99s-ClientConnect-Creating-Leading |location=Tel Aviv, Israel; San Francisco |agency=Business Wire |date=2014-01-02 |access-date=2015-06-07 |archive-date=2015-06-13 |archive-url=https://web.archive.org/web/20150613002633/http://www.businesswire.com/news/home/20140102005313/en/Perion-Completes-Acquisition-Conduit%E2%80%99s-ClientConnect-Creating-Leading |url-status=live }}</ref> and later partnered with Lenovo to create Lenovo Browser Guard,<ref name="LenovoBrowserGuard">{{cite press release |author=<!--Staff writer(s); no by-line.--> |title=Perion Partners with Lenovo to Create Lenovo Browser Guard |url=http://www.businesswire.com/news/home/20140618005930/en/Perion-Partners-Lenovo-Create-Lenovo-Browser-Guard |location=Tel Aviv, Israel; San Francisco |agency=Business Wire |date=2014-06-18 |access-date=2015-06-07 |archive-date=2015-07-04 |archive-url=https://web.archive.org/web/20150704164655/http://www.businesswire.com/news/home/20140618005930/en/Perion-Partners-Lenovo-Create-Lenovo-Browser-Guard |url-status=live }}</ref> which uses components of Search Protect.

Victims of unwanted redirections to conduit.com have also reported that they have been targeted by phishing attempts and have received unwanted junk mail, telephone calls from telemarketers, and other spam. Some victims report that the callers claimed to be from Apple, Microsoft, or the victim's ISP, that personal information was used in some of the calls, and that some of the calls concerned their browsing habits and recent browsing history. Personal information harvested by such spyware is frequently leveraged in highly targeted social engineering and phishing campaigns.<ref>{{cite web|title=How To Remove Search Protect By Conduit Ltd|url=http://www.lavasoft.com/mylavasoft/company/blog/how-to-remove-search-protect-by-conduit-ltd|publisher=Lavasoft|access-date=3 December 2014|archive-date=2 December 2014|archive-url=https://web.archive.org/web/20141202045957/http://lavasoft.com/mylavasoft/company/blog/how-to-remove-search-protect-by-conduit-ltd|url-status=live}}</ref>

=== istartsurf.com ===
The browser hijacker istartsurf.com may replace the preferred search tools. This infection is distributed bundled with third-party applications, and its installation may be silent, so affected users are often unaware that the hijacker has infected their Internet Explorer, Google Chrome or Mozilla Firefox browsers.<ref name=kaspersky>{{cite web| title=Remove istartsurf| url=http://support.kaspersky.com/viruses/solutions/10319| website=support.kaspersky.com| publisher=Kaspersky Lab| access-date=24 June 2010| archive-date=30 September 2013| archive-url=https://web.archive.org/web/20130930164408/http://support.kaspersky.com/viruses/solutions/10319| url-status=live}}</ref>

=== Search-daily.com {{anchor|Search-daily}} ===
<!-- Search-daily Hijacker redirects here -->
''Search-daily.com'' is a hijacker that may be downloaded by the Zlob trojan. It redirects the user's searches to pornography sites. It is also known to slow down computer performance.<ref>{{cite web|title=Browser Hijacker|date=31 July 2023 |url=https://original-nodsrv.com/browser-hijacking/|publisher=nodsrv}}</ref>

=== Snap.do ===
Snap.do (Smartbar developed by Resoft) is potential malware, categorized as a browser hijacker and spyware, that causes web browsers to redirect to the snap.do search engine. Snap.Do can be manually downloaded from the Resoft website, though most users acquire it because it is bundled with other software and installed unintentionally. It affects Windows and can be removed through the Add/Remove program menu. Snap.Do also can download many malicious toolbars, add-ons, and plug-ins like DVDVideoSoftTB, General Crawler, and Save Valet.

General Crawler, installed by Snap.do, has been known to use a backdoor process to re-install and re-enable itself every time an affected user removes it through their browser(s) or through Windows' built-in uninstaller.

Snap.do will disable the option to change the user's homepage and default search engine.

Resoft will track the following information:
* The Internet domain and IP address from which the user accesses the Resoft Products (location, ID, etc.)
* Screen resolution of the user's computer monitor (display)
* The date and time the user ''intentionally'' or ''unintentionally'' accesses Resoft products
* The pages the user is visiting with the Resoft Products (with or without knowledge of using Resoft products, Snap.do)
* If the user ''willingly'' or ''unwillingly'' linked to a Resoft website from another referring website, the address of that site

=== SourceForge Installer ===
A previous installer of SourceForge included adware and PUP installers.<ref>{{Cite web |title=istartsurf.com - browser hijacking - startup page on all browsers {{!}} Endpoint SWAT: Protect the Endpoint Community |url=https://community.broadcom.com/groups/communities/community-home/digestviewer/viewthread?MessageKey=26df5804-2174-47a2-855a-79f3e8556aa7&CommunityKey=62d32cad-f043-4d8a-8dd1-60b4f76dc271&tab=digestviewer |access-date=2023-01-11 |website=community.broadcom.com |archive-date=2023-01-11 |archive-url=https://web.archive.org/web/20230111223539/https://community.broadcom.com/groups/communities/community-home/digestviewer/viewthread?MessageKey=26df5804-2174-47a2-855a-79f3e8556aa7&CommunityKey=62d32cad-f043-4d8a-8dd1-60b4f76dc271&tab=digestviewer |url-status=live }}</ref>

One such installer changes the browser settings of Firefox, Chrome, and Internet Explorer to show the website "istartsurf.com" as the homepage. It does so by changing registry settings and reverting the settings if the user tries to change them.

On June 1, 2015, SourceForge claimed that they stopped coupling "third party offers" with unmaintained SourceForge projects.<ref>{{Cite news|url=https://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/|title=Third party offers will be presented with Opt-In projects only - SourceForge Community Blog|date=2015-06-01|work=SourceForge Community Blog|access-date=2018-08-16|language=en-US|archive-date=2018-08-11|archive-url=https://web.archive.org/web/20180811025220/https://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/|url-status=live}}</ref>

=== Trojan.WinLNK.Agent ===
A '''''Trojan.WinLNK.Agent''''' (also '''''Trojan:Win32/Startpage.OS''''') is the Kaspersky Labs detection name for a Trojan downloader, Trojan dropper, or Trojan spy. Its first known detection goes back to May 31, 2011, according to Microsoft Malware Protection Center. This ''Trojanware'' opens Internet Explorer at a predefined page (such as ''i.163vv.com/?96''). A Trojan file with the '''''LNK''''' extension is a Windows shortcut that points to a malicious file, program, or folder. A ''LNK'' file of this family launches a malicious executable or may be dropped by other malware. Such files are mostly used by worms to spread via USB drives.<ref name=autogenerated2>[https://threats.kaspersky.com/en/threat/Trojan.WinLNK.Runner/ Kaspersky Threats — TROJAN.WINLNK.RUNNER<!-- Bot generated title -->]</ref><ref name=autogenerated1>[https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fStartpage.OS Trojan:Win32/Startpage.OS<!-- Bot generated title -->]</ref> In 2016, India had the most incidents relating to this Trojan, with 18.36% of the worldwide total.<ref name=autogenerated2 />

Other aliases:
* ''Win32/StartPage.NZQ'' (ESET)<ref name=autogenerated1 />
* ''Trojan.WinLNK.Startpage'' (Kaspersky Labs)<ref>[https://threats.kaspersky.com/en/threat/Trojan.WinLNK.StartPage/ Kaspersky Threats — TROJAN.WINLNK.STARTPAGE<!-- Bot generated title -->]</ref>
* ''Trojan:Win32/Startpage.OS'' (Microsoft)<ref name=autogenerated1 />

Other variants:
* ''Trojan.WinLNK.Agent.ae''
* ''Trojan.WinLNK.Agent.ew''<ref>[https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/ Kaspersky Security Bulletin 2015. Overall statistics for 2015 - Securelist<!-- Bot generated title -->]</ref>

=== Vosteran ===
Vosteran is a browser hijacker that changes a browser's home page and default search provider to vosteran.com. This infection is distributed bundled with other third-party applications. The identity of Vosteran is protected by privacyprotect.org from Australia. Vosteran is registered through Whiteknight.<ref name="how-to-remove">{{cite web|title=Remove Vosteran|url=https://www.how-to-remove.com/vosteran|publisher=How To Remove|access-date=25 November 2014|date=2014-11-25|archive-date=2015-02-13|archive-url=https://web.archive.org/web/20150213101222/https://www.how-to-remove.com/vosteran|url-status=live}}</ref>

=== Trovi ===
Trovi is a browser hijacker typically distributed through third-party download portals (such as Download.com) and legacy freeware repositories. These platforms frequently bundle unwanted software into the installers of otherwise legitimate open-source or freeware applications without the original developers' consent.

Trovi uses Bing (a legitimate search engine) to provide results to the user. Although the address bar changes to Bing.com when showing search results, search keywords are still routed through Trovi. Trovi formerly used its own website to show search results, with its logo in the top left corner of the page, but later switched to Bing in an attempt to fool users more easily. Trovi is less harmful than before, since the ads are removed from the search results depending on which browser is being used, but it is still considered a browser hijacker.

It also controls the homepage and new tab page settings to prevent the user from changing them back to the original settings. Depending on the browser being used, ads may appear on the page.

When it infects a user's computer, it makes a browser redirect from Google and some other search engines to trovi.com.<ref>{{Cite web |date=2018-09-07 |title=How To Remove Trovi.com & Trovi Search From Mac Or Windows |url=https://malwaretips.com/blogs/trovi-removal/ |access-date=2023-01-11 |language=en-US |archive-date=2022-12-05 |archive-url=https://web.archive.org/web/20221205004225/https://malwaretips.com/blogs/trovi-removal/ |url-status=live }}</ref>

Trovi was created using the Conduit toolbar creation service and is known to infect systems in ways similar to the Conduit toolbar.

== References ==
<references />

== External links ==
* [https://www.virustotal.com/de/file/f1d4a03f60d9c4169d8008489e8ae040948004cff4811d7b70c49a81911fad44/analysis/1443129087/ Analysis of a file] at VirusTotal

[[Category:Types of malware]]
[[Category:Web security exploits]]