Internet Explorer Search Bar Malware Hijack

Recently, the Google Gala malware has been hijacking the Google Search engine in Internet Explorer’s Search Bar. In addition, Fast Browser Searching has apparently been getting installed by some means and stealing the Google homepage of other users.

Google Gala and Fast Search hijacks are nothing new, but they are making a serious comeback. I am not sure how they are injecting themselves into the Google Search on the IE8 Search Bar, but they definitely are corrupting the Google Search engine in the IE8 Search Bar. This has been known to happen in Firefox in the past as well. And who knows how long it will be till Google Chrome and other browsers are hit the same way, if they have not been already.

Browser makers need to harden their Search Bar against this type of attack, but until they do, we have to take matters into our own hands.
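One place to look when the Search Bar starts returning unexpected results is the list of search providers Internet Explorer keeps in the registry. The PowerShell below is an added example, not part of the original post, and it does not claim this is how Google Gala installs itself; the allow-list of hosts is an assumption to adjust for your own machine.

```powershell
# Added example: list Internet Explorer search providers and flag unexpected hosts.
# Assumption: $allowedHosts is an illustrative allow-list; edit it to match
# the providers you installed on purpose.
$allowedHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com')

# Per-user and machine-wide provider lists.
$scopeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

$report = foreach ($key in $scopeKeys) {
    if (-not (Test-Path $key)) { continue }

    # DefaultScope holds the GUID of the provider the Search Bar uses by default.
    $defaultScope = (Get-ItemProperty -Path $key).DefaultScope

    foreach ($sub in Get-ChildItem -Path $key) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $url = $props.URL
        $hostName = $null
        if ($url) {
            # Provider URLs carry templates such as {searchTerms};
            # substitute them so the URL can be parsed.
            try {
                $hostName = ([uri]($url -replace '\{[^}]*\}', 'x')).Host
            } catch {
                $hostName = $null
            }
        }
        New-Object PSObject -Property @{
            Hive       = $key.Substring(0, 4)
            Name       = $props.DisplayName
            IsDefault  = ($sub.PSChildName -eq $defaultScope)
            Host       = $hostName
            Url        = $url
            # Flag providers with no parsable host or a host off the allow-list.
            Suspicious = (-not $hostName) -or ($allowedHosts -notcontains $hostName)
        }
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Hive, Name, IsDefault, Host, Suspicious, Url -AutoSize
```

A provider marked `IsDefault` and `Suspicious` at the same time is the first entry to investigate.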

If you feel the need to use Internet Explorer, I would strongly suggest hiding or removing the IE8 Search Box and going directly to the Google website instead.

As shown at the w7forums link above, to hide/remove the IE8 Search Box:

Start -> run -> gpedit.msc

Or better yet, change to an alternative browser, like Google Chrome or Mozilla Firefox.

Google Chrome’s built-in Flash player, which is updated automatically through Google Chrome’s update mechanism, is quite an attractive advantage. Google Chrome is also fast to load and now has extensions such as Adblock Plus, WOT, FlashBlock and others, like Mozilla Firefox has had for a long time. In addition, Google Chrome has a built-in ‘sandbox’ feature which can save a world of hurt while browsing the web. Although it is not perfect, it is a great feature.

I have to say that for years now, I have not used any built-in browser search bar. I go directly to the Google website, or to other favorite search engine websites. I would suggest that, until browser developers harden their search bars, it would be wise not to make use of search bars for searching.

In addition, I would strongly suggest you install CCleaner and run it frequently. Close your browser after every use, then right-click on the Recycle Bin and choose Run CCleaner.

If you do get hit with malware like Security Shield for any reason, but especially in this case, due to the redirection/hijack of search results in the IE8 Search Bar, you will need to use rkill or the Task Manager (if available) to find and kill the oddly named Security Shield process. Then update and run Malwarebytes Anti-Malware to get rid of related registry entries, hidden files, etc., as shown at the BleepingComputer forum's Security Shield (Uninstall Guide).

Or call your computer expert to help you with removal of the malware.

The most important thing is not to continue to use the computer on the Internet until the malware is removed, to keep from getting hit with more malware. Redirection to malware sites posing as legitimate websites and searches is a strong possibility while infected with malware.

EDIT: I started writing this post yesterday morning and got it published at 12:06PM. Within hours, there was a security advisory by Microsoft and articles about:

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in MHTML on all supported editions of Microsoft Windows. This vulnerability manifests itself in Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.

What causes this threat?
The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request.

Sure sounds like this may be the problem I was writing about in this posting.
