WebSearcher PUP Hijacks and Locks Browser Proxy Server Settings

[starbuck]

 

Security researchers from Malwarebytes have come across a new PUP (Potentially Unsafe Program) named WebSearcher that secretly takes over the proxy server settings for Internet Explorer, Google Chrome, and Firefox, and blocks the user from changing them.

 

WebSearcher is distributed via applications with generic names like Video Codex and Video Player, and works by using a (locally hosted) proxy server to analyze the user's Web traffic and then sneakily inserting ads on legitimate websites.

 

What makes WebSearcher unique (and extremely annoying) is that this adware changes the proxy server settings inside browsers, using registry keys and other tricks, instead of the actual settings panel.

 

When accessing the settings panel, users can see non-standard values, but they can't change them (see IE screenshot below).

 

The only way to remove the hijacked proxy server settings is to remove the WebSearcher PUP.

 

Internally, WebSearcher works by abusing two libraries used by another legitimate application, the Fiddler Web debugging toolkit, a tool often employed by security researchers to debug malware behavior.

 

Besides the FiddlerCore.dll and FiddlerCoreWrapper.dll files, WebSearcher also uses Fiddler's "DO_NOT_TRUST_FiddlerRoot" root certificate, which Malwarebytes researchers advise users to remove until they manage to get rid of the WebSearcher infection. Leaving a root certificate in the hands of a PUP may not be a good idea, since it could use it to install other unwanted applications.

 

Modified & locked proxy settings in IE

 

 

Source:

http://news.softpedia.com/news/websearcher-pup-hijacks-and-locks-browser-proxy-server-settings-498465.shtml