A browser hijacker is a type of malware that alters a device’s browser settings so that the user is redirected to web sites they had no intention of visiting. It is an old problem, yet still a very prevalent one today.
Most browser hijackers use an ‘as-a-service’ business model. When a browser hijacker changes a user’s default homepage or search page, for instance, the ‘substitute’ site is that of the hijacker’s customer, who pays for the traffic the service generates. The browser hijack is the hook that enables all the other “services”: generating pop-up ads, distributing malvertising and spyware, or adding adult content sites to the bookmarks list.
One of the most efficient ways to deal with browser hijackers is to block the redirect-target sites at the DNS level. This protects users from seeing unwanted content or downloading unwanted (malicious) code, without requiring them to install a browser add-on or the latest patch.
Domain blocking also helps by disrupting the browser hijackers’ business model: if you block the domains the hijackers redirect to, you kill the extra traffic they generate, and without that traffic the ‘customers’ are less inclined to pay for the hijacker’s service.
To block browser-hijacker redirect domains efficiently, you need to detect such domains quickly and consistently. DNS data is a great source for achieving that, and the analysis below shows some of the more recent findings from our browser hijacker research.
The graph above shows the hourly count of unique clients querying three recent browser hijacker domains, as seen in a sample of our worldwide DNS data. The traffic pattern for all three is very consistent: users are redirected in the tens of thousands (!) per hour during the first 24 hours, followed by a quick drop to a few hundred (and later a few dozen) users per hour. Then each domain is replaced by the next redirect domain.
The graph below shows the hourly number of unique clients querying browser hijacker domains over the last two weeks, in a sample of the DNS data we receive worldwide. Each wave in the graph tells the rise-and-fall story of a single domain:
What all of this indicates is the need to block early: updating a blacklist a couple of hours late means that tens of thousands of users have already been affected.
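The “block early” point above rests on one measurement: the number of distinct clients querying a name in the first hour it is seen. The script below is an added example (not Nominum’s code or data) that computes that measurement over constructed DNS query log lines of the form `<ISO-8601 timestamp> <client id> <queried name>` and flags any name whose first observed hour is already a burst. The log lines, the `.example` names and the threshold of 3 are constructed for illustration; the post’s volumes would call for a threshold in the thousands.

```python
"""Early-warning detection of hijacker redirect domains from DNS query logs.

Added example, not Nominum's code or data. It works over constructed log
lines of the form "<ISO-8601 timestamp> <client id> <queried name>" and
flags a name whose very first observed hour already shows a burst of
distinct clients, the rise-and-fall pattern the post describes.
"""
from collections import defaultdict

# Constructed sample log (not real traffic); names use the reserved .example TLD.
# quietlamptrain.example bursts in its first hour, weather.example trickles,
# swiftoceanbutter.example appears later with only two clients.
SAMPLE_LOG = """\
2016-03-01T00:05:12Z c001 quietlamptrain.example
2016-03-01T00:07:44Z c002 quietlamptrain.example
2016-03-01T00:09:30Z c005 weather.example
2016-03-01T00:12:03Z c003 quietlamptrain.example
2016-03-01T00:12:03Z c003 quietlamptrain.example
2016-03-01T00:41:59Z c004 QuietLampTrain.example.
2016-03-01T01:02:10Z c006 quietlamptrain.example
2016-03-01T01:15:45Z c007 weather.example
2016-03-01T01:20:00Z c008 swiftoceanbutter.example
2016-03-01T01:22:11Z c009 swiftoceanbutter.example
"""


def parse_line(line):
    """Split one log line into (hour bucket, client, normalised qname).

    The hour bucket is the leading "YYYY-MM-DDTHH" of the timestamp; the
    qname is lower-cased with any trailing root dot removed, so that
    "QuietLampTrain.example." and "quietlamptrain.example" are one name.
    """
    timestamp, client, qname = line.split()
    return timestamp[:13], client, qname.lower().rstrip(".")


def client_series(lines):
    """Per queried name: chronological list of (hour, number of distinct clients).

    Repeated queries from the same client within an hour count once, which is
    what the post's "unique clients per hour" metric measures.
    """
    clients_by_hour = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        hour, client, qname = parse_line(line)
        clients_by_hour[qname][hour].add(client)
    return {
        qname: [(hour, len(clients)) for hour, clients in sorted(hours.items())]
        for qname, hours in clients_by_hour.items()
    }


def first_hour_bursts(lines, threshold):
    """Names that reach `threshold` distinct clients in the first hour they are seen.

    `threshold` is 3 for the sample; for the volumes described in the post a
    production value would be in the thousands. A real deployment also keeps
    "first seen" state across days, so a long-lived name is not re-flagged.
    """
    flagged = []
    for qname, series in client_series(lines).items():
        first_hour, count = series[0]
        if count >= threshold:
            flagged.append((qname, first_hour, count))
    return sorted(flagged, key=lambda item: (item[1], -item[2]))


if __name__ == "__main__":
    for qname, hour, count in first_hour_bursts(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"block {qname}: {count} distinct clients in its first hour ({hour})")
```

Run stand-alone, the script flags only `quietlamptrain.example`: four distinct clients in its first hour, dropping to one in the next, while the two other names never reach the threshold. The per-name series returned by `client_series` is the same shape as the waves in the graphs above, so the same data feeds both the early-blocking decision and the later rise-and-fall view.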
Maliciousness and domain name patterns
Our recent browser-hijacker research found a growing tendency to use dictionary-based DGAs (Domain Generation Algorithms) to generate the redirect domains. A typical DGA produces domain names that are not human-readable (and are therefore more easily spotted by security tools); a dictionary-based DGA instead combines semantically unrelated dictionary words into domain names that are human-readable and therefore raise less suspicion.
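The difference between the two DGA styles is easiest to see in a lexical triage step. The script below is an added example, not Nominum’s detection code: it splits the label left of the TLD into the fewest dictionary words that cover it exactly (a word-break dynamic programme), and falls back to digit and consonant-run heuristics when no split exists. The word list, the three-word cut-off, the `.example` names and the verdict labels are all constructed for illustration; a real system would use a full dictionary and, as the post stresses, reputation enrichment, because a name built from dictionary words is not malicious by itself.

```python
"""Lexical triage of domain names: random-character DGA vs dictionary-based DGA.

Added example, not Nominum's detection code. The word list, thresholds and
sample names are constructed for illustration; a real system would use a
full dictionary plus reputation enrichment, since a name built from words
is not malicious by itself.
"""

# Constructed word list; a real system would load a full dictionary.
WORDS = frozenset("""
quiet lamp train swift ocean butter weather face book purple carrot window
best deal shop
""".split())
VOWELS = set("aeiou")


def sld_label(domain):
    """Label left of the TLD. Assumes a single-label TLD (.example, .com);
    multi-label suffixes such as co.uk would need the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def segment(label, words=WORDS):
    """Split `label` into the fewest dictionary words covering it exactly,
    or return None if no such split exists (word-break dynamic programme)."""
    max_word = max(len(w) for w in words)
    best = [None] * (len(label) + 1)   # best[i]: fewest-word split of label[:i]
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(max(0, end - max_word), end):
            if best[start] is not None and label[start:end] in words:
                candidate = best[start] + [label[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(label)]


def longest_consonant_run(label):
    """Longest run of consecutive consonant letters; digits break a run."""
    longest = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return longest


def classify(domain):
    """Return (verdict, word split or None) for one domain name.

    Verdicts are deliberately coarse:
      dictionary-dga-candidate : three or more words glued together
      random-dga-candidate     : unsegmentable, with digits or a long consonant run
      unremarkable             : one or two dictionary words (ordinary compound names)
      unknown-word             : unsegmentable but pronounceable (brand names, typos)
    The three-word cut-off is this example's assumption; legitimate names such
    as bestdealshop also trip it, which is why lexical patterns need to be
    paired with reputation data before blocking.
    """
    label = sld_label(domain)
    split = segment(label)
    if split is not None:
        return ("dictionary-dga-candidate" if len(split) >= 3 else "unremarkable"), split
    if any(ch.isdigit() for ch in label) or longest_consonant_run(label) >= 4:
        return "random-dga-candidate", None
    return "unknown-word", None


if __name__ == "__main__":
    for name in ("quietlamptrain.example", "xkq3zvbt7pq.example", "facebook.example",
                 "weather.example", "bestdealshop.example", "frobnicate.example"):
        verdict, split = classify(name)
        print(f"{name:28} {verdict:26} {split}")
```

Two things the output makes visible: the random-looking label is caught by crude features (a digit, a four-consonant run) that a dictionary-built label like `quietlamptrain` sails past, and the same three-word rule that flags `quietlamptrain` also flags the perfectly plausible `bestdealshop`. That false positive is the practical reason a lexical pattern is only the first filter, with a reputation system deciding what actually gets blocked.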
By using pattern detection tools, along with enrichment from our Domain Reputation System (DRS), we are able to identify and block these dictionary-based DGA domains as soon as they surface (and the breadth of the DNS data we see puts us in a unique position to apply these tools effectively).
Figure 2: Domain Reputation System (DRS)
Here are some recent examples of browser hijacker domains we’ve blocked in close to real time:
Browser hijackers are an old security problem, yet the number of users affected by this type of threat today is still extremely high. On average we see (and block) 145K unique clients per day trying to reach browser hijacker redirect domains; by extrapolation, the total daily number of infected clients worldwide could exceed 4M (including laptops, desktops and mobile devices, and good luck finding a security patch for your Android browser).
Nominum protects users from browser hijackers by blocking the redirect domains at the DNS level. This is an elegant, device-agnostic solution that needs no patches and no pop-up blocker; it does, however, require robust research and analysis to detect the right domains in the shortest time. In this post we shared some of the analysis (and data) we perform to identify the hijackers’ domains and reclaim the browser.
All rotating domains generated by this threat are continuously identified by Nominum under Threat ID 10000 and labeled “Browser-Hijack/A.redirector”.