
This is a guest post by Malwarebytes security researcher Pieter Arntz who takes a look back at the early 2000s when he was not employed in the cybersecurity industry but was part of a group of expert helpers that volunteered their time to help victims remove adware and malware from computers.
This story takes us back to 2003, and to understand it you need to know that the cybersecurity industry back then was shaped very differently from today.
Antivirus (AV) software dealt with malware such as viruses and worms, dedicated Anti-Trojan software focused entirely on Trojans, and computer infections such as adware, browser hijackers, dialers, spyware, and ad injectors were for the most part not detected by mainstream security software.
Instead, you needed to use dedicated anti-adware programs like Ad-Aware or Spybot to tackle these infections.
Even more problematic, most adware and hijackers were written by companies that believed what they were doing was legal and were prepared to go to court to prove it. This led many AV companies to simply ignore them to avoid the risk of a lawsuit.
As a consequence, many PC users affected by adware, dialers, and other undetected threats flocked to online help forums to ask for assistance in getting rid of unwanted pop-ups, pop-unders, and browser windows that would spontaneously open to show advertisements.
Those few programs that promised to remove adware usually referred to it as spyware and offered no protection, just removal.
HijackThis was a savior
I started helping users online in 1999 and removing the adware back then was usually relatively simple.
Most of these adware programs or hijackers altered the start page in Internet Explorer or added a Browser Helper Object designed to retrieve and show advertisements. Keep in mind that Firefox and Chrome were not around yet, and the alternatives to IE were only used by a few.
Using a simple diagnostic tool called HijackThis, created by Merijn Bellekom, we could put together a quick fix in a few back-and-forth messages on a support forum or in a newsgroup, after which the helper and his client parted ways, both satisfied that the problem was solved.

Until the user fell victim to another dubious download or bundler, that is.
Since the posts were public, they were indexed by search engines and many other users found the answers provided by the helper and followed the relatively simple instructions to solve their problems.
Many forums at the time had dedicated “HijackThis” sections which were the only subforum where the HijackThis logs were allowed to be posted.
Adware starts to mimic malware
It didn’t take long before adware authors noticed that their hijacks and software were being removed almost as fast as they could publish them.
Due to this, some of them decided to make the removal of their adware more complicated.
First, we have Lop Adware
One of the first families to do this was called Adware.Lop, whose goal was to hijack the user's browser so that it sent them to various pay-per-click search portals run by the now-defunct C2Media. It was named after the main domain the users were hijacked to, lop.com.
To hinder removal, Adware.Lop started using a random folder and filename and used Scheduled Tasks to trigger the advertising cycles. These were easy enough for expert helpers to recognize, but it made things a lot harder for people searching for answers, since they couldn't find any information about the file and folder names they were looking for.
It also raised the required knowledge level of the helper, which limited the number of available helpers.
Soon other adware authors started using random names, such as:
- PurityScan (ClickSpring), which added Startup entries in the registry pointing to randomly named files
- Wurldmedia, which started using randomly named Browser Helper Objects
- The Peper Trojan, which manifested itself as a running process that showed porn popups and spawned a new copy of itself under a new name as soon as the process was stopped. Because of that behavior, it was considered a Trojan and the firm that spread Peper was forced to publish an uninstaller.
CoolWebSearch (CWS) arrives
Then came CoolWebSearch, the adware family that started an active arms race with the expert helpers, releasing a new variant each time a fix was found for the previous one.
When first released, this family started as a hijacker that redirected users to CoolWebSearch (CWS) related sites.

They then added a new twist with the introduction of a custom CSS stylesheet for Internet Explorer.
Custom stylesheet variants
During this increasing aggressiveness in adware programs, helpers had rallied together and had private discussions on IRC and in behind-the-scenes forums to exchange information and to work together on fixes. It took us weeks to find the explanation for the symptoms caused by the custom stylesheet.
These symptoms were extremely slow typing in text boxes and an off-screen popup triggered by JavaScript embedded in the stylesheet.
Their next variant was an "improved" version of this hijack that also included a HOSTS file hijack and a startup entry that reloaded the entire hijack every time the system booted. This one was a lot easier to figure out, since we had wised up to the stylesheet hijack.
The stylesheet plot was taken one step further when the CWS gang figured out they could use any filename for the user stylesheet and Internet Explorer would still load it.
On top of that, two domains were added to the Trusted Zone to ensure CWS could do its dirty work and install any updates they saw fit.
Use of Winsock LSPs
CWS then moved on to Winsock Layered Service Providers, which are DLLs that can be used to monitor and modify TCP/IP traffic in Windows. LSPs were particularly useful for antivirus vendors that wanted to monitor network connections for malicious traffic, but they were also abused by adware to redirect users or inject advertisements.
To my knowledge CWS was the first adware to insert a new Layered Service Provider (LSP) into the TCP/IP stack. Identifying the file responsible was easy, but removing it had to be done properly or it would cause the network connection to break.
Due to this, a special tool called LSP-Fix was developed that allowed helpers to remove LSPs without fear of breaking the TCP/IP stack.

Creating a webserver on your PC
After a few more variants, including a fake driver update that only started on 20% of system boots, the next deviously clever variant ran a web server on the affected machine that redirected Google, Yahoo, and any mistyped URL to a CWS domain. Users needed to stop the process before they could successfully start the full removal, which took place in the registry and inside the HOSTS file.
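The HOSTS file half of that hijack is easy to audit, because a clean HOSTS file never needs to resolve a search engine itself. The following is an added example (not code from the original post) that parses constructed HOSTS content and flags well-known domains pinned to any address, whether a remote IP or the loopback address that a local web server would answer on; the watched domain list and the sample entries are assumptions.

```python
"""Audit Windows HOSTS file content for search-engine redirects.

Added example, not code from the original post. SAMPLE_HOSTS is constructed
and the 203.0.113.7 address is a documentation-range placeholder.
"""
import ipaddress

# Domains a clean HOSTS file never needs to resolve on its own (assumed list).
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "msn.com")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       google.com www.yahoo.com
203.0.113.7     search.msn.com   # constructed remote address
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address: not a mapping
        for name in parts[1:]:
            yield str(addr), name.lower()


def find_hijacks(text):
    """Return (address, hostname, reason) for every suspicious mapping."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if not any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            continue
        if ipaddress.ip_address(addr).is_loopback:
            reason = "pinned to loopback (a local web server would answer)"
        else:
            reason = "pinned to remote address"
        findings.append((addr, name, reason))
    return findings


if __name__ == "__main__":
    for addr, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{name:20} -> {addr:15} {reason}")
```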
Bring in the reinforcements
During this evolution, CWS began to use filenames that looked legitimate at first sight such as svcinit.exe, ctfmon32.exe, msinfo.exe, and svchost32.exe. They also used different startup methods in the variants to come, like win.ini and system.ini entries, URL search hooks, protocol filters, and the Userinit registry key.
By then we had seen 20 different variants in 6 months!
As these infections became so embedded into the Windows operating system, removing the infection incorrectly could cause Windows to stop operating properly. This also meant that the knowledge required to be a successful helper kept increasing.
To prevent advice that could damage Windows, the help forums started to put restrictions on who was allowed to help with the logs, and in 2003 some of the experts started training facilities for new helpers.

They did this on existing forums or started forums for that purpose. Some of the experts started to burn out, since they had full-time jobs on top of volunteering many hours helping, developing fixes, or hunting for and analyzing new malware.
This led some to stop helping directly and instead start training new helpers, as many who had received help wanted to pay it forward and provide help themselves.
As CWS showed it did not care if a few systems got wrecked during infection or removal, this need for trained helpers was evident.
The LSP hijack was a prime example, but there was also another variant where the Windows Media Player executable was deleted and replaced by the malware. In other variants files were dropped in folders that were hidden by default, and in many cases simply removing the malware files would make either the browser or even the entire system unusable.
If it hadn't been for specialized tools like CWShredder and About:Buster, undoubtedly a lot more systems would have needed to be reformatted.
The industry changes
In early 2004, the industry started to change and pay attention to our cries for help.
AV vendors could no longer turn a blind eye to adware that had become malware, and they started to add more kinds of infections to their definitions. Many of the market leaders of today were among the first to make that transition.
The specialized anti-trojan vendors were bought out or disappeared and a few new companies started to come up. In the same year, we also saw many Anti-Spyware vendors emerge.
Some of them were serious attempts at a solution, but most could be classified as rogues. And for many of these rogues, you could argue that the cure was worse than the problem.
What happened to the tools?
In 2004, the author of About:Buster started working on a program called RogueRemover. This later evolved into Malwarebytes which formally launched in 2008.
In 2007 Trend Micro bought HijackThis and CWShredder and did nothing with them, at least that's how it looked to the outside world. They certainly stopped further development, much to the chagrin of the helpers who had been trained to work with them.
LSP-Fix is still available, but its help forums have closed, as have many of the old helper forums.
Only a select few were strong enough to survive the diminished influx of people looking for a solution to their malware problems.
Rearview perspective
My look at the developments during that period may differ from others, but looking back this is how I saw the industry evolving.
While I may be wrong about the underlying reasons, it is my firm belief that the customer's demand for software that could solve their problems was a deciding factor in the way the industry evolved.
The adware families I described were, in my experience, the most troublesome ones to remove, and could take up to 50 replies with detailed instructions, requests for follow-up logs, and further removal instructions to help a victim restore their computer to a usable state.
It would almost certainly have been faster to reformat and start from scratch.
But the most important lesson for me was:
Under the right circumstances, a diamond in the rough can become a shining example of how things can and should be done.
This is not only true for some of the software that was developed as a result of this arms-race but very much so for some of the helpers we trained.
Comments
Chiragroop - 6 days ago
Unfortunately that's the thing. Any malware could be removed, or if not that, then perhaps a reinstall. But for ransomware, it encrypts your files and might even remove itself. But since you can't access your files and most people don't backup, it forces you to pay. (Though it seems like there has been a shift towards attacking businesses from the news, though it makes sense as businesses pay more).
More importantly, the way we told people to back up (use Time Machine or the like, File History or system images) meant that the disk would be plugged in or it would be backed up over the network, which ransomware can encrypt as well. I mean, automating it meant that people wouldn't forget to back up, but it didn't help.
NoneRain - 5 days ago
Great article!
mrbellek - 3 days ago
Excellent article, Pieter! And a very nice way to look back on the turbulent times back then. :) I was sad when I was forced to stop development on HJT and CWShredder due to lack of time, but thankfully Marcin and the AV companies have stepped up big time since then.