Browser Hijacker Getting Missed?


Recommended Posts

This is a new concern, I haven't seen this present on other desktops yet.

If I try to access selfserve.pcmobile.com on my computer, I can access it no problem.

If I try to access the same website from another computer in our building, I get the Malwarebytes Block Website with a popup saying "btnativedirect.com" has been blocked. A little googling says that this is a browser hijacker, except all the tools to remove it appear to be from Russia. This is the first website we have seen that gets hijacked on that computer; all of the searches work properly, all of the googling works properly, everything seems fine except this website. I just tried this on another computer on our network and it also gets the "btnativedirect.com has been blocked" message. This other computer is completely bare-bones, nothing installed on it except some backup software and Chrome. It doesn't browse the internet or even get used for anything other than an automatic backup.

What concerns me is that Malwarebytes has scanned this computer every day for a month and hasn't detected anything. I've also run the host of other Malwarebytes technician tools, ADW etc., and it all comes back clean. But it is DEFINITELY blocking me from accessing that website from that computer. It doesn't happen on any other computer that I've checked.

So either:

a) real-time protection on that PC is screwed up and identifying a false-positive

b) daily threat scans are missing this browser hijacker (and so do all the other Malwarebytes tools)

c) something is not working on MY computer that is allowing me to visit that website and not getting blocked by Malwarebytes

  • Staff

The blocks work based on IP; it could be that your machine is resolving that domain to a different IP, or to a sibling domain. Your machine is on a group/policy with the Endpoint Protection pieces enabled and not the default Incident Response, right? Just verifying. Do you get a block when you try to visit iptest.malwarebytes.org?

Here's a VT link to the btnativedirect.com URL hit data: https://www.virustotal.com/#/ip-address/209.15.13.136
selfserve.pcmobile.com does not resolve to a malicious IP for me, so I cannot confirm a block for it either.

Also, hitting a realtime web block doesn't always mean something is on your PC causing a browser redirect; it can be an ad on the site you are browsing. Having scans come up clean but still hitting a web block is not out of the ordinary at all.

a) real-time protection on that PC is screwed up and identifying a false-positive

Not uncommon, blocks can be verified by our research team if you'd like us to confirm.

b) daily threat scans are missing this browser hijacker (and so do all the other Malwarebytes tools)

Not very likely. Anti-Malware, ADWCleaner and the JRT tech incorporated into both are extremely effective. You may see an object be removed and then come back again, but that is more due to the type of malware you may be dealing with, what program it may be attaching itself to, and a general lack of knowledge around different, more advanced malware removal tactics for situations like that, rather than a real-time or scanning engine failure. As in, it's not the tool, it's how you use it, and that can change dramatically based on the foe you are up against. Time and experience removing malware will build up your arsenal of approaches. You can also activate us to assist in removals if needed; many of us are highly adept and can remove malware by hand if needed.

c) something is not working on MY computer that is allowing me to visit that website and not getting blocked by Malwarebytes

We can verify this by looking at the IP as I had mentioned and also testing the response of the realtime components.

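One way to check the hypothesis in the staff reply above, that the machines differ only in what IP they resolve the domain to: an added Python diagnostic (not code from Malwarebytes or from this thread) that compares each machine's resolver answers against the block-listed IP and flags hostnames whose answers disagree between machines. The machine names and the selfserve.pcmobile.com addresses are constructed; 209.15.13.136 is the address the reply links on VirusTotal.

```python
import socket
from typing import Dict, List, Set

# Constructed sample: what each machine's resolver returned for each hostname.
# 209.15.13.136 is the IP the staff reply links for btnativedirect.com; the
# 198.51.100.x addresses are documentation-range placeholders standing in for
# whatever selfserve.pcmobile.com really resolves to.
OBSERVED: Dict[str, Dict[str, List[str]]] = {
    "my-pc":     {"selfserve.pcmobile.com": ["198.51.100.10"],
                  "btnativedirect.com": ["209.15.13.136"]},
    "backup-pc": {"selfserve.pcmobile.com": ["209.15.13.136"],
                  "btnativedirect.com": ["209.15.13.136"]},
    "desk-2":    {"selfserve.pcmobile.com": ["198.51.100.10"],
                  "btnativedirect.com": ["209.15.13.136"]},
}

# IP-based block list, as the reply describes the web block working.
BLOCKED_IPS: Set[str] = {"209.15.13.136"}


def resolve_live(host: str) -> List[str]:
    """Resolve host with this machine's own resolver (real-world use; not run on the sample)."""
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
        return sorted({ai[4][0] for ai in infos})
    except socket.gaierror:
        return []


def predict_blocks(observed: Dict[str, Dict[str, List[str]]],
                   blocked_ips: Set[str]) -> Dict[str, Dict[str, bool]]:
    """Return {machine: {host: bool}}; True where an IP-based web block would fire."""
    return {machine: {host: any(ip in blocked_ips for ip in ips) for host, ips in hosts.items()}
            for machine, hosts in observed.items()}


def divergent_hosts(observed: Dict[str, Dict[str, List[str]]]) -> Dict[str, Dict[str, tuple]]:
    """Return hostnames whose resolver answers differ between machines, with each machine's answer."""
    all_hosts = {h for hosts in observed.values() for h in hosts}
    out = {}
    for host in sorted(all_hosts):
        answers = {m: tuple(sorted(hosts.get(host, []))) for m, hosts in observed.items()}
        if len(set(answers.values())) > 1:
            out[host] = answers
    return out


if __name__ == "__main__":
    for host, answers in divergent_hosts(OBSERVED).items():
        print(f"{host}: resolvers disagree -> {answers}")
    for machine, verdicts in predict_blocks(OBSERVED, BLOCKED_IPS).items():
        print(machine, verdicts)
```

Replacing the OBSERVED entries with resolve_live() output collected on each machine turns this into the check the reply suggests: a host that only the blocked machines resolve to the listed IP explains the block without any hijacker on the scanned PC.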

Replying on mobile because I'm out and about.

Yes endpoint protection is fully enabled.

All computers get the appropriate website blocked message when trying to access the iptest website and the btnativedirect website, but only two machines on the network get blocked. I will try a DNS flush next time I'm at those machines.


Is this the only recommendation for now?

  • Staff

For now yeah, that's all I can think of. An extra piece we can ask about is for the website. If you want to post a screenshot of the hit entry for the machines that are blocking selfserve.pcmobile or btnativedirect, then I can check the IP with the research team.

Another key may be this: on any VM a user may use that has the agent installed on the VM host as well, the VM client will be unable to connect to the address, but will not produce a pop-up or an entry in the logs that a block has taken place. If you are not rocking VMs, this doesn't apply, but your problem description sounds a bit like this behavior.
