This nasty malware is infecting every web browser — what to do now

Malware
(Image credit: Shutterstock)

A gang of crooks is infecting Chrome, Firefox, Edge and other browsers with malware that hijacks search results with ads and sometimes even steals user passwords and other login credentials, Microsoft said yesterday (Dec. 10) in a blog post. 

The malware strain, which Microsoft calls Adrozek, infects Windows machines via "drive-by downloads" that try to get through browser defenses as soon as a browser loads one of more than 2 million malicious web pages. 

The malware, which constantly changes its code to avoid traditional antivirus detection, installs itself as what seems to be a normal audio-related program.

"At its peak in August, the threat was observed on over 30,000 devices every day," Microsoft said, adding that the malware campaign is still operating. "End users who find this threat on their devices are advised to re-install their browsers."

Adrozek specifically targets Mozilla Firefox, Google Chrome, the new Microsoft Edge browser and the Yandex browser, widely used in Russian-speaking countries. But as the latter three all are based on the Chromium open-source browser, other browsers such as Brave, Opera and Vivaldi should also be considered vulnerable.

You'll be able to tell you're infected if you get a whole lot of weird-looking web links in your search results, as in the images below. The links aren't necessarily malicious, but the crooks behind Adrozek get a few pennies every time someone clicks on one of them.

Screenshot comparison of regular search results and search results with ads injected by Adrozek malware.

Screenshot comparison of regular search results and search results with ads injected by Adrozek malware. (Image credit: Microsoft)

How to get rid of and avoid Adrozek malware

Normally, you can get rid of browser-hijacking adware if you can reset Chrome or reset Firefox

But Adrozek burrows deep into the browsers, altering or mimicking legitimate extensions, switching off security protections, disabling automatic updates and even altering Registry entries and creating a separate Windows service to run independently, so getting rid of it requires a lot more. 

You'll have to delete Firefox and all Chromium-based browsers entirely (make sure you save your bookmarks first), run a malware scan with your choice of the best antivirus software, reboot the PC, run the malware scan again and then reinstall your browsers and import your saved bookmarks. 

To avoid Adrozek infection, keep your browsers up-to-date at all times and, well, use one of the best antivirus programs. 

Such drastic removal actions might not be entirely justified if Adrozek simply added dodgy search results. Perfectly legal if ethically dubious "unwanted programs" do this all the time. 

But because Adrozek actively steals saved passwords from Firefox, and disables automatic updates and security settings on all browsers, it qualifies as honest-to-goodness malware and needs to be removed ASAP.

"While the malware's main goal is to inject ads and refer traffic to certain websites, the attack chain involves sophisticated behavior that allow attackers to gain a strong foothold on a device," the Microsoft blog post said. "The addition of credential-theft behavior shows that attackers can expand their objectives to take advantage of the access they're able to gain."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Kcrowz
    You say that the crooks behind Adrozek are paid for each click on their "weird-looking" web links, and you show a screenshot of these links, which appear to be Xbox pages. Are those payments coming from Xbox? I mean, if you assume that their income is derived from the companies that show up in the search, it would be pretty easy to "follow the money" and find out who the crooks are. Or are the weird links themselves to fake pages? Just curious...
    Reply
  • Bahus
    Kcrowz said:
    You say that the crooks behind Adrozek are paid for each click on their "weird-looking" web links, and you show a screenshot of these links, which appear to be Xbox pages. Are those payments coming from Xbox? I mean, if you assume that their income is derived from the companies that show up in the search, it would be pretty easy to "follow the money" and find out who the crooks are. Or are the weird links themselves to fake pages? Just curious...

    Those links aren't legit Xbox links and they are not paid by Xbox. The links are to fake websites pretending to be Xbox. Probably serving more malware. The 'download and download free' is a warning sign' as Xbox and Microsoft would never advertise like this.
    Reply