
WebSearcher PUP applies Proxy Lockdown

WebSearcher is an adware application brought to you by “Web Fox” and usually comes bundled with “extremely useful” applications like “Video Codex” and “Video Player”. WebSearcher uses a proxy to insert the advertisements into your normal web experience. 


What makes this one different?

What makes this one different is that it uses a set of permissions to get the three most popular browsers to use the proxy it has set. If you look in Internet Explorer (IE) under “Internet Options” on the “Connections” tab and click on “LAN settings” you will see this form with all the user options “greyed out”. Note the announcement you can see on the “Connections” tab that I highlighted.


Basically this means that all system internet traffic governed by the proxy settings is going through the application that controls port 9091 (in this case Sniffer.exe), and a normal user is blocked from changing that. That takes care of IE. In Chrome the change is pretty basic: the hijacker sets the “ProxyMode” value under the registry key HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome to the value-data “system”, which means Chrome has to use the same system proxy setting described above.

For Firefox the procedure they followed was a bit more complex. In the file “local-settings.js” these lines were added:

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

This enables Firefox's locked-preferences mechanism and tells the browser to read its configuration from the (unobfuscated, hence obscure_value 0) file “mozilla.cfg”. Looking at that file we will find this line:

lockPref("network.proxy.type", 5); 

The value 5 for “network.proxy.type” tells Firefox to use the proxy set for “system” (see above).

 

Extra word of warning

 

This adware abuses two libraries of the legitimate web debugging proxy Fiddler (FiddlerCore.dll and FiddlerCoreWrapper.dll) and the DO_NOT_TRUST_FiddlerRoot certificate, which has been known to sometimes cause slowdowns and errors on systems where the proxy is no longer present. If you experience these problems and want to check for and/or remove the certificate, use the procedure below.

Procedure:

Use Winkey + R to open the Run box.

Type or copy & paste certmgr.msc

Click OK to execute the command and the Certificate Manager window will open.

Select the Trusted Root Certification Authorities > Certificates and you should see something like the screenshot below.

 

You can delete certificates from this list by right-clicking on them and then choose Delete.
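As an added example (not part of the original post), the read-only PowerShell check below looks for the lockdown indicators described in this post across all three browsers plus the leftover Fiddler root certificate from the procedure above. Port 9091, the Chrome ProxyMode policy, local-settings.js, mozilla.cfg and the certificate name come from the post; the ProxySettingsPerUser policy value and the Firefox install paths are assumptions about where such a lockdown typically lives.

```powershell
# Added example, not code from the post. Read-only: reports findings, changes nothing.
# Run from an elevated prompt so HKLM and the LocalMachine cert store are readable.
$findings = @()

# 1. Windows/IE proxy: machine-wide policy (greys out the LAN settings dialog) and
#    a proxy pointing at port 9091. ProxySettingsPerUser is an assumed mechanism.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$perUser = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).ProxySettingsPerUser
if ($perUser -eq 0) { $findings += 'IE proxy settings forced machine-wide (ProxySettingsPerUser=0)' }
foreach ($hive in 'HKLM:', 'HKCU:') {
    $k = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -match ':9091$') {
        $findings += "$hive proxy enabled and pointing at $($p.ProxyServer)"
    }
}

# 2. Chrome: the mandatory policy key forcing the system proxy, as described in the post
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$mode = (Get-ItemProperty -Path $chrome -ErrorAction SilentlyContinue).ProxyMode
if ($mode -eq 'system') { $findings += "Chrome ProxyMode policy set to 'system'" }

# 3. Firefox: autoconfig enabled in local-settings.js and the proxy type locked to 5
#    (install paths are assumed defaults)
foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $base) { continue }
    $ff  = Join-Path $base 'Mozilla Firefox'
    $ls  = Join-Path $ff 'defaults\pref\local-settings.js'
    $cfg = Join-Path $ff 'mozilla.cfg'
    if ((Test-Path $ls) -and (Select-String -Path $ls -Pattern 'general\.config\.filename' -Quiet)) {
        $findings += "Firefox autoconfig enabled via $ls"
    }
    if ((Test-Path $cfg) -and (Select-String -Path $cfg -Pattern 'lockPref\("network\.proxy\.type",\s*5\)' -Quiet)) {
        $findings += "Firefox network.proxy.type locked to 5 (system proxy) in $cfg"
    }
}

# 4. The Fiddler root certificate the proxy leaves behind (either store)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' }
    foreach ($c in $certs) { $findings += "Fiddler root certificate in $store (thumbprint $($c.Thumbprint))" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No WebSearcher proxy-lockdown indicators found.' }
```

A hit on the certificate alone is expected on machines where Fiddler was installed deliberately; the browser findings are what distinguish the hijack.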


Removal and detection

Malwarebytes Anti-Malware detects and removes WebSearcher as PUP.Optional.WebSearcher. A removal guide can be found on our forums.


Resources

 

Mozillazine: Locking_preferences

Mozillazine: Network.proxy.type

 

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.