
CEIDPageLock

Posted: August 31, 2018

CEIDPageLock is a rootkit that hijacks the user's browser to force it into loading a fake Web directory domain, which earns the threat actor advertising revenue. CEIDPageLock also includes a backdoor capable of installing other threats, as well as significant anti-analysis and detection-evasion features. Users who notice symptoms of infection, such as an unexplained change of homepage, should remove CEIDPageLock with anti-malware tools capable of kernel-level cleanup; because it compromises the Windows kernel, it should be assumed active until verified otherwise.

Browser Hijackers Going to New Extremes

The overwhelming majority of browser hijackers are low-level threats that disguise themselves as otherwise-benign browser add-ons and usually pose a negligible security risk to the rest of the PC. A campaign aimed at users in China is breaking with that tradition by using kernel-level techniques, compromising the Windows kernel itself, to hijack Web browsers. Although malware experts find its methods highly unconventional, CEIDPageLock's motivation is apparently the same profit-through-advertising goal as any other browser hijacker.

CEIDPageLock is one of the many types of unsafe software distributed through the RIG Exploit Kit, a drive-by-download threat that takes advantage of vulnerabilities in the user's browser and its unpatched plug-in components to infect the rest of the PC. CEIDPageLock runs as a Windows kernel driver that loads automatically and includes robust stealth features. Newer versions also are packed with VMProtect for additional anti-analysis protection.

After infecting Windows, CEIDPageLock takes over the user's browser and replaces the homepage with a copycat of 2345.com, a Chinese Web directory. Other browser-hijacking features in CEIDPageLock's payload include tampering with search results and monitoring network traffic for specific sites, visits to which trigger an automatic redirection to attacker-controlled pages. While malware analysts have found no current cases of CEIDPageLock installing other threats, it does include the ability to execute remotely supplied code, so its impact is not limited to exposing victims to unwanted advertisements.

Guarding Your Browser's Home against Kernel-Level Invasions

Just as readers might expect of a browser hijacker that promotes a Chinese copycat domain, CEIDPageLock's infections are concentrated almost, but not entirely, in China. Users can harden their Web browsers against exploit kit-based infection strategies by keeping current with their software's security updates, disabling abusable features like Flash, Java, and JavaScript, and blocking advertisements and pop-ups from suspicious sources. Resetting the browser's own settings does not remove CEIDPageLock, which installs itself and maintains its persistence at the operating-system level; the homepage will simply be hijacked again.

This threat uses invasive persistence techniques like those of other rootkits such as Uroburos, Crisis, or Zacinlo (which shares CEIDPageLock's preference for advertising promotion). Disinfection may require more steps than with most threats. Victims should familiarize themselves with Safe Mode and with booting from removable media. Always use anti-malware software with dedicated rootkit-removal functions to uninstall CEIDPageLock; ordinary anti-virus software without kernel-level disinfection features may be ineffective.
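The two symptoms the article gives a practitioner to look for, a hijacked start page and a kernel driver that should not be there, can be triaged with a read-only PowerShell check. The script below is an added example written for this page; it is not code from the original article or from the CEIDPageLock analysis it summarises. The "2345 look-alike" rule, the registry and profile paths, and the "not signed by Microsoft" filter are assumptions chosen for the example, not published indicators of this rootkit.

```powershell
# Added triage example (editor's code, not from the article). Runs read-only
# from an elevated PowerShell prompt and reports the two symptom classes the
# article describes: browser start pages pointing at a 2345.com look-alike,
# and running kernel drivers whose signature is missing, invalid, or not
# Microsoft's. All paths, names and rules are assumptions for the example.

function Test-LookAlikeHost {
    # Flags hosts that borrow the "2345" string without being the real
    # 2345.com or one of its subdomains (an assumed rule, not an indicator).
    param([string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    $h = $uri.Host.ToLowerInvariant()
    if ($h -eq '2345.com' -or $h.EndsWith('.2345.com')) { return $false }
    return ($h -like '*2345*')
}

function Get-BrowserStartPages {
    # Internet Explorer: per-user and machine start pages, plus the policy
    # keys a hijacker may set so the user cannot change the value back.
    $ieKeys = @(
        'HKCU:\Software\Microsoft\Internet Explorer\Main',
        'HKLM:\Software\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main',
        'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
    )
    foreach ($k in $ieKeys) {
        $v = Get-ItemProperty -Path $k -Name 'Start Page' -ErrorAction SilentlyContinue
        if ($v) { [pscustomobject]@{ Source = $k; Url = $v.'Start Page' } }
    }
    # Chrome: homepage and start-up URLs live in the profile's Preferences
    # JSON; a HomepageLocation policy value in the registry overrides them.
    $prefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
    if (Test-Path $prefs) {
        $json = Get-Content -Raw -Path $prefs | ConvertFrom-Json
        if ($json.homepage) { [pscustomobject]@{ Source = 'Chrome homepage'; Url = $json.homepage } }
        foreach ($u in @($json.session.startup_urls)) {
            if ($u) { [pscustomobject]@{ Source = 'Chrome startup_urls'; Url = $u } }
        }
    }
    $pol = Get-ItemProperty -Path 'HKLM:\Software\Policies\Google\Chrome' `
        -Name 'HomepageLocation' -ErrorAction SilentlyContinue
    if ($pol) { [pscustomobject]@{ Source = 'Chrome policy'; Url = $pol.HomepageLocation } }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings (\??\C:\..,
    # \SystemRoot\.., System32\drivers\..); normalise to an openable path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NonMicrosoftDrivers {
    # Running kernel drivers whose Authenticode/catalog signature is not a
    # valid Microsoft one. A driver that loads automatically, as the article
    # says CEIDPageLock does, would surface here unless it hides itself.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path -or -not (Test-Path $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status; Signer = $signer }
            }
        }
}

Write-Host '== Browser start pages =='
Get-BrowserStartPages | ForEach-Object {
    $flag = if (Test-LookAlikeHost $_.Url) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1}  {2}' -f $flag, $_.Source, $_.Url
}

Write-Host '== Running drivers not signed by Microsoft (review each) =='
Get-NonMicrosoftDrivers | Format-Table -AutoSize
```

Third-party drivers for graphics, VPN or security products are expected in the second list, so it is a review list rather than a verdict. More importantly, a kernel-mode rootkit can filter what user-mode enumeration returns, so a clean result taken from inside the running system proves nothing on its own; take the same listing again from Safe Mode or from removable boot media, as the article advises, and treat any difference between the two as the finding.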

CEIDPageLock is an outlier for the amount of effort that its programmer is putting into achieving otherwise trivially-accomplished, browser-redirecting attacks. It may, however, be a sign of future business practices among rootkit authors, since there still is money to make in non-consensual Web advertising.
