
Dastardly Driver Download Delivers Browser Hijack(s)

This weekend, I installed a HighPoint RocketU 1144C on my production PC, in search of solutions to a USB 3 drive access problem. There’s a PLX PCIe 8609 DMA controller on that board, apparently associated with managing the PCI channels that this x4 device uses. And although the drivers shipped with the board got it up and running no problem, the PLX chipset showed up as an unknown “Base System Device” in my Device Manager after the install until I went out and found the necessary driver on the HighPoint site, courtesy of some partial pointers on the ASUS Republic Of Gamers (ROG) website that alluded to this issue along with the tell-tale Device ID string PCI\VEN_10B5&DEV_8609&SUBSYS_860910B5&REV_BA.

The first time I installed the driver I got an error message from Windows saying it was a known problem, with the yellow warning sign in Device Manager showing it as disabled. If only I’d rebooted, I would have seen this message go away. Instead I kept searching for a newer driver, which proved my undoing. Norton Internet Security 2015 (NIS) didn’t squawk when I downloaded a file named Plx_pcie_8609_dma, though it most assuredly should have. The sole contents of said ZIP file is the file eponymously named Plx_pcie_8609_dma_controller_driver.exe, and NIS didn’t squawk about it either while I installed it, though strange things started happening immediately thereafter.

Here’s the litany: In IE, Firefox and Chrome (those malefactors are thorough, I have to give them that) I started getting warnings about SSL certificates with no revocation data (never a good sign) and advertising started popping up all over the place. Having read quite a bit about Lenovo’s recent Superfish debacle, I had a pretty good idea that an SSL hijack had occurred, along with some serious adware injections. A full system scan from Norton turned up nothing amiss, though I found mysterious new directories in my Program Files (x86) directory, new startup processes linked to same, and the usual symptoms of a successful malware exploit on my machine. Sigh. A quick return to my most recent Restore Point (dated yesterday) took care of all the symptoms, after which I was able to delete the unwanted folders that had popped up on my system/boot drive, and the files that lived in them.
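As an added example, not code from the original post, here is how a practitioner could triage the symptoms described above on the affected Windows box before (or instead of) rolling back to a Restore Point. A Superfish-style interceptor has to plant its own root CA and keep the matching private key on the machine to forge site certificates on the fly, adware normally registers an autostart entry and drops its files under Program Files (x86), and ad injection is frequently done through a proxy or PAC setting. The script checks each of those. It assumes an elevated PowerShell 5.1 or later prompt; the three-day look-back window is a choice made for this example, not a value from the post.

```powershell
# Added triage example for the symptoms described above; not code from the original post.
# Run from an elevated PowerShell 5.1+ prompt. The look-back window is an assumption.
$LookBackDays = 3
$Since = (Get-Date).AddDays(-$LookBackDays)
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Trusted root CAs. An interceptor that rewrites TLS needs its own root here, and it needs
#    the private key locally to sign forged certificates. A root that carries a private key,
#    sits in the per-user store, or was created recently deserves a hard look.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store -ErrorAction SilentlyContinue | ForEach-Object {
        $why = @()
        if ($_.HasPrivateKey)             { $why += 'has private key' }
        if ($store -like '*CurrentUser*') { $why += 'per-user root' }
        if ($_.NotBefore -ge $Since)      { $why += 'recently created' }
        if ($why.Count -gt 0) {
            Add-Finding 'RootCA' ("{0} | {1} | {2} | {3}" -f $store, $_.Subject, $_.Thumbprint, ($why -join ', '))
        }
    }
}

# 2. Autostart entries under the Run keys, with the target binary's creation time and
#    Authenticode status. Unsigned or freshly created targets are flagged.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notin $ProviderProps } |
        ForEach-Object {
            $cmd = [string]$_.Value
            # Pull the executable path out of a quoted or unquoted command line.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (Test-Path $exe) {
                $created = (Get-Item $exe).CreationTime
                $sig = (Get-AuthenticodeSignature $exe).Status
            } else {
                $created = $null
                $sig = 'FileMissing'
            }
            if (($created -and $created -ge $Since) -or ($sig -ne 'Valid')) {
                Add-Finding 'Autostart' ("{0}\{1} -> {2} | created {3} | signature {4}" -f $key, $_.Name, $exe, $created, $sig)
            }
        }
}

# 3. Directories created under Program Files (x86) inside the window.
$pf86 = ${env:ProgramFiles(x86)}
if ($pf86) {
    Get-ChildItem $pf86 -Directory | Where-Object { $_.CreationTime -ge $Since } | ForEach-Object {
        Add-Finding 'NewProgramDir' ("{0} | created {1}" -f $_.FullName, $_.CreationTime)
    }
}

# 4. Per-user proxy or PAC configuration, a common way to inject ads into every browser at once.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Add-Finding 'Proxy' ("ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL)
}

if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize -Wrap } else { 'No findings in the look-back window.' }
```

Anything the script reports is a lead, not a verdict: a legitimate enterprise root or corporate proxy will show up too, so compare each hit against what the machine is supposed to have. If a root CA with a local private key does turn up, removing it from the store is what actually stops the certificate forgery; deleting the adware folders alone leaves every TLS session on the box interceptable.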

I’m usually pretty careful about where I download files from, and NIS usually steers me clear of stuff I don’t really want on my PC anyway. But for some reason, this dastardly download got past my own common sense (the first line of defense) and my security suite (my second line) to deposit unwanted software of a decidedly unfriendly sort on my machine. I realize that adware isn’t necessarily malware, but if it represents something I don’t want on my machine, and makes itself difficult to remove from the runtime environment, it’s bad enough for me to make it go away, whatever lengths I must go to in order to see it gone. And so it was with this stuff, whatever it happened to be.

The moral of the story is: don’t let your desire to find the right driver or other piece of software overrule your common-sense understanding of what’s safe to access online. I’m not sure why NIS didn’t squawk about the website from whence the download came — subsequent reputation research shows it questionable at best, and downright nasty at worst — but I should have known from the URL that the website was suspect. Please learn from my recent mistake, and stick to known good driver resources, like vendor sites, the driver download tool suppliers (DriverAgent, Driver Detective, RadarSync, and so forth), and that great French national treasure, Station Drivers, instead. Now that it’s all fixed, all I can say is “Ouch!”