HijackRemote Assessment

From CastleCopsWiki

Caution: The article below is currently in beta and has not been reviewed for factual errors.

HijackRemote is a malware removal service that automates much of the cleanup process and even lets helpers take control of the victim's computer, with the advertised intention of providing quick and pain-free assistance. Judging from a four-star review by Softpedia, it seems to offer an impressive service:

"If there’s something wrong with your system, the log will pick it up and it’ll tell you if you can keep or get rid of it. It’s a fast, working and absolutely great program for power users. HijackRemote not only makes it accessible to novices, but it even gives help and detailed accounts to the mediocre-advanced users. It's also great to have someone else do all the work." - SoftPedia

This type of review will undoubtedly lead many folks to HijackRemote. And why not? Most people find it a nuisance to spend time downloading and running utilities, then more time poring through log files and manually weeding out the malware. What a pain-free alternative, right? Surely this is a great idea.

But wait ... the reviewer mentioned something that is easily glossed over:

"This is where HijackThis Remote [sic] Client comes in. It’s the added ability to dial directly into a database of knowledgeable people who know systems. I sent my log file and HijackThis log file to the right people and I ended up waiting about a full day for the results to actually get back to me. It’s supposed to sit quietly until the report has been looked through and examined (if you try exiting the program without this being complete, you get a message letting you know that you won’t be receiving the reply from a pro)." - SoftPedia

So they can access my computer for a whole day while I'm off going about my business? So who are these people? Will it really sit quietly? Could they not use it to poke into my system and actually issue commands? Can I trust them to just check for malware?


Hmmm ... perhaps this does deserve closer examination. A CastleCops First Responder, wng_z3r0, decided to investigate and posted his blow-by-blow findings.

In summary, wng_z3r0 deliberately infected a machine and sought help. Just over 24 hours later, he received a report with an explanation. He allowed HijackRemote to continue and rebooted; upon reboot, the computer was declared malware-free. He confirmed that this was not actually the case. He states:

"Wow. It doesn't know anything for sure, and it proclaims the computer free. What I find most disturbing is the fact that there is no chance at a dialog. It's a one shot and you're done kind of thing. I can guarantee you that some malware infections are impossible to clean without getting more info about them, or trying to figure out what the infection is in the first place." - wng_z3r0

His report then turns to how helpers are vetted, which bears directly on the quality of diagnosis:

"Lack of humans at the admin level - To apply you didn't have to be approved by a human. This is unacceptable. How is one supposed to keep out untrained helpers when all they have to do is answer 6 questions that can be found in 2 minutes of Google searching? I would be afraid to put my computer in the hands of someone like that." - wng_z3r0


Huh? Don't they train and qualify helpers? Let's have a look at the HijackRemote quiz questions used to qualify a HijackRemote helper.

Many of the people who come to CastleCops asking for help with cleaning malware could answer that quiz! It sure doesn't seem overly difficult to become a HijackRemote "expert".


It's not looking good, is it? OK, but this could be an example of growing pains. It's such a different concept that it might need some time to work out the kinks, perhaps?

Well, let's look at an even more disturbing aspect. A malware expert who frequents CastleCops as a Security Expert, Subratam, wrote about HijackRemote ownership on his blog. He connects the HijackRemote site ownership information, originally discovered by Suzi, another CastleCops Security Expert, to two sites known to distribute spyware, and concludes:

"All three domains are registered with the same info, so the Hijackremote site is owned by someone who is installing adware/indirectly/directly related in distributing adwares." - Subratam

Subratam adds that Merijn, the person who developed the HijackThis logging program, is having second thoughts about having his name and product associated with this site.
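Subratam's conclusion rests on a standard technique: pivoting on shared WHOIS registrant details across domains. The block below is an added Python example, not code from this page, from Subratam, or from HijackRemote; every domain name, contact and privacy-service marker in it is constructed for illustration. It links domains that share a registrant email, phone or name, and it deliberately skips records behind a WHOIS privacy service, because two unrelated domains behind the same proxy share contact data without sharing an owner, which is the usual source of false positives in this kind of pivot.

```python
"""Registrant-overlap check over constructed WHOIS-style records.

Added example: groups domains by shared registrant fields so that domains
sharing contact details with a known adware distributor are flagged.
All records, domain names and marker strings below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample records, shaped like parsed WHOIS output.
# None of these domains or contacts are real.
SAMPLE_RECORDS = {
    "remote-cleanup.example": {
        "registrant_name": "John Q. Sample",
        "registrant_email": "JQSample@mail.example",
        "registrant_phone": "+1.555 010 0100",
    },
    "adware-one.example": {
        "registrant_name": "john q sample",
        "registrant_email": "jqsample@mail.example ",
        "registrant_phone": "+1 (555) 010-0100",
    },
    "adware-two.example": {
        "registrant_name": "J. Q. Sample",
        "registrant_email": "jqsample@mail.example",
        "registrant_phone": "15550100100",
    },
    "unrelated.example": {
        "registrant_name": "Other Person",
        "registrant_email": "other@elsewhere.example",
        "registrant_phone": "+1.555.010.0200",
    },
    # Two domains behind the same (constructed) privacy service: they
    # carry identical proxy contact data but say nothing about ownership.
    "proxied.example": {
        "registrant_name": "Domains By Proxy, LLC",
        "registrant_email": "proxied.example@domainsbyproxy.example",
        "registrant_phone": "+1.555.010.0300",
    },
    "proxied-two.example": {
        "registrant_name": "Domains By Proxy, LLC",
        "registrant_email": "proxied-two.example@domainsbyproxy.example",
        "registrant_phone": "+1.555.010.0300",
    },
}

# Constructed list of privacy-service markers (assumption: extend per registrar).
PRIVACY_MARKERS = ("domains by proxy", "whoisguard", "privacy protect")

# Constructed allow/deny input: domains already known to push adware.
KNOWN_ADWARE_DOMAINS = {"adware-one.example", "adware-two.example"}


def normalize_phone(phone):
    """Keep digits only so '+1 (555) 010-0100' and '+1.555.010.0100' match."""
    return re.sub(r"\D", "", phone)


def normalize_name(name):
    """Lower-case, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def is_privacy_proxied(record):
    """True when the registrant looks like a WHOIS privacy service."""
    haystack = (record["registrant_name"] + " " + record["registrant_email"]).lower()
    return any(marker in haystack for marker in PRIVACY_MARKERS)


def build_index(records):
    """Map each normalized (field, value) to the non-proxied domains carrying it."""
    index = defaultdict(set)
    for domain, rec in records.items():
        if is_privacy_proxied(rec):
            continue  # proxy contact data must never link two domains
        index[("email", rec["registrant_email"].strip().lower())].add(domain)
        index[("phone", normalize_phone(rec["registrant_phone"]))].add(domain)
        index[("name", normalize_name(rec["registrant_name"]))].add(domain)
    return index


def cluster_domains(records):
    """Group domains transitively linked by any shared registrant field."""
    neighbors = defaultdict(set)
    for domains in build_index(records).values():
        for d in domains:
            neighbors[d] |= domains - {d}
    seen, clusters = set(), []
    for domain, rec in records.items():
        if domain in seen or is_privacy_proxied(rec):
            continue
        cluster, stack = set(), [domain]
        while stack:
            d = stack.pop()
            if d in seen:
                continue
            seen.add(d)
            cluster.add(d)
            stack.extend(neighbors[d] - seen)
        clusters.append(frozenset(cluster))
    return clusters


def flag_related_to_adware(records, known_adware):
    """Return {domain: sorted adware domains it shares registrant data with}."""
    flagged = {}
    for cluster in cluster_domains(records):
        bad = cluster & known_adware
        for d in cluster - known_adware:
            if bad:
                flagged[d] = sorted(bad)
    return flagged


if __name__ == "__main__":
    for domain, linked in flag_related_to_adware(SAMPLE_RECORDS, KNOWN_ADWARE_DOMAINS).items():
        print(f"{domain}: shares registrant details with {', '.join(linked)}")
```

Run against the constructed records, only `remote-cleanup.example` is flagged, linked to both adware domains; `unrelated.example` stands alone, and the two proxied domains are neither linked to each other nor to anything else despite identical contact fields. With real WHOIS data the same caveat applies in reverse: historical records and registrar-specific field layouts both need to be normalized before the pivot means anything.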


So here's what we know so far:

  1. A client of unknown trustworthiness is allowed to freely examine an unattended computer for a day or so.
  2. A trial run failed to weed out malware that a properly trained helper would have spotted.
  3. HijackRemote helpers do not have to pass any sort of rigorous training.
  4. Findings allow for no interaction with the helper.
  5. The site is registered with the same details as sites known to distribute spyware.

This is a disturbing picture. Based on what we know so far, CastleCops cannot endorse the HijackRemote malware removal methodology. While it is understood that cleaning malware can be a difficult and painful process, HijackRemote could well make a victim's situation worse. Not only could the victim be left with a false sense of security that pre-existing malware was removed, but it is possible that even more insidious malware has been put in place. Indeed, any valuable information residing on the computer may be directly compromised by allowing the HijackRemote client to be present, and unattended, for an extended period of time.

All victims of malware infestation are advised to avoid the HijackRemote site.
