In the June release of the Microsoft Malicious Software Removal Tool (MSRT), we’re adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015.
Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the impact of its changes can persist long after Xiazai itself is gone. MSRT will remove Xiazai but it will also restore system settings.
Xiazai’s extra changes affect browsing experience. On top of offering bundled applications during installation, as software bundlers would do, it can modify browsers’ home page so that the browser always opens to a specific website. It can also change browser shortcuts on the desktop and taskbar so that when the browser is launched using these modified shortcuts, it opens the said website.
This behavior is classified unwanted based on our evaluation criteria. At Microsoft, we work to protect customers’ choice and control of their devices, computing, and browsing experiences. Xiazai violates this by setting the browser to always open a specific website when launched. Even if the user reverts the home page, the browser will continue to open the said website when launched from the taskbar or desktop. This system change takes away control from the user.
Xiazai is a very prolific threat. We have observed it on more than two million machines since October 2015. It’s also still very active. This year, we blocked some 30K infections on average every month.
Xiazai: Sneaky browser modifier
Xiazai can be downloaded from the Internet as an installer for legitimate software, for example, Adobe Photoshop. When run, it offers to download and install Photoshop, as well as several bundled applications, which are selected by default. There is nothing outright malicious at this point, as the user can opt out of installing the bundled applications.
If the user proceeds, Xiazai downloads the legitimate installer. The installation window asks the user whether to install Photoshop right away or later. And then things get very dodgy.
More bundled applications are offered, again selected by default. There’s also an option to modify browser settings and browser shortcuts, also selected off by default.
One of two things can happen at this point:
- If the user chooses to install right away, Photoshop is installed, together with the selected bundled applications (six extra applications in total, if the user does not un-select anything), and the browser changes.
- If the user chooses to install later, Photoshop is not installed, but the bundled applications are still installed right away and browser settings and shortcuts are modified.
In the second scenario, the user is never again prompted about Photoshop. To actually install the said application, the user has to manually run the downloaded installer. And this is how the true intent of Xiazai is revealed.
Xiazai forces the browser to always open a specific website when launched. There are two ways by which Xiazai does this. First, it modifies the default home page in the browser settings.
Second, it modifies shortcut files on the desktop and on the taskbar to add a URL parameter. With this change, even if the user restores the browser settings, the browser still opens the website when launched from the desktop or taskbar.
Prevention, detection, and recovery
You may encounter Xiazai when searching for installers on third-party sites, but you may get more than what you bargained for. It’s a software bundler that does what you’d expect it to do, which is to install legitimate software. However, it also comes with additional, mostly also legitimate, software that you might not need or want. It also modifies your browsing experience in ways that are unexpected, unwanted, and hard to diagnose.
To stay away from Xiazai, get applications only from official app stores or official vendor websites. Use Microsoft Edge. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites and malicious downloads.
Get the latest protection from Microsoft. Keep your Windows operating system and antivirus, such as Windows Defender Antivirus and Microsoft Malicious Software Removal Tool (MSRT), up-to-date. If you haven’t already, upgrade to Windows 10.
Block Xiazai and other threats, including new, never-before-seen variants, in real-time. Instant protection from Windows Defender Antivirus cloud protection service is turned on by default. To check that Real-time protection and Cloud-based protection settings are turned On, launch the Windows Defender Security Center, then go to Settings > Virus & threat protection settings.
For enterprises, use Device Guard, which can lock down devices and provide kernel-level virtualization-based security. By allowing only trusted applications to run, Device Guard protects devices from Xiazai and other threats.
Use Windows Defender Advanced Threat Protection to get alerts about suspicious activities, including the download of malware, so you can detect, investigate, and respond to attacks in enterprise networks.
James Patrick Dee, Eric Avena
Microsoft Malware Protection Center