Monday, March 31, 2014

Windows 8, EZproxy and Secret Sauce AdWare

As of writing we've had 3 reported cases of Windows 8 not displaying content through EZproxy. Basically any proxied content doesn't display - no errors, no friendly error messages, just a blank screen. Everything else 'webby' works fine.

With 360 Link 1-Click with the helper frame you see the helper frame (it's not proxied by EZproxy) but the iframe content is blank - viewing source shows that no html has been transported to the browser.

Originally I suspected some sort of mixed content problem (we've had a lot of that this year in Chrome and Firefox) but no grey shields - or possibly a caching issue (we've had problems with expired EZproxy sessions being cached so students are denied access to content but are not prompted to start a new session). Scarily it affects all three of the main browsers (IE, Firefox and Chrome). Even connecting to the EZproxy login screen gives a blank screen.

But thanks to ranking smart guy at our IT Helpdesk Anthony Warrell we have a diagnosis and resolution. As he says:


The culprit turned out to be a piece of Ad-ware called Secret Sauce which had somehow managed to sneak past Norton 360 and find its way onto her computer. The tool I used to remove it is called ComboFix. I would not recommend providing the client with self-help instructions on how to clean their machine but have them obtain IT assistance with running ComboFix and removing the Ad-ware.
 
Instructions on using ComboFix can be found here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Malwaretips.com says: "Some of the programs that are known to bundle Secret Sauce include 1ClickDownload, Superfish, Yontoo and FBPhotoZoom". All three students mentioned seeing unsolicited advertisements in their browser. Malwaretips says that product images in Facebook will display a 'See Similar' button that links to the ads for which they earn money per click.

We're fortunate that ITR are willing to perform the clean for on-campus students but I'm not sure how we'll help an off-campus student - particularly when part of the process is restarting Windows 8 in safe mode, so RDC or similar remote operation isn't an option.

I hunted high and low for any mention of the way Secret Sauce interferes with EZproxy and came up with nothing. Anyone else at other institutions seeing this? No mention of it in OCLC's user support areas.  Are we the canary in the coalmine or is there something unique about our network environment exacerbating this?

I suspect that Secret Sauce doesn't like EZproxy rewriting URLs but I really don't know.  I have no idea how widespread Secret Sauce is but have written to OCLC asking if by any chance they've heard about it.

Obviously prevention would be the ideal solution, but how do you get people to be more suspicious of free software, especially when half the time we're advocating for open source and open access? Even something as seemingly obvious as always selecting the 'customise' option when installing software?  Even Java wants to install the Ask Toolbar.

Anyway I'm posting this for the future you who is googling 'Windows 8 EZproxy blank screens'. I hope it helps.

6 comments:

Alan @JCU Library said...

OCLC got back to me - they've had no other reports of this.

Also, I've said Windows 8 - but that's correlation - not definite causation.

Jai Parker said...

Thanks for posting this Alan, we haven't had any reports yet but I'm sure they'll roll in sooner or later.

Alan @JCU Library said...

Hi Jai

Suzy @Griffith says she's had several. But she's the only other library to let me know they've experienced it.

Cheers, Alan.

SpreignedAnkle said...

Hi -- Yes, this is definitely a thing for us. I don't think it's specific to Windows 8, though. We've been having reports like this, probably a few per week. Unfortunately, all of our students are distance students, so it's difficult to troubleshoot issues; however, we've had the same experience where the general "health" of people's computers has been suspect (popups, unwanted ads, etc.). The one time I was able to get my hands on a computer that was having this issue (one of my colleagues' personal computers was giving her the blank screen), hers was chock-full of adware/malware type stuff. After running through some basic spyware removal tools (I prefer Ad-Aware), everything worked like a dream.

Alan @JCU Library said...

Hi Mr Ankle - I just had to look up this blog post because I had the first one I've seen since April (admittedly I was overseas for 2 months). It looked like a slight variation on Secret Sauce but same behaviour.

Using the student's computer was weird - every new tab tried to open up the Google search page which was immediately rewritten to a Google spoofing page. I'm amazed that doesn't send warning bells to the student that something is wrong.

Will post any additional info ICT discover.

SpreignedAnkle said...

Just an update...

This has been a continuing issue for us, probably one or two per week, but almost all of them have been resolved by cleaning up the malware situation on the affected computers. We do it for them, but recommend they find someone who can.

I'm not sure what it is exactly that breaks, and it may be more than one type of malware that causes this, but anytime a student has these issues, we'll ask if they're getting weird pop-ups, ads, tabs opening, etc., and almost every time that is the case. Sometimes when they call we can even hear the ads :P.