Skip to main content

Malware tricks know about

There is a constant cat and mouse game between malware, security software companies and computer users, and the chance of one side winning the battle seems slim at best.

Malwarebytes revealed recently on Malwarebytes Unpacked how Vonteera, a malware previously classified as adware, operates.



While it may not be of interest to many how that particular malware operates, the methods that it uses to infect computer systems and remain on them may very well be as they are used by other malware as well.

Vonteera does a lot to stay on the system: it installs a scheduled task, a service, a browser helper object in Internet Explorer, replaces known browser shortcuts to load select sites on startup, enables a Chrome policy that enables them to install apps and extensions in the browser that cannot be uninstalled, and adds several certificates to the untrusted certificates listing.

Manipulation of browser shortcuts
Some methods are used by adware and malicious software alike. The changing of the browser shortcut for instance to load sites on start.To check your shortcuts, right-click on the shortcut and select properties. Locate the target line on the page and check the parameters in the target field. If you find a url there, it will be opened on start.
 Service installation
 Services may be loaded on start of the operating system, or when they are needed depending on their configuration.

You can check all existing services by tapping on the Windows-key, typing services.msc and hitting enter. You may get an UAC prompt which you need to accept.

The interface offers limited information only. While you can sort services by name or status, there is no option to sort them by installation date.

If malware installs a service on the system, you can find out more about it in the Windows Registry.

1.Tap on the Windows-key, type regedit.exe and hit enter.
2.Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName
3.Check the ImagePath variable, as it highlights which file gets executed when the service is started.
Scheduled Tasks
Tasks can be run under certain conditions, for instance on system start or shut down, at a specific day or time, or when the computer is idle.

To check Tasks on Windows, do the following:
1.Tap on the Windows-key, type Taskschd.msc and hit enter.
2.Select Task Scheduler Library and go through the listed tasks there.

You can delete tasks with a right-click and selecting "delete" from the context menu. You may disable them as well there, or check their properties (to see when they run, what they run and so on).

Internet Explorer Browser Helper Object
Browser Helper Objects are supported only by Internet Explorer. Microsoft's new browser Edge does not support them.

These work in similar fashion to extensions, meaning that they can change and record Internet sites and traffic among other things.

To manage browser helper objects in Internet Explorer, do the following:
1.Open the Internet Explorer browser on your system.
2.Tap on the Alt-key, and select Tools > Manage add-ons from the menu bar.
Go through all listings there, especially toolbars and extensions. You can disable items with a right-click and the selection of "disable" from the context menu. A click on "more information" reveals the Class ID of the Helper Object and additional information about it.

To delete them, you need to use the Registry Editor instead. Open the Windows Registry Editor and run a search for the Class ID using the Edit > Find menu. Enter the Class ID and delete all keys that come up.

I suggest you create a backup before you run the operating just to make sure you can go back if things turn out wrong.

Chrome Policy

Google's Chrome browser and Chromium support a large list of policies which enable enterprises to configure preferences on the system Chrome is run on.

The policy ExtensionInstallForcelist adds extensions to the browser for all users on the system that these users cannot remove from it.

The apps or extensions get installed silently, without user interaction, and all permissions requested get granted automatically.

Untrusted Certificates




he malware added certificates of trusted antivirus solutions to the list of untrusted certificates on Windows.

This prevented the program from being started on the system, and it prevented the download of programs from the developer website as well (provided that the browser uses the Windows Certificate Store which Internet Explorer and Chrome do, but Firefox odes not).
1.Tap on the Windows-key, type certmgr.msc and hit enter.
2.Navigate to Untrusted Certificates and check all certs listed there.
3.A right-click enables you to remove them from the list of untrusted certificates.






















Popular posts from this blog

Digital Visual Interface (DVI)

EDIMAX BR‐6428nC

Default settings of the EDIMAX BR‐6428nC Here you find the default IP address as well as the username and password for the user interface of the EDIMAX BR‐6428nC N300 Multi-Function Wi-Fi router. This site also contains information about the preconfigured Wi-Fi settings of the device. In the bottom part of this website, you will find a manual for accessing the user interface of this router and resetting its factory settings .

Intel

How Intel Got Its Name    Intel was founded in 1968 by two ex-Fairchild Semiconductor employees, Gordon E. Moore and Robert N. Noyce. The company was originally called "N M Electronics." Legend has it, their preferred name — "Moore Noyce Electronics" — sounded too similar to "more noise," not a great brand message in that industry. "Integrated Electronics" was considered as a possible name, but was taken, so the first syllables of each word were used instead. "Intel," described by Noyce as "sort of sexy," was eventually agreed upon. The pair then purchased the "Intel" trademark from the Intelco hotel chain for just $15,000. Intel Once Made Watches  In 1972, Intel moved into the jewelry market with the acquisition of digital watch maker Microma. At the time, digital watches were considered seriously high-tech, selling for hundreds of dollars, so the move was not a surprising one. The antici...