Adware can Disable Security

Monday, November 30, 2015 @ 05:11 PM gHale

Adware is able to trick an operating system into untrusting digital certificates from security companies to thwart anti-malware products from blocking it.

Anti-malware firm Malwarebytes initially detected the threat as a piece of adware that installs potentially unwanted programs (PUPs), but it has now decided to classify it as a Trojan (Trojan.Vonteera) due to the modifications it makes on an infected system. Other security companies have also classified Vonteera as a piece of malware.

Down, but not Out: Blackhole Returns
Trojan Targets XP Users
Microsoft Patches Zero Day Holes
Flash Zero Days Abound

When it infects a system, Vonteera creates several tasks in the Windows Task Scheduler. These tasks display ads at regular intervals by opening new tabs in the web browser. The threat also creates a new service called “appinf.exe” and modifies desktop, taskbar and start menu shortcuts for Internet Explorer, Firefox, Chrome, Opera and Safari.

By modifying the shortcuts, Vonteera ensures whenever one of these applications launches, they load a script designed to randomize where users end up redirected when they open the browser.

In the case of Internet Explorer, the threat adds a new Browser Helper Object (BHO). If Chrome is present, it abuses the ExtensionInstallForcelist key, which specifies a list of apps and extensions installed silently and granted all the permissions they request. These apps and extensions cannot end up uninstalled by the user.

Malwarebytes started classifying Vonteera as a Trojan after researchers noticed the adware adds 13 certificates to “Untrusted Certificates” in the Windows certificate store. The certificates are for ESS Distribution, Avast, AVG Technologies, Avira, Baidu, Bitdefender, ESET, Lavasoft, Malwarebytes, McAfee, Panda Security, ThreatTrack Security and Trend Micro.

By adding them to “Untrusted Certificates,” the malware ensures applications signed with these certificates cannot end up executed. It also prevents files from downloading from websites that use these certificates.

The appinf.exe service created by Vonteera checks for the presence of these certificates and puts them back if they end up removed by the user.

Since execution of the antivirus programs end up blocked by the User Account Control (UAC) feature in Windows, users can get security products to run again by disabling UAC, although experts advise against doing this. Another option is to bypass UAC by using a Task Scheduler trick described by Malwarebytes earlier this year.

Users can also eradicate the certificates from Untrusted Certificates via the certificate management console in Windows (certmgr.msc).