Browser Hijack Malware Advances

Friday, August 12, 2016 @ 02:08 PM gHale


A new version of the Bing.vc browser-hijacking malware is going out via applications distributed by Lavians Inc., researchers said.

Security companies have been aware of the Bing.vc malware for over a year, and they have added support to remove the threat.

RELATED STORIES
Black Hat: IT-OT Learning Curve
Network Monitoring: Keeping an Eye on IIoT
Network Monitoring Partnership
The Wireless Edge

Bing.vc is a malicious browser hijacker that installs itself into Internet Explorer, Firefox, and Chrome without the user’s consent.
• Hash: d88443ff67f5c0713067e21982e31706
• Description: * Drivers Utility Setup
• Company: Lavians Inc.

New versions of the Bing.vc malware, however, are bundling with legitimate-looking products, said researchers at Intel McAfee in a posting. The security vendor said Lavians Inc. may be the culprit behind this.

“We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk,” said Intel’s Santosh Revankar. “We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach.”

Intel said most of the infected files hide as driver utilities, using names such as HP DESKJET F4580 Driver Utility Setup, DELL Inspiron 5100 Drivers Utility Setup, or Acer Aspire ONE ZG5 Drivers Utility Setup.

When users install these files, they’ll get the legitimate application, but also Bing.vc, hidden inside a file called IconOverlayEx.dll.

Bing.vc will install into Chrome, Firefox, and Internet Explorer, and it will take over the site’s homepage and insert ads into visited websites. The page to which this browser hijacker will redirect all users is Bing.vc, hence the malware’s name.

This website has nothing to do with Microsoft’s Bing service.

Intel McAfee researchers said a link on this hijacked homepage leads users to a site that tries to sell them an expensive utility to fix their browser hijacking problem.

Users who notice something strange and move to uninstall the original driver utility they installed will find all files will be removed, except for IconOverlayEx.dll, which will remain on the infected system.

During the uninstall routine, Bing.vc will alter the user’s PC registry keys and add two new entries that will load the DLL on every boot-up.

By doing so, even after uninstalling the original infected files, Bing.vc remains on the system.

Users who want to get rid of this infection have to remove the registry keys by hand or use an automated PC clean-up utility that usually comes with antivirus software.

The shortcuts for each browser also need to be cleaned by deleting the URL at the end of the application target parameter.