Bing.VC Hijacks Browsers Using Legitimate Applications

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently seen a variant of the hijacker Bing.vc.

Browser hijackers usually display the following symptoms:

  • Redirection to an unintended page.
  • Unusual pop-ups showing advertisements.
  • The browser may become unstable and exhibit frequent errors.
  • Problems accessing security-related sites (antimalware, antispyware).

Hijackers usually infect via one of three vectors:

  • Generally bundled with legitimate software applications.
  • As part of freeware.
  • Through email or a drive-by download.

Bing.vc is a malicious browser hijacker that installs itself into Internet Explorer, Firefox, and Chrome without the user’s consent.

  • Hash: d88443ff67f5c0713067e21982e31706
  • Description: * Drivers Utility Setup
  • Company: Lavians Inc.

We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk. We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its reach. It usually hides in driver utilities such as:

  • HP DESKJET F4580 Driver Utility Setup
  • DELL Inspiron 5100 Drivers Utility Setup
  • Acer Aspire ONE ZG5 Drivers Utility Setup

Intel Security advises users not to use third-party free utilities to fix driver issues. It is always better to download drivers directly from the manufacturers’ sites. Also carefully read the EULA/disclaimers before installing any software.

For our analysis, we examined the “DELL Latitude D810 Drivers Utility Setup” from Lavians Inc. This application installed without any problems and showed no suspicious behavior, but it hijacked our browser and changed the homepage to “hxxp://bing.vc/?r=15443&lnk=sct2” for all installed browsers and changed their default search engine to bing.vc. (This browser hijacker has nothing to do with Microsoft’s Bing search engine.)

Upon execution, Bing.vc added the following files onto our system:

  • C:\Documents and Settings\Administrator\Local Settings\Application Data\IconOverlayEx.dll
  • C:\Program Files\DELL Latitude D810 Drivers Utility\DPInst.exe
  • C:\Program Files\DELL Latitude D810 Drivers Utility\DriverBackUp.exe
  • C:\Program Files\DELL Latitude D810 Drivers Utility\driverlib.dll
  • C:\Program Files\DELL Latitude D810 Drivers Utility\DriverUpdateUtility.exe
  • C:\Program Files\DELL Latitude D810 Drivers Utility\unins000.dat
  • C:\Program Files\DELL Latitude D810 Drivers Utility\unins000.exe
  • C:\Program Files\DELL Latitude D810 Drivers Utility\update.dll
  • C:\Documents and Settings\All Users\Desktop\DELL Latitude D810 Drivers Utility.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\DELL Latitude D810 Drivers Utility\DELL Latitude D810 Drivers Utility.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\DELL Latitude D810 Drivers Utility\Uninstall DELL Latitude D810 Drivers Utility.lnk

All the new files were clean except for IconOverlayEx.dll (6D37DD857500184164947DD6C8DEE54A), the file responsible for redirection. When we tried to uninstall the application, it removed all other installed components except for IconOverlayEx.dll and added two registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ IconOverlayEx: “{E1773C0E-364D-4210-B831-72F5A359E88F}”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1773C0E-364D-4210-B831-72F5A359E88F}: “Icon Overlay Shell Extension”

The shell extension handler is a well-known trick that malware uses for persistence, and it requires no administrator rights. After uninstalling the application and restarting the machine, we saw that the home page had been changed in all our browsers without our knowledge. The malware changed the homepage after we uninstalled the application.

The following snippets illustrate the homepages changed to bing.vc:

[Screenshots: Internet Explorer, Chrome and Firefox homepages set to bing.vc]

When we checked our browser properties, we saw that the targets were set for bing.vc:

[Screenshot: browser shortcut properties]

When we started our browser, we saw the new homepage:

[Screenshot: new homepage]

The FixBrowserRedirect link on the redirected home page sent us to the site hxxp://fixbrowserredirect.net/, where we learned about browser redirection and were offered the convenience of buying software to fix the redirection. How thoughtful!


Restoring the system

In addition to removing the registry entries and deleting IconOverlayEx.dll, users should also remove the malicious target in the properties of any installed browsers: hxxp://bing.vc/?r=15443&lnk=sct2.
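A defender can audit the two persistence points and the shortcut targets described above with a script like the following, added here as an example and not part of the McAfee post. It assumes a PowerShell-capable Windows host; the CLSID, DLL name and URL are the ones the post reports, while the function name and the reporting format are this example's own. It only reports and deletes nothing.

```powershell
# Added example, not code from the McAfee post. Indicators below are the ones the
# post reports; the function name and report format are constructed for this example.
$KnownClsid = '{E1773C0E-364D-4210-B831-72F5A359E88F}'
$KnownDll   = 'IconOverlayEx.dll'
$HijackUrl  = 'bing.vc'

function Find-HijackArtifacts {
    # 1. Every icon-overlay handler Explorer loads, resolved to the DLL behind its CLSID.
    $overlayRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    foreach ($key in Get-ChildItem $overlayRoot -ErrorAction SilentlyContinue) {
        $clsid  = (Get-ItemProperty $key.PSPath).'(default)'
        $server = foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
            $p = Join-Path $hive "CLSID\$clsid\InprocServer32"
            if (Test-Path $p) { (Get-ItemProperty $p).'(default)' }
        }
        $suspect = ($clsid -eq $KnownClsid) -or
                   ($server -match [regex]::Escape($KnownDll)) -or
                   ($server -match '\\(AppData|Local Settings\\Application Data)\\')  # handler DLL living in a user profile
        if ($suspect) {
            [pscustomobject]@{ Type = 'OverlayHandler'; Where = "$overlayRoot\$($key.PSChildName)"; Detail = "$clsid -> $($server -join ';')" }
        }
    }

    # 2. Is the known CLSID white-listed under Shell Extensions\Approved?
    $approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    $names = (Get-ItemProperty $approved -ErrorAction SilentlyContinue).PSObject.Properties.Name
    if ($names -contains $KnownClsid) {
        [pscustomobject]@{ Type = 'ApprovedExtension'; Where = $approved; Detail = $KnownClsid }
    }

    # 3. Browser shortcuts whose target or arguments carry the hijack URL
    #    (the post shows the URL planted in the shortcut properties of every browser).
    $wsh   = New-Object -ComObject WScript.Shell
    $roots = foreach ($f in 'Desktop', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu') {
        [Environment]::GetFolderPath($f)
    }
    foreach ($lnkFile in Get-ChildItem $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk = $wsh.CreateShortcut($lnkFile.FullName)
        if ("$($lnk.TargetPath) $($lnk.Arguments)" -match [regex]::Escape($HijackUrl)) {
            [pscustomobject]@{ Type = 'Shortcut'; Where = $lnkFile.FullName; Detail = $lnk.Arguments }
        }
    }
}

Find-HijackArtifacts | Format-Table -AutoSize -Wrap
```

Confirm the hash of any DLL the report names against the one given above before removing the registry entries and the file.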


Intel Security detects this type of browser hijacking as BingVC.

The post Bing.VC Hijacks Browsers Using Legitimate Applications appeared first on McAfee.

Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks


Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications.

The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks. In fact, the protocol is designed in a way that it can easily open Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network.

At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords. The malicious, off-site JavaScript code attack is possible because the vulnerable USA Today pages aren't encrypted. Even if they were protected, attackers could still terminate the connection. Similar attacks work against a variety of other unidentified sites and services, as long as they have long-lived connections that give hackers enough time—roughly 60 seconds—to carry out the attack.


Copperhead OS: The startup that wants to solve Android’s woeful security


A startup on a shoestring budget is working to clean up the Android security mess, and has even demonstrated results where other "secure" Android phones have failed, raising questions about Google's willingness to address the widespread vulnerabilities that exist in the world's most popular mobile operating system.

"Copperhead is probably the most exciting thing happening in the world of Android security today," Chris Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, tells Ars. "But the enigma with Copperhead is why do they even exist? Why is it that a company as large as Google and with as much money as Google and with such a respected security team—why is it there's anything left for Copperhead to do?"

Copperhead OS, a two-man team based in Toronto, ships a hardened version of Android that aims to integrate Grsecurity and PaX into their distribution. Their OS also includes numerous security enhancements, including a port of OpenBSD’s malloc implementation, compiler hardening, enhanced SELinux policies, and function pointer protection in libc. Unfortunately for security nuts, Copperhead currently only supports Nexus devices.
