Bing.VC Hijacks Browsers Using Legitimate Applications

August 10, 2016

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently seen a variant of the hijacker Bing.vc.

Browser hijackers usually display the following symptoms:

  • Redirection to an unintended page.
  • Unusual pop-ups showing advertisements.
  • Browser may become unstable and exhibits frequent errors.
  • Problems accessing security-related sites (antimalware, antispyware).

Hijackers usually infect via one of three vectors:

  • Generally bundled with legitimate software applications.
  • As part of freeware.
  • Through email or a drive-by download.

Bing.vc is a malicious browser hijacker that installs itself into Internet Explorer, Firefox, and Chrome without the user’s consent.

  • Hash: d88443ff67f5c0713067e21982e31706
  • Description: * Drivers Utility Setup
  • Company: Lavians Inc.

We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk. We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach. It usually hides in drivers utilities such as:

  • HP DESKJET F4580 Driver Utility Setup
  • DELL Inspiron 5100 Drivers Utility Setup
  • Acer Aspire ONE ZG5 Drivers Utility Setup

Intel Security advises users to not use third-party free utilities to fix driver issues. It’s always better to directly download drivers from the manufactures sites. Also carefully read the EULA/disclaimers before installing any software.

For our analysis, we examined the “DELL Latitude D810 Drivers Utility Setup” from Lavians Inc. This application installed without any problems and showed no suspicious behavior, but it hijacked our browser and changed the homepage to “hxxp://bing.vc/?r=15443&lnk=sct2” for all installed browsers and changed their default search engine to bing.vc. (This browser hijacker has nothing to do with Microsoft’s Bing search engine.)

Upon execution, Bing.vc added the following files onto our system:

  • C:Documents and SettingsAdministratorLocal SettingsApplication DataIconOverlayEx.dll
  • C:Program FilesDELL Latitude D810 Drivers UtilityDPInst.exe
  • C:Program FilesDELL Latitude D810 Drivers UtilityDriverBackUp.exe
  • C:Program FilesDELL Latitude D810 Drivers Utilitydriverlib.dll
  • C:Program FilesDELL Latitude D810 Drivers UtilityDriverUpdateUtility.exe
  • C:Program FilesDELL Latitude D810 Drivers Utilityunins000.dat
  • C:Program FilesDELL Latitude D810 Drivers Utilityunins000.exe
  • C:Program FilesDELL Latitude D810 Drivers Utilityupdate.dll
  • C:Documents and SettingsAll UsersDesktopDELL Latitude D810 Drivers Utility.lnk
  • C:Documents and SettingsAll UsersStart MenuProgramsDELL Latitude D810 Drivers UtilityDELL Latitude D810 Drivers Utility.lnk
  • C:Documents and SettingsAll UsersStart MenuProgramsDELL Latitude D810 Drivers UtilityUninstall DELL Latitude D810 Drivers Utility.lnk

All the new files were clean except for IconOverlayEx.dll (6D37DD857500184164947DD6C8DEE54A), the file responsible for redirection. When we tried to uninstall the application, it removed all other installed components except for IconOverlayEx.dll and added two registry entries:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShellIconOverlayIdentifiers IconOverlayEx: “{E1773C0E-364D-4210-B831-72F5A359E88F}”
  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsApproved{E1773C0E-364D-4210-B831-72F5A359E88F}: “Icon Overlay Shell Extension”

The shell extension handler is a well-known trick that malware uses for persistence, and it requires no administrator rights. After uninstalling the application and restarting the machine, we saw that the home page had been changed in all our without our knowledge. The malware changed the homepage after we uninstalled the application.

The following snippets illustrate the homepages changed to bing.vc:

Internet Explorer

Explorer_1

Chrome

Chrome_1

Firefox

FireFox_1

When we checked our browser properties, we saw that the targets were set for bing.vc:

Properties

When we started our browser, we saw the new homepage:

5

The FixBrowserRedirect link on the redirected home page sent us to the site hxxp://fixbrowserredirect.net/, where we learned about browser redirection and were offered the convenience of buying software to fix the redirection. How thoughtful!

6

Restoring the system

In addition to removing the registry entries and deleting IconOverlayEx.dll, users should also remove the malicious target in the properties of any installed browsers: hxxp://bing.vc/?r=15443&lnk=sct2.

7

Intel Security detects this type of browser hijacking as BingVC.

The post Bing.VC Hijacks Browsers Using Legitimate Applications appeared first on McAfee.