There is a constant cat-and-mouse game between malware authors, security software companies and computer users, and the chance of either side winning it outright seems slim at best.
Malwarebytes revealed recently on Malwarebytes Unpacked how Vonteera, a malware previously classified as adware, operates.
While how that particular malware operates may not interest many, the methods it uses to infect computer systems and remain on them may very well be of interest, as other malware uses them as well.
Vonteera does a lot to stay on the system: it installs a scheduled task, a service and a browser helper object in Internet Explorer, replaces known browser shortcuts so that select sites load on startup, enables a Chrome policy that lets it install apps and extensions in the browser which cannot be uninstalled, and adds several certificates to the untrusted certificates list.
Manipulation of browser shortcuts
Some methods are used by adware and malicious software alike, for instance changing the browser shortcut so that sites load on start. We mentioned this method back in 2014, and it remains popular as it is easy to do and highly effective.
To check your shortcuts, right-click on the shortcut and select Properties. Locate the Target line on the page and check the parameters listed after the program path in the target field. If you find a URL there, it will be opened on start.
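Checking every browser shortcut by hand is tedious, so here is an added PowerShell example (not code from the Ghacks article or from Malwarebytes) that performs the same check in bulk: it reads the target and arguments of each browser .lnk file in the common shortcut locations and flags those whose arguments contain a URL. It assumes Windows PowerShell 5.1 or later; the browser executable names and folder list are assumptions and can be extended.

```powershell
# Added example: flag browser shortcuts whose arguments carry a URL.
# The shortcut's arguments are what the shortcut trick described above manipulates.
$shell    = New-Object -ComObject WScript.Shell
$browsers = 'chrome', 'firefox', 'iexplore', 'msedge', 'opera'   # assumed list of browser executables
$folders  = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"        # also covers taskbar pins (User Pinned\TaskBar)
)

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $exe = [IO.Path]::GetFileNameWithoutExtension($lnk.TargetPath).ToLower()
    if ($browsers -contains $exe) {
        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            # a URL in the arguments means the browser opens that site every time the shortcut is used
            Suspicious = $lnk.Arguments -match '(?i)https?://|www\.'
        }
    }
  } | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Rows with Suspicious set to True deserve a look; legitimate Chrome app shortcuts carry switches such as --app-id or --profile-directory, which the regular expression deliberately ignores.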
Services may load when the operating system starts, or on demand when they are needed, depending on their configuration.
You can check all existing services by tapping on the Windows-key, typing services.msc and hitting enter. You may get a UAC prompt which you need to accept.
The interface offers only limited information. While you can sort services by name or status, there is no option to sort them by installation date.
If malware installs a service on the system, you can find out more about it in the Windows Registry.
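Since services.msc cannot sort by installation date, the following added PowerShell example (not from the Ghacks article or Malwarebytes) lists each service with the creation time and Authenticode status of its executable, and pulls the ImagePath from the service's registry key mentioned above, so recently added services rise to the top. It assumes an elevated Windows PowerShell 5.1 prompt; the cut-off of 25 rows is an arbitrary choice.

```powershell
# Added example: services ordered by the creation time of their executable.
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the executable path
    $path = $_.PathName
    if     ($path -match '^"([^"]+)"')       { $path = $Matches[1] }
    elseif ($path -match '(?i)^(.+?\.exe)')  { $path = $Matches[1] }

    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $created   = if ($file) { $file.CreationTime } else { $null }
    $signature = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } else { 'file missing' }

    # the same binary path is recorded under the service's key in the Registry
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -ErrorAction SilentlyContinue
    $imagePath = if ($reg) { $reg.ImagePath } else { $null }

    [PSCustomObject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Binary    = $path
        Created   = $created
        Signature = $signature
        ImagePath = $imagePath
    }
}

$services | Sort-Object Created -Descending | Select-Object -First 25 | Format-Table -AutoSize -Wrap
```

Services hosted by svchost.exe all share that binary's timestamp, so for those the ServiceDll value under the key's Parameters subkey is the file to inspect instead.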
Tasks can run under certain conditions, for instance on system start or shutdown, at a specific day or time, or when the computer is idle.
To check Tasks on Windows, do the following:
You can delete tasks by right-clicking and selecting "delete" from the context menu. You may disable them there as well, or check their properties (to see when they run, what they run, and so on).
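The same triage can be scripted. This added PowerShell example (not code from the Ghacks article or Malwarebytes) lists every task outside the \Microsoft\ folder together with the account it runs as, its actions, its trigger types and its last and next run times. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later); the choice to skip the \Microsoft\ folder is an assumption that keeps built-in tasks out of the way.

```powershell
# Added example: non-Microsoft scheduled tasks with what they run and what triggers them.
Get-ScheduledTask |
  Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
  ForEach-Object {
    $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath

    $actions = foreach ($a in $_.Actions) {
        # exec actions carry Execute/Arguments; COM handler actions only carry a ClassId
        if ($a.Execute) { "$($a.Execute) $($a.Arguments)".Trim() } else { "COM:$($a.ClassId)" }
    }
    # trigger CIM class names encode the condition: BootTrigger, LogonTrigger, IdleTrigger, DailyTrigger, ...
    $triggers = foreach ($t in $_.Triggers) { $t.CimClass.CimClassName -replace '^MSFT_Task', '' }

    [PSCustomObject]@{
        Task     = $_.TaskPath + $_.TaskName
        State    = $_.State
        RunAs    = $_.Principal.UserId
        Actions  = $actions -join ' | '
        Triggers = $triggers -join ', '
        LastRun  = $info.LastRunTime
        NextRun  = $info.NextRunTime
    }
  } | Sort-Object LastRun -Descending | Format-Table -AutoSize -Wrap
```

A task found this way can be switched off with Disable-ScheduledTask or removed with Unregister-ScheduledTask, passing the same -TaskName and -TaskPath, which mirrors the disable and delete entries of the context menu.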
Internet Explorer Browser Helper Object
Browser Helper Objects are supported only by Internet Explorer. Microsoft's new browser Edge does not support them.
These work in similar fashion to extensions, meaning that they can modify and record Internet sites and traffic, among other things.
To manage browser helper objects in Internet Explorer, do the following:
Go through all listings there, especially toolbars and extensions. You can disable items by right-clicking and selecting "disable" from the context menu. A click on "more information" reveals the Class ID of the helper object and additional information about it.
To delete them, you need to use the Registry Editor instead. Open the Windows Registry Editor and search for the Class ID using the Edit > Find menu. Enter the Class ID and delete all keys that come up.
I suggest you create a backup before you run the operation, just to make sure you can go back if things turn out wrong.
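To see the registered helper objects without clicking through the Manage Add-ons dialog, here is an added PowerShell example (not code from the Ghacks article or Malwarebytes). It enumerates the Browser Helper Objects keys, resolves each Class ID through the CLSID registration to the DLL it loads, and reports that DLL's signature status; the list of registry locations is the standard one but is an assumption for machines with unusual layouts. Run it from an elevated prompt.

```powershell
# Added example: registered Browser Helper Objects, resolved to their DLLs.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    'HKCU:\SOFTWARE\Classes\CLSID'
)

$bhos = foreach ($key in $bhoKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName          # the Class ID shown under "more information"
        $dll   = $null
        foreach ($root in $clsidRoots) {
            # InprocServer32's default value is the DLL Internet Explorer loads for this object
            $server = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $name   = if ($server) { $server.'(default)' } else { $null }
            if ($name) { $dll = [Environment]::ExpandEnvironmentVariables($name); break }
        }
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'dll missing' }

        [PSCustomObject]@{
            ClassId   = $clsid
            Dll       = $dll
            Signature = $status
            RegKey    = $_.Name
        }
    }
}

$bhos | Format-Table -AutoSize -Wrap

# Take the backup the text recommends before removing any key, e.g.:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho-backup.reg
```

The Class ID printed here is the value to search for in the Registry Editor; a BHO whose DLL is unsigned, missing, or located in a user-writable folder such as a temp or AppData directory is the one to investigate first.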
Google's Chrome browser and Chromium support a long list of policies which enable enterprises to configure preferences on the systems Chrome runs on.
The policy ExtensionInstallForcelist adds extensions to the browser for all users on the system, and those users cannot remove them.
The apps or extensions get installed silently, without user interaction, and all permissions requested get granted automatically.
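On Windows the policy lives in the Registry, so it can be audited directly. This added PowerShell example (not code from the Ghacks article, Malwarebytes or Google) reads ExtensionInstallForcelist from the machine and user policy keys for Chrome and Chromium, splits each entry into extension ID and update URL, and flags entries that do not update from the Chrome Web Store. The key paths are the documented policy locations; the Web Store update URL prefix used for the comparison is an assumption about the usual value.

```powershell
# Added example: extensions forced into Chrome/Chromium by policy, with their update URLs.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKLM:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist'
)
$webStoreUpdate = 'https://clients2.google.com/service/update2/crx*'   # assumed Web Store update URL pattern

$forced = foreach ($key in $policyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # list entries are stored as numbered values: "1" = "<extension id>;<update url>"
    $props.PSObject.Properties |
      Where-Object { $_.Name -match '^\d+$' } |
      ForEach-Object {
        $id, $url = $_.Value -split ';', 2
        [PSCustomObject]@{
            Key         = $key
            ExtensionId = $id
            UpdateUrl   = $url
            NonWebStore = -not ($url -like $webStoreUpdate)
        }
      }
}

if ($forced) { $forced | Format-Table -AutoSize -Wrap } else { 'No ExtensionInstallForcelist entries found.' }
```

On a machine that is not managed by an organisation, any entry at all is unexpected; chrome://policy shows the same list from the browser's point of view, including policies delivered by means other than the Registry.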
The malware added certificates of trusted antivirus solutions to the list of untrusted certificates on Windows.
This prevented those programs from being started on the system, and it prevented the download of programs from the developer websites as well (provided that the browser uses the Windows Certificate Store, which Internet Explorer and Chrome do but Firefox does not).
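The untrusted certificates can be reviewed through the Cert: drive. This added PowerShell example (not code from the Ghacks article or Malwarebytes) lists every certificate in the Disallowed stores of the machine and the current user, and flags those with a code-signing purpose, which is where a blocked software publisher's certificate would appear. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: certificates in the Untrusted (Disallowed) stores, code-signing ones first.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning extended key usage

$untrusted = foreach ($loc in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem -Path "Cert:\$loc\Disallowed" -ErrorAction SilentlyContinue | ForEach-Object {
        $isCodeSigning = [bool]($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid })
        [PSCustomObject]@{
            Store       = "$loc\Disallowed"
            Subject     = $_.Subject
            Issuer      = $_.Issuer
            NotAfter    = $_.NotAfter
            CodeSigning = $isCodeSigning
            Thumbprint  = $_.Thumbprint
        }
    }
}

$untrusted | Sort-Object CodeSigning, NotAfter -Descending | Format-Table -AutoSize -Wrap

# Once a wrongly blocked publisher certificate is confirmed by its thumbprint, removing the
# entry restores trust (replace the placeholder with the real thumbprint):
#   Get-ChildItem -Path Cert:\LocalMachine\Disallowed\<thumbprint> | Remove-Item
```

Windows ships its own entries in these stores (revoked and fraudulently issued certificates), so the presence of the store content itself is normal; a subject naming a security vendor or another software publisher is the kind of entry this section describes.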
Now You: Know of other tricks malware uses?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.