
Vonteera adware family adds new trick to arsenal

Researchers observed the Vonteera adware family using system certificates to disable both anti-malware and anti-virus software, according to a Nov. 20 Malwarebytes blog post.

The post said researchers watched the adware's installer blacklist the certificates of Avast Software, AVG Technologies, Avira, Baidu, Bitdefender, ESET, ESS Distribution, Lavasoft, Malwarebytes, McAfee, Panda Security, Trend Micro and ThreatTrack Security by automatically filing them under "Untrusted Certificates" on the user's system, which causes Windows to refuse to run or download applications signed with any of the 13 certificates.

The adware also alters the shortcuts for Internet Explorer, Firefox, Chrome, Opera and Safari on the desktop, the taskbar and in the Start menu by adding a URL to the target field, so that launching the browser redirects victims to randomized sites, according to the report.

Vonteera can also add several scheduled tasks to a user's system that show advertisements multiple times a day, among other actions, the report said.

On Chrome browsers, the malware sets the Policies\Chromium\ExtensionInstallForcelist policy, which "specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled by the user," according to the Chromium Projects Policy List.

This grants the permission requests of the malware's extension, including any additional permissions requested by future versions, without user interaction, according to the policy description.
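The two browser-tampering indicators described above (a URL appended to a browser shortcut's target, and a force-installed Chrome extension) are both readable from the host without any vendor tooling. The following PowerShell script is an added example written for this page; it is not code from the Malwarebytes post or from SC Media. It assumes PowerShell 3.0 or later, the browser executable names and shortcut folders listed in it are the author's choices rather than values from the report, and the registry locations are the standard Chrome/Chromium policy keys.

```powershell
# Added example (not from the Malwarebytes post): audit browser shortcuts and the
# Chrome ExtensionInstallForcelist policy for the tampering described above.
# Assumptions: PowerShell 3.0+; run as the user whose profile is being checked.

# Executable names of the five browsers named in the report (author's list).
$browserExes = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe', 'safari.exe'

# --- 1. Shortcuts ---------------------------------------------------------
# In a .lnk file the "Target" shown in Properties is TargetPath plus Arguments.
# A URL appended after the browser executable therefore lands in Arguments;
# a clean browser shortcut has no URL there.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { Test-Path $_ }

$wsh = New-Object -ComObject WScript.Shell
$tamperedShortcuts = foreach ($lnkFile in Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $lnk = $wsh.CreateShortcut($lnkFile.FullName)
    $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
    if (($browserExes -contains $exe) -and ($lnk.Arguments -match 'https?://')) {
        [pscustomobject]@{
            Shortcut  = $lnkFile.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
}

# --- 2. Force-installed extensions ---------------------------------------
# Each value under the key is "<32-char extension id>;<update URL>".
# Chrome Web Store extensions use https://clients2.google.com/service/update2/crx;
# any other update URL deserves a closer look.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist'
)
$webStore = 'https://clients2.google.com/service/update2/crx'

$forcedExtensions = foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $id, $update = [string]$item.GetValue($name) -split ';', 2
        [pscustomobject]@{
            Key           = $key
            ExtensionId   = $id
            UpdateUrl     = $update
            NonWebStore   = ($update -ne $webStore)
        }
    }
}

# --- Report ---------------------------------------------------------------
if ($tamperedShortcuts) {
    Write-Host "Browser shortcuts with a URL in the target field:"
    $tamperedShortcuts | Format-Table -AutoSize
} else {
    Write-Host "No browser shortcuts carry a URL argument."
}

if ($forcedExtensions) {
    Write-Host "ExtensionInstallForcelist entries (NonWebStore = True is the first thing to check):"
    $forcedExtensions | Format-Table -AutoSize
} else {
    Write-Host "No ExtensionInstallForcelist policy is set."
}
```

Any force-list entry on a home machine that was never joined to a domain or managed by an administrator is itself a finding, whatever its update URL, since the policy exists for enterprise deployment. Deleting the value (or the whole ExtensionInstallForcelist key) lets the user uninstall the extension normally again; the shortcut fix is simply to clear the Arguments field or recreate the shortcut.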

Adam Kujawa, head of malware intelligence at Malwarebytes, said in email correspondence that so far they have only witnessed Windows systems infected, but that the same tricks may be employed in OS X adware.

Researchers said in the post that a user could disable User Account Control (UAC) in order to bypass the malware's use of certificates, or use a "trick" to circumvent it. A victim could also open the certificate manager and delete the certificates that Vonteera classified as "Untrusted" to mitigate the malware.
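The certificate-manager clean-up described above, and the blacklisting it undoes (the 13 vendor certificates filed as "Untrusted"), can be done from PowerShell, which is also the only practical way to check many machines. The following script is an added example written for this page, not code from the Malwarebytes post or from SC Media. It assumes PowerShell 3.0 or later and administrator rights for the LocalMachine store; the vendor name patterns are the author's, derived from the vendor list earlier in the article, and matching on subject name only is a deliberate choice so that the legitimate entries Microsoft itself places in the Untrusted store are never touched.

```powershell
# Added example (not from the Malwarebytes post): list, and optionally remove,
# entries in the Windows "Untrusted Certificates" store (the Disallowed store)
# whose subject names one of the security vendors the report says Vonteera blacklists.
# Assumptions: PowerShell 3.0+; run elevated to touch Cert:\LocalMachine.
# Save as e.g. Find-UntrustedVendorCerts.ps1 and run with -Remove to delete matches.
param([switch]$Remove)

# Vendor names taken from the article's list; the patterns themselves are the author's.
$vendorNames = 'Avast', 'AVG', 'Avira', 'Baidu', 'Bitdefender', 'ESET', 'ESS Distribution',
               'Lavasoft', 'Malwarebytes', 'McAfee', 'Panda', 'Trend Micro', 'ThreatTrack'
$vendorPattern = ($vendorNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Both stores matter: the machine-wide one needs admin rights, the per-user one does not.
$stores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'

# The Disallowed store legitimately contains certificates Microsoft distrusts
# (fraudulent CA certificates and the like), so never clear it wholesale.
# Only entries whose Subject matches a security vendor are reported.
$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $vendorPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $hits) {
    Write-Host "No security-vendor certificates found in the Untrusted stores."
    return
}

Write-Host "Security-vendor certificates filed as Untrusted:"
$hits | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # Removing the entry restores normal trust evaluation for that publisher;
        # -Confirm prompts per certificate so a reviewer sees exactly what goes.
        Remove-Item -Path "$($h.Store)\$($h.Thumbprint)" -Confirm
    }
    Write-Host "Done. Re-run the security product's installer or scanner now that its certificate is no longer blocked."
}
```

Review the listing before passing -Remove: subject matching is deliberately loose (any subject containing a vendor name), so confirm that each entry really is a vendor's code-signing certificate and not something an administrator blocked on purpose. Once the entries are gone, the installers the report says were being refused will run again, which is the point at which Kujawa's advice below (install a scanner to remove the adware itself) applies.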

Kujawa said that installing applications such as AVG, ESET engines or Malwarebytes Anti-Malware will remove the adware once the certificate problem is handled. 

Users can avoid becoming infected by the potentially unwanted program (PUP) by using "a scanner that will detect and prevent the execution of the installer executable in real-time rather than running a scan after the fact," Kujawa said.

"This particular PUP is also bundled with other shady software, so it's a good idea to stay away from bundler installers, such as you might find on websites offering lots of downloads or at least requiring the user to install the downloader application rather than the required application," he said, giving as examples apps that say things like "Install our downloader to get this software!"
