Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28525
  • Total Topics: 8240
  • Online Today: 833
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Bing.VC Hijacks Browsers Using Legitimate Applications  (Read 179 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Bing.VC Hijacks Browsers Using Legitimate Applications
« on: 23. September 2016., 15:30:30 »
Bing.VC Hijacks Browsers Using Legitimate Applications

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently seen a variant of the hijacker Bing.vc.

Browser hijackers usually display the following symptoms:

• Redirection to an unintended page.

• Unusual pop-ups showing advertisements.

• Browser may become unstable and exhibits frequent errors.

• Problems accessing security-related sites (antimalware, antispyware).



Hijackers usually infect via one of three vectors:

• Generally bundled with legitimate software applications.

• As part of freeware.

• Through email or a drive-by download.



Bing.vc is a malicious browser hijacker that installs itself into Internet Explorer, Firefox, and Chrome without the user’s consent.

• Hash: d88443ff67f5c0713067e21982e31706

• Description: * Drivers Utility Setup

• Company: Lavians Inc.



We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk. We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach. It usually hides in drivers utilities such as:

• HP DESKJET F4580 Driver Utility Setup

• DELL Inspiron 5100 Drivers Utility Setup

• Acer Aspire ONE ZG5 Drivers Utility Setup



Intel Security advises users to not use third-party free utilities to fix driver issues. It’s always better to directly download drivers from the manufactures sites. Also carefully read the EULA/disclaimers before installing any software.

For our analysis, we examined the “DELL Latitude D810 Drivers Utility Setup” from Lavians Inc. This application installed without any problems and showed no suspicious behavior, but it hijacked our browser and changed the homepage to “hxxp://bing.vc/?r=15443&lnk=sct2” for all installed browsers and changed their default search engine to bing.vc. (This browser hijacker has nothing to do with Microsoft’s Bing search engine.)

Upon execution, Bing.vc added the following files onto our system:

• C:\Documents and Settings\Administrator\Local Settings\Application Data\IconOverlayEx.dll

• C:\Program Files\DELL Latitude D810 Drivers Utility\DPInst.exe

• C:\Program Files\DELL Latitude D810 Drivers Utility\DriverBackUp.exe

• C:\Program Files\DELL Latitude D810 Drivers Utility\driverlib.dll

• C:\Program Files\DELL Latitude D810 Drivers Utility\DriverUpdateUtility.exe

• C:\Program Files\DELL Latitude D810 Drivers Utility\unins000.dat

• C:\Program Files\DELL Latitude D810 Drivers Utility\unins000.exe

• C:\Program Files\DELL Latitude D810 Drivers Utility\update.dll

• C:\Documents and Settings\All Users\Desktop\DELL Latitude D810 Drivers Utility.lnk

• C:\Documents and Settings\All Users\Start Menu\Programs\DELL Latitude D810 Drivers Utility\DELL Latitude D810 Drivers Utility.lnk

• C:\Documents and Settings\All Users\Start Menu\Programs\DELL Latitude D810 Drivers Utility\Uninstall DELL Latitude D810 Drivers Utility.lnk



All the new files were clean except for IconOverlayEx.dll (6D37DD857500184164947DD6C8DEE54A), the file responsible for redirection. When we tried to uninstall the application, it removed all other installed components except for IconOverlayEx.dll and added two registry entries:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ IconOverlayEx\: “{E1773C0E-364D-4210-B831-72F5A359E88F}”

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1773C0E-364D-4210-B831-72F5A359E88F}: “Icon Overlay Shell Extension”



The shell extension handler is a well-known trick that malware uses for persistence, and it requires no administrator rights. After uninstalling the application and restarting the machine, we saw that the home page had been changed in all the installed browsers without our knowledge. The malware changed the homepage after we uninstalled the application.

The following snippets illustrate the homepages changed to bing.vc:

Internet Explorer




Chrome




Firefox




When we checked our browser properties, we saw that the targets were set for bing.vc:



When we started our browser, we saw the new homepage:



The FixBrowserRedirect link on the redirected home page sent us to the site hxxp://fixbrowserredirect.net/, where we learned about browser redirection and were offered the convenience of buying software to fix the redirection. How thoughtful!



Restoring the system

In addition to removing the registry entries and deleting IconOverlayEx.dll, users should also remove the malicious target in the properties of any installed browsers: hxxp://bing.vc/?r=15443&lnk=sct2.



Intel Security detects this type of browser hijacking as BingVC.


Original article: By Santosh Revankar on Aug 10, 2016
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Bing.VC Hijacks Browsers Using Legitimate Applications
« on: 23. September 2016., 15:30:30 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising