Trojan.mutabaha.1 bypasses UAC and sets fake Chrome.

in techreview •  8 years ago  (edited)

https://xakep.ru/2016/08/30/trojan-mutabaha-1/

The specialists of " Doctor Web " warns about the discovery of the Trojan.Mutabaha.1. Malware does not just attack the user's browser, but sets on the infected computer 's own assembly Chrome browser, replacing the original.

The main feature of malware is its ability to bypass the security mechanism User Accounts Control (UAC). The researchers write that the first information about the UAC bypass technology was published online August 15, 2016, and after only three days of viral lab discovered the first example of malware (Trojan.Mutabaha.1.), who used this method.

The first thing after the infection on the computer runs the malware dropper, which increases their privileges on the system by modifying the registry branch HKCU\ Software\ Classes\mscfile\shell\open\command. Then malware saves to disk and launches setup_52.3.2743.82_1471853250.exe application and maintains and runs the .bat- files designed for the removal of the dropper. When everything is ready, malware communicates with the management server and receives the configuration file, in which the address to download a fake version of the browser. Fake browser is installed in the folder C:\Program Files\Outfire and recorded in the registry.

En build Google Chrome, created by hackers, it has Outfire name. In addition to the registration in the registry, the browser also runs several system services and creates a task in Scheduler to download and install its own updates. Outfire replaces the currently installed browser Google Chrome: modify existing shortcuts (or delete them and create new ones), as well as copies of the new browser is an existing user profile. Since attackers use Chrome standard icons , the victim may not notice the change.

Having dealt with the main objective, Trojan.Mutabaha.1 looking in the system other fake browsers. Their names Trojan generates, testing combinations of the values ​​of the two lists-dictionaries, offering a total of 56 options. If the system detects a competitor, Trojan.Mutabaha.1 stops its operation, removes its entries from the Task Scheduler, and from the registry.

Why do they need a fake browser? The starting page of the browser can not be changed and it uses add-on (it can not be disabled) that replaces all the ads on user to browse the pages. This is a proven and well-known way to monetize. In addition, Outfire uses its own default search provider, but it is still possible to change the settings.

ultratech

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!