Common Windows Adware Found to Manipulate Certificates to Block Security Suites

Vonteera, an adware family that pushes ads to a computer, is capable of doing much more than previously anticipated. Security firm Malwarebytes has reported that Vonteera is able to manipulate digital certificates on a computer to prevent anti-malware suites from activating and then detecting it. For this reason, Vonteera is now being classified as Trojan malware by many security firms.

A well-known adware family, Vonteera came into the spotlight in 2013. It creates a number of tasks in the Windows Task Scheduler. These tasks have typically been found to display ads on the infected machine and occasionally to open a new tab in Web browsers to serve further malicious content. Vonteera also modifies the taskbar and Start menu shortcuts for various Web browsers.

Now it has been discovered that Vonteera can also trick the operating system into treating digital certificates from security suites as untrusted. Vonteera has been found to manipulate a total of 13 certificates from different security suites, flagging them as "untrusted" in the Windows certificate store. The affected security suites are Avast Software, AVG Technologies CZ, Avira Operations, Baidu Online Network Technology, Bitdefender SRL, ESET, Lavasoft Limited, Malwarebytes Corporation, McAfee, Panda Security S.L, ThreatTrack Security, Trend Micro and ESS Distribution among others.

At this point, it is not clear exactly how many devices are affected by Vonteera, but Malwarebytes told Gadgets 360 that it believes the infection is widespread. "There have been numerous user concerns about this software, leading us to believe that the infection is widespread. However, the actual number of infected systems is difficult to identify considering the methods in which this software hides itself on the system."

The firm notes that the malware creates a service running appinf.exe (located at C:\Users\{username}\AppData\Local\Hoffer\appinf.exe) that checks whether any of the fraudulent certificate entries has been deleted. In that case, it places another copy of the deleted entry. Because the security suite's certificate is listed as untrusted, User Account Control (UAC), a defence mechanism in the Windows operating system, is triggered and prevents the program - in this case the anti-malware suite - from executing.

Affected users can bypass Vonteera's changes to the Windows certificate store by disabling UAC, though this is not recommended as it weakens the system's security. As Malwarebytes points out, a user can instead try to manually remove the certificates from the "Untrusted Certificates" store using the Windows Certificate Manager tool (opened via the 'certmgr.msc' command in the Run dialog). In the left panel, expand Untrusted Certificates > Certificates and remove the entries that carry an anti-malware vendor's name. One catch is that the user needs to be quick, as the malware can reinstate the fraudulent certificates.

Users could also try using scheduled tasks to bypass the UAC prompts, use that to remove Vonteera, and then manually remove the blacklisted certificates, the firm said. An older blog post walks through that process in case you need any assistance.
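The manual clean-up above (open certmgr.msc, look under Untrusted Certificates for entries bearing a security vendor's name, delete them before the appinf.exe watchdog puts them back) can be scripted. The following PowerShell audit is an added example, not code from Malwarebytes or from this article: it enumerates the Disallowed store (the store certmgr.msc displays as "Untrusted Certificates") for both the machine and the current user, matches entries against the vendor names listed in the article, and looks for a service whose binary path contains appinf.exe or the Hoffer folder the article names. The vendor name fragments and the regex matching are assumptions made for the example; nothing is deleted unless the script is run with -Remove from an elevated prompt.

```powershell
# Added example: audit Windows "Untrusted Certificates" stores for security-vendor
# entries and report the appinf.exe watchdog service described in the article.
# Run from an elevated PowerShell; pass -Remove to delete matching entries.
param(
    [switch]$Remove
)

# Vendor name fragments taken from the article's list of affected suites (assumed
# to appear in the certificate Subject or Issuer; adjust for your environment).
$vendorPatterns = @(
    'Avast', 'AVG Technologies', 'Avira', 'Baidu', 'Bitdefender', 'ESET',
    'Lavasoft', 'Malwarebytes', 'McAfee', 'Panda Security', 'ThreatTrack',
    'Trend Micro', 'ESS Distribution'
)
$vendorRegex = ($vendorPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# certmgr.msc's "Untrusted Certificates" folder is the Disallowed store.
$stores = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')

function Find-SuspiciousDistrust {
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -match $vendorRegex -or $_.Issuer -match $vendorRegex
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
    }
}

# The article says a service running appinf.exe (under %LOCALAPPDATA%\Hoffer)
# re-adds deleted entries. Report it so it can be stopped before clean-up;
# otherwise the removal below is undone again.
function Find-WatchdogService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'appinf\.exe' -or $_.PathName -match '\\Hoffer\\' } |
        Select-Object Name, State, StartMode, PathName
}

$hits = @(Find-SuspiciousDistrust)
if ($hits.Count -eq 0) {
    Write-Host 'No security-vendor certificates found in the Untrusted stores.'
} else {
    Write-Host "Found $($hits.Count) security-vendor certificate(s) marked untrusted:"
    $hits | Format-Table Store, Subject, Thumbprint -AutoSize
}

$svc = @(Find-WatchdogService)
if ($svc.Count -gt 0) {
    Write-Warning 'A service matching the appinf.exe watchdog is present; stop and remove it before cleaning the stores:'
    $svc | Format-Table -AutoSize
}

if ($Remove -and $hits.Count -gt 0) {
    foreach ($h in $hits) {
        # Remove-Item on the Cert: drive deletes the entry from the store.
        Remove-Item -Path $h.Path -Confirm:$false
        Write-Host "Removed $($h.Subject) from $($h.Store)"
    }
}
```

Run it once without -Remove to see what would be touched; the LocalMachine store needs administrator rights, and the watchdog service must be stopped first or the entries simply reappear, which is the race the article warns about.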

ESET told Gadgets 360 that its security suite detects the aforementioned threat as Win32/Adware.Vonteera.P. The firm said that the detection was added to its virus signature database 12370 released on October 7, 2015.


Luis Corrons, PandaLabs Technical Director at Panda Security, offered the following statement to Gadgets 360. "Malware is known to look for ways to disable security software whenever they can, this is just another method to prevent end users from opening their security programs. Usually malware performs this in a more advanced way, such as killing processes."

"We agree and can identify the findings from Malwarebytes blog too," Avira team told Gadgets 360. "Adware distributors using root certificates is not a new method, as we already know from the last "Superfish" issue. New in this case is the "trick" of dropping AntiMalware certificates to the untrusted container."

"From our point of view, this is a targeted attack against the AntiMalware industry, aimed specifically at those fighting for the privacy rights of their customers. In order to deliver the best protection, we are working on a detection improvement for this threat. We will also change the category from Adware to Trojan in order to counteract the way in which they are rooting against AntiMalware products. For our already affected customers, we will deliver a new RepairRoutine (AIRS) that will remove the Vonteera certificate from the root container, as well as our own from the untrusted container. All measures will be released to our customers today."

"The AVG security research lab has been aware for some time about the threat that Vonteera poses," Tony Anscombe, Senior Security Evangelist, AVG told Gadgets 360. "We detect and remove the threat as malicious, reporting it as a Trojan. This leaves the user to freely install an application that would have otherwise been blocked by the existence of the Vonteera malware."

A spokesperson for Bitdefender told us that the company is investigating the matter and needs more time before responding.

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.