Adware program Vonteera blocks security products with simple Windows UAC trick

Discussion in 'malware problems & news' started by ronjor, Nov 23, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Smart way to block AV installation using UAC. Some other malware used SRP for a similar purpose.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, quite a simple trick; luckily I don't rely on UAC.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    It's probably a registry key that should be protected, but apparently not a lot of HIPS monitor this.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I figured it out.

    The blacklisted certificates are from Avast Software, AVG Technologies, Avira, Baidu, Bitdefender, ESET, ESS Distribution, Lavasoft, Malwarebytes, McAfee, Panda Security, Trend Micro and ThreatTrack Security.

    The malware author is using the code signing certs the above vendors used to sign their software. I don't believe HIPS monitors these cert registry keys by default. I have moved a root cert to the untrusted area using certmgr.msc and never received a HIPS alert from Eset.

    Of course there is a UAC bypass modification component to this since those cert storage keys require full admin/system privileges.
     
    Last edited: Nov 26, 2015
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Can you post the registry keys? And I believe Zemana Free and Pro are both monitoring this.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    They are stored under this key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates

    However I also have a ton of certs installed under this Eset generated key and at this point don't know why Eset does this: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Services\S-1-5-18\SystemCertificates\ESET_EndCertStore\Certificates. Appears they do some type of cert. pinning when SSL protocol scanning is enabled.

    I believe all Zemana does is verify that the certs are valid and chain backwards to the issuing CA.
     
    Last edited: Nov 25, 2015
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Yeah, I missed this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates. Also, this adware doesn't bypass UAC but rather changes the type of alert you receive from UAC.

    However, if the file is signed with a certificate that was blacklisted, UAC will simply block the file from running and a red warning will be displayed.
    The only way around this would be to temporarily disable UAC and then install the vendor's software, or delete the bogus untrusted publisher certs.

    The adware also only affects installs of security software from the mentioned vendors. It has no impact on existing installed software. Appears the primary purpose of the certificate manipulation is to block the vendors' special removal software for adware of this type.
     
    Last edited: Nov 26, 2015
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Zemana SSL Intrusion Prevention:
    • Protects SSL (https) data pre-encryption.
    • Prevents Man-in-the-Browser (MitB) and HTML injection attacks.
    • Monitors the Trusted Root CA Store for fake root certificate installations.
    Note there is no MITM protection.

    Yes, it monitors the Trusted Root CA Store, i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, but this adware isn't modifying that. It is installing the vendors' code signing certs into the Untrusted Cert store, i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates

    Zemana only protects unencrypted data. So if malware is received via an encrypted web site, you've had it.

    Finally, I think we have previously resolved that Zemana AKL doesn't protect against browser memory based injection.
     
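    An added audit script for the manipulation itman describes (my example, not code from the thread or from any vendor product): it lists entries in the LocalMachine Disallowed (Untrusted Certificates) store whose Subject names one of the security vendors he listed, and shows the registry view of the same store. The substring match on the certificate Subject and the Wow6432Node path for the Disallowed store are assumptions for illustration.

```powershell
# Added example, not code from the thread or any product: audit the LocalMachine
# "Disallowed" store for security-vendor code-signing certificates.
# Vendor names come from the thread; matching on Subject substrings is an assumption.
$VendorNames = @('Avast', 'AVG', 'Avira', 'Baidu', 'Bitdefender', 'ESET',
                 'ESS Distribution', 'Lavasoft', 'Malwarebytes', 'McAfee',
                 'Panda Security', 'Trend Micro', 'ThreatTrack')

# Cert:\LocalMachine\Disallowed is the certificate-provider view of
# HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
function Get-BlacklistedVendorCerts {
    param([string[]]$Vendors = $VendorNames)
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Disallowed) {
        $hit = $Vendors | Where-Object { $cert.Subject -like "*$_*" } | Select-Object -First 1
        if (-not $hit) { continue }
        [pscustomobject]@{
            Vendor      = $hit
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            # 1.3.6.1.5.5.7.3.3 is the Code Signing EKU; a vendor signing cert in
            # Disallowed is what makes UAC refuse that vendor's installers.
            CodeSigning = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')
        }
    }
}

# Registry view of the same store (each subkey name is the SHA-1 thumbprint).
# The Wow6432Node path is assumed by analogy with the AuthRoot path in the thread.
function Get-DisallowedThumbprintsFromRegistry {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\Disallowed\Certificates'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p |
                Select-Object @{n = 'Path'; e = { $p } }, @{n = 'Thumbprint'; e = { $_.PSChildName } }
        }
    }
}

$found = Get-BlacklistedVendorCerts
if ($found) {
    $found | Format-Table -AutoSize
    # Removal needs an elevated prompt; review the list before running this:
    # $found | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\Disallowed\$($_.Thumbprint)" }
} else {
    'No security-vendor certificates found in the Disallowed store.'
}
```

    Scheduling this as a periodic check (or baselining the thumbprints it returns) gives a HIPS-independent way to notice the Disallowed-store changes the thread says most HIPS products do not alert on.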
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes good point, this malware is modifying another reg key that is not related to what Zemana is monitoring. But can you elaborate on these 3 points? I didn't understand it.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    MITM

    Two types; local and external.

    Local MITM malware will establish a local host proxy server, i.e. 127.0.0.x based, to capture outbound encrypted SSL traffic and unencrypt it using a root CA cert it installed or a compromised existing root CA cert, e.g. the recent Dell debacle. From what I can determine, all ZAL prevents is the installation of the malware root CA cert.

    External MITM is almost impossible to prevent. SSL traffic is captured by an external rogue server connection. The only software I know of that can prevent this is software that is installed both locally and at the receiving bank server to create a secure VPN tunnel between each. I believe Trusteer Rapport is the only software that does this.

    Zemana Only Protects Unencrypted Traffic

    ZAL doesn't scan encrypted traffic for malware. To do so, it would have to install its own root CA cert. A HTTPS website downloads encrypted malware to establish a backdoor on your PC.

    Zemana AKL doesn't protect against browser memory based injection

    Discussed in the "Fileless Malware" thread. From what has been discussed to date, ZAL only prevents disk based .dll injection into a protected process.

     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK I see, that stuff is indeed out of ZA's scope. It's designed to block banking trojans that inject code into the browser. Same goes for SpyShelter. You're basically talking about exploits, it won't stop that, and it's also no AV.
     