Malicious Adware Uses Certificates to Disable Security Products

A piece of malicious adware dubbed “Vonteera” tricks the operating system into thinking that digital certificates from security companies are untrusted in an effort to prevent anti-malware products from blocking it.

Anti-malware firm Malwarebytes initially detected the threat as a piece of adware that installs potentially unwanted programs (PUPs), but it has now decided to classify it as a Trojan (Trojan.Vonteera) due to the modifications it makes on an infected system. Other security companies have also classified Vonteera as a piece of malware.

When it infects a system, Vonteera creates several tasks in the Windows Task Scheduler. These tasks are used to display ads at regular intervals by opening new tabs in the web browser. The threat also creates a new service called “appinf.exe” and modifies desktop, taskbar and start menu shortcuts for Internet Explorer, Firefox, Chrome, Opera and Safari.

By modifying the shortcuts, Vonteera ensures that whenever one of these applications is launched, they load a script designed to randomize where users get redirected when they open the browser.

In the case of Internet Explorer, the threat adds a new Browser Helper Object (BHO). If Chrome is present, it abuses the ExtensionInstallForcelist key, which specifies a list of apps and extensions that are installed silently and granted all the permissions they request. These apps and extensions cannot be uninstalled by the user.

Malwarebytes started classifying Vonteera as a Trojan after researchers noticed that the adware adds a total of 13 certificates to “Untrusted Certificates” in the Windows certificate store. The certificates are for ESS Distribution, Avast, AVG Technologies, Avira, Baidu, Bitdefender, ESET, Lavasoft, Malwarebytes, McAfee, Panda Security, ThreatTrack Security and Trend Micro.

By adding them to “Untrusted Certificates,” the malware ensures that applications signed with these certificates cannot be executed. It also prevents files from being downloaded from websites that use these certificates.

The appinf.exe service created by Vonteera is designed to check for the presence of these certificates and puts them back if they are removed by the user.

Since execution of the antivirus programs is blocked by the User Account Control (UAC) feature in Windows, users can get security products to run again by disabling UAC, although experts advise against doing this. Another option is to bypass UAC by using a Task Scheduler trick described by Malwarebytes earlier this year.

Alternatively, users can remove the certificates from Untrusted Certificates via the certificate management console in Windows (certmgr.msc).

Related Reading: Adware Installer Uses Old Trick to Access OS X Keychain

Related Reading: Android Adware Abuses Accessibility Service to Install Apps