Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malicious Adware Uses Certificates to Disable Security Products

A piece of malicious adware dubbed “Vonteera” tricks the operating system into thinking that digital certificates from security companies are untrusted in an effort to prevent anti-malware products from blocking it.

A piece of malicious adware dubbed “Vonteera” tricks the operating system into thinking that digital certificates from security companies are untrusted in an effort to prevent anti-malware products from blocking it.

Anti-malware firm Malwarebytes initially detected the threat as a piece of adware that installs potentially unwanted programs (PUPs), but it has now decided to classify it as a Trojan (Trojan.Vonteera) due to the modifications it makes on an infected system. Other security companies have also classified Vonteera as a piece of malware.

When it infects a system, Vonteera creates several tasks in the Windows Task Scheduler. These tasks are used to display ads at regular intervals by opening new tabs in the web browser. The threat also creates a new service called “appinf.exe” and modifies desktop, taskbar and start menu shortcuts for Internet Explorer, Firefox, Chrome, Opera and Safari.

By modifying the shortcuts, Vonteera ensures that whenever one of these applications is launched, they load a script designed to randomize where users get redirected when they open the browser.

In the case of Internet Explorer, the threat adds a new Browser Helper Object (BHO). If Chrome is present, it abuses the ExtensionInstallForcelist key, which specifies a list of apps and extensions that are installed silently and granted all the permissions they request. These apps and extensions cannot be uninstalled by the user.

Malwarebytes started classifying Vonteera as a Trojan after researchers noticed that the adware adds a total of 13 certificates to “Untrusted Certificates” in the Windows certificate store. The certificates are for ESS Distribution, Avast, AVG Technologies, Avira, Baidu, Bitdefender, ESET, Lavasoft, Malwarebytes, McAfee, Panda Security, ThreatTrack Security and Trend Micro.

By adding them to “Untrusted Certificates,” the malware ensures that applications signed with these certificates cannot be executed. It also prevents files from being downloaded from websites that use these certificates.

The appinf.exe service created by Vonteera is designed to check for the presence of these certificates and puts them back if they are removed by the user.

Advertisement. Scroll to continue reading.

Since execution of the antivirus programs is blocked by the User Account Control (UAC) feature in Windows, users can get security products to run again by disabling UAC, although experts advise against doing this. Another option is to bypass UAC by using a Task Scheduler trick described by Malwarebytes earlier this year.

Alternatively, users can remove the certificates from Untrusted Certificates via the certificate management console in Windows (certmgr.msc).

Related Reading: Adware Installer Uses Old Trick to Access OS X Keychain

Related Reading: Android Adware Abuses Accessibility Service to Install Apps

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights