Thursday, June 16, 2016

Youndoo.com using ShellExecuteHooks to hijack your browsers



Yesterday, while doing my usual malware analysis, I discovered a new Youndoo.com browser hijacker being pushed by malware downloaders. It comes from the same authors as the original YesSearches malware, which became extremely popular along with its younger sibling, Hohosearch.

This malware uses the ShellExecuteHooks mechanism to load the youndoo.com address as soon as you start your browser. A shell execute hook is a COM object that Explorer loads and calls before every ShellExecute call, so it sees the browser launch and can change what actually gets started.

During installation, the malware creates the following registry values, which enable this technique (the first one is the policy that turns shell execute hooks on; the second registers the hook's CLSID):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"=""

They also drop a randomly named .dll file inside the C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies folder; this DLL is the COM object behind the CLSID above and carries out the hijack.
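As an added example (not code from the original post or from Zemana), the Python script below triages an exported .reg file for this persistence: it checks whether the EnableShellExecuteHooks policy is set, lists every CLSID registered under the ShellExecuteHooks key, and resolves each CLSID to its in-process DLL through HKEY_CLASSES_ROOT\CLSID\{clsid}\InProcServer32. The export embedded in the script is constructed for the example: the two keys are the ones quoted above, while the InProcServer32 entry and the DLL name example.dll are made up to show the resolution step.

```python
"""Triage an exported .reg file for ShellExecuteHooks persistence.

Added example for this post, not code from the original article or from
Zemana. Parses the text format of a Windows registry export (the same format
the post quotes), checks the EnableShellExecuteHooks policy, lists every CLSID
registered as a shell execute hook and resolves each one to its DLL via
HKEY_CLASSES_ROOT\CLSID\{clsid}\InProcServer32.
"""
import re

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A .reg value line: "name"=data  or  @=data (default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample export. The first two keys are the ones quoted in the
# post; the InProcServer32 key and "example.dll" are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"=""

[HKEY_CLASSES_ROOT\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32]
@="C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\example.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_data}}.

    Key paths are lowercased because registry key names are case-insensitive.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(3)
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ from .reg syntax (\\\\ and \\" escapes); None otherwise."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return None


def reg_dword(raw):
    """Decode dword:XXXXXXXX to an int; None for other types."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def find_shell_execute_hooks(text):
    """Report whether hooks are enabled and which CLSIDs (and DLLs) are registered."""
    keys = parse_reg(text)
    policy = keys.get(POLICY_KEY.lower(), {}).get("EnableShellExecuteHooks", "")
    hooks = []
    for name in keys.get(HOOKS_KEY.lower(), {}):
        if not CLSID_RE.match(name):
            continue
        server_key = "hkey_classes_root\\clsid\\" + name.lower() + "\\inprocserver32"
        server = keys.get(server_key, {})
        hooks.append({"clsid": name, "dll": reg_string(server.get("@", ""))})
    return {"hooks_enabled": reg_dword(policy) == 1, "hooks": hooks}


if __name__ == "__main__":
    print(find_shell_execute_hooks(SAMPLE_REG))
```

On a live machine you would feed it the output of `reg export` for the three hives above; any hook DLL living under a user-writable path such as AppData\Roaming is worth a closer look.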

When you try to start Google Chrome or Firefox, the hook starts them with these command line arguments instead:

C:\Program Files\Mozilla Firefox\firefox.exe
-profile
C:\Users\admin\AppData\Roaming\Profiles\yzzfdyu4.default
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp

C:\Program Files\Google\Chrome\Application\chrome.exe
--user-data-dir=C:\Users\admin\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp

As you can see, they use previously created fake profiles to start your browsers with youndoo.com as the start page. Because the profile directory and the URL are passed on the command line, the hijack survives even after you manually restore your homepage in the browser settings.
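The two launches above make a good detection rule. As an added example (not code from the original post or from Zemana), the Python check below takes the argument list of a browser process-creation event and flags an explicit profile directory that lies outside the browser's normal profile root, plus any URL passed as an argument. The username admin and the expected profile roots are assumptions for the example; the two sample launches are the command lines quoted above.

```python
"""Flag browser launches that use a planted profile directory or a startup URL.

Added example, not code from the original post or from Zemana. Turns the
observation above into a check over the argument list of a browser
process-creation event (Sysmon Event ID 1, for instance). The username "admin"
and the expected profile roots are assumptions for the example.
"""
import ntpath
from urllib.parse import urlsplit

APPDATA = r"C:\Users\admin\AppData\Roaming"      # assumed %APPDATA%
LOCALAPPDATA = r"C:\Users\admin\AppData\Local"   # assumed %LOCALAPPDATA%

# Where each browser keeps its profiles by default (assumed for the example).
EXPECTED_PROFILE_ROOT = {
    "firefox.exe": ntpath.join(APPDATA, "Mozilla", "Firefox", "Profiles"),
    "chrome.exe": ntpath.join(LOCALAPPDATA, "Google", "Chrome", "User Data"),
}


def _under(path, root):
    """True if path is root itself or lies beneath it (case-insensitive Windows paths)."""
    p, r = ntpath.normpath(path).lower(), ntpath.normpath(root).lower()
    return p == r or p.startswith(r + "\\")


def audit_browser_launch(argv):
    """Return a list of (finding, detail) tuples for one browser command line."""
    exe = ntpath.basename(argv[0]).lower()
    root = EXPECTED_PROFILE_ROOT.get(exe)
    profile_dir, urls = None, []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.lower() in ("-profile", "--profile") and i + 1 < len(argv):  # Firefox
            profile_dir = argv[i + 1]
            i += 2
            continue
        if arg.startswith("--user-data-dir="):                            # Chrome
            profile_dir = arg.split("=", 1)[1]
        elif arg.lower().startswith(("http://", "https://")):
            urls.append(arg)
        i += 1
    findings = []
    if profile_dir is not None and root is not None and not _under(profile_dir, root):
        findings.append(("profile_outside_root", ntpath.normpath(profile_dir)))
    for url in urls:
        findings.append(("startup_url", urlsplit(url).hostname))
    return findings


# Constructed from the two command lines quoted in the post.
FIREFOX_LAUNCH = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    "-profile",
    r"C:\Users\admin\AppData\Roaming\Profiles\yzzfdyu4.default",
    "http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp",
]
CHROME_LAUNCH = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"--user-data-dir=C:\Users\admin\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108",
    "http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp",
]

if __name__ == "__main__":
    for launch in (FIREFOX_LAUNCH, CHROME_LAUNCH):
        print(ntpath.basename(launch[0]), audit_browser_launch(launch))
```

A normal double-click launch of either browser passes no profile directory and no URL, so both findings are rare enough on a workstation to alert on; a URL argument on its own is normal when a user opens a link from another program, so the profile finding is the stronger signal.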

The Firefox hijack is even more interesting. They create two fake profiles, as shown in the image below:



If you look at the command line arguments above, you'll notice that the second folder is the one used to start Firefox.

The first folder is used for a different kind of hijack. Every Firefox installation has a profiles.ini file inside the C:\Users\username\AppData\Roaming\Mozilla\Firefox folder. A normal file looks like this:

[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/4v91wrx7.default
Default=1

This malware changes it so that, when you start Firefox, it uses the fake profile from the first folder:

[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/168z21qq.default

[Profile1]
Name=Firefox Default
IsRelative=1
Path=../../Profiles/n0dj6uo3.default
Default=1

The full path of that second entry is C:\Users\username\AppData\Roaming\Profiles\n0dj6uo3.default: the ../../ walks out of the Mozilla\Firefox folder, so the profile does not show up where you would normally look for it. Note also that Default=1 has moved from the original Profile0 entry to the fake one.
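As an added example (not code from the original post or from Zemana), the Python script below audits a profiles.ini for exactly this manipulation: it resolves every IsRelative path against the Firefox folder and reports any profile that lands outside Mozilla\Firefox\Profiles, as well as a file that does not have exactly one Default=1 entry. The Firefox folder assumes the username admin; the two embedded ini texts are the clean and hijacked files quoted above.

```python
"""Audit a Firefox profiles.ini for entries that escape the profile root.

Added example, not code from the original post or from Zemana. Resolves each
profile's Path the way Firefox does (IsRelative=1 means relative to the
Mozilla\Firefox folder) and flags profiles outside Mozilla\Firefox\Profiles,
plus a Default=1 count other than one. The Firefox folder assumes user "admin".
"""
import configparser
import ntpath

FIREFOX_DIR = r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox"  # assumed username

# The clean and hijacked profiles.ini quoted in the post.
CLEAN_INI = """[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/4v91wrx7.default
Default=1
"""

HIJACKED_INI = """[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/168z21qq.default

[Profile1]
Name=Firefox Default
IsRelative=1
Path=../../Profiles/n0dj6uo3.default
Default=1
"""


def resolve_profile_path(firefox_dir, entry):
    """Resolve a profile entry's Path to an absolute, normalized Windows path."""
    path = entry.get("Path", "").replace("/", "\\")
    if entry.get("IsRelative", "1") == "1":
        path = ntpath.join(firefox_dir, path)
    return ntpath.normpath(path)


def audit_profiles_ini(text, firefox_dir=FIREFOX_DIR):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Path, IsRelative, Default)
    cp.read_string(text)
    profile_root = ntpath.join(firefox_dir, "Profiles").lower() + "\\"
    findings, defaults = [], 0
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        entry = cp[section]
        resolved = resolve_profile_path(firefox_dir, entry)
        if entry.get("Default") == "1":
            defaults += 1
        if not resolved.lower().startswith(profile_root):
            findings.append(f"{section} ({entry.get('Name')}) resolves outside the profile root: {resolved}")
    if defaults != 1:
        findings.append(f"expected exactly one Default=1 profile, found {defaults}")
    return findings


if __name__ == "__main__":
    print("clean:", audit_profiles_ini(CLEAN_INI))
    print("hijacked:", audit_profiles_ini(HIJACKED_INI))
```

Run against a real machine, read the file from %APPDATA%\Mozilla\Firefox\profiles.ini and pass that folder as firefox_dir; a profile that resolves to %APPDATA%\Profiles\... is the pattern described above.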

They also install the GsearchFinder Firefox extension under each of the two fake profiles.

Our latest build is capable of removing this browser hijack:



Save yourself the hassle and install Zemana AntiMalware.


