Adware Sneakily Turns Off Firefox Safe Browsing

Exterminator
Mintcast adware uses user.js settings files for persistence
Two PUPs (Potentially Unwanted Programs) are secretly turning off Safe Browsing support in Firefox, to make sure they can deliver unsolicited ads, and even malware if their creators ever wished to do so.

The two PUPs are Shell&Services and Mintcast 3.0.1. These are browser add-ons for Firefox, Chrome, and IE, and are generally installed without the user's consent, packaged with other software.

These two come with a newer variant of the Mintcast adware which, besides injecting ads into the user's browser as they navigate legitimate websites, also secretly turns off Safe Browsing support in Firefox.

Safe Browsing is a service created and managed by Google, also implemented in Safari and Firefox. Safe Browsing is nothing more than a blacklist of website URLs from where malware infections have originated in the past. The list is constantly updated by both Google and Mozilla engineers, and works in real-time, keeping users safe as they navigate the Web.

Abusing the user.js settings file for browser reboot persistence
Firefox allows users to create a user.js file in which browser settings are stored as lines of code, and the Mintcast adware abuses this feature.

If no user.js file is found in the "C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default" folder, the adware creates one holding only three lines of code:

Code:
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);

These settings tell Firefox to stop checking the Safe Browsing blacklist while browsing the Web and when downloading files. With these checks off, the adware can redirect the user to malicious pages without the browser showing any error or warning.

Since user.js is read every time the browser starts, its settings are re-applied on every launch: even if the user re-enables Safe Browsing in the browser's settings section, the override comes back at the next start unless the user.js file is removed from the aforementioned folder.
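A defender's check for the persistence trick described above, added here as an example and not taken from the article or from Malwarebytes: it parses user.js lines of the form user_pref("name", value);, reports which of the three Safe Browsing preferences quoted in the article are forced to false, can strip exactly those lines while keeping any legitimate preferences, and walks the default Windows profile root (the path from the article, located through the APPDATA variable, which is an assumption) to find affected profiles. The sample user.js content is constructed to mirror the three lines quoted in the article.

```python
import os
import re
from pathlib import Path

# The three preference names the article shows the adware forcing to false.
SAFEBROWSING_PREFS = {
    "browser.safebrowsing.enabled",
    "browser.safebrowsing.malware.enabled",
    "browser.safebrowsing.downloads.enabled",
}

# One user_pref("name", value); line. Curly quotes are also accepted so that a file
# pasted from a web page (as in the article's listing) is still recognised.
USER_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*["\u201c\u201d](?P<name>[^"\u201c\u201d]+)["\u201c\u201d]'
    r'\s*,\s*(?P<value>[^)]+?)\s*\)\s*;?\s*$'
)


def parse_user_js(text):
    """Return {pref name: raw value string} for every user_pref line in user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return prefs


def disabled_safebrowsing_prefs(text):
    """Sorted list of Safe Browsing prefs that this user.js forces to false."""
    return sorted(
        name for name, value in parse_user_js(text).items()
        if name in SAFEBROWSING_PREFS and value.lower() == "false"
    )


def strip_safebrowsing_overrides(text):
    """Return the user.js content with only the Safe Browsing-disabling lines removed."""
    kept = []
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m and m.group("name") in SAFEBROWSING_PREFS and m.group("value").strip().lower() == "false":
            continue  # drop the override, keep everything else untouched
        kept.append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def firefox_profile_dirs(appdata=None):
    """Yield profile directories under %APPDATA%\\Mozilla\\Firefox\\Profiles (assumed default root)."""
    root = Path(appdata or os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox" / "Profiles"
    if root.is_dir():
        yield from (p for p in root.iterdir() if p.is_dir())


def scan_profiles(appdata=None):
    """Map each user.js path that disables Safe Browsing to the prefs it turns off."""
    findings = {}
    for profile in firefox_profile_dirs(appdata):
        user_js = profile / "user.js"
        if user_js.is_file():
            hits = disabled_safebrowsing_prefs(user_js.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(user_js)] = hits
    return findings


# Constructed sample: the three lines the article attributes to the adware.
SAMPLE_USER_JS = (
    'user_pref("browser.safebrowsing.downloads.enabled", false);\n'
    'user_pref("browser.safebrowsing.enabled", false);\n'
    'user_pref("browser.safebrowsing.malware.enabled", false);\n'
)

if __name__ == "__main__":
    print("sample disables:", disabled_safebrowsing_prefs(SAMPLE_USER_JS))
    for path, prefs in scan_profiles().items():
        print(f"{path}: Safe Browsing disabled via {', '.join(prefs)}")
```

Run it on a Windows host and any profile whose user.js pins these preferences to false is listed; feeding that file through strip_safebrowsing_overrides and writing it back removes the override without discarding the user's own settings, and deleting the file outright (as the article suggests) is the simpler option when it contains nothing else.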

MalwareBytes reports that in the past, other adware like Yontoo/BrowseFox and Constant Fun have also employed the same technique.