Opera Browser Strangeness

Discussion in 'General Security Discussions' started by Slyguy, Dec 19, 2017.

  1. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    Every time Opera is launched it goes to the following sites and downloads files:

    Ukrainian National Bank (LOL)
    bank.gov.ua

    European Central Bank
    www.ecb.europa.eu

    There doesn't seem to be a way of disabling these in my testing. Opera has become an incredibly 'chatty' little thing lately, not sure I am too happy about that. Although I don't use it, I continue to test it in the event I decide to use it. Also the privacy implications of both of those sites knowing every person using Opera and when they use them seems like a needless reduction of user privacy.
     
  2. upnorth

    upnorth Level 11

    Jul 27, 2015
    520
    2,760
    Sweden
    Those Ukrainian ladies seem greedy! :giggle:

    Had my fair share of oddness with Opera over the years and the only way to solve it was to reinstall it. Also tested Opera Beta from time to time but that's been worse IMO.
     
    Andytay70 and Deletedmessiah like this.
  3. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,565
    3,802
    0wN3D by my cat!
    #3 Prorootect, Dec 20, 2017
    Last edited: Dec 20, 2017
    Sunshine-boy likes this.
  4. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    What is Google encrypted? Didn't know about it! Isn't Google already encrypted with ECDHE_ECDSA with X25519, and CHACHA20_POLY1305?
     
  5. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,565
    3,802
    0wN3D by my cat!
    #5 Prorootect, Dec 20, 2017
    Last edited: Dec 20, 2017
  6. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    #7 Slyguy, Dec 20, 2017
    Last edited: Dec 20, 2017
    You all are misunderstanding. This isn't a request for malware removal advice or posting about a hijacked browser. This is about Opera doing strange things - by default - immediately after installation on a fresh Windows test bed at the lab.

    This is on a test machine within 10 seconds of installing Opera, and 10 minutes of the Windows install being active. Opera is apparently hard coded to go to those sites. Browser hijacks are easy to find and remove, that's not what these are. I'm pretty shocked that apparently only one other guy has noticed Opera dialing out to random entities and downloading files; aren't people minding their networks?

    Opera 49 attempts to access bank.gov.ua
     
  7. upnorth

    upnorth Level 11

    Jul 27, 2015
    520
    2,760
    Sweden
    Same thing with Beta, Dev and Neon?
     
    Deletedmessiah likes this.
  8. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,565
    3,802
    0wN3D by my cat!
    #9 Prorootect, Dec 20, 2017
    Last edited: Dec 20, 2017
    Glad to see you've found the solution to your problem...

    My Opera is
    Version: 36.0.2130.80

    .. and NO problems.

    EDIT:
    Disable Currency Converter Popup in Opera: Disable Currency Converter Popup in Opera - on winaero.com:
    "As you may already know, the team behind Opera released a new version of their browser, Opera 42. One of its new features is a built-in currency converter popup. Some users find it useful, but others find it very annoying. If you don't like the currency converter feature, here is how to disable it." ...
    ... On Settings/User interface: "Untick the option On text selection convert currency to:."
     
    upnorth likes this.
  9. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    Why are they doing this? Yandex and ugly Trovi (but don't have it anymore in the last beta)! Mozilla and Mr Robot, Opera and such domains! wtf bastards :D
     
  10. upnorth

    upnorth Level 11

    Jul 27, 2015
    520
    2,760
    Sweden
    #11 upnorth, Dec 20, 2017
    Last edited: Dec 20, 2017
    I don't think that's it @Prorootect but I could be wrong. Seems to me @Slyguy found out that Opera is calling out to some odd site/s and also downloading files.

    Quote : " Opera 49.0.2725.39 "

    Source : Opera 49 attempts to access bank.gov.ua

    Same issue in the latest stable version 49.0.2725.64? I'm curious if this also happens on the Beta, Dev and Neon version? Btw exactly what files are downloaded and where do they end up?

    ...

    Did a little search and it seems this " issue " was also found by another user about 2 months ago in the Dev version. Quote : " Just interesting: how did you make that choice of banks to get info from: the ECB and bank .gov.ua? Seeing my browser trying to reach a Ukrainian bank website was so unusual I even thought I had contracted a malware. Coinmarket .com added to that suspicion. I hope web requests from Russian-locale browsers converging at a UA bank are not going to be considered as The Russian Hackers' trick. ;) "

    Source : Opera Developer update with Chromecast support - Opera Desktop
     
    Deletedmessiah and Prorootect like this.
  11. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    We've found this up to the current release version on all platforms (including Linux). I haven't tested the beta/dev/neon versions for them yet. Further testing will be done today with an update. We're testing all browsers in an isolated lab environment with active SIEM and PCAP logging. Opera is throwing up some interesting things for sure.
     
    Deletedmessiah and upnorth like this.
  12. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    We don't use Opera and it isn't on our recommended list for clients, but we do a quarterly audit of browser activity by pointing a SIEM to them for a week. So this appeared between now and last quarter, so 2 months ago is probably about right when they sneaked it into the code.
     
    Deletedmessiah likes this.
  13. upnorth

    upnorth Level 11

    Jul 27, 2015
    520
    2,760
    Sweden
    Can guess but if you don't mind me asking...who's we?
     
  14. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    Fortinet?
     
    Deletedmessiah and upnorth like this.
  15. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
    I can confirm that Opera is reaching out to the following domains every time it is started up in-memory.

    1. www.ecb.europa.eu
    2. bank.gov.ua


    This was leaked in an analysis environment via an API call to getaddrinfo (Ws2_32.DLL), the API calls relating to networking with this are performed by opera_browser.dll (loaded within opera.exe). This module is loaded in the address space of every opera.exe process instance, and the network operation occurs within the routine OperaDllMain.

    Anyway I think I know why it references bank.gov.ua:

    Code:
    https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange?json
    
    Therefore, the actual URL is as follows.
    Code:
    https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange.json
    
    Therefore, it appears that currency data is being downloaded. I know that this is related because of a network receive operation on my call stack after the use of the bank.gov.ua reference. I do not however know about the #1 connection, nor why this currency data is useful for Opera.
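
Added example (not part of the original post, and not code from any participant in this thread): one way to confirm from lab logs that a browser resolves the same domains on every launch, as reported above. The log line format, the PIDs, the extra domains and the `opera.com` allowlist entry are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: process-start and DNS-lookup events from a lab sensor.
# Assumed line format: <ISO time> <START|DNS> <process> <pid> [<domain>]
SAMPLE_LOG = """\
2017-12-20T10:00:00 START opera.exe 4100
2017-12-20T10:00:03 DNS opera.exe 4100 www.ecb.europa.eu
2017-12-20T10:00:04 DNS opera.exe 4100 bank.gov.ua
2017-12-20T10:05:10 DNS opera.exe 4100 example.org
2017-12-20T11:30:00 START opera.exe 5220
2017-12-20T11:30:02 DNS opera.exe 5220 bank.gov.ua
2017-12-20T11:30:02 DNS opera.exe 5220 www.ecb.europa.eu
2017-12-20T11:30:05 DNS opera.exe 5220 example.net
2017-12-20T12:00:00 START opera.exe 6004
2017-12-20T12:00:01 DNS opera.exe 6004 www.ecb.europa.eu
2017-12-20T12:00:06 DNS opera.exe 6004 bank.gov.ua
2017-12-20T12:00:30 DNS other.exe 700 bank.gov.ua
"""

def startup_lookups(log_text, process, window_s=10):
    """Return (domains resolved within window_s of EVERY launch, launch count)."""
    launches, per_launch = {}, {}  # pid -> start time, pid -> domains in window
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != process:
            continue  # malformed line or a different process
        ts, kind, pid = datetime.fromisoformat(fields[0]), fields[1], fields[3]
        if kind == "START":
            launches[pid], per_launch[pid] = ts, set()
        elif kind == "DNS" and len(fields) == 5 and pid in launches:
            if ts - launches[pid] <= timedelta(seconds=window_s):
                per_launch[pid].add(fields[4].lower().rstrip("."))
    if not per_launch:
        return set(), 0
    # Only names seen at every launch count as fixed startup behaviour.
    return set.intersection(*per_launch.values()), len(per_launch)

def unexpected(domains, allowlist):
    """Domains that are neither an allowlisted name nor a subdomain of one."""
    return sorted(d for d in domains
                  if not any(d == a or d.endswith("." + a) for a in allowlist))

if __name__ == "__main__":
    common, n = startup_lookups(SAMPLE_LOG, "opera.exe")
    print(n, "launches; resolved on every launch:", sorted(common))
    print("not on allowlist:", unexpected(common, {"opera.com"}))
```

Names that appear in only some launch windows (here `example.net`) drop out of the intersection, which separates fixed startup lookups from ordinary browsing.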
     
  16. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,565
    3,802
    0wN3D by my cat!
    Have you read my EDIT in this post #9 above, please? Opera Browser Strangeness
    All is in this quote:

    "EDIT:
    Disable Currency Converter Popup in Opera: Disable Currency Converter Popup in Opera - on winaero.com:
    "As you may already know, the team behind Opera released a new version of their browser, Opera 42. One of its new features is a built-in currency converter popup. Some users find it useful, but others find it very annoying. If you don't like the currency converter feature, here is how to disable it." ...
    ... On Settings/User interface: "Untick the option On text selection convert currency to:." "
     
    upnorth and Sunshine-boy like this.
  17. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,094
    4,388
    Fortinet Engineer
    USA
    Other OS
    Disabling this doesn't impact the background activity related to Ukrainian Bank and such. Same on as it is off.
     
  18. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,171
    5,189
    IRAN
    Windows 10
    ESET
    What's the relation between Opera Software, Qihoo 360 and Ukraine?
    P.S. I wanted to use Opera as a Gf for Yandex lol! but will not bother -_-
     
    upnorth and Deletedmessiah like this.
  19. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,311
    Caille
    Windows 10
    @Sunshine-boy When I took a look at Opera, I found all sorts of things hard-coded in and being referenced. Lists of DLLs related to API hooking, services like MyStart, there were even references to Yandex and Baidu. I'd imagine the list of DLLs could be related to some sort of self-protection mechanism if there exists one, but I do not know about the others. This is all from within the opera_browser.dll component, it's huge. I also found references to things implying data collection.

    The JSON file hosted at the government bank domain was also hard-coded into Opera. While I cannot verify what all the references to many different things I found actually represent in the software, it does feel sort of fishy to me - although you should take this with a grain of salt, because regardless of the references, it could mean anything in the actual code-base for Opera. Personally I would not trust them, but that is just me.
     