Opera Browser Strangeness

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,630
OS
Other OS
#1
Every time Opera is launched it goes to the following sites and downloads files;

Ukrainian National Bank (LOL)
bank.gov.ua

European Central Bank
www.ecb.europa.eu

There doesn't seem to be a way of disabling these in my testing. Opera has become an incredibly 'chatty' little thing lately, not sure I am too happy about that. Although I don't use it, I continue to test it in the event I decide to use it. Also the privacy implications of both of those sites knowing every person using Opera and when they use them seems like a needless reduction of user privacy,
 

upnorth

Level 24
Verified
Joined
Jul 27, 2015
Messages
1,342
#2
Those Ukrainian ladies seams greedy! :giggle:

Had my fair share of oddness with Opera over the years and only way to solve it was reinstall it. Also tested Opera Beta from time to time but that been worse IMO.
 

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,630
OS
Other OS
#7
In Opera Settings I've notched "Open a specific page or set of pages" - click on Set pages - I've put google encrypted only: Google

EDIT:
Here you have interesting for you fix solution: https://tehnoblog.org/how-to-remove-delta-homes-com-google-chrome-internet-explorer-fix/
You all are misunderstanding. This isn't a request for malware removal advice or posting about a hijacked browser. This is about Opera doing strange things - by default - immediately after installation on a fresh windows test bed at the lab.

This is on a test machine within 10 seconds of installing Opera, and 10 minutes of the Windows install being active. Opera is apparently hard coded to go to those sites. Browser hijacks are easy to find and remove, that's not what these are. I'm pretty shocked that apparently only one other guy has noticed Opera dialing out to random entities and downloaded files, aren't people minding their networks?

Opera 49 attempts to access bank.gov.ua
 
Last edited:

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#9
Glad to see you've found the solution to your problem...

My Opera is
Version: 36.0.2130.80

.. and NO problems.

EDIT:
Disable Currency Converter Popup in Opera: Disable Currency Converter Popup in Opera - on winaero.com:
"As you may already know, the team behind Opera released a new version of their browser, Opera 42. One of its new features is a built-in currency converter popup. Some users find it useful, but others find it very annoying. If you don't like the currency converter feature, here is how to disable it." ...
... On Settings/User interface: "Untick the option On text selection convert currency to:."
 
Last edited:
Likes: upnorth

upnorth

Level 24
Verified
Joined
Jul 27, 2015
Messages
1,342
#11
I don't think thats it @Prorootect but I could be wrong. Seams to me @Slyguy found out that Opera is calling out to some odd site/s and also download files.

Quote : " Opera 49.0.2725.39 "

Source : Opera 49 attempts to access bank.gov.ua

Same issue in the latest stable version 49.0.2725.64? I'm curious if this also happens on the Beta, Dev and Neon version? Btw exactly what files are downloaded and where do they end up?

...

Did a little search and seams this " issue " was also found by another user about 2 months ago in the Dev version. Quote : " Just interesting: how did you make that choice of banks to get info from: the ECB and bank .gov.ua? Seeing my browser trying to reach a Ukrainian bank website was so unusual I even thought I had contracted a malware. Coinmarket .com added to that suspicion. I hope web requests from Russian-locale browsers converging at a UA bank are not going to be considered as The Russian Hackers' trick. ;) "

Source : Opera Developer update with Chromecast support - Opera Desktop
 
Last edited:

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,630
OS
Other OS
#12
I don't think thats it @Prorootect but I could be wrong. Seams to me @Slyguy found out that Opera is calling out to some odd site/s and also download files.

Quote : " Opera 49.0.2725.39 "

Source : Opera 49 attempts to access bank.gov.ua

Same issue in the latest stable version 49.0.2725.64? I'm curious if this also happens on the Beta, Dev and Neon version? Btw exactly what files are downloaded and where do they end up?
We've found this up to the current release version on all platforms (including Linux). I haven't tested the beta/dev/neon versions for them yet. Further testing will be done today with an update. We're testing all browsers in an isolated lab environment with active SIEM and PCAP logging. Opera is throwing up some interesting things for sure.
 

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,630
OS
Other OS
#13
I don't think thats it @Prorootect but I could be wrong. Seams to me @Slyguy found out that Opera is calling out to some odd site/s and also download files.
Did a little search and seams this " issue " was also found by another user about 2 months ago in the Dev version. Quote : " Just interesting: how did you make that choice of banks to get info from: the ECB and bank .gov.ua? Seeing my browser trying to reach a Ukrainian bank website was so unusual I even thought I had contracted a malware.
We don't use Opera and it isn't on our recommended list for clients, but we do a quarterly audit of browser activity by pointing a SIEM to them for a week. So this appeared between now and last quarter, so 2 months ago is probably about right when they sneaked it into the code.
 
D

Deleted member 65228

Guest
#16
I can confirm that Opera is reaching out to the following domains every time it is started up in-memory.

1. www.ecb.europa.eu
2. bank.gov.ua



This was leaked in an analysis environment via an API call to getaddrinfo (Ws2_32.DLL), the API calls relating to networking with this are performed by opera_browser.dll (loaded within opera.exe). This module is loaded in the address space of every opera.exe process instance, and the network operation occurs within the routine OperaDllMain.

Anyway I think I know why it references bank.gov.ua:

Code:
https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange?json
Therefore, the actual URL is as follows.
Code:
https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange.json
Therefore, it appears that currency data is being downloaded. I know that this is related because of a network receive operation on my call stack after the use of the bank.gov.ua reference. I do not however know about the #1 connection, nor why this currency data is useful for Opera.
 

Prorootect

Level 53
Verified
Joined
Nov 5, 2011
Messages
4,225
#17
Have you readed my EDIT in this post #9 above, please? Opera Browser Strangeness
All is in this quote:

"EDIT:
Disable Currency Converter Popup in Opera: Disable Currency Converter Popup in Opera - on winaero.com:
"As you may already know, the team behind Opera released a new version of their browser, Opera 42. One of its new features is a built-in currency converter popup. Some users find it useful, but others find it very annoying. If you don't like the currency converter feature, here is how to disable it." ...
... On Settings/User interface: "Untick the option On text selection convert currency to:." "
 

Slyguy

Level 37
Verified
Joined
Jan 27, 2017
Messages
2,630
OS
Other OS
#18
Have you readed my EDIT in this post #9 above, please? Opera Browser Strangeness
All is in this quote:

"EDIT:
Disable Currency Converter Popup in Opera: Disable Currency Converter Popup in Opera - on winaero.com:
"As you may already know, the team behind Opera released a new version of their browser, Opera 42. One of its new features is a built-in currency converter popup. Some users find it useful, but others find it very annoying. If you don't like the currency converter feature, here is how to disable it." ...
... On Settings/User interface: "Untick the option On text selection convert currency to:." "
Disabling this doesn't impact the background activity related to Ukrainian Bank and such. Same on as it is off.
 
D

Deleted member 65228

Guest
#20
@Sunshine-boy When I took a look at Opera, I found all sorts of things hard-coded in and being referenced. Lists of DLLs related to API hooking, services like MyStart, there were even references to Yandex and Baidu. I'd imagine the list of DLLs could be related to some sort of self-protection mechanism if there exists one, but I do not know about the others. This is all from within the opera_browser.dll component, it's huge. I also found references to things implying data collection.

The JSON file hosted at the government bank domain was also hard-coded into Opera. While I cannot verify what all the references to many different things I found actually represents in the software, it does feel sort of fishy to me - although you should take this with a grain of salt, because regardless of the references, it could mean anything in the actual code-base for Opera. Personally I would not trust them, but that is just me.