Q&A Yandex Browser and some problem.

Status
Not open for further replies.

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
Since 2 weeks ago, the Yandex Protect module has been trying to access some domains (first image). I did a search and found them malicious.
Here:
Botnet infection? - Virus, Trojan, Spyware, and Malware Removal Logs
And also:
The IP address of the Digicert certificate authority has been added to the register of banned sites
Today I removed it (even from the registry), but when I restarted the PC, Windows was still trying to reach a Yandex domain (second image). How is that possible? :D
Just found a topic about this problem, but no good answer from Yandex.
YANDEX is spying on your computer through Punto Switcher 3.1.1?! Even after its complete removal!! — Punto Switcher Club
Google Translate
1 - I want a feature-rich browser like Yandex. Is there any?
2 - Do you consider these connections safe?
 

Attachments

  • Yan 1.PNG
  • yandex.PNG

Prorootect

Level 53
Verified
Nov 5, 2011
5,891
From your first link:
"I called my ISP. This time i got to a nice person, I described the situation, he checked my router and said there is no signs of attacks or other suspicious behavior, ..."

Well Sunshine-boy, I think you're clean.
Svchost.exe and the BITS service are normal, safe, OK.
- but why have you enabled BITS? I disabled it a long time ago...
Disable as much as you can: services and startup entries.
Use the ContentBlockHelper extension.

- Nothing, I think... but in reality, I don't know Yandex, I never trusted it...


 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
No need to call the ISP (I have a dynamic IP; also my ISP is idiot, they host a warez website and are not gonna help me in this situation hahaha). Also, my router has no problem, because my brother doesn't have such a problem on his PC.
That service is necessary for Windows Update and... I didn't see anyone recommend disabling this service. It may break the Windows mechanics.
 
Last edited:

Slyguy

Level 44
Jan 27, 2017
3,328
Yandex doesn't have my full trust (nothing does, really).

But the fact that Yandex is the fastest, cleanest, and most compatible browser I have found makes me continue to use them despite not fully trusting them. I just can't find another browser I like nearly as much.

However, we've had THREE suspicious events in the last couple weeks that are causing me to wonder. Someone tried to breach my credit union account, far enough in to prove they had my password. Since my password is 26 characters, generated, and only stored in password manager it is suspicious. My wife had someone try to breach her ADP payroll account, far enough in to indicate they had her password but failed secondary authentications. Prior to that, my son had his Origin Account hijacked. Someone had the password and nailed it. Working with Origin support and escalation we traced it back to Russia. It could be coincidence, maybe not?

Sunshine, you may have Task Scheduler events running to try and update Yandex, which is why it keeps doing that. I will check tonight when I get home to see what it is doing after full removal. Now you've made me even more suspicious of Yandex...

93.184.220.29 is an NSA Equation Group COLO, your Yandex is going there?!?!
 

Slyguy

Level 44
Jan 27, 2017
3,328
Slyguy, I have more and more encouragement - to NOT download Yandex, after your posting...

So far I have not been able to pin anything on Yandex, and I have tried. It just doesn't seem to be doing anything nefarious. Also, since switching to Yandex there has been a considerable absence of hacking attempts on my network, including a variety of attempts to exploit browsers and XSS. When we used Chrome we were subjected to very regular attacks; it's rather refreshing to see virtually no attacks leveraged against us under Yandex.

I monitored it a bit today in the lab and found no nefarious activity. However, I also DID NOT find it going to the locations Sunshine-Boy has found it going to. Since he is in Iran, and a major target of the NSA, it's possible he has a compromise elsewhere or they compromised Yandex. Perhaps those are quantum redirects? Either way, I found nothing pointing to the IPs he is showing...

Remember, NSA/CIA (and others) are adept at masking activities behind legitimate programs and/or services. I've found Xfinity Pineapple local attack attempts, cleverly masked as normal Xfinity free connections. We've seen attacks masked as things ranging from Trend Micro to Notepad++. So it's quite possible Yandex (or ANY BROWSER) is a tool in their toolbox. CCleaner shows how they use common programs as attack vectors into systems, and the NSA has bragged about using 'Steam' to backdoor...
 

Prorootect

Level 53
Verified
Nov 5, 2011
5,891
The old fox is very quiet, turning attention... but it goes straight into the poultry house. And then it is less cautious.

Using ContentBlockHelper, sometimes I have seen Yandex's temptation to reach me, without having Yandex!
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
Same for me, I like Yandex's features! Fast, and it has a lot of features like the AI ad blocker, which I want! I could see it blocked the coin miner on the Windscribe website (test yourself: Mine for Upgrades - Windscribe).

Someone tried to breach my credit union account, far enough in to prove they had my password. Since my password is 26 characters
It can be related but I'm not sure.
I'm not a fanboy, you know what? Yandex has a -130 negative score on a Russian warez website! There is a reason for that (I always ignored it) till today... I'm not a Kaspersky engineer able to find out the safety level of Yandex :/
Origin Account hijacked.
Bad for your cute boy :D
There is nothing in the Task Scheduler from Yandex! It's fully clean. Nothing from Yandex, even in the registry...
See:
Code:
Task: {16655E5A-A1A5-47D6-8EE6-8F5C91A87BF6} - System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2018-01-05] (NVIDIA Corporation)
Task: {3B8A7554-A8E4-4928-99A3-CC85D461C816} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2018-01-05] (NVIDIA Corporation)
Task: {5DE9DB8A-A64E-4AE8-8DB5-AD1569D8BBDF} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2018-01-05] (NVIDIA Corporation)
Task: {7C38E241-B7DC-4269-BF51-F9DB5982A898} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2018-01-05] (NVIDIA Corporation)
Task: {9767983B-2347-474A-B3EB-CEEB8B0C4082} - System32\Tasks\OO DiskImage {96919585-ee22-4c7e-bf4f-5841003c11c7} => C:\Program Files\OO Software\DiskImage\oodiag.exe [2017-11-28] (O&O Software GmbH)
Task: {9D55ECE6-9830-46F7-BAA2-E027326DB022} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2018-01-05] (NVIDIA Corporation)
Task: {A058A419-2BE1-4661-89A6-33315C623208} - System32\Tasks\Kerish Doctor => C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe [2018-01-11] (Kerish Products)
Task: {BAD08CFF-07D5-44B7-A4CA-3BC2842EF8C6} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-01-05] (NVIDIA Corporation)
Task: {DC444B82-B3F0-47C4-9158-86A7920568E0} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\Explorer.exe /NOUACCHECK
Task: {FC809398-8F2D-4478-945B-442AF5AECA24} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2018-01-05] (NVIDIA Corporation)
Task: {FDD3DB3A-6572-44C4-865E-9E4422B07E59} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2018-01-05] (NVIDIA Corporation)


Now you've made me even more suspicious with Yandex
:D I'm happy because you need some paranoia.
Anyway, I'm gonna stick with Firefox 58 and Edge! Although I don't like the garbage Mozilla Foundation, I have better privacy with them :giggle:
 

Slyguy

Level 44
Jan 27, 2017
3,328
After removal if Yandex is still sending data this is concerning. Either a remnant somewhere, or they are legitimately involved with shady practices.

The problem is, everyone in the home really likes Yandex and I DO NOT want to have to roll out a replacement (and we ALL hate Firefox). Even though we are down to only 4 Windows machines, it's still a hassle. Also, the replacements are less than acceptable to most people, as everyone likes Yandex in the house. If I cannot fully exorcise it from the systems I will have to perform a format of each machine, and that adds even more hassle...

But three breach attempts in 2 weeks is... incredibly suspicious. The Origin account was recovered within 3 hours; the hacker made a mistake that caused me to discover my son's account was breached. A quick call to EA solved it in 2 minutes. The other accounts that were 'attempted' to be breached have multi-factor authentication that can't really be broken, but it caused some hassles as we had to reset PWs and stuff.

My home is a constant target of harassment, hacking and tailored access operations so nothing surprises me. I am also not quick to point fingers at Yandex since we've had a lot of 'strangeness' over the years long before Yandex arrived. All of our notebooks are now Chromebooks so threat surface keeps dropping by the week. Also I've made significant hardening improvements to the network over the last couple of weeks. I can't really blame or prove anything is related to Yandex..

That's a CDN but according to some also an IP shared by Equation. But the problem is, the link is casual and unsubstantiated and intel groups share a LOT of public access. CIA used to use Knology servers for example.. Plausible deniability using 'common' shared CDN resources. Again, this doesn't prove much against Yandex. Nothing is substantiated against them.
 

Slyguy

Level 44
Jan 27, 2017
3,328
Yandex is actually fairly quiet for a browser. Firefox, you open that thing up and it goes to 22 domains... Yandex goes to 4.

Sunshine, you could install Hacker Deterrent and see the activity on your system. Currently, my systems are totally silent when not in use, other than Windows doing normal update/validations. I've been very pleased with my systems lately, but having those three incidents has caused me to launch an investigation as to the potential cause.
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
I forgot to say that it can also be about Windscribe VPN! Because before that I didn't have such a problem with Yandex (I'm using it for 2 years). But this: YANDEX is spying on your computer through Punto Switcher 3.1.1?! Even after its complete removal!! — Punto Switcher Club remains! Is it safe or not? :D
Think I'm lying about that CDN, but the second story remains! Hacker Deterrent installs 2 root certificates (I tried it before but don't trust it)!
 
Last edited:

Slyguy

Level 44
Jan 27, 2017
3,328
I forgot to say that it can also be about Windscribe VPN! Because before that I didn't have such a problem with Yandex (I'm using it for 2 years). But this: YANDEX is spying on your computer through Punto Switcher 3.1.1?! Even after its complete removal!! — Punto Switcher Club remains! Is it safe or not? :D
Think I'm lying about that CDN, but the second story remains! Hacker Deterrent installs 2 root certificates (I tried it before but don't trust it)!

Well to satiate my curiosity..

I took the latest version of Yandex and put it through a FortiSandbox. No nefarious activity, normal domains it hits. I installed it on a machine, left it for about a half hour, then uninstalled it, and it was a clean uninstall. It even removed the AppInit DLL injection from the registry. Not satisfied, I took a personal machine I haul around to work and uninstalled it; it came off cleanly, leaving virtually no remnants and surely no background activity. Still not satisfied, I started a network capture on Yandex, and found nothing out of the ordinary.

I shall continue to use it. Either your installation got hijacked or something else is tampering with it perhaps? No idea. But I cannot duplicate the problem.
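As an added example (not code from the thread or from Yandex), a PowerShell check for the kinds of leftovers this thread keeps coming back to after an uninstall: scheduled tasks, services, Run keys, AppInit_DLLs, BITS jobs (which run inside svchost.exe) and whichever process currently holds a connection to the IP quoted earlier. The search pattern and the registry key list are my assumptions; it is meant to be run from an elevated PowerShell 5.1 prompt on Windows 10.

```powershell
# Assumed search term (hypothetical): the vendor/product string to hunt for.
$Pattern  = 'yandex'
# The remote IP quoted earlier in the thread; swap in whatever your own capture shows.
$RemoteIP = '93.184.220.29'

# 1. Scheduled tasks whose name, path or action mentions the pattern
Get-ScheduledTask | Where-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    "$($_.TaskPath)$($_.TaskName) $actions" -match $Pattern
} | Select-Object TaskPath, TaskName, State

# 2. Services whose name or binary path mentions the pattern
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
    Select-Object Name, State, PathName

# 3. Autostart values: Run keys plus the AppInit_DLLs value under ...\Windows NT\CurrentVersion\Windows
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($k in $Keys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
}

# 4. BITS jobs for every user: a leftover download job shows up as svchost.exe traffic
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount,
        @{ n = 'Urls'; e = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join ', ' } }

# 5. Which process owns a connection to the suspicious IP right now
Get-NetTCPConnection -RemoteAddress $RemoteIP -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort; State = $_.State; PID = $_.OwningProcess
        Process   = $p.ProcessName; Path = $p.Path
    }
}
```

An empty result from every step, together with a capture that stays quiet, is the evidence the thread was looking for; a hit in step 4 or 5 names the host process (often svchost.exe) rather than the removed program, which is why the connection survives the uninstall.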
 

Slyguy

Level 44
Jan 27, 2017
3,328

I don't see anything bad there, do you?

Hybrid Analysis is largely useless unless you can interpret the results... For example, it says 'Malicious activity' because VT flagged one Yandex URL as suspicious with 1 out of 66 scanners. It says it is suspicious that Yandex Updater can 'delete itself'; well, that's what updaters do, they update, then delete their old process. Lots of stuff is nonsense in that HA report. Specifically, the fact that Yandex is a browser and an antivirus to some extent means it's probably going to flag a lot of potentials on HA, as would almost any program that does more than a couple of things.
 

darko999

Level 17
Verified
Oct 2, 2014
806

Slyguy

Level 44
Jan 27, 2017
3,328
It does not look so different from current Chrome; Chrome and Chrome-based browsers tend to behave that way, a bit intrusive, but people got used to that.

Agreed, it looks like a lot of things, and if you read closer, it's all appearing benign. For example, HA flagged it for:

Loads the task scheduler COM API
details
"service_update.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 71A70000
source
Loaded Module
relevance
5/10

Well yeah... It creates tasks to update itself, so it's going to load taskschd.dll... Big deal, eh?

Still, I am 'guarded' about it and open to interpretations of nefarious purpose. It's a browser, it's not all that critical to drop it. Although people around my home will hate me for it. Everyone really likes Yandex.
 
Last edited: