Q&A Yandex Browser and some problem.

Status
Not open for further replies.

Sunshine-boy

Since 2 weeks ago, the Yandex Protect module has been trying to access some domains (first image). I did a search and found them malicious.
Here:
Botnet infection? - Virus, Trojan, Spyware, and Malware Removal Logs
And also:
The IP address of the Digicert certification authority has been added to the register of banned sites
Today I removed it (even from the registry), but when I restarted the PC, Windows was still trying to reach a Yandex domain (second image). How is that possible? :D
Just found a topic about this problem but not a good answer from Yandex.
YANDEX is spying on your computer through Punto Switcher 3.1.1?! Even after completely uninstalling it!! — Punto Switcher Club
1. I want a feature-rich browser like Yandex. Is there any?
2. Do you consider these connections safe?
 


509322


I just picked Chrome because it is essentially Yandex's father.

Here is H-A result of the Chrome.exe that I just ran. The results are public.

As you can see, Chrome generates malicious and suspicious activities in the Hybrid-Analysis sandbox. The H-A sandbox flags Chrome.exe as potentially ransomware. It does not say Chrome.exe is ransomware. There are other red and yellow flags. However, Chrome is whitelisted.

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'chrome.exe'

In similar fashion...

the Yandex.exe analysis shows the multiscan AV results as clean. It can be considered a false positive and someone should report it to Yandex so Yandex can get Yandex.exe properly whitelisted with Hybrid-Analysis.
 

Evjl's Rain

I don't see anything bad there, do you?

Hybrid Analysis is largely useless unless you can interpret the results. For example, it says 'Malicious activity' because VT flagged one Yandex URL as suspicious with 1 out of 66 scanners. It says it is suspicious that Yandex Updater can 'delete itself'; well, that's what updaters do: they update, then delete their old process. Lots of stuff is nonsense in that HA report. Specifically, the fact that Yandex is a browser and an antivirus to some extent means it's probably going to flag a lot of potentials on HA, as would almost any program that does more than a couple of things.

It does not look so different from current Chrome; Chrome and Chrome-based browsers tend to behave that way, a bit intrusive, but that's how they work.
I can see it connected to many IPs which are contacted by malware too. So many IPs with 59, 50, 40/62 on VT
Contacts 24 domains and 26 hosts -> too many

I also uploaded Slimjet, which also connects to various IPs but much fewer than Yandex. "Red" IPs are also much fewer and the highest detection is 12/65
Contacts 10 domains and 8 hosts
 

509322

I can see it connected to many IPs which are contacted by malware too. So many IPs with 59, 50, 40/62 on VT
Contacts 24 domains and 26 hosts -> too many

I also uploaded Slimjet, which also connects to various IPs but much fewer than Yandex. "Red" IPs are also much fewer and the highest detection is 12/65
Contacts 10 domains and 8 hosts

Are the addresses actively serving malware? Or are they rated for what: adware, annoyances, nuisances, other stuff?

A lot of people are using Yandex, so if those IPs are actively serving malware, then the infection rate is going to be high and people are going to report infections or weird behaviors. I am talking about people here on the forums that pay attention.
 

Evjl's Rain

Are the addresses actively serving malware? Or are they rated for what: adware, annoyances, nuisances, other stuff?

A lot of people are using Yandex, so if those IPs are actively serving malware, then the infection rate is going to be high and people are going to report infections or weird behaviors. I am talking about people here on the forums that pay attention.
I found out those IPs belong to Yandex Search Engine Spider, Yandex DNS requests or Yandex CDN.
Maybe they are not malicious, but so many malware samples with high detection ratios (>50) also connect to these IPs.
I don't have any experience with H-A.
I uploaded the Firefox installer and got similar results to Yandex, but its IPs don't seem to be as bad as Yandex's.

Slimjet's result seems to be more benign with its IPs
Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'sjtsetup_x86.exe'

Your Chrome analysis: did you upload chrome.exe only? I think it's better to upload the full installer so it won't malfunction. I'm waiting for the chrome_x64 installer result. It's taking ages.
 

Telos

I installed Yandex over the past weekend. I had hoped for a clean install, but Yandex decided on its own (unless I missed this) to suck in my Chrome bookmarks. That was exactly what I DIDN'T want to happen. So we began our relationship on a bad footing. And nothing improved from there. Along the way, I tried Yandex search. Woefully inadequate and occasionally redirected to Bing.

This thread moved me to what I intended to do later... and uninstall. With the help of IOBit I cleaned out Yandex and rebooted. Out of curiosity, I called upon my old friend Everything to see if remnants remained. I found Yandex in all 3 AppData folders (this is one of the few progs that uses "Local Low"). But then I found Yandex's presence in my Chrome install... hidden extensions? So it seems that a full registry search is in order to see what remains behind. Gosh, I feel so thoroughly dirty now !!!
 

Slyguy

I installed Yandex over the past weekend. I had hoped for a clean install, but Yandex decided on its own (unless I missed this) to suck in my Chrome bookmarks. That was exactly what I DIDN'T want to happen. So we began our relationship on a bad footing. And nothing improved from there. Along the way, I tried Yandex search. Woefully inadequate and occasionally redirected to Bing.

This thread moved me to what I intended to do later... and uninstall. With the help of IOBit I cleaned out Yandex and rebooted. Out of curiosity, I called upon my old friend Everything to see if remnants remained. I found Yandex in all 3 AppData folders (this is one of the few progs that uses "Local Low"). But then I found Yandex's presence in my Chrome install... hidden extensions? So it seems that a full registry search is in order to see what remains behind. Gosh, I feel so thoroughly dirty now !!!

Not sure about Yandex, I use Yandex Beta, a different beast. But Yandex Beta asks if you want to import from other browsers. Yandex search? Never used that or Bing, I switch it straight away to my preferential search. What do you mean hidden extensions?
 

Slyguy

Are the addresses actively serving malware? Or are they rated for what: adware, annoyances, nuisances, other stuff?

A lot of people are using Yandex, so if those IPs are actively serving malware, then the infection rate is going to be high and people are going to report infections or weird behaviors. I am talking about people here on the forums that pay attention.

This is an important point. Also, since anything Yandex does is passed through my sandboxes, IPS, AV and Fortiguard validations, something would come up. Fortinet is pretty picky about such matters and my appliance is set to maximum detection. There was a flag on a CDN, I sent that to the labs and it came back as a false positive and was removed. Also their Bing Redirect is flagged, but I don't use Bing so the affiliate redirect doesn't trigger.

In fact my appliances have been incredibly quiet since Yandex was deployed. Here's the last 3 days and, to be honest, that's pretty light for a home pushing as much web traffic as this one. It was quite a bit noisier running other browsers. If Yandex was up to no good I really think 'something' would have triggered by now, if not for me, then for people on these forums that also use it (and pay attention).

 

Sunshine-boy

Slyguy, thanks for your comments and answers! If you say safe then it's safe. I also had no problem with Yandex in 2 years. Maybe there is smth inside my Windows :) If there is no 93.184.220.29 in your tests, that means it's safe.
 

Telos

Not sure about Yandex, I use Yandex Beta, a different beast. But Yandex Beta asks if you want to import from other browsers. Yandex search? Never used that or Bing, I switch it straight away to my preferential search. What do you mean hidden extensions?
There were 4 Yandex files in my Chrome profile (after uninstall... who knows what was there originally). Two of which were in the extensions folder (I've never installed anything Yandex-related to Chrome), and the other two were js files (I don't recall the specific location). I didn't bother to examine these files, as I was irked to find this stuff intermingled with my Chrome install. I just deleted them outright. And later... 2 remaining Yandex registry keys (so much for IOBit Uninstaller's thoroughness).

I had hoped to find a portable Yandex, but I never located a trusted source.
 

Slyguy

Well I nixed Yandex on my network.

Another breach attempt today, this time on my credit card. As usual, I have multiple layers of protection on all accounts but someone was savvy and got fairly far which triggered Chase to cancel the card, call me, then Fed-Ex a new card overnight. Since Yandex was installed we're now up to a half dozen breach attempts and one successful compromise (my son's Origin account, by a Russian, ironically enough). These have the indicators of being an internal compromise and the only common denominator is Yandex in this case, as ALL of this started when Yandex was deployed to the last remaining Windows computers here.

I cannot prove Yandex was the culprit but I traced all of the attempts back to within 48 hours of Yandex being installed. I talked to one of our top cybersecurity engineers at work and he suggested that Yandex themselves may not be up to nefarious activities but Russian insiders or hackers have compromised some aspect of the Yandex infrastructure, update channels or telemetry/logging servers. THAT seems plausible here.

Uninstall went without issue except a strange anomaly. My SIEM detected a momentary 'disconnect' on my NIC while Yandex was uninstalling. That's potentially a concern as there shouldn't be any reason Yandex would have to tamper with the NIC or TCP stack. Aside from that it seems to have uninstalled cleanly except leaving a remnant ADWCleaner flagged as a PUA pinned to Windows Media Player.

I can't prove Yandex has done anything bad but usually when these types of things happen you examine a common denominator and that common denominator is Yandex. Despite Yandex passing all security scans, lab analysis, sandboxing and Fortinet Evaluation, I still don't feel confident with it anymore. Sadly, it's the slickest, fastest and best featured browser I have found.

Good spotting by people more paranoid than me here. (y)

As an added precaution, I put all of the Yandex domains tied to its browser in my Pi-Hole, blocking any potential activity to all known domains. I will continue to monitor the last remaining Windows systems for anomalies related to Yandex POST INSTALL.
 
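Slyguy's post-install watch, as an added example that is not code from the thread or from Pi-Hole: a small parser for Pi-Hole's dnsmasq-format query log that reports which clients still resolve names under watched domain suffixes after an uninstall. The log lines and the vendor-browser.example suffix are constructed placeholders, not real Yandex domains.

```python
import re
from collections import defaultdict

# Pi-Hole writes dnsmasq-style lines; only "query[...]" lines name the client.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed placeholder suffix standing in for the browser vendor's domains.
WATCHED = ["vendor-browser.example"]

# Constructed sample log: one client keeps resolving the vendor's names after
# the uninstall, another resolves a look-alike that must NOT match.
SAMPLE_LOG = [
    "Oct  3 08:01:02 dnsmasq[812]: query[A] update.vendor-browser.example from 192.168.1.20",
    "Oct  3 08:01:02 dnsmasq[812]: forwarded update.vendor-browser.example to 9.9.9.9",
    "Oct  3 08:05:40 dnsmasq[812]: query[AAAA] www.wikipedia.org from 192.168.1.20",
    "Oct  3 09:12:11 dnsmasq[812]: query[A] telemetry.vendor-browser.example from 192.168.1.20",
    "Oct  3 09:30:00 dnsmasq[812]: query[A] notvendor-browser.example from 192.168.1.30",
]


def domain_matches(name, suffixes):
    """True if name equals a watched suffix or is a proper subdomain of it."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in (x.lower() for x in suffixes))


def watch(log_lines, suffixes):
    """Per client: how often, which names, and first/last time it resolved a
    watched domain. Non-query lines (forwarded, reply, cached) are skipped."""
    report = defaultdict(lambda: {"count": 0, "names": set(),
                                  "first": None, "last": None})
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if not m or not domain_matches(m["name"], suffixes):
            continue
        r = report[m["client"]]
        r["count"] += 1
        r["names"].add(m["name"].lower())
        r["first"] = r["first"] or m["ts"]
        r["last"] = m["ts"]
    return dict(report)


if __name__ == "__main__":
    # On a real Pi-Hole the log is typically /var/log/pihole.log:
    # watch(open("/var/log/pihole.log"), WATCHED)
    for client, r in watch(SAMPLE_LOG, WATCHED).items():
        print(f"{client}: {r['count']} lookups, {sorted(r['names'])}, "
              f"{r['first']} .. {r['last']}")
```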

Slyguy

Help us understand how this could occur. Do you store your logins on the browser, or do you suspect your login info was being intercepted by a keylogger? Did you visit the half-dozen targeted sites within your first 48 hours of use? This is quite alarming.

Absolutely no logins stored in the browser, I use a password manager and change the master password every 30 days. System was freshly formatted (DBAN+Install) at the time Yandex went on the system. EXTENSIVE security protocols in place across the board (check my security config in security config section). System tests clean. I suspect intercept. No incidents similar to this prior to Yandex going live on our remaining Windows systems.

Again, I have NO evidence of this. It should be categorized as unsubstantiated. Yandex has been fully removed and blocked on the Pi-Hole. If any further breach attempts happen then we can probably rule out Yandex and I will begin to suspect another software I have installed. If there are no further anomalies then I will assume it was Yandex. But keep in mind the threat-surface on this machine is incredibly small and there isn't any nefarious activity on PCAP and Wireshark and SIEM doesn't report any anomalies.

Draw your own conclusions, run your own tests, and be observant. I can't tell you for sure of anything right now other than suspicions and coincidences.
 

harman

I just logged in to post that I had a similar experience with Yandex, earlier this month.

It so happened that, a few days back, when I opened Yandex browser, I immediately got a notification from Emsisoft Surf Protection that "Surf Protection detected suspicious host 'hostinfo.cafe24.com'..." and "hostinfo.cafe24.com is a known phishing host and was blocked."

I had opened a known safe site when that notification popped... so I just ignored the message.

A few hours later when I again opened the browser, the same notification about "hostinfo.cafe24.com" popped, but this time even before opening any website... so I got concerned... and then closed and reopened the browser again... and again the same notification, without even opening any website. So I scanned my computer with Emsisoft and then Zemana but no malware was detected. That day I didn't use Yandex again but the next day when I opened Yandex the problem was gone... and I didn't encounter any such notifications till now.

I had almost forgotten about that experience but after reading the posts in this thread I grew suspicious about Yandex .....and I finally uninstalled it (even though I really loved the browser) :cautious:
 

Deleted member 65228

The usage of AppInit_DLLs is understandable since it is being used for automatic injection of their DLL (when a process spawns it will query the registry key name and call LoadLibraryA/W for each entry automatically); however, this will only affect processes which have user32.dll loaded, and this means it will only affect programs which have a user interface.

The samples which have been seen at Hybrid-Analysis and are linked to IPs owned by YANDEX LLC. are flagged by some security software vendors because they host downloads to installers which bundle software, and Yandex Browser is included as a bundled package option.

That day I didn't use yandex again but the next day when I opened Yandex the problem was gone...and i didn't encounter any such notifications till now.
This is what intrigues me.

Usually when your browser is compromised, the threat will remain persistent until it is cleaned from the environment. However, in this scenario you claim that you did not encounter unexpected automatic redirections to malicious hosts after the first encounter which was mitigated by Emsisoft Anti-Malware... Which implies that there was not an active infection on your system from a third-party attacker and that it really was due to Yandex.

Did you have the self-protection module from Yandex enabled as well? I could never get it installed on my analysis environments, it would never show up as an option... If you had that enabled then it's even more suspicious considering that would mitigate many attacks on their browser product and normal malware authors would struggle and would not have the knowledge/experience to surpass it.
 
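To check the AppInit_DLLs mechanism described in the post on your own machine, here is an added example (not code from the thread or from Yandex). It parses the AppInit_DLLs list the way Windows does (space- or comma-separated), reports whether injection is armed via LoadAppInit_DLLs and whether unsigned DLLs are allowed via RequireSignedAppInit_DLLs, and singles out entries whose path still mentions a product name you pass in, the kind of leftover others in this thread found after uninstalling. The live registry read runs only on Windows; the sample values and the ExampleVendor marker are constructed.

```python
import sys

# Native and WOW64 views of the key that drives AppInit DLL injection.
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
APPINIT_VALUES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")


def parse_appinit_dlls(raw):
    """Split the AppInit_DLLs string into DLL paths; Windows accepts spaces or commas."""
    return raw.replace(",", " ").split() if raw else []


def assess(values, marker=""):
    """values: the three registry values as {name: value} (missing ones count as
    off/empty). marker: product name (case-insensitive) whose leftover DLL
    entries should be singled out, e.g. after that product was uninstalled."""
    dlls = parse_appinit_dlls(values.get("AppInit_DLLs", ""))
    armed = bool(values.get("LoadAppInit_DLLs", 0)) and bool(dlls)
    signed_only = bool(values.get("RequireSignedAppInit_DLLs", 0))
    return {
        "dlls": dlls,
        # Every new process that maps user32.dll will LoadLibrary these.
        "injection_armed": armed,
        "unsigned_allowed": armed and not signed_only,
        "leftover_suspects": [d for d in dlls if marker and marker.lower() in d.lower()],
    }


def read_live(marker=""):
    """On Windows, read both key views under HKLM and assess each; elsewhere []."""
    if sys.platform != "win32":
        return []
    import winreg
    results = []
    for sub in APPINIT_KEYS:
        vals = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                for name in APPINIT_VALUES:
                    try:
                        vals[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value absent: treated as off / empty
        except FileNotFoundError:
            continue  # the WOW64 view does not exist on 32-bit Windows
        results.append((sub, assess(vals, marker)))
    return results


if __name__ == "__main__":
    # Constructed sample: a stale entry left behind under a user profile path.
    sample = {"AppInit_DLLs": r"C:\Users\u\AppData\Local\ExampleVendor\hook.dll C:\w\a.dll",
              "LoadAppInit_DLLs": 1, "RequireSignedAppInit_DLLs": 0}
    print(assess(sample, marker="ExampleVendor"))
    for key, result in read_live(marker="ExampleVendor"):
        print(key, result)
```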

harman

Did you have the self-protection module from Yandex enabled as well? I could never get it installed on my analysis environments, it would never show up as an option... If you had that enabled then it's even more suspicious considering that would mitigate many attacks on their browser product and normal malware authors would struggle and would not have the knowledge/experience to surpass it.

I'm sorry, I don't remember about the self-protection module in Yandex.... and now I've already uninstalled it so cannot check.

One more thing: uninstalling Yandex was also a bit of a pain in the neck. I had read in this thread that someone used Iobit uninstaller and still found leftovers from Yandex. So I used Revo instead, but the application installer didn't even start, despite trying multiple times. When I checked the task manager, it showed Yandex setup sucking 96-97% CPU. I looked at its file location and it was in the AppData folder instead of Program Files.

Anyways I assumed there maybe some conflicts going on with Emsisoft or comodo with yandex's setup so I went in the safe mode and then it uninstalled smoothly using Revo... though it still left a Yandex folder in start menu with a broken shortcut/exe (not sure) for yandex (which I later deleted).
 

Deleted member 65228

I'm sorry, I don't remember about the self-protection module in Yandex.... and now I've already uninstalled it so cannot check.
Don't worry, you've done nothing wrong.

The other thing that intrigues me is Win32 malware targeting Yandex specifically (or that doesn't constantly abuse its persistence to control the browser; as you noted, it only happened once upon launching the browser), because I am yet to find a sample in the wild which targets Yandex in such ways. Most browser hijackers are targeting a specific browser, and will have to have support manually added to support other browsers; the same usually applies with banking malware as well.

It's definitely all interesting but it would be unfair of us to point the finger at Yandex for the current moment as well, therefore simply just don't use it if it isn't trusted for the time being. If they are up to something shady then it will eventually be exposed, and I doubt they would last very long doing something shady before being exposed - they use AppInit_DLLs so master-mind criminal potential is off the table haha. :p

On the other hand though, limiting your self-protection to UI-based applications only is also interesting. Given what others have said regarding password theft.
 


Sunshine-boy

Just installed Opera (Developer version):
Opera wants to reach DuckDuckGo and eBay! But why? idk :D (You can only see these connections if your firewall can do that.)
Btw I think my problem isn't related to Yandex because others don't have such a problem.