Q&A Yandex Browser and some problem.

Status
Not open for further replies.

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
For the past 2 weeks the Yandex Protect module has been trying to access some domains (first image). I did a search and found them to be malicious.
Here:
Botnet infection? - Virus, Trojan, Spyware, and Malware Removal Logs
And also:
IP address of the Digicert certificate authority has been added to the registry of banned sites
Today I removed it (even from the registry), but when I restarted the PC, Windows was still trying to reach a domain from Yandex (second image). How is that possible? :D
Just found a topic about this problem but not a good answer from Yandex.
YANDEX is spying on your computer through Punto Switcher 3.1.1?! Even after it has been completely removed!! - Punto Switcher Club
Google Translate
1- I want a feature-rich browser like Yandex. Is there any?
2- Do you consider these connections as safe?
 

Attachments

  • Yan 1.PNG (31.2 KB)
  • yandex.PNG (26.3 KB)

Deleted member 65228

- so clean?
Emsisoft flags it as phishing according to VirusTotal.

Allegedly it was flagged by Bitdefender around 4 years ago but this is only rumoured according to an outdated online analysis report and thus I cannot verify if this is indeed correct.

VT report: VirusTotal

It might be a false positive, you could submit it and ask them to re-check the URL.

Is Yandex trying to access this URL when you start-up your browser? That would be strange in my opinion, and it's a North Korean website as well. Although the URL itself doesn't appear usual, the name "cafe24" is weird to me.
 

Slyguy

Level 44
Jan 27, 2017
3,328
Opera has so much hard-coded into it, from references to MyStart to Conduit and telemetry references. Which is strange because I don't recall it having any protection against unwanted Conduit toolbars or MyStart home page changes and the like.

Opera concerns me because of this. It hits a LOT of sites, but most interesting is the fact that it hits Ukrainian banks, even with the currency conversion crap turned off. My trust of Opera right now is almost zero, which is a shame, I used to like that as well. Yandex has been exorcised from my systems, passwords have been changed, TFA has been validated, any accounts at risk have multi-factor authentication enabled anyway. I've added all of the known Yandex redirects to Pi-Hole for blacklisting.

I think the theory from one of our top infosec guys about 'elements' within Russia perhaps using Yandex, not Yandex themselves, may be a plausible theory, but again that's just a theory. It has been theorized by others that some of Kaspersky's problems aren't Kaspersky himself but rather rogue elements working from within.
 

AtlBo

Level 27
Verified
Content Creator
Dec 29, 2014
1,699
Just installed Opera (Developer version):
Opera wants to reach DuckDuckGo and eBay! But why? idk :D (you can only see these connections if your firewall can do that)
Btw I think my problem isn't related to Yandex because others don't have such a problem.

Could it be that Opera gets paid by DDG and eBay whenever someone uses a default link in Opera? You might find some default links (like on their new tab page, etc.) to the sites. Would be a shady way to do business for sure. Reminds me of software bundling in installers. This happens too in apps that use Facebook connections like Q360 and going back even Comodo Programs Manager has Facebook links for some silly reason...

I went over all of my apps last night in Comodo checking connections. This is exactly why I block app connections...just block them all. That is with the exception of the browser, since there is no way to discriminate between what is browser business and what is surfing business. Unfortunately, Comodo Firewall doesn't give via an alert the option to blackball a domain (or IP) that a particular application wants to contact. Wish it did, but it wouldn't help with browsers without WhoIs information on the alert like you get from ESET, like in @Sunshine-boy's pics. ESET Firewall is nice :)...
 

harman

Level 1
Aug 31, 2016
17
Is Yandex trying to access this URL when you start-up your browser? That would be strange in my opinion,

This is the thing I was actually concerned about.
I've seen antivirus notifications about blocking hosts or things like that, while accessing some websites, but this was the first time I saw any such notification just after starting up any browser (before any website is accessed).
 

Deleted member 65228

I've seen antivirus notifications about blocking hosts or things like that, while accessing some websites, but this was the first time I saw any such notification just after starting up any browser (before any website is accessed).
Browsers do tend to query on start-up sometimes, although browsers like Google Chrome have their own updater processes to handle most of this. If a browser is just randomly reaching out to a Ukrainian bank or strange unexpected websites unrelated to the browser itself though, that I find weird.

"카페24 호스팅센터" - at start-up? Yeah, that seems strange to me. I am not sure if this happens though, I just saw the URL after @Prorootect mentioned it.
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
Could it be that Opera gets paid by DDG and eBay whenever someone uses a default link in Opera
Hi,
Probably. That 360 owned Opera and they are good at marketing :D
WhoIs information on the alert like you get from ESET,
It's painful! I don't use it for the browser (just sometimes for testing)! I only use interactive mode for Windows services and my applications. This is how I found that the Yandex Protect module was trying to reach some domains.
Btw, you can use this extension, which is very helpful. Open MalwareTips and you will see it has some subdomains! Easily block 3rd-party domains. But it only works on pages, not the browser itself.
Domain Whitelist
 

AtlBo

Level 27
Verified
Content Creator
Dec 29, 2014
1,699
Probably. That 360 owned Opera and they are good at marketing :D

Yes, this would explain those connections.

It's painful! I don't use it for the browser (just sometimes for testing)! I only use interactive mode for Windows services and my applications. This is how I found that the Yandex Protect module was trying to reach some domains.
Btw, you can use this extension, which is very helpful. Open MalwareTips and you will see it has some subdomains! Easily block 3rd-party domains. But it only works on pages, not the browser itself.

Thanks for the information. I'll try to take a look at the extension. I know it will help, but not sure how far to go. All these connections happening...it's crazy...:(
 
  • Like
Reactions: Sunshine-boy

Slyguy

Level 44
Jan 27, 2017
3,328
I won't be using the Yandex Browser. I don't want its crap injected into UI apps system-wide, no thank you.

A cat from the sky checked the injected modules and told me it was junk.

Also note, Yandex is integrated into the system enough to recognize when you plug a cell phone into your PC. Then it pops up and asks you to download their mobile version. That's a level of intrusion I am uncomfortable with, personally.
 

Faybert

Level 23
Verified
Jan 8, 2017
1,251
Just installed Opera (Developer version):
Opera wants to reach DuckDuckGo and eBay! But why? idk :D (you can only see these connections if your firewall can do that)
Btw I think my problem isn't related to Yandex because others don't have such a problem.
But what does Opera have to do with this discussion? Do you work for Yandex? Relax, my friend. It looks like you're a browser fanboy.
 

Prorootect

Level 53
Verified
Nov 5, 2011
5,891
Sunshine-boy - your little extension called Domain Whitelist is very bad (look at post #49) - it hijacked my Extensions page with its Options popup, so I removed it quickly. I don't need this; all these other website subdomains I see in ZenMate Web Firewall (which smartly blocks only those which are bad), and I also see them (blocked, not allowed, only the bad ones) in my other extensions like ContentBlockHelper, ScriptSafe, Content-aware Ad Blocker, etc.

Not all subdomains are bad...
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,687
Opcode, thanks for testing, but you can also disable the HIPS module :) Anyway, I found my problem was related to a root certificate, not Yandex. Disable that cert and no more strange connections.
 
  • Like
Reactions: AtlBo

harman

Level 1
Aug 31, 2016
17
Emsisoft flags it as phishing according to VirusTotal.

Is Yandex trying to access this URL when you start-up your browser? That would be strange in my opinion, and it's a North Korean website as well. Although the URL itself doesn't appear usual, the name "cafe24" is weird to me.

After uninstalling Yandex I installed Firefox 58 and have been using it, but your reply got me thinking: what if Emsisoft didn't classify the cafe24 host as a phishing host, like other antiviruses? In that case I wouldn't be getting any alert about any such connection and I'd still be a happy Yandex user....

So today I changed one setting in Emsisoft's surf protection after continuously noticing some network traffic whenever Firefox starts.

I changed the Privacy risks setting to "Alert", which was by default set to "Don't Block".
emsisoft_settings_cr.png


Then, after changing that setting, when I start Firefox I get 2 alerts from Emsisoft surf protection, which I'm guessing would be related to that "privacy risks" setting that I changed from "Don't Block" to "Alert". And as you can see in the screenshot, I got these notifications without having any website opened, i.e. just on starting up Firefox.

Alert_1_1_cr.png

Alert_2_1_cr.png



So I'm wondering, is it normal for browsers to connect with such hosts whenever the browser starts up?

By the way, I didn't get any such notification on opening Palemoon, Slimjet or Chrome (with these same settings on Emsisoft).

Only, previously I had got one on Yandex (without enabling alert for privacy risks) and now on Firefox after enabling alerts for Privacy risks in Emsisoft surf Protection settings.

Any thoughts regarding the same? :unsure:
 