Yandex browser discussion (Split Thread)

[ForgottenSeer 58943]

That was a quick U-turn.

I've been using Chrome since 2010 and have not had a single issue about not trusting Google. Likewise with Microsoft and Apple, these giants have nothing to hide, well mostly nothing.

Watch video: Why Enthusiast Brands will Betray You
-https://www.youtube.com/watch?v=FJgTKx-rg18

I've always been cautious about enthusiast brands. It's been confirmed some of those de-googled Chromium builds are backdoored and/or redirectors.

Yandex is clean, fast and exceedingly sexy for a browser but 100% untrustworthy now IMO. Similar to Opera, I do not trust Opera at all anymore either after my last tests with them and it backend pinging phishing domains on a fresh install. But Yandex, still connecting to Yandex domains even without Yandex on the system is hilarious and bordering on malware activity.

I still feel dirty from Yandex and feel like I need to format machines that were tainted by it. But after going over everything they appear to have been removed properly (with some manual work)

 

[Sunshine-boy]

Hi,
ForgottenSeer 58943 what is your browser now? chrome?
What I tried: completely reset the internet settings with complete internet repair and also removed Yandex keys from the registry but the bits service resolve Yandex domains lol(Thanks to Eset firewall).
ЯНДЕКС шпионит за вашим компьютером через Punto Switcher 3.1.1 ?! даже после полного его удаления!! — Клуб Punto Switcher
This issue exists since years ago!

 

[ForgottenSeer 58943]

I've resolved to use Chrome, then do some extra work to lock it down and reduce telemetry. Chrome just works.. Everywhere.

1) I found most 'forks' to have their own problems, own security holes, or even their own redirects. Which I trust WAY less than Google.
2) I found most non-Chrome products to have issues. Vivaldi gathers it's own telemetry and is slow. Firefox doesn't work with multiple extensions correctly. Opera has it's own telemetry, pulls up phishing sites on launch and hits Ukrainian banks. Yandex, well..

Tired of playing musical browsers. So are people in the house. Chromebooks use Chrome, everyone is used to it, it works everywhere, and has no issues that I know of. It's not perfect, but it's what seems to eliminate the games I need to play constantly monitoring forks and fixing crap. So I disable a lot in flags, turn off a bunch of stuff and use the command line of: -disable-background-networking --disable-component-extensions-with-background-pages --dns-prefetch-disable --no-pings --disable-logging

Then leave it at that..

 

[TairikuOkami]

18.2.0.234 Beta
(Chrome/63.0.3239.132)

Download Yandex Browser (beta)

 

[Deleted member 65228]

If you would put documents in ProgramFiles, ransomware should not be able to touch them.

Unless the ransomware is elevated.

told me the App data is not a safe place for the browser!but why? Idk the reason

It's because you can access the directory (and also perform modifications to it) without administrator rights.

However, that neither means that storing under Program Files (or other protected directories) is always 100% safe because to do that it would mean a component has additional privileges which could be potentially abused for privilege escalation exploitation should the component have unknown vulnerabilities which are then found and can be abused.

Therefore, if data is stored in a protected directory and your system becomes infected with non-elevated malicious software, then the data within the protected directory is likely safe.

It's in the best interest for a web-browser not to have administrator rights, because it assists to reduce damage in the case of exploitation. Standard rights + built-in security mechanisms such as sandbox containment all work together to make the browser secure, and sensitive content stored on-disk is usually encrypted/locked (but like everything it isn't going to be full-proof).

 

[TairikuOkami]

Unless the ransomware is elevated.

Luckily ransomware uses SYSTEM rights (SeDebugPrivilege), deny SYSTEM and ransomware is harmless.

 

[Deleted member 65228]

Luckily ransomware uses SYSTEM rights (SeTcbPrivilege), deny SYSTEM and ransomware is harmless.

Ransomware cannot spawn under the NT Authority Account (aka. SYSTEM) post Windows XP without a zero-day exploit unless it already has administrative rights to register a Windows Service which will then steal the SYSTEM token (e.g. NtOpenProcessToken, NtDuplicateToken) from an existent SYSTEM process and then spawns the process containing the ransomware payload using the stolen token (e.g. via CreateProcessAsUser), although that wouldn't make much sense other than to display a UI from a SYSTEM process given that it could just contain the payload within the initial Windows Service -> that is unless of course an exploit is deployed to abuse a vulnerability in a component in another software's package on the environment for privilege escalation, then it'd make perfect sense.

You used to be able to steal the SYSTEM token and spawn a process with it outside of already being in session 0 back in Windows 2000 and Windows XP days, but that all changed with the introduction to administrative rights/User Account Control among many other changes introduced into Windows Vista.

On that note, standard rights is more than enough to do damage with a file encryption payload in most scenarios, because average users tend to keep their data in average locations, such as: Documents, Photos, Music, Downloads and Desktop, or on removable media left plugged into the machine.

Standard rights processes can neither adjust their privileges via NtAdjustTokenPrivileges.

 

[TairikuOkami]

Ransomware always tries to get the highest privileges (and that is its weakness), since the user can have a limited access, but SYSTEM does not.

https://youtu.be/hZKLEw-Our4?t=5m23s

 

[Deleted member 65228]

Ransomware always tries to get the highest privileges

No, it depends on the ransomware.

The video you linked to is about the NotPetya variant. The dropped perfc.dat file is actually a Portable Executable (*.dll to be precise) and the payload contained within this module will check it's current privileges and will attempt to enable others -> rundll32.exe executes the module's code.

This doesn't mean all ransomware will attempt to enable as many privileges as it can though.

 

[TairikuOkami]

No, it depends on the ransomware.

Well, the good ones do (BadRabbit, NotPetya, WannaCry, etc), the bad one can be easily blocked and are not even worth mentioning.

 

[Deleted member 65228]

On that note, NotPetya has support for credential theft, use of PsExec (from SysInternals), and exploitation with EternalBlue and EternalRomance (leaked government exploits, the vulnerabilities exploited have since been patched now of course).

On top of all of that, the MBR destruction was just nasty of them.

 

[Andy Ful]

Ransomware always tries to get the highest privileges (and that is its weakness), since the user can have a limited access, but SYSTEM does not.

https://youtu.be/hZKLEw-Our4?t=5m23s

Most dangerous ransomware will try to get the highest possible privileges, but as in the case of NotPetya, they will continue to work as standard user if elevation would fail.

 

[BearHug]

Remove Yandex cuz I don't trust it Anymore (high telemetry also the windows try to reach Yandex domains even after I uninstalled it).Not recommended anymore.
BB Yandex LLC.

What do you mean by Yandex domains?

 

[yitworths]

I do use Yandex browser on a daily basis. & I haven't come across this kinda issues ever.Btw, i've disabled its auto-update service & some other features.I do update it manually. i keep using it because of its security features.Yandex collaborates with Sophos & kaspersky. That's dope. I do use it for all of my online transactions & never find anything suspicious. One thing which nags me is whenever I launch Yandex it asks for usage statistics permission as I've disabled it. In case of telemetry, I don't believe any browser is trustworthy. I do use opera,firefox most of the time, chrome only for youtube ( when logged in). I do check Vivaldi time to time. One thing I'm convinced of is that they do use different tactics to gather same kinda infos.

 

[TairikuOkami]

Just updated the browser and this showed. It might be a useless info for most, but it is a nice touch, considering everything.

Link in the picture: Sending data to the server by the browser

Everything is nicely described, some features act the same way, like sending data (like Cortana search). I am impressed.

 

[TairikuOkami]

I have just noticed, that Yandex company is sure proud to be Russian. :emoji_v:



On the side note, dnscrypt.nl has been updated to dnscrypt v2 and stopped working within Yandex, so I assume, that Yandex still uses version 1.


If it continues this way, there will be no DNS servers left, half of them already do not work (DoH sure does not).

 

[LDogg]

Is this browser any good? I'd be worried of data harvesting from this browser though. On the outset it does look quite the browser.

~LDogg

 

[LDogg]

Bit worrying when looking on their site.

~LDogg

 

[military]

You can read the agreement. In General, yes, the situation is similar to Google, the data is sent at least to improve your personal search results.
I am from Russia, we are also worried about the safety of our data, but this browser (and the company) was not seen in something bad.
They use very interesting protection technologies: Protect: protecting the browser against malware

 

[LDogg]

You can read the agreement. In General, yes, the situation is similar to Google, the data is sent at least to improve your personal search results.
I am from Russia, we are also worried about the safety of our data, but this browser (and the company) was not seen in something bad.
They use very interesting protection technologies: Protect: protecting the browser against malware

Makes for an interesting read.

~LDogg