Petrovic Posted August 19, 2016

Adware vendors are constantly using new methods to inject advertisements or to hijack the home pages of computer users' browsers. Recently, Djordje Lukic, a malware researcher for Zemana, passed along a sample of a new variant of the Youndoo Browser Hijacker that was using DLL Hijacking to hijack a browser's homepage.

To give a little background info, when both the Chrome and Firefox executables start, they attempt to load the legitimate Windows C:\Windows\System32\wtsapi32.dll file. This allows the programs to use the functions stored in this DLL. The developers of Youndoo exploit this by placing a malicious version of the wtsapi32.dll Windows file in the same folder as the Firefox and Chrome browser executables. When an executable loads a DLL, Windows will first check the same directory the executable is in for the specified DLL files, and if found, load it from there. Since Youndoo has placed a malicious DLL of the same name in the browser's folder, the browser will load their version of the file instead of the legitimate one. This is called DLL Hijacking.

[Image: Youndoo wtsapi32.dll in the Chrome Application Folder]

When Chrome or Firefox loads, the functions in the Youndoo wtsapi32.dll DLL will read a URL in the HKEY_CURRENT_USER\Software\MessageGet "hp" Registry value. The hp, or homepage, value contains a URL that this DLL will cause the browser to automatically open.

[Image: Hp Registry Key]

If you changed the value of hp to any other URL, the browser would open to that URL instead. To stop the redirect, all you have to do is simply remove the hp registry value and the browser will open to the default page. To actually remove the infection, you would need to remove the wtsapi32.dll file from your browser's folder as well as perform a scan for other installed files.
This is just another example of the lengths that adware programs and PUPs are going to in order to hijack your computer and display advertisements. Unfortunately, though many of these programs exhibit what I feel should be considered malware behavior, many antivirus companies do not even detect them. For example, as of this writing, this malicious wtsapi32.dll file is detected by 0 out of the 55 scanners on VirusTotal. The FTC and other government agencies need to take a serious look at how adware purveyors are pushing this crap on people's computers. Adware and PUPs are getting out of hand and something needs to be done about it.

Article source
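A local check for the two artifacts the post describes, a wtsapi32.dll planted beside the browser executable and the HKCU\Software\MessageGet "hp" value. This is an added example, not code from the article or from Zemana; the browser install paths in $Roots are assumptions based on the default Chrome and Firefox locations.

```powershell
# Added example: detect the Youndoo-style wtsapi32.dll hijack described in the post.
# Assumption: browsers are installed in their default folders; extend $Roots otherwise.
$Roots = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application",
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
)

# Hash the genuine System32 copy so a planted file can be told apart from a stray legitimate one.
$LegitHash = (Get-FileHash "$env:SystemRoot\System32\wtsapi32.dll" -Algorithm SHA256).Hash

$Findings = @()
foreach ($root in ($Roots | Where-Object { Test-Path $_ })) {
    # The hijack works from the executable's own directory; subfolders are searched too
    # because Chrome keeps per-version binaries under Application\<version>\.
    Get-ChildItem -Path $root -Filter 'wtsapi32.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            # Catalog-signed Windows files may report NotSigned here; the hash comparison is the stronger signal.
            $sig  = Get-AuthenticodeSignature $_.FullName
            $Findings += [pscustomobject]@{
                Path        = $_.FullName
                SameAsSys32 = ($hash -eq $LegitHash)
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
}

# The redirect target the DLL reads, per the post: HKCU\Software\MessageGet, value "hp".
$RegPath  = 'HKCU:\Software\MessageGet'
$Homepage = $null
if (Test-Path $RegPath) {
    $Homepage = (Get-ItemProperty -Path $RegPath -Name hp -ErrorAction SilentlyContinue).hp
}

if ($Findings.Count -eq 0 -and -not $Homepage) {
    Write-Output 'No wtsapi32.dll in browser folders and no MessageGet\hp value found.'
} else {
    $Findings | Format-Table -AutoSize
    if ($Homepage) { Write-Output "MessageGet\hp redirect target: $Homepage" }
    Write-Output 'Any wtsapi32.dll beside chrome.exe or firefox.exe is suspect: the browser should load it from System32.'
}
```

Remediation follows the post: delete the hp value to stop the redirect, remove the planted DLL from the browser folder, then scan for the rest of the installer's files.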
Stanners Posted August 20, 2016

Mate thank you - info like this is pure gold! This should have rung alarm bells on all of the scanners at Virus Total. It's like what's the point of paying for AV programs when they can't or won't pick up something of this nature. I bet 15 minutes after this became public knowledge hacking crews had a field day playing with this one. Don't get me wrong, hacking is fun and you learn heaps of skills, but sometimes you have to wonder if the companies who sell the so called 'security products' want to close the holes or do they have a vested interest in the adware companies?? Not sure if I am paranoid or not paranoid enough
pc71520 Posted August 20, 2016

2 hours ago, Stanners said:
> Not sure if I am paranoid or not paranoid enough

Wondering about myself, too.