source link: https://blog.malwarebytes.com/threat-analysis/2018/01/new-chrome-and-firefox-extensions-block-their-removal-to-hijack-browsers/
New Chrome and Firefox extensions block their removal to hijack browsers
Posted: January 18, 2018 by Pieter Arntz
What you don't see won't hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searches.
The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them by either closing out pages with extensions/add-ons info, or sending users to a different page, such as an apps overview page, where extensions aren't listed.
In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)
However, if you're not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here's what you can do.
For Chrome
First, we're going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension. You can find the removal guide for Tiempo en colombia en vivo on our forums.
The extension keeps users out of Chrome's extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps will be shown.
Blocking JavaScript in Chrome doesn't help in this case, as that setting only applies to sites and not to this (internal) page.
The clean method to disable extensions from redirecting your Chrome tabs is to start Chrome with disabled extensions. You can do this by adding the switch "--disable-extensions" to the command to run Chrome.
But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would.
Renaming the file 1499654451774.js in the extensions folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed their JavaScript to something else, so it can't find what it's looking for.
Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the "x" that lights up in red when you hover over the tab.
For Firefox
We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox. Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.
This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.
This means that you can’t remove the extension manually.
Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to "Start in Safe Mode" in this prompt.
Firefox's Safe Mode is most helpful, as you can see all the installed extensions while they are not active. Doing so allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the "Remove" button in the extension's description field, and you’re done.
If you are kept on a Firefox tab by JavaScript(s) that keep popping up with prompts, and you are unable to close the window in the usual way, you can terminate Firefox by using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.
How to avoid
While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it's not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension). Though we'd like to add the obvious: Avoid actually downloading these extensions in web stores as well. In fact, it's a good idea to read the fine print carefully for any browser extension you download.
Domains: socialextensions.top, searchdf.biz, helperprotectionff.biz, helperprotectionext.biz, reliablesurfingext.biz
Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl
Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi
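The following Python script is an added example, not part of the original article or of any Malwarebytes tooling. Run against a browser profile directory while the browser is closed, it looks for the extension ID and XPI names listed above and for extension scripts that mention chrome://extensions or about:addons. The function names, the marker-string heuristic and the default on-disk layout (Extensions/<id>/<version>/ for Chrome, extensions/*.xpi for Firefox) are assumptions of the example.

```python
import zipfile
from pathlib import Path

# Indicators copied from the article above.
CHROME_IDS = {"gbhodkgjhojjjggokjjlbccecdhkjjgl"}
FIREFOX_XPIS = {"{eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi",
                "{b91fcda4-88b0-4a10-9015-9365e5340563}.xpi"}
# Heuristic (assumption): ordinary extensions rarely mention the browser's
# own extension-management pages; obfuscated scripts will not match.
MARKERS = (b"chrome://extensions", b"about:addons")


def _markers_in(data):
    return [m.decode() for m in MARKERS if m in data]


def scan_chrome(profile_dir):
    """Check <profile>/Extensions/<id>/<version>/ for known IDs and markers."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        if ext.name in CHROME_IDS:
            findings.append((ext.name, "known-bad extension ID"))
        for js in sorted(p for p in ext.rglob("*.js") if p.is_file()):
            for marker in _markers_in(js.read_bytes()):
                findings.append((ext.name, f"{js.name} references {marker}"))
    return findings


def scan_firefox(profile_dir):
    """Check <profile>/extensions/*.xpi (zip archives) the same way."""
    findings = []
    ext_root = Path(profile_dir) / "extensions"
    if not ext_root.is_dir():
        return findings
    for xpi in sorted(ext_root.glob("*.xpi")):
        if xpi.name in FIREFOX_XPIS:
            findings.append((xpi.name, "known-bad XPI name"))
        try:
            with zipfile.ZipFile(xpi) as archive:
                for member in archive.namelist():
                    if member.endswith(".js"):
                        for marker in _markers_in(archive.read(member)):
                            findings.append((xpi.name, f"{member} references {marker}"))
        except zipfile.BadZipFile:
            findings.append((xpi.name, "unreadable XPI archive"))
    return findings
```

Each function returns a list of (extension, reason) pairs; an empty list means nothing matched, not that the profile is clean.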
Stay safe out there.
ABOUT THE AUTHOR
Pieter Arntz
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.