DavidVC

New threat! Weknow.ac


Hello Folks,

I may have come upon a new threat (or variant on an existing threat). A customer of mine just yesterday downloaded some Malware and had a web page called weknow.ac taking over home page duties. Malwarebytes was run and removed 11 threats BUT the home page (of course) was not changed. When I tried to change it in Safari, I could not even click into the box where the URL was located. That was fixed by removing two nasty "profiles" that appeared in System Prefs. Ok, a restart later and now I can get into the URL box however when I finish typing and leave the box, the URL reverts back to the weknow.ac address! I've gone as deep as I usually do to resolve this. I've tried removing the entire Safari folder in Library, I've killed Safari Prefs, nothing changes the home page. It will always be this bad one. 

Anyone have any ideas how to resolve this?

I appreciate any help you can offer.

David


This is caused by a variant of Crossrider described here:

https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

The secret is to remove that config profile, according to the instructions in the article.

This is easy to do manually, but less so to do automatically on the user's behalf. There appear to be no official APIs provided by Apple for removing those profiles, so we're evaluating how to do so securely and without causing possible issues (like deleting other legitimate profiles).


Thomas, you're always so kind to reply quickly. I'm with you on this; what's new however is the inability to change the home page despite removing all the profiles. I removed them, which allowed entry into the URL field, but it just keeps going back to the bad address regardless of what is typed, and clicking the "Set to Current Page" button does the same thing, weknow.ac. I visited Terminal and typed sudo profiles list, which returned a response that there were no profiles installed. Yet typing a URL into the Homepage section of the Safari General prefs will not stick. Something else is at play. Is this new or something broken in my user's OS? I'm not sure, but something is getting in the way without profiles.

Any additional thoughts?

Thank you...

David


Sounds like you may also now be running into a Safari bug, where the home page can be changed but the change doesn't stick, that can happen after the home page setting is changed by adware. There's a weird - but effective - workaround for this bug:

* In Safari, choose Preferences from the Safari menu.

* In the window that opens, click the General icon (if necessary)

* Enter your desired home page in the "Homepage" field, but DO NOT press return!

* At the top of the window, click any of the other icons (e.g., Tabs, AutoFill, etc.).

* You may see a prompt asking for confirmation for changing the home page. If so, confirm.

* Switch back to the General page and check to make sure the home page has been changed.


Hello Thomas, once again thank you for your help. Unfortunately that does not work. I followed your advice to the letter and the URL does not change. 

To add something else, which again leads me to believe it's still somewhere in the system, Chrome also cannot be properly reset. In Settings > Advanced I've chosen the Reset Settings option, and even after doing that, the new tab page will open up weknow.ac!

This has got to be somewhere deeper in the system. Remember, in Safari I've trashed the Safari prefs and even the Safari folder in the Library, and it still has weknow.ac.

Any more advice would be greatly appreciated.

Thank you,

David


I too am suffering from the weknow hijack. I was able to remove it in a combo manner, both manually and with Malwarebytes; however, I still have an issue with Chrome on my Mac: it still hijacks the search page. Malwarebytes can't seem to get that one piece, nor can I find it. But I understand this may be a new way they are masking themselves.

 


There are variants of this adware that make changes to Chrome's data that are non-trivial to reverse. The best way to handle that is to completely remove Chrome and all Chrome data from the computer, then reinstall. The Chrome data is primarily stored here:

~/Library/Application Support/Google/

In the Finder, choose Go to Folder from the Go menu. Then, in the window that opens, paste the above path and click the Go button. You'll need to delete the entire Chrome folder from that location. This will delete any Chrome user data, including bookmarks, so be sure to export any such data before deleting.

DavidVC had this problem, as well as some strange entries in System Preferences > Security & Privacy > Privacy > Accessibility. If you see anything unusual there, I'd be very interested in getting more information.


So I did eventually solve my issues but I decided to go thermonuclear. I was able to determine that whatever had Chrome hostage was in the user's library folder. When I created a new user, Chrome worked normally. Armed with that, I went through the User->Library folder and I removed anything Chrome or Google. Rebooted and it was back to normal. Sadly I think we will see this again, and when I do I'll take better notes of what I remove.

Special thanks to Thomas Reed who is just an amazing dude and huge help to the Mac Community. 


Thanks! :)

Incidentally, I do think you're right about seeing this again. This isn't the first time we've seen adware make changes to the user's Chrome profile, or even to the Chrome app itself. The Chrome folder on my Mac takes up nearly 150 MB and has almost 3,000 items inside it. Of that, my main Chrome user profile takes up more than 72 MB and over 1,700 items. Settings are spread over many different files that are completely undocumented, yet entirely editable without any special permissions. This provides numerous hiding places for adware-related settings changes, and makes it very difficult to clean up Chrome without "going nuclear." Even using Chrome's built-in feature to reset the settings doesn't work.

This is a big part of why some of Safari's settings are now hidden away in protected storage, so that they can't be changed by simply editing a file.

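The two replies above (the Chrome data under ~/Library/Application Support/Google/ and the point that Chrome settings are spread over many undocumented, freely editable files) suggest a read-only triage step before "going nuclear": walk every string in Chrome's Preferences and Secure Preferences files and report the key path of anything that mentions the hijack domain. The following Python scanner is an added example and is not code from this thread or from Malwarebytes. The sample JSON is constructed for the demo; its key names are modelled on Chrome's Preferences layout and should be treated as an assumption, but the scanner itself does not depend on any particular key, which is the point when the file layout is undocumented.

```python
"""Scan Chrome/Chromium preference JSON files for a browser-hijack indicator.

Added example: reports *where* a domain such as weknow.ac appears in a
profile's settings, so a technician can see which settings were changed
(home page, startup URLs, search provider, extensions ...) before deciding
between a surgical fix and a full Chrome reinstall.
"""
import json
import os
from typing import Any, Dict, Iterator, List, Tuple

# Indicator domain named in the thread.
INDICATOR = "weknow.ac"

# Chrome profile files that hold settings as JSON. "Secure Preferences" is
# integrity-checked by Chrome (a MAC over its contents), so treat it as
# read-only: hand-editing it is not a fix.
PREF_FILES = ("Preferences", "Secure Preferences")

# Typical profile directory on macOS (Chrome's "Default" profile).
DEFAULT_PROFILE_DIR = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default")


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted.key[path], string value) for every string in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_indicator(prefs: Any, indicator: str = INDICATOR) -> List[Tuple[str, str]]:
    """Return [(path, value)] for every string containing the indicator.

    Matching is case-insensitive because adware URLs are not consistent
    about letter case ("WeKnow.ac" vs "weknow.ac").
    """
    needle = indicator.lower()
    return [(p, v) for p, v in walk(prefs) if needle in v.lower()]


def scan_profile_dir(profile_dir: str = DEFAULT_PROFILE_DIR,
                     indicator: str = INDICATOR) -> Dict[str, List[Tuple[str, str]]]:
    """Scan the JSON settings files in one Chrome profile directory.

    Returns {filename: [(path, value), ...]} for files containing the indicator.
    Unreadable or non-JSON files are skipped rather than aborting the scan.
    """
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for name in PREF_FILES:
        full = os.path.join(profile_dir, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue
        found = find_indicator(data, indicator)
        if found:
            hits[name] = found
    return hits


# Constructed sample (not a real capture). Key names are modelled on
# Chrome's Preferences file; the exact layout is an assumption.
SAMPLE_PREFS = json.loads("""{
  "homepage": "http://weknow.ac/",
  "homepage_is_newtabpage": false,
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://WeKnow.ac/?q=start"]},
  "default_search_provider_data": {"template_url_data": {
      "keyword": "weknow.ac",
      "short_name": "Search",
      "url": "http://weknow.ac/search?q={searchTerms}"}},
  "extensions": {"settings": {"aaaabbbbccccdddd": {
      "path": "/Users/me/Library/Application Support/Google/Chrome/Default/Extensions/x"}}}
}""")


def demo() -> List[Tuple[str, str]]:
    """Run the scanner over the constructed sample."""
    return find_indicator(SAMPLE_PREFS)


if __name__ == "__main__":
    for path, value in demo():
        print(f"{path}: {value}")
```

Running it against a real profile (`scan_profile_dir()` with no arguments) lists the settings to look at; on the constructed sample it flags the home page, the startup URL, and both the keyword and URL of the default search provider, while leaving the unrelated extension path alone. Because it reads rather than edits, it also works on Secure Preferences, whose integrity check is one reason Chrome's built-in reset does not always undo what adware changed.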

Update - I removed Chrome, removed anything in our user directory that referenced Google, and cleaned out ~/Library/Application Support/Google/

I reinstalled chrome and still had weknow hijack the settings 

UGH


New Update - I again removed google chrome, cleaned the user directory and sent to the trash ~/Library/Application Support/Google/

I then did a system search of anything "google" and I sent it all to the trash. Basically nothing on my machine had google in the name.

I rebooted and re-installed chrome and........

It appears my browser hijack by weknow has been resolved.


I've got another! Another customer I work with has this same thing and my tricks from before have NOT solved Safari. I removed profiles but I didn't have the same items in Accessibility. At this point I'm unable to change the Safari home page on this customer's computer.

Thomas - if you want to see it, I can arrange...still trying to pull things out of the System and Library.


Yeah, can you run that script I sent you previously on that machine, then send me the output in a direct message? Thanks!

On 8/21/2018 at 1:30 PM, DavidVC said:

I've got another! Another customer I work with has this same thing and my tricks from before have NOT solved Safari. I removed profiles but I didn't have the same items in Accessibility. At this point I'm unable to change the Safari home page on this customer's computer.

Thomas - if you want to see it, I can arrange...still trying to pull things out of the System and Library.

Have you found a workaround for this? I have been going INSANE!!! I also have a client with the weknow.ac; I successfully got rid of all the malware, but I CANNOT change Safari back to using a normal home page. Of course I got rid of the THREE profiles it created in System Preferences, so now I can edit the home page, but the second I press Enter after typing a new URL into the Homepage field, it goes right back to the weknow URL. I have DELETED EVERYTHING having to do with Safari in the user's Library folder and rebooted, and it STILL somehow remains. PLEASE TELL ME you found a solution to this messed up problem, David and treed?

 

Appreciate any help you guys are able to give!


I worked it out once but I was getting desperate and just went thermonuclear in the library. I had a second one come up but the customer has vanished. I want very much to see it again in the hopes of doing a much more surgical repair. 

On 9/6/2018 at 7:30 AM, DavidVC said:

I worked it out once but I was getting desperate and just went thermonuclear in the library. I had a second one come up but the customer has vanished. I want very much to see it again in the hopes of doing a much more surgical repair. 

So the problem is I have also gone thermonuclear but still have the problem of not being able to change the home page in Safari. I have deleted EVERYTHING having to do with Safari and Google in the user Library and even the system Library, and of course got rid of the profile in preferences, and it STILL will NOT let me change the home page in Safari. When I reinstalled Google Chrome, Chrome was fine, works great with no weknow nonsense, but I can't get Safari working again. Any help would be greatly appreciated. This PUP has certainly evolved in sophistication, and nothing I have found online or done has helped restore Safari.


Thanks so much for this write-up. My son picked up the weknow.ac related malware and it was easy to clean with Malwarebytes EXCEPT for the Chrome home page setting.

Currently using Malwarebytes Free -- would the real-time protection in Premium have picked up the infection when he ran whatever fake installer he fell victim to? I've taught him to be cautious, but now that he has his own laptop and admin rights, anything is possible :-)

On 9/7/2018 at 6:29 PM, treed said:

Please see this topic:

 

Hi, I would like to confirm that the 'trick' for changing/saving the Safari homepage described in this article does not work (clicking on another tab...), so I think that part of the article should be deleted. Every trace of the infection was deleted, including the profiles, but it still reverts back, so there must be some other component that's still active on infected computers.


Not everything shown in the article works for every user, but I can confirm that the "trick" has worked for some (including me).

You may be running into some new variant that has not been revealed to the Malwarebytes signature staff. If that's the case, they will need to obtain some additional information from you which may be sensitive and best not shown here in a public forum. In such cases, it's best to Submit a ticket.


A customer of mine is supposedly dropping off an infected Mac with the Safari home page issue on Thursday. Hopefully I can solve it, and if I do I will document my steps a bit better this time...

11 hours ago, MacMedicine said:

Hi, I would like to confirm that the 'trick' how to change/save Safari homepage described in this article does not work (clicking on other tab...), so I think that part of the article should be deleted.

The fact that it does not work for you does not mean that it does not work. Different people have different experiences, due to different causes, with this kind of adware.


I tried all the steps listed above:

Odd files in application folders, unauthorised profiles, extra extensions, etc.

Safari is working fine now. No weknow.ac residue as far as I can tell.

  • Chrome, did all steps, including nuking chrome and anything with google in it.
  • Restarted comp then downloaded chrome again - didn't work.
  • So nuked it again using AppRemover (which removes all related bits that are hidden) 
  • Deleted anything related that I could find.
  • Restarted again - seemed to work

But this morning found it back again in a lesser capacity but still present. 

  1. Finder > Shared - An unknown network PC was visible in my Finder under 'Shared'.
    Couldn't remove it or access it. (This was there last night, and only when I knew the malware was on my comp.)
    Reset Chrome default settings just now and also tried to access the network, and it seems to have disappeared. (For now.)
  2. Chrome > Preferences - It still came up in the 'Manage search engines' section even though Google was still the default.

I'm concerned that this malware is not so benign and may have access to my computer. Is that likely? Would disconnecting from the internet and resetting admin passwords help?

