Obtaining details on malware source


CapitalChaos

First off, apologies if there are answers to these questions elsewhere - if so, my search skills were not sufficient to find them - relevant links gladly received.

My business has a Cloud Console subscription with several endpoints deployed. Two users are repeatedly getting infected as follows (this is one example, the other is a malware variant known as Speeddial)

Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences

Malwarebytes cleans this up every time it encounters it, but it is obviously returning due to Chrome Sync being turned on. I have seen the advice about how to remove the malware, and disable sync, but unfortunately the users are either turning sync back on or are not unsyncing the right things (I have suggested the stop syncing extensions). 

I really want to drill down and find the ultimate source of these infections - the data available to me on the cloud console isn't giving me sufficiently granular information to obtain that information - what logs (or other methods) are available to me?


6 hours ago, CapitalChaos said:

I really want to drill down and find the ultimate source of these infections - the data available to me on the cloud console isn't giving me sufficiently granular information to obtain that information - what logs (or other methods) are available to me?

Maybe this info helps?

https://blog.malwarebytes.com/detections/adware-yontoo/

https://blog.malwarebytes.com/puppum/2016/05/the-next-generation-yontoo-browser-hijackers/


Greetings,

You may also find the instructions in this topic to be of help (I saw you mentioned you already tried disabling sync; hopefully those instructions will keep it from coming back when sync is re-enabled).

Additionally, it might be a good idea to perform a scan with ADWCleaner just to make sure no other components are being left behind which might be resurrecting the adware.  Also, if you haven't done so already, I'd highly recommend performing a Malwarebytes scan with rootkit scanning enabled just to make sure there isn't any hidden malware reinstalling this adware as there have been many instances where PUP/adware vendors (including Yontoo as I recall) were found to be using Trojans and/or rootkits to try and keep their adware/PUPs persistent on affected endpoints, including re-downloading and reinstalling them if removed.


Many thanks for these replies.

What I was hoping to do was to be able to pin down precisely what specific application or browser component was causing the infection - I would like to be able to provide the users (who are technical) the specifics of what is causing these issues so they know what apps/behaviour should be avoided.


  • Staff

Hi @CapitalChaos,

These types of adware can install alongside a number of programs or extensions, as mentioned in the second article @pondus provided. To determine exactly what program(s), you'd need to do a bit of forensic work, perhaps using a tool such as FRST to line up install dates with detections.

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

The 'One month (created)' and 'One month (modified)' sections of the FRST log may aid in identifying the source application or extension.

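The correlation the staff reply describes (lining up file creation times with detection times) is mechanical enough to script once the two logs are exported. The script below is an added example, not code from the thread, from Malwarebytes or from FRST. It assumes a tab-free, multi-space-separated detection export with a leading timestamp (the console rows in the question carry no timestamp, so the times are assumed), and a created-file list in an FRST-like "created - modified - size attrs path" layout; every log line is constructed for the example, and the 32-letter extension id is a placeholder. It reports entries created shortly before the first detection, nearest first, and pulls out any Chrome extension ids among them, which is the shortlist you would hand to the users.

```python
"""Correlate Malwarebytes detections with recently created files.

Added example, not from the forum thread, Malwarebytes or FRST.
Assumptions: detection export = timestamp, name, type, category, action,
path separated by two or more spaces; created-file list = FRST-like
"YYYY-MM-DD HH:MM - YYYY-MM-DD HH:MM - size attrs entry" lines.
All sample lines below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

DT = "%Y-%m-%d %H:%M"

# Constructed: the console rows from the question, with assumed timestamps.
DETECTION_LOG = r"""
2021-03-02 09:14    Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
2021-03-02 09:14    Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences
2021-03-09 08:02    Adware.Yontoo    File    Malware    Quarantined    C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
"""

# Constructed: an FRST-like "One month (created)" excerpt. The extension id
# and the vendor name are placeholders, not real identifiers.
CREATED_LOG = r"""
2021-03-02 09:11 - 2021-03-02 09:11 - 000000000 ____D C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh
2021-03-02 09:07 - 2021-03-02 09:07 - 002345678 _____ (Example Freeware Ltd) C:\Users\username\Downloads\free_pdf_tool_setup.exe
2021-03-02 09:09 - 2021-03-02 09:09 - 000000000 ____D C:\Users\username\AppData\Local\Free PDF Tool
2021-02-15 11:00 - 2021-02-15 11:00 - 000000000 ____D C:\Program Files\Unrelated App
2021-03-02 12:30 - 2021-03-02 12:30 - 000001234 _____ C:\Users\username\Documents\notes.txt
"""

DETECTION_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s{2,}(\S+)\s{2,}(\S+)\s{2,}(\S+)\s{2,}(\S+)\s{2,}(.+)$"
)
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{9}) (\S+) (.+)$"
)
# Chrome extension ids are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"\\Extensions\\([a-p]{32})(?:\\|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    when: datetime
    name: str
    path: str


@dataclass(frozen=True)
class Created:
    when: datetime
    attrs: str
    entry: str  # path, possibly prefixed by a "(vendor)" tag as FRST does


def parse_detections(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            out.append(Detection(datetime.strptime(m.group(1), DT), m.group(2), m.group(6)))
    return out


def parse_created(text: str) -> list[Created]:
    out = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out.append(Created(datetime.strptime(m.group(1), DT), m.group(4), m.group(5)))
    return out


def first_detection(detections: list[Detection]) -> datetime:
    """The earliest detection is the one closest to the original install."""
    return min(d.when for d in detections)


def candidates(detections: list[Detection], created: list[Created],
               before: timedelta = timedelta(hours=2),
               after: timedelta = timedelta(minutes=5)) -> list[Created]:
    """Entries created in [first_detection - before, first_detection + after],
    nearest to the detection first. Paths that were themselves detected are
    not candidates (they are the payload, not the installer)."""
    t0 = first_detection(detections)
    lo, hi = t0 - before, t0 + after
    detected = {d.path.lower() for d in detections}
    hits = [c for c in created if lo <= c.when <= hi and c.entry.lower() not in detected]
    return sorted(hits, key=lambda c: abs(t0 - c.when))


def extension_ids(hits: list[Created]) -> list[str]:
    """Chrome extension ids among the candidate entries."""
    return [m.group(1) for c in hits for m in [EXT_ID_RE.search(c.entry)] if m]


if __name__ == "__main__":
    dets = parse_detections(DETECTION_LOG)
    hits = candidates(dets, parse_created(CREATED_LOG))
    print(f"first detection: {first_detection(dets):%Y-%m-%d %H:%M}")
    for c in hits:
        print(f"  {c.when:%Y-%m-%d %H:%M}  {c.attrs}  {c.entry}")
    print("extension ids:", extension_ids(hits))
```

Run it against a real console export and FRST log after adjusting the two regexes to the exact layout you see; the window is deliberately short (two hours before the first detection) so that unrelated software installed days earlier, like the February entry above, does not make the shortlist. Widen it if the first quarantine happened long after the install, and use the "modified" section in the same way when the adware updates an existing profile file rather than creating a new one.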
