New Chrome and Firefox extensions block their removal to hijack browsers
Credit to Author: Pieter Arntz| Date: Thu, 18 Jan 2018 16:00:00 +0000
What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searchers.
The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them either by closing out pages with extensions/add-ons info, or by sending users to a different page, such as an apps overview page, where extensions aren’t listed.
In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)
However, if you’re not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here’s what you can do.
For Chrome
First, we’re going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension.
You can find the removal guide for Tiempo en colombia en vivo on our forums.
The extension keeps users out of Chrome’s extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps will be shown.
Blocking JavaScript in Chrome doesn’t help in this case, as that setting only applies to sites and not to this (internal) page.
The clean method to stop extensions from redirecting your Chrome tabs is to start Chrome with extensions disabled. You can do this by adding the switch “--disable-extensions” to the command that runs Chrome.
But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would.
Renaming the file 1499654451774.js in the extensions folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed their JavaScript to something else, so it can’t find what it’s looking for.
Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the “x” that lights up in red when you hover over the tab.
For Firefox
We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox.
Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.
This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.
This means that you can’t remove the extension manually.
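The redirect described for the Chrome extension and the tab-closing check described for the Firefox add-on share one ingredient: a background script that names a browser management page and also drives the user’s tabs. The following static triage pass, added here as an example and not code from the post or from either extension, flags that combination in an extension’s background script; the two sample scripts it scans are constructed for the example.

```javascript
// Added example (not from the Malwarebytes post or the extensions it describes):
// a static triage pass over an extension's background script that flags the
// pattern the post describes: the script references a browser management page
// (chrome://extensions, about:addons) AND calls a tab-control API. A legitimate
// extension rarely needs both together.

// Page strings a removal-blocker must mention to recognise where the user is.
const MANAGEMENT_PAGES = ["chrome://extensions", "about:addons"];

// APIs that let a script close or redirect the user's tab, on both the
// chrome.* and browser.* namespaces.
const TAB_CONTROL_APIS = [
  /\b(?:chrome|browser)\.tabs\.remove\s*\(/,
  /\b(?:chrome|browser)\.tabs\.update\s*\(/,
  /\b(?:chrome|browser)\.tabs\.onUpdated\.addListener\s*\(/,
];

// Returns which management pages and tab-control APIs the script mentions and
// a verdict: suspicious only when at least one of each is present.
function triageBackgroundScript(source) {
  const pages = MANAGEMENT_PAGES.filter((p) => source.includes(p));
  const apis = TAB_CONTROL_APIS
    .filter((re) => re.test(source))
    .map((re) => re.source);
  const suspicious = pages.length > 0 && apis.length > 0;
  return { suspicious, pages, apis };
}

// Constructed sample mirroring the behaviour the post describes for the Firefox
// add-on: watch tab URL changes and close the tab when about:addons appears.
const HIJACKER_SAMPLE = `
browser.tabs.onUpdated.addListener(function (tabId, info) {
  if (info.url && info.url.indexOf("about:addons") !== -1) {
    browser.tabs.remove(tabId);
  }
});`;

// Constructed benign sample: opens a new tab and never touches management pages.
const BENIGN_SAMPLE = `
chrome.browserAction.onClicked.addListener(function () {
  chrome.tabs.create({ url: "https://example.com/" });
});`;

console.log(triageBackgroundScript(HIJACKER_SAMPLE)); // suspicious: true
console.log(triageBackgroundScript(BENIGN_SAMPLE));   // suspicious: false
```

Run it over an unpacked extension’s background script; a hit is a reason to inspect the extension, not proof on its own, since a tab-management extension may legitimately match both lists.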
Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to “Start in Safe Mode” in the prompt that appears.
Firefox’s safe mode is most helpful, as you can see all the installed extensions while they are not active. This allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the “Remove” button in the extension’s description field, and you’re done.
If you are kept on a Firefox tab by JavaScript that keeps popping up prompts, and you are unable to close the window in the usual way, you can terminate Firefox using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.
How to avoid
While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (which could help with blocking the Firefox extension). Though we’d like to add the obvious: avoid actually downloading these extensions from web stores as well. In fact, it’s a good idea to read the fine print carefully for any browser extension you download.
IOCs
Domains: socialextensions.top, searchdf.biz, helperprotectionff.biz, helperprotectionext.biz, reliablesurfingext.biz
Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl
Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi
Stay safe out there.
The post New Chrome and Firefox extensions block their removal to hijack browsers appeared first on Malwarebytes Labs.