Mintcast adware uses user.js settings files for persistence

Two PUPs (Potentially Unwanted Programs) are secretly turning off Safe Browsing support in Firefox to make sure they can deliver unsolicited ads, and even malware, if their creators ever wish to do so.
The two PUPs are Shell&Services and Mintcast 3.0.1. They are browser add-ons for Firefox, Chrome, and IE, and are generally installed without the user's consent, bundled with other software.
These two come with a newer variant of the Mintcast adware, which, besides injecting ads inside the user’s browser while navigating legitimate websites, also secretly turns off Safe Browsing support in Firefox.
Safe Browsing is a service created and managed by Google and also implemented in Safari and Firefox. At its core it is a blacklist of website URLs from which malware infections have originated in the past. The list is constantly updated by both Google and Mozilla engineers and is checked in real time, keeping users safe as they navigate the Web.
Abusing the user.js settings file for browser reboot persistence
Firefox lets users create a user.js file in which browser settings are stored as lines of code, and the Mintcast adware abuses this feature.
If no user.js file is found in the "C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default" folder, the adware will create one that holds only three lines of code:
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
These settings tell Firefox to stop checking the Safe Browsing blacklist while browsing the Web or downloading files. With the checks turned off, the adware can redirect the user to malicious pages without the browser showing any errors or warnings.
Because the user.js file is read every time the browser starts, these settings are reapplied even if the user re-enables Safe Browsing from the browser's settings panel; they stay in force until the user removes the user.js file from the aforementioned folder.
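As an added example that is not part of the original article, the following script shows how a defender can check Firefox profiles for a user.js that forces the two Safe Browsing preferences named above to false. The Profiles path and the sample file contents are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Preferences that disable Safe Browsing when forced to false (the two named in the article).
SAFE_BROWSING_PREFS = {
    "browser.safebrowsing.enabled",
    "browser.safebrowsing.malware.enabled",
}

# Matches: user_pref("name", value);  (single or double quotes around the name)
PREF_RE = re.compile(r'^\s*user_pref\(\s*["\']([^"\']+)["\']\s*,\s*(.+?)\s*\)\s*;?\s*$')


def parse_user_js(text):
    """Return {pref_name: raw_value} for every user_pref() line, skipping comment lines."""
    prefs = {}
    for line in text.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def disabled_safe_browsing_prefs(text):
    """Sorted names of Safe Browsing prefs that this user.js forces to false."""
    prefs = parse_user_js(text)
    return sorted(p for p in SAFE_BROWSING_PREFS if prefs.get(p, "").lower() == "false")


def scan_profiles(profiles_root):
    """Walk every profile under profiles_root; map each suspicious user.js path to its disabled prefs."""
    findings = {}
    for user_js in Path(profiles_root).glob("*/user.js"):
        hits = disabled_safe_browsing_prefs(user_js.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(user_js)] = hits
    return findings


# Constructed sample mirroring the two lines the article quotes from the adware's user.js.
SAMPLE_USER_JS = """// constructed sample, not a file captured from a real system
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
"""

if __name__ == "__main__":
    print(disabled_safe_browsing_prefs(SAMPLE_USER_JS))
    # Assumed default Windows profile location, matching the folder named in the article.
    print(scan_profiles(Path.home() / "AppData" / "Roaming" / "Mozilla" / "Firefox" / "Profiles"))
```

A non-empty result from scan_profiles points at a user.js worth reviewing, since legitimate user.js files rarely disable Safe Browsing.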
Malwarebytes reports that, in the past, other adware such as Yontoo/BrowseFox and Constant Fun has employed the same technique.
Source: https://news.softpedia.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains, including finance, healthcare and consumer products.