MSRT November 2016: Unwanted software has nowhere to hide in this month’s release

We came across a browser modifier that sports rootkit capabilities. Not only does the threat, detected as BrowserModifier:Win32/Soctuseer, cross the line that separates legitimate software from unwanted, it also takes staying under the radar to the next level.

Rootkit capabilities, which make it difficult to detect and remove applications, are usually associated with malware. Yet Soctuseer uses rootkit capabilities to conceal its presence on a computer, ultimately making it difficult for affected users to control their device and browsing experience.

Apart from hiding its presence, Soctuseer installs itself without using your browser’s supported extensibility model. And, once installed and running, it takes away the control you should have over how it operates: you can’t enable or disable it from your browser settings. The result is that you can be served webpage content that is modified without your consent.

No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT). We’re adding detections for BrowserModifier:Win32/Soctuseer in this month’s MSRT release, helping to lessen interference to your browsing experience.


More than a million machines infected

Just like most browser modifiers, Soctuseer is distributed by software bundlers. We have seen Soctuseer brought along by other unwanted software that we detect as SoftwareBundler:Win32/InstallMonster and SoftwareBundler:Win32/Techrelinst.

Since September 2016, we have seen over 1.2 million infected machines, 40% of which are in the US, Indonesia, and India.


Figure 1: Map showing location of observed Soctuseer infections. The United States, Indonesia and India account for 40% of infections.


Ads for discounted products tailored to your search activities

Soctuseer’s main objective is to display advertisements while you browse the internet. It pops up ads based on searches you make on specific websites. For example, if you were searching for “laptop” on your favorite online retailer, Soctuseer pops up ads for other sites offering laptops, supposedly at discounted rates. The ads have the attribute name “Social2Search”.


Figure 2: Social2Search ads for “red shoes” on Microsoft Edge


Figure 3: Social2Search ads for a “laptop” on Internet Explorer


Soctuseer uses the following methods to display ads:

  • Installing a NetFilter driver
  • Injecting a DLL directly to the browser’s process

Both methods meet the evaluation criteria that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. MMPC categorizes as unwanted software any program that changes the browsing experience without using the browsers’ supported extensibility models. The Microsoft browser extension policy states: “Programs should use the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. These supported extension mechanisms are designed to ensure that users are able to customize and extend their browser with software of their choice, while maintaining safe and uninterrupted use of their browser and PC.”

System changes made by Soctuseer are reversed by MSRT

Folder and files

Soctuseer creates a random 32-digit hexadecimal subfolder under the Program Files folder. It then adds all its files in the subfolder. All the files follow the same 32-digit hexadecimal format.


Figure 4: Folder and files created by Soctuseer follow the same 32-digit hexadecimal format


Rootkit

Some Soctuseer versions have rootkit capabilities, which is not very common in browser modifiers. These versions install a driver that limits access to its files. Only the following processes, which are related to certain system files, web browsers, and its own uninstaller, can access its files, effectively hiding Soctuseer’s files from any other process not on this list:


Figure 5: Only the processes on this list have access to Soctuseer’s files

To demonstrate this, the following screenshot shows two command prompt windows. The window on the left is the normal cmd.exe, while the one on the right shows what happens when you rename cmd.exe to one of the process names above (for example, browser.exe):


Figure 6: Modifying the file name of a command prompt to one of the process names above allows you to access the folder and list the files inside it
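The Figure 6 experiment can be scripted so that both listings are captured and compared in one step. The function below is an added example and not code from the post: it copies cmd.exe to a temporary file named browser.exe (the allow-listed name the post uses as its example; the actual list is the one in Figure 5) instead of renaming the system binary, and it assumes you pass the path of a hex-named Program Files folder found on the affected machine.

```powershell
# Added example (not from the original post). Reproduces the Figure 6 check:
# list a Soctuseer folder once from the normal cmd.exe and once from a copy of
# cmd.exe whose image name is on the driver's allow-list. "browser.exe" is the
# name the post uses as its example; substitute any name from Figure 5.
# Run from an elevated PowerShell 5.1 session on the affected machine.
function Compare-FolderVisibility {
    param(
        [Parameter(Mandatory)][string]$Folder,   # e.g. a 32-hex folder under Program Files (assumed input)
        [string]$AllowedName = 'browser.exe'     # assumption: an image name from the driver's allow-list
    )
    $systemCmd = Join-Path $env:SystemRoot 'System32\cmd.exe'
    $probe     = Join-Path $env:TEMP $AllowedName

    # Copy rather than rename, so the system cmd.exe is never touched.
    Copy-Item -LiteralPath $systemCmd -Destination $probe -Force

    # The path is passed as its own argument so PowerShell quotes it for cmd.
    # cmd's own error text ("Access is denied.", "File Not Found") is merged
    # into stdout (2>&1) so both runs come back as plain strings.
    $normal  = @(& $systemCmd /c dir /b /a $Folder 2>&1 | ForEach-Object { "$_" })
    $allowed = @(& $probe     /c dir /b /a $Folder 2>&1 | ForEach-Object { "$_" })
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue

    # Count only real directory entries, not cmd's error lines.
    $errorText = '^(Access is denied|File Not Found|The system cannot find)'
    $normalEntries  = @($normal  | Where-Object { $_ -notmatch $errorText }).Count
    $allowedEntries = @($allowed | Where-Object { $_ -notmatch $errorText }).Count

    [pscustomobject]@{
        Folder         = $Folder
        NormalListing  = $normal
        AllowedListing = $allowed
        # Name-based filtering is indicated when only the allow-listed process sees content.
        FilteredByName = ($allowedEntries -gt $normalEntries)
    }
}

# Usage (the path is a placeholder; use the hex-named folder present on the host):
# Compare-FolderVisibility -Folder 'C:\Program Files\<32-hex-name>' | Format-List
```

If the driver hides the folder itself from non-allow-listed processes, the normal listing reports "File Not Found" rather than "Access is denied."; the comparison still flags it, since only the allow-listed copy returns entries.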

Service

Soctuseer creates a service that automatically executes at system startup. The service uses a randomly generated name in 32-digit hexadecimal format, but always uses “Enhances experience when browsing the web” as the description:


Figure 7: Soctuseer’s service name also uses the 32-digit hexadecimal format


Scheduled Task

Some versions of Soctuseer also install an updater component that runs as a scheduled task. The updater is a PowerShell script that checks for and downloads updates, if available. The task name uses the same 32-digit hexadecimal format. The task file is located in the Windows folder (usually C:\Windows).

In this example, the scheduled task runs every 20 minutes:


Figure 8: Soctuseer also creates a Scheduled Task to download updates


Start Menu shortcuts

Soctuseer adds various shortcuts to the user’s Start Menu.


Figure 9: Example of shortcuts created by Soctuseer in Start Menu


Uninstall entry

Interestingly, Soctuseer adds an uninstall entry using the name “Social2Search”.

Figure 10: Soctuseer’s uninstall entry with the name “Social2Search”
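The artifacts above share one trait, a 32-digit hexadecimal name, and two fixed strings: the service description and the “Social2Search” display name. Together they make a practical hunt. The script below is an added example and not code from the post or from MSRT: it reports the folder, service, scheduled task, Start Menu shortcut, uninstall entry and loaded-DLL indicators on a Windows 10 host and changes nothing. The driver and DLL checks assume those binaries follow the same naming format as the other files, which the post does not state explicitly.

```powershell
# Added example (not from the original post): read-only triage for the
# Soctuseer artifacts described above. It only reports; removal is MSRT's job.
# Run in an elevated PowerShell 5.1 session.
$Hex32    = '^[0-9a-fA-F]{32}$'                   # naming format of folder, files, service and task
$HexDir   = '\\[0-9a-fA-F]{32}(?=[\\."]|$)'        # a hex-named component anywhere in a path
$SvcDesc  = 'Enhances experience when browsing the web'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Program Files subfolders named as 32 hex digits, and whether this process can read them.
#    A listing that fails for an administrator is consistent with the file-filter driver
#    from the "Rootkit" section. The driver may also hide the folder entirely, so a clean
#    result here is weaker evidence than the service/task/registry checks below.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($root in $roots) {
    foreach ($dir in @(Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue)) {
        if ($dir.Name -notmatch $Hex32) { continue }
        try {
            $files = @(Get-ChildItem -LiteralPath $dir.FullName -Force -File -ErrorAction Stop)
            $hex   = @($files | Where-Object { $_.BaseName -match $Hex32 }).Count
            $Findings.Add("Folder $($dir.FullName): $($files.Count) files, $hex with 32-hex names")
        } catch {
            $Findings.Add("Folder $($dir.FullName): listing failed ($($_.Exception.Message.Trim())) - possible rootkit driver")
        }
    }
}

# 2. Services with a hex name, the fixed description, or a binary inside a hex-named folder.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.Name -match $Hex32 -or $svc.Description -eq $SvcDesc -or "$($svc.PathName)" -match $HexDir) {
        $Findings.Add("Service $($svc.Name) [$($svc.StartMode)/$($svc.State)] '$($svc.Description)' -> $($svc.PathName)")
    }
}
# Kernel drivers: assumption that the driver is named or stored like the other files
# (the post does not give its name or location).
foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if ($drv.Name -match $Hex32 -or "$($drv.PathName)" -match $HexDir) {
        $Findings.Add("Driver $($drv.Name) [$($drv.StartMode)/$($drv.State)] -> $($drv.PathName)")
    }
}

# 3. Scheduled tasks with a hex name (the PowerShell updater); report action and repetition interval.
foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    if ($task.TaskName -notmatch $Hex32) { continue }
    $actions   = @($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
    $Findings.Add("Task $($task.TaskPath)$($task.TaskName) repeats [$($intervals -join ',')]: $($actions -join '; ')")
}

# 4. Add/Remove Programs entries named Social2Search (64-bit view, 32-bit view, per-user hive).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($key in Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if ($p.DisplayName -like '*Social2Search*' -or "$($p.UninstallString)" -match $HexDir) {
        $Findings.Add("Uninstall entry '$($p.DisplayName)' ($($key.PSChildName)) -> $($p.UninstallString)")
    }
}

# 5. Start Menu shortcuts whose target lives in a hex-named folder.
$wsh   = New-Object -ComObject WScript.Shell
$menus = @("$env:ProgramData\Microsoft\Windows\Start Menu", "$env:APPDATA\Microsoft\Windows\Start Menu")
foreach ($lnk in Get-ChildItem -Path $menus -Recurse -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
    if ("$target" -match $HexDir) { $Findings.Add("Shortcut $($lnk.FullName) -> $target") }
}

# 6. Browser processes with a hex-named DLL loaded (the in-process injection method).
#    Assumption: the injected DLL keeps the folder's naming format.
foreach ($proc in Get-Process -Name iexplore, MicrosoftEdge, MicrosoftEdgeCP, chrome, firefox -ErrorAction SilentlyContinue) {
    try { $mods = @($proc.Modules) } catch { continue }   # 32/64-bit mismatch can make Modules throw
    foreach ($m in @($mods | Where-Object { $_.ModuleName -match '^[0-9a-fA-F]{32}\.dll$' })) {
        $Findings.Add("Process $($proc.ProcessName) ($($proc.Id)) loaded $($m.FileName)")
    }
}

if ($Findings.Count) { $Findings } else { 'No Soctuseer indicators found.' }
```

If the folder check comes back clean while the service, task or uninstall entry is present, treat that as the filter driver hiding the folder from powershell.exe and rely on the other evidence. Leave the clean-up to MSRT (or a full Windows Defender scan), since deleting the hex folder by hand is exactly what the driver is there to prevent.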


Prevention, detection, and recovery

To help stay protected:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge. It can:
    • Help warn you about sites that are known to be hosting exploits
    • Help protect you from socially-engineered attacks such as phishing and malware downloads
    • Automatically detect bad changes and protect settings
  • Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
    • Launch the Settings app.
    • Navigate to the Default apps page.
      • From Home go to System > Default apps.
      • Click Reset.
  • Avoid browsing web sites that are likely to host malware (such as illegal music, movies and TV, and pirated software download sites)
  • Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
    • If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned.
      • To check and remove excluded items in Windows Defender:
        1. Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
        2. Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
        3. Click OK to confirm.
  • Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection setting is turned On.
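The Windows Defender checks in the list above can also be done from PowerShell on Windows 10 with the Defender module. This added example (not code from the post) audits the exclusion lists for entries carrying Soctuseer’s 32-digit hexadecimal naming and reports the cloud-protection, sample-submission and real-time settings; the remediation commands at the end are left commented out so the findings can be reviewed first.

```powershell
# Added example (not from the original post): audit Windows Defender settings for
# the signs described above. Read-only; remediation lines are commented out.
# Requires the Defender module (Windows 10) and an elevated session.
$Hex    = '[0-9a-fA-F]{32}'            # Soctuseer's naming format for folders and files
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$report = [ordered]@{
    SignatureAgeDays    = $status.AntivirusSignatureAge           # days since the last definition update
    RealTimeProtection  = -not $pref.DisableRealtimeMonitoring
    CloudProtection     = $pref.MAPSReporting                    # 0 = Disabled, 1 = Basic, 2 = Advanced
    SampleSubmission    = $pref.SubmitSamplesConsent             # 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
    # Exclusions that point at a hex-named folder, file or process are not something a user adds.
    SuspiciousPaths     = @($pref.ExclusionPath    | Where-Object { $_ -match $Hex })
    SuspiciousProcesses = @($pref.ExclusionProcess | Where-Object { $_ -match $Hex })
    # Any extension exclusion deserves a look; none are expected on a default install.
    ExtensionExclusions = @($pref.ExclusionExtension)
}
[pscustomobject]$report | Format-List

# Remediation, once the flagged entries have been confirmed as not yours:
# Remove-MpPreference -ExclusionPath    $report.SuspiciousPaths
# Remove-MpPreference -ExclusionProcess $report.SuspiciousProcesses
# Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -DisableRealtimeMonitoring $false
# Update-MpSignature
# Start-MpScan -ScanType FullScan
```

A CloudProtection value of 0 with a non-empty SuspiciousPaths list is the combination to look for: the exclusion keeps the hex folder out of scans, and disabled MAPS reporting keeps the cloud from learning about the files.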


Related information

See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

For additional information about what Browser Extensibility Models are, and why we require programs to use them, see the following pages:


James Patrick Dee

MMPC

https://blogs.technet.microsoft.com/mmpc/feed/