{"id":6330,"date":"2017-01-23T15:50:23","date_gmt":"2017-01-23T23:50:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-168\/"},"modified":"2017-01-23T15:50:23","modified_gmt":"2017-01-23T23:50:23","slug":"news-168","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-168\/","title":{"rendered":"MSRT August 2016 release adds Neobar detection"},"content":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the August 2016 release of the <a href=\"http:\/\/www.microsoft.com\/en-us\/download\/malicious-software-removal-tool-details.aspx\">Microsoft Malicious Software Removal Tool<\/a> (MSRT) includes detections for <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=BrowserModifier:Win32\/Neobar\">BrowserModifier:Win32\/Neobar<\/a>, unwanted software, and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Rovnix\">Win32\/Rovnix<\/a>, a trojan malware family.<\/p>\n<p>This blog discusses BrowserModifier:Win32\/Neobar. Its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along with the other protection features in our Windows 10 protection stack.<\/p>\n<p>BrowserModifier:Win32\/Neobar has been classified as unwanted software because it violates the following <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/objectivecriteria.aspx\">Objective Criteria<\/a>:<\/p>\n<ul>\n<li><strong>Lack of choice<\/strong> \u2013 the threat bypasses user consent options from the browser or operating system.<\/li>\n<li><strong>Lack of control<\/strong> \u2013 the threat could prevent or limit the user from viewing or modifying browser features or settings.<\/li>\n<\/ul>\n<h2>Distribution<\/h2>\n<p>We have seen BrowserModifier:Win32\/Neobar being distributed by various software bundlers that we detect as <a 
href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=SoftwareBundler:Win32\/InstallMonster\">SoftwareBundler:Win32\/InstallMonster<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=SoftwareBundler:Win32\/ICLoader\">SoftwareBundler:Win32\/ICLoader<\/a>, and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=SoftwareBundler:Win32\/Dlboost\">SoftwareBundler:Win32\/Dlboost<\/a>.<\/p>\n<p>We have seen this threat use different application names:<\/p>\n<ul>\n<li><em>advPlugin<\/em><\/li>\n<li><em>Best YouTube Downloader<\/em><\/li>\n<li><em>Best Youtube Saver<\/em><\/li>\n<li><em>BonusBerry<\/em><\/li>\n<li><em>Currency Converter<\/em><\/li>\n<li><em>Goodshop app<\/em><\/li>\n<li><em>I Like It Extension<\/em><\/li>\n<li><em>Media Saver<\/em><\/li>\n<li><em>OdPodarki<\/em><\/li>\n<li><em>Torrent Search<\/em><\/li>\n<li><em>Video Saver<\/em><\/li>\n<li><em>Video Saver 2<\/em><\/li>\n<li><em>VK Downloader<\/em><\/li>\n<li><em>VK OK AdBlock<\/em><\/li>\n<li><em>VPN TOOLBAR<\/em><\/li>\n<li><em>WebBars<\/em><\/li>\n<li><em>Youtube AdBlock<\/em><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The following heatmap shows the geographical spread of Neobar-infected machines:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/heatmap.png\"><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"477\" class=\"size-full wp-image-8595 alignnone\" alt=\"BrowserModifier:Win32\/Neobar heatmap\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/heatmap.png\" \/><br \/> <\/a><\/p>\n<p><em>Figure 1: Geographic distribution of BrowserModifier:Win32\/Neobar infection from March to August 2016.<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>Installation<\/h2>\n<p>When BrowserModifier:Win32\/Neobar is installed on your PC, it could change your default search provider. 
It also adds a toolbar to your browser, schedules tasks to run itself automatically, and adds an uninstallation option.<\/p>\n<p>We have seen this threat add a toolbar to the following browsers:<\/p>\n<ul>\n<li>Internet Explorer<\/li>\n<li>Google Chrome<\/li>\n<li>Mozilla Firefox<\/li>\n<\/ul>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/ie_toolbar_tsearch.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1153\" height=\"157\" class=\"alignnone size-full wp-image-8695\" alt=\"Screenshot of Neobar toolbar in Internet Explorer\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/ie_toolbar_tsearch.png\" \/><\/a><\/p>\n<p><em>Figure 2: Neobar toolbar in Internet Explorer<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/chrome_toolbar_tsearch.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1048\" height=\"172\" class=\"alignnone size-full wp-image-8696\" alt=\"Screenshot of Neobar toolbar in Google Chrome\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/chrome_toolbar_tsearch.png\" \/><\/a><\/p>\n<p><em>Figure 3: Neobar toolbar in Google Chrome<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/firefox_toolbar_tsearch.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1159\" height=\"167\" class=\"alignnone size-full wp-image-8705\" alt=\"Screenshot of Neobar toolbar in Mozilla Firefox\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/firefox_toolbar_tsearch.png\" \/><\/a><\/p>\n<p><em>Figure 4: Neobar toolbar in Mozilla Firefox<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>Symptoms<\/h2>\n<h3>Adds a toolbar to browser<\/h3>\n<p>This threat adds a toolbar to the user&#8217;s browser and automatically enables it, thus preventing the browser from displaying a consent dialog in which the user could choose whether to enable it.<\/p>\n<p><a 
href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"640\" class=\"size-full wp-image-8605 alignnone\" alt=\"Screen capture of what Neobar adds in the Toolbar\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_1.png\" \/><\/a><\/p>\n<p><em>Figure 5: Manage Add-on page shows the toolbar that BrowserModifier:Win32\/Neobar added in Internet Explorer.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"411\" class=\"size-full wp-image-8615 alignnone\" alt=\"neobar_2\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_2.png\" \/><\/a><\/p>\n<p><em>Figure 6: Extensions page shows what BrowserModifier:Win32\/Neobar added in Chrome.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1198\" height=\"327\" class=\"size-full wp-image-8625 alignnone\" alt=\"neobar_3\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_3.png\" \/><\/a><\/p>\n<p><em>Figure 7: Extensions page shows what BrowserModifier:Win32\/Neobar added in Firefox.<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Changes to default search provider<\/h3>\n<p>We have seen this threat change the user&#8217;s default search provider.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1050\" height=\"800\" class=\"size-full wp-image-8645 alignnone\" alt=\"A screenshot of a sample setting change that Neobar does in Chrome\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_4.png\" \/><\/a><\/p>\n<p><em>Figure 8: A sample setting change in Chrome.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>After this threat has set the default 
search provider, it restricts the user from changing it.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_51.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"640\" class=\"alignnone size-full wp-image-8655\" alt=\"A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_51.png\" \/><\/a><\/p>\n<p><em>Figure 9: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Adds scheduled tasks<\/h3>\n<p>This threat adds scheduled tasks to automatically execute itself, and to check and download\u00a0updates.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1368\" height=\"701\" class=\"size-full wp-image-8665 alignnone\" alt=\"Sample scheduler entry in a Neobar-infected machine\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_6.png\" \/><\/a><\/p>\n<p><em>Figure 10: Sample scheduler entry in a Neobar-infected machine<\/em><\/p>\n<p>&nbsp;<\/p>\n<h3>Adds an uninstallation option<\/h3>\n<p>This threat adds an uninstallation option in the <strong>Programs and Features<\/strong> section.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"543\" class=\"size-full wp-image-8675 alignnone\" alt=\"Users can use the uninstallation option to remove this software from the system.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/08\/neobar_7.png\" \/><\/a><\/p>\n<p><em>Figure 11: Users can use the uninstallation option to remove this software from the 
system.<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>Prevention<\/h2>\n<p>To prevent this threat from disrupting your computing experience:<\/p>\n<ul>\n<li>Keep your Windows Operating System and antivirus <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/help\/updatefaqs.aspx\">up-to-date<\/a> and, if you haven\u2019t already, upgrade to <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>.<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">Use Microsoft Edge to get SmartScreen protection<\/a>. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.<\/li>\n<li>Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites).<\/li>\n<\/ul>\n<h2>Detection<\/h2>\n<ul>\n<li>Ensure your antimalware protection (such as <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/using-defender#1TC=windows-10\">Windows Defender<\/a> and <a href=\"http:\/\/www.microsoft.com\/en-us\/download\/malicious-software-removal-tool-details.aspx\">Microsoft Malicious Software Removal Tool<\/a>) is up-to-date.<\/li>\n<li>Enable <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2015\/01\/14\/maps-in-the-cloud-how-can-it-help-your-enterprise\/\">Microsoft Active Protection Service (MAPS)<\/a> to get the latest cloud-based unwanted software detection and blocking.<\/li>\n<\/ul>\n<p><em>\u00a0<\/em><\/p>\n<p><em>James Patrick Dee<\/em><\/p>\n<p><em>MMPC<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/08\/09\/msrt-august-2016-release-adds-neobar-detection\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the August 2016 release of the 
Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier: Win32\/Neobar, unwanted software, and Win32\/Rovnix, a trojan malware family. This blog discusses BrowserModifier:Win32\/Neobar and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10858,10932,10933,10785,10786,10934,10767,10935,10936,10768],"class_list":["post-6330","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-browser-modifier","tag-browser-modifier-objective-criteria-violation","tag-browsermodifierwin32neobar","tag-microsoft-malicious-software-removal-tool","tag-msrt","tag-neobar","tag-objective-criteria","tag-softwarebundlerwin32dlboost","tag-softwarebundlerwin32installmonster","tag-unwanted-software"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6330"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6330\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.p
alada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6330"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}