Common Windows Adware Found to Manipulate Certificates to Block Security Suites

By Manish Singh | Updated: 26 November 2015 09:31 IST

Vonteera, an adware family that pushes ads to a computer, is capable of doing much more than previously anticipated. Security firm Malwarebytes has reported that Vonteera is able to manipulate digital certificates on a computer to prevent anti-malware suites from activating and then detecting it. For this reason, Vonteera is now being classified as Trojan malware by many security firms.

A well-known adware family, Vonteera came into the spotlight in 2013. It creates a number of tasks in the Windows Task Scheduler. These tasks have typically been found to display ads on the infected machine, and occasionally to open a new tab in Web browsers to serve further malicious content. Vonteera also modifies the taskbar and Start menu shortcuts for various Web browsers.


Now it has been discovered that Vonteera can also trick the operating system into treating digital certificates from security suites as untrusted. Vonteera has been found to manipulate a total of 13 certificates from different security suites, placing them in the "Untrusted Certificates" store of the Windows certificate store so that they are flagged as untrusted. The affected security vendors are Avast Software, AVG Technologies CZ, Avira Operations, Baidu Online Network Technology, Bitdefender SRL, ESET, Lavasoft Limited, Malwarebytes Corporation, McAfee, Panda Security S.L, ThreatTrack Security, Trend Micro and ESS Distribution, among others.

At this point, it is not clear exactly how many devices are affected by Vonteera, but Malwarebytes told Gadgets 360 that it believes the infection is widespread. "There have been numerous user concerns about this software, leading us to believe that the infection is widespread. However, the actual number of infected systems is difficult to identify considering the methods in which this software hides itself on the system."


The firm notes that the malware creates a service called appinf.exe (located at C:\Users\{username}\AppData\Local\Hoffer\appinf.exe) that checks whether any of the fraudulent certificate entries has been deleted. If one has, it places another copy of the deleted certificate back in the store. Because the vendor's signing certificate is now listed as untrusted, User Account Control, a defence mechanism in the Windows operating system, blocks the signed program - in this case the anti-malware suite - from executing.

Affected users can get around Vonteera's changes to the Windows certificate store by disabling UAC, though this is not recommended as it weakens the system's security. As Malwarebytes points out, a user can instead try to manually remove the certificates from the "Untrusted Certificates" store using the Windows Certificate Manager tool (opened via the 'certmgr.msc' command in the Run dialog). In the left panel, users will find Untrusted Certificates > Certificates. Remove the certificates that carry an anti-malware vendor's name. One catch is that the user needs to be fast, as the malware's watchdog could reinstate the fraudulent certificates.
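The audit and clean-up described above (the untrusted-store entries, the appinf.exe watchdog that restores them, and the manual certmgr.msc removal), as an added PowerShell example that is not the article's or Malwarebytes' code. The vendor names and the Hoffer\appinf.exe path are taken from the article; the mapping of the certmgr "Untrusted Certificates" folder to the `Cert:\...\Disallowed` provider paths, the service and scheduled-task checks, and the order of the `-Remove` clean-up are my own assumptions about how a practitioner would automate the manual steps.

```powershell
<#
 Added example (not from the article or from Malwarebytes). Audits the Windows
 "Untrusted Certificates" stores for entries naming anti-malware vendors and looks
 for the appinf.exe watchdog the article says re-adds them. With -Remove it stops
 the watchdog first and then deletes the matching certificates, so the deletion
 does not race the process that restores them. Run from an elevated PowerShell so
 the LocalMachine store is writable.
#>
[CmdletBinding()]
param([switch]$Remove)

# Vendor names quoted in the article; matched as substrings of the certificate Subject.
$VendorPatterns = @('Avast', 'AVG Technologies', 'Avira', 'Baidu', 'Bitdefender', 'ESET',
                    'Lavasoft', 'Malwarebytes', 'McAfee', 'Panda Security', 'ThreatTrack',
                    'Trend Micro', 'ESS Distribution')

# certmgr.msc displays the "Disallowed" store as "Untrusted Certificates" (assumption: both scopes checked).
$Stores = @('Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed')

# Watchdog location given in the article (%LOCALAPPDATA%\Hoffer\appinf.exe).
$WatchdogPath = Join-Path $env:LOCALAPPDATA 'Hoffer\appinf.exe'

function Find-UntrustedVendorCerts {
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            $subject = $cert.Subject
            $match = $VendorPatterns | Where-Object { $subject -like "*$_*" } | Select-Object -First 1
            if ($match) {
                [pscustomobject]@{
                    Store      = $store
                    Vendor     = $match
                    Subject    = $subject
                    Thumbprint = $cert.Thumbprint
                    PSPath     = $cert.PSPath   # provider path used for Remove-Item
                }
            }
        }
    }
}

function Find-Watchdog {
    # Running process, service entry and scheduled tasks that point at the watchdog binary.
    $procs = Get-Process -Name 'appinf' -ErrorAction SilentlyContinue |
             Where-Object { $_.Path -eq $WatchdogPath }
    $svcs  = Get-CimInstance Win32_Service |
             Where-Object { $_.PathName -like '*Hoffer\appinf.exe*' }
    $tasks = @()
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $tasks = Get-ScheduledTask | Where-Object {
            ($_.Actions | ForEach-Object { $_.Execute }) -like '*Hoffer\appinf.exe*'
        }
    }
    [pscustomobject]@{
        BinaryPresent = Test-Path $WatchdogPath
        Processes     = @($procs)
        Services      = @($svcs)
        Tasks         = @($tasks)
    }
}

$hits = @(Find-UntrustedVendorCerts)
$wd   = Find-Watchdog

Write-Host "Vendor certificates found in Untrusted stores: $($hits.Count)"
$hits | Format-Table Store, Vendor, Thumbprint -AutoSize
Write-Host ("Watchdog binary present: {0}; running processes: {1}; services: {2}; tasks: {3}" -f
            $wd.BinaryPresent, $wd.Processes.Count, $wd.Services.Count, $wd.Tasks.Count)

if ($Remove) {
    # Neutralise whatever would re-add the entries before touching the store.
    $wd.Tasks     | ForEach-Object { Disable-ScheduledTask -InputObject $_ | Out-Null }
    $wd.Services  | ForEach-Object { Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue }
    $wd.Processes | ForEach-Object { Stop-Process -Id $_.Id -Force }
    foreach ($h in $hits) {
        Remove-Item -Path $h.PSPath
        Write-Host "Removed $($h.Thumbprint) ($($h.Vendor)) from $($h.Store)"
    }
}
```

Run it without `-Remove` first to see what is present; the report alone is enough to confirm the symptom the article describes. Note that this only reverses the untrusted-store entries; any certificate the adware added to the trusted root store (as Avira's statement later in the article mentions) would need to be reviewed separately.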


Users could also try using scheduled tasks to get past the UAC prompts, using them to remove Vonteera, and then manually remove the blacklisted certificates, the firm said. Here's an old blog post to guide you through that in case you need any assistance.

ESET told Gadgets 360 that its security suite detects the aforementioned threat as Win32/Adware.Vonteera.P. The firm said that the detection was added to its virus signature database 12370 released on October 7, 2015.


Luis Corrons, PandaLabs Technical Director at Panda Security, offered the following statement to Gadgets 360. "Malware is known to look for ways to disable security software whenever it can; this is just another method to keep end users from opening their security programs. Usually malware performs this in a more advanced way, such as killing processes."

"We agree and can identify the findings from the Malwarebytes blog too," the Avira team told Gadgets 360. "Adware distributors using root certificates is not a new method, as we already know from the last 'Superfish' issue. New in this case is the 'trick' of dropping AntiMalware certificates into the untrusted container."

"From our point of view, this is a targeted attack against the AntiMalware industry, aimed specifically at those fighting for the privacy rights of their customers. In order to deliver the best protection, we are working on a detection improvement for this threat. We will also change the category from Adware to Trojan in order to counteract the way in which they are rooting against AntiMalware products. For our already affected customers, we will deliver a new RepairRoutine (AIRS) that will remove the Vonteera certificate from the root container, as well as our own from the untrusted container. All measures will be released to our customers today."

"The AVG security research lab has been aware for some time about the threat that Vonteera poses," Tony Anscombe, Senior Security Evangelist, AVG told Gadgets 360. "We detect and remove the threat as malicious, reporting it as a Trojan. This leaves the user to freely install an application that would have otherwise been blocked by the existence of the Vonteera malware."

A spokesperson for Bitdefender told us that the company is investigating the matter and needs more time before it can respond.
