MSRT August 2016 release adds Neobar detection

As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier: Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family.

This blog discusses BrowserModifier:Win32/Neobar and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along with other protection features in our Windows 10 protection stack.

BrowserModifier:Win32/Neobar has been classified as unwanted software because it violates the following Objective Criteria:

  • Lack of choice – the threat bypasses user consent options from the browser or operating system.
  • Lack of control – the threat could prevent or limit the user from viewing or modifying browser features or settings.

Distribution

We have seen BrowserModifier:Win32/Neobar being distributed by various software bundlers that we detect as SoftwareBundler:Win32/InstallMonster,  SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.

We have seen this threat use different application names:

  • advPlugin
  • Best YouTube Downloader
  • Best Youtube Saver
  • BonusBerry
  • Currency Converter
  • Goodshop app
  • I Like It Extension
  • Media Saver
  • OdPodarki
  • Torrent Search
  • Video Saver
  • Video Saver 2
  • VK Downloader
  • VK OK AdBlock
  • VPN TOOLBAR
  • WebBars
  • Youtube AdBlock

 

The following heatmap shows the geographical spread of Neobar-infected machines:

BrowserModifier:Win32/Neobar heatmap

Figure 1: Geographic distribution of BrowserModifier:Win32/Neobar infection from March to August 2016.

 

Installation

When BrowserModifier:Win32/Neobar is installed on your PC, it could change your default search provider. It also adds a toolbar to your browser, schedule tasks to automatically run itself, and add an uninstallation option.

We have seen this threat add a toolbar to the following browsers:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox

Symptoms

Adds a toolbar to browser

This threat adds a toolbar to the user’s browser and automatically enable it, thus, preventing the browser to display a consent dialog for the user to choose to enable it.

Screen capture of what Neobar adds in the Toolbar

Figure 2: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer.

 

neobar_2

Figure 3: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome.

 

neobar_3

Figure 4: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox.

 

Changes to default search provider

We have seen this threat change the user’s default search provider.

A screenshot of a sample setting change that Neobar does in Chrome

Figure 5: A sample setting change in Chrome.

 

After this threat has set the default search provider, it restricts the user from changing it.

A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.

Figure 6: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.

 

Adds scheduled tasks

This threat adds scheduled tasks to automatically execute itself, and to check and download updates.

Sample scheduler entry in a Neobar-infected machine

Figure 7: Sample scheduler entry in a Neobar-infected machine

 

Adds an uninstallation option

This threat adds an uninstallation option in the Programs and Features section.

Users can use the uninstallation option to remove this software from the system.

Figure 8: Users can use the uninstallation option to remove this software from the system.

 

Prevention

To prevent this threat from disrupting your computing experience:

  • Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
  • Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
  • Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites).

Detection

 

James Patrick Dee

MMPC