WinYahoo adware changes your Chrome secure preferences

“Potentially unwanted programs (PUPs) might not be as dangerous as malware, but can often lead to unexpected perils.

Take WinYahoo, for example. Despite its name and the fact that, among other things, it sets Yahoo as the default search engine and homepage in installed browsers, it is not a Yahoo product and is not in any way related to the company.

“Like a lot of unwanted software, WinYahoo is bundled in with a parent installer,” says Malwarebytes’ Joshua Cannell. “The referenced file we examined was a bundler for Adobe Photoshop Album Starter Edition.”

Adobe Photoshop Album Starter Edition is old photo editing and sharing software that Adobe discontinued many years ago. Nevertheless, there’s still some interest in it, and the latest version (3.2) of the software can still be downloaded for free on various download sites (it can’t be registered anymore, though, and can be used only a certain number of times).

Obviously, on some of these download sites, the Adobe Photoshop Album Starter Edition offered for download is bundled with the WinYahoo PUP.

During the installation of the former software, and only if the installation wizard does not detect a virtual machine on the user’s computer, the user is offered the option to set Yahoo as the default search engine and homepage on all compatible browsers (Chrome, Firefox, Internet Explorer).

If they accept the offer, WinYahoo is installed and makes the aforementioned changes. But, according to Cannell, it can also modify Google Chrome’s Secure Preferences without being detected by the browser.

“Any outside changes to the secure preferences file typically result in corrupt settings. In this case, Chrome will reset the affected settings to their default state,” he explains.

“In the Secure Preferences file, there is a section titled ‘protection’ where various user preferences are stored along with a generated hash value known as a Message Authentication Code (MAC). The MAC is used to protect the integrity of the data and therefore any changes to the MAC would raise red flags.”

WinYahoo can change Chrome security preferences because it is able to calculate new MACs.
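Because a recomputed MAC makes the modified file look valid to Chrome, a defender has to compare the protected values themselves against a baseline kept outside the browser profile. The following is an added example, not code from Malwarebytes or from the original article; the Secure Preferences key names, the baseline values, the extension IDs and the sample file are assumptions constructed for illustration.

```python
import json

# Constructed sample; key layout of Secure Preferences is assumed, MACs are placeholders.
SAMPLE = json.loads("""{
  "homepage": "https://search.example.invalid/?fr=hp",
  "session": {"startup_urls": ["https://search.example.invalid/"]},
  "default_search_provider_data": {"template_url_data":
      {"url": "https://search.example.invalid/s?q={searchTerms}"}},
  "extensions": {"settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Approved Extension"}},
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Sale Charger"}}}},
  "protection": {"macs": {"homepage": "PLACEHOLDER"}, "super_mac": "PLACEHOLDER"}
}""")

# Baseline recorded out of band (e.g. by endpoint management), not inside the profile.
BASELINE = {
    "homepage": "https://intranet.example.invalid/",
    "session.startup_urls": ["https://intranet.example.invalid/"],
    "default_search_provider_data.template_url_data.url":
        "https://www.example.invalid/search?q={searchTerms}",
}
ALLOWED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed ID

def dig(node, dotted, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit(prefs, baseline=BASELINE, allowed=ALLOWED_EXTENSIONS):
    """Return (path, observed) pairs that differ from the baseline.

    A valid MAC is not treated as evidence of a legitimate change: only the
    values themselves are compared.
    """
    findings = [(path, dig(prefs, path)) for path, want in baseline.items()
                if dig(prefs, path) != want]
    for ext_id, meta in dig(prefs, "extensions.settings", {}).items():
        if ext_id not in allowed:
            findings.append(("extensions.settings." + ext_id,
                             dig(meta, "manifest.name", "<no manifest>")))
    return findings

if __name__ == "__main__":
    for path, observed in audit(SAMPLE):
        print(f"DRIFT {path}: {observed!r}")
```

Run against a copy of the profile's Secure Preferences file, the same `audit` function reports drift in homepage, startup pages, search provider and installed extensions regardless of whether the stored MACs verify.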

In addition to all this, WinYahoo also installs a rogue Chrome extension by the name of Sale Charger that injects JavaScript into webpages.

“Sale Charger has the rather annoying feature of creating new tabs in web browsers with advertisements, and sometimes, even worse things. In one case, a Tech Support scam was presented,” Cannell shared. “WinYahoo also changes the preferences and installs Sale Charger into Internet Explorer, Mozilla Firefox, and Opera browsers.”

PUPs often come bundled with legitimate, helpful software, especially when it’s offered on third-party download sites. So be careful what you download, and what offers you accept – don’t speed through the installation process without understanding what you are signing up for.”



