Users of the Google Chrome web browser are now threatened by a new Trojan. Dubbed Mutabaha, the Trojan makes victims' browsers look strange and shows them pages they would never ordinarily visit.
Dr. Web security researchers explain that a previously installed dropper is the Mutabaha Trojan's actual downloader. According to them, this dropper communicates with a C&C server, which instructs it to download and launch the Trojan on the victim's PC and then delete itself.
When running, Mutabaha takes the form of Outfire, a special build of Google Chrome.
“During installation, it registers itself in the Windows system registry, launches several system services, and creates tasks in the Windows Task Manager in order to load and install its updates. In addition, Outfire modifies the installed Google Chrome browser by removing or creating new shortcuts and copying current Chrome user account information into the new browser.” – Dr. Web researchers explain.
Thus, when a user tries to start Chrome via the usual shortcut, they are actually running Outfire posing as Chrome.
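A defender-side audit for the shortcut swap described above, as an added example that is not from the article or from Dr. Web: it resolves every shortcut whose name mentions Chrome and reports those whose target is missing, is not named chrome.exe, or is not validly signed by Google. The folders searched, the expected file name, and the `O=Google` signer match are assumptions, not details from the report.

```powershell
# Added example: audit shortcuts that claim to launch Google Chrome.
# Assumptions (not from the article): the shortcut folders below, the expected
# executable name chrome.exe, and a signer subject containing "O=Google".
$shell = New-Object -ComObject WScript.Shell
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

$links = Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
$findings = foreach ($lnk in $links) {
    if ($lnk.BaseName -notmatch 'chrome') { continue }

    # Resolve where the shortcut really points.
    $target  = $shell.CreateShortcut($lnk.FullName).TargetPath
    $reasons = @()

    if (-not $target -or -not (Test-Path -LiteralPath $target)) {
        $reasons += 'target missing'
    } else {
        if ((Split-Path $target -Leaf) -ne 'chrome.exe') {
            $reasons += 'target is not chrome.exe'
        }
        # A renamed binary passes the name check, so also verify the signer.
        $sig = Get-AuthenticodeSignature -LiteralPath $target
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Google') {
            $reasons += "signed by: $($sig.SignerCertificate.Subject)"
        }
    }

    if ($reasons) {
        [pscustomobject]@{
            Shortcut = $lnk.FullName
            Target   = $target
            Reasons  = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

An empty result means every Chrome-named shortcut found resolves to a validly signed chrome.exe; shortcuts stored outside the listed folders are not covered.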
“Once the installation is complete, the fake browser displays a home page which cannot be changed in the browser’s settings. In addition, it has a fixed extension designed to replace advertisements in browsed webpages and uses its own search engine, set by default—however, it can be changed in the application’s settings.” – the researchers also noted.
Two further behaviours of Mutabaha attracted the researchers' attention. First, the Trojan scans the infected PC for other phony browsers and removes any it finds. Second, Mutabaha relies on a recently documented technique to bypass Windows' User Account Control (UAC).