Archive for the ‘Fynloski’ Category

MSRT March 2016 – Vonteera

March 9th, 2016 No comments

As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.


We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:

Vonteera distribution numbers

We classify Vonteera as unwanted software because it violates the following objective criteria:

  • Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
  • Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
  • Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.

Vonteera is usually distributed by software bundlers that offer free applications or games.

Once installed on your PC, it modifies your homepage and changes your search provider.

It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.

Search policy message

More recent versions of Vonteera began adding legitimate certificates that belong to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to not trust legitimate security and antimalware products. This means that if Vonteera is present on your PC, you might not be able to run your security software.

It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back to this list, so you still might not be able to run your security software.​


Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.

By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.

Stay protected

To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.

We also recommend you:

For more tips on preventing malware infections, including ransomware infections, see:

Are you beta testing malware?

January 7th, 2012 No comments

This post is part one of two.

Popular games are often used by malware writers as social engineering bait as documented in previous blogs (“Dota Players Own3d” and “Keeping Kerrigan From Infection“). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files:

These files noted as being available through different torrent/file sharing websites.

The first file we found refers to Defense of the Ancients (DotA) 2, which is an update for the popular custom scenario map DotA for Warcraft III : The Frozen Throne. The second refers to Diablo III. Although the official release date for both games is still in 2012, beta versions are available for testers. However, the curiosity for these games seems to lead to other dangers, like in the wilderness of Diablo II (released in 2000 – more than a decade ago!). We played the previous versions of both Diablo and DotA, with and against each other (during our free time of course 🙂 ).

The “fun” begins once the Pontoeb malware is executed. Pontoeb gathers power through obtaining information from the infected system, which it then sends back to a remote attacker. The information is gathered through a WMI query that retrieves data such as SerialNumber, SystemDrive, Operating system and processor architecture. But its ultimate goal is to morph the infected system into a zombie. It installs a backdoor where an attacker connects to in order to control the infected system and execute certain commands (for example, download a file, update itself, visit a website, and perform HTTP, SYN, and UDP flooding). A detailed description of what the malware does can be found in its encyclopedia description.

The second sample, Fynloski, which mimics the Diablo icon, is a remote access tool (RAT) that is used for malicious purposes, as outlined by our colleague Daniel here.

Figure 1: icon used by Fynloski

It’s basically a backdoor trojan that gains access to almost all the resources and information in your computer; for example, it can log keystrokes, download and run arbitrary files, and disable security settings. More details about Fynloski are available in its encyclopedia description. But what really got our attention was the obfuscation technique that it uses, which we will discuss in our next post.

If you’re running Microsoft Security Essentials, you’re protected against these threats like you would be in Diablo if you have a Blade Barrier. And of course, if you want to continue enjoying your video games in a secure environment, please visit the official DotA and Diablo websites for the actual beta versions.

As always, enjoy playing and be vigilant! GG (Good Game) everyone!

Andrei && Francis

SHA1s used in this post:
803fbc9388203458060f354b0fd3ffe68c506275 – Backdoor:MSIL/Pontoeb.J
a3ca4151c31181a3b948b7cd6a1ef97754fcce22 – Backdoor:Win32/Fynloski.A