Fake Evernote Extension Blasts Web Surfers with Junk Ads


In yet another example of how one shouldn’t trust a software program simply because it’s been digitally signed, a MultiPlug adware module has been uncovered that installs a fake Evernote browser extension, and proceeds to inundate the user with junk ads and unwanted, untargeted 'marketing' offers.

MultiPlug is a junkware virus that installs potentially unwanted programs (PUPs) and sometimes malware on victims' PCs. In this case, “A quick look shows the PUP is digitally signed by ‘Open Source Developer, Sergei Ivanovich Drozdov,’ although the certificate has since been revoked by the issuer,” explained Josh Cannell, a researcher at Malwarebytes, in an analysis.

The extension, which the user may or may not notice has been installed, uses a content script to run in the context of the web pages a user browses. The extension manifest guarantees that this content script is loaded into every web page visited. The end result is that when visiting webpages, users will get a series of annoying advertisements, all leading to potentially more unwanted programs and offers.

“On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension,” Cannell said.

Upon execution, the PUP silently installs a web extension for the Google Chrome, Torch and Comodo Dragon browsers, in the normal extension folders. Overall, the set-up is geared to very effectively masquerade as the real thing and avoid detection. The faux extension takes the form of three obfuscated JavaScript files and one HTML file.
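Because the fake extension copies the real name and ID, a defender has to look at what an installed extension declares rather than what it is called. The following audit is an added example, not code from the article or from Malwarebytes: it walks an extensions folder and reports every extension whose manifest injects a content script into all pages. It assumes the `<id>/<version>/manifest.json` layout; the function names, the pattern list and the sample data are constructed for illustration, and a broad match is a reason to review the extension, not proof that it is malicious.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that inject a content script into every (or nearly every) page.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_content_scripts(manifest):
    """Return (pattern, js_files) pairs for content scripts that match all sites."""
    hits = []
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                hits.append((pattern, script.get("js", [])))
    return hits


def audit_extensions(extensions_dir):
    """Walk <extensions_dir>/<id>/<version>/manifest.json and list broad injectors."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        hits = broad_content_scripts(manifest) if isinstance(manifest, dict) else []
        if hits:
            ext_id = manifest_path.parent.parent.name
            findings.append({"id": ext_id, "name": manifest.get("name", ""), "hits": hits})
    return findings


def build_sample_profile(root):
    """Constructed sample data: one all-sites injector and one narrowly scoped extension."""
    samples = {
        "a" * 32: {"name": "Sample Injector", "content_scripts": [
            {"matches": ["<all_urls>"], "js": ["a.js", "b.js"]}]},
        "b" * 32: {"name": "Sample Scoped", "content_scripts": [
            {"matches": ["https://example.com/*"], "js": ["c.js"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_extensions(build_sample_profile(tmp)))
```

To audit a real profile, pass the path of its extensions folder to `audit_extensions` instead of the constructed sample directory.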

“For Google Chrome, the installation of the web extension is achieved by updating the ‘preferences’ file, which is a json-formatted file used to configure Chrome user preferences,” Cannell explained. “The extension that’s installed is called Evernote Web, just like the real extension from Evernote.com. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID ‘lbfehkoinhhcknnbdgnnmjhiladcgbol,’ just like the real Evernote Web extension.”

Clicking 'visit website' also directs the user to the Chrome Web Store page for the actual Evernote Web extension.

“Chrome believes the real extension is installed, as verified by the Launch App button,” the researcher said. “When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log-in screen.”

Junkware and spam ads are unfortunately continuing to live on in the world of the internet because of unscrupulous folks who will serve them out in return for pay-per-click compensation. Fortunately, removing the extension in this case is a simple task.

“For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done,” Cannell said. “You also might want to run a free scan using your antivirus or anti-malware programs to make sure there wasn’t anything else added while you had the extension.”
