
New Chrome and Firefox extensions block their removal to hijack browsers

What you don’t see won’t hurt you, must have been the reasoning of the threat actors who created the latest batch of extensions that make these browser hijackers even more difficult to remove. The extensions redirect users away from pages where they can disable or delete them in order to drive clicks up on YouTube videos or hijack searches.

The extensions, which have been found in both Chrome and Firefox browsers, block users from removing them either by closing out pages with extensions/add-ons info, or by sending users to a different page, such as an apps overview page, where extensions aren’t listed.

In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)

However, if you’re not a Premium customer, there are still some, admittedly involved, ways to get around these murky and persistent browser hijackers by recognizing, finding, and removing the extensions. Here’s what you can do.

For Chrome

First, we’re going to look at the Chrome extension called Tiempo en colombia en vivo, which is pushed by the method we previously described as a forced Chrome extension. The extension is detected by Malwarebytes as Rogue.ForcedExtension.

You can find the removal guide for Tiempo en colombia en vivo on our forums.

The extension keeps users out of Chrome’s extensions list by redirecting chrome://extensions/ to chrome://apps/?r=extensions, where the offending extension is not listed, as only the installed apps will be shown.


Blocking JavaScript in Chrome doesn’t help in this case, as that setting only applies to sites and not to this (internal) page.


The clean method to stop extensions from redirecting your Chrome tabs is to start Chrome with extensions disabled. You can do this by adding the switch “--disable-extensions” to the command that runs Chrome.


But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would.


Renaming the file 1499654451774.js in the extensions folder does help, however, and after a restart of Chrome, we can see the extension in the list of extensions. It shows up as corrupted because we renamed their JavaScript to something else, so it can’t find what it’s looking for.


Tip: To escape from a Chrome site that is trying to make you stay there, you can use Ctrl+T to open a new tab. The new tab will have focus, so you can then close the offending tab by clicking the “x” that lights up in red when you hover over the tab.


For Firefox

We also found a Firefox extension that displays similar behavior to the Chrome extension. This one was pushed by ad-rotators as a manual update for Firefox.

Malwarebytes detects this extension as PUP.Optional.FFHelperProtection. A full removal guide for FF Helper Protection can be found on our forums.

This extension blocks about:addons in background.js by looking for that string in the URL and closing the tab if the string is found.


This means that you can’t remove the extension manually.

Firefox, however, can be run in safe mode by holding down the Shift key while starting Firefox. Then confirm that you want to “Start in Safe Mode” in this prompt.


Firefox’s safe mode is most helpful, as you can see all the installed extensions while they are not active. Doing so allows you to manually remove the extension (and any others you might not want) in the same way you normally would. Click the “Remove” button in the extension’s description field, and you’re done.


If you are kept on a Firefox tab by JavaScript that keeps popping up prompts, and you are unable to close the window in the usual way, you can terminate Firefox by using Task Manager. When you restart Firefox, it will not be able to restore the session for that tab.

How to avoid

While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them. The best we can offer is to stay vigilant as you surf and use an adblocker (that could help with blocking the Firefox extension). Though we’d like to add the obvious: Avoid actually downloading these extensions in web stores as well. In fact, it’s a good idea to read the fine print carefully for any browser extension you download.

IOCs

Domains: socialextensions.top, searchdf.biz, helperprotectionff.biz, helperprotectionext.biz, reliablesurfingext.biz

Chrome extension: gbhodkgjhojjjggokjjlbccecdhkjjgl

Firefox extensions: {eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi, {b91fcda4-88b0-4a10-9015-9365e5340563}.xpi
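
To locate these extensions on disk when the browser's own management page is blocked, as described in the Chrome and Firefox sections above, the following added example (not Malwarebytes' code) scans an extensions folder for the IOCs listed here and for scripts that reference chrome://extensions or about:addons. It assumes the usual layout of one folder per extension ID for Chrome and one .xpi file per add-on for Firefox; the folder built in `demo()` and the benign ID in it are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# IOCs copied from this page's IOC list
KNOWN_IOCS = {"gbhodkgjhojjjggokjjlbccecdhkjjgl",
              "{eb3ebb14-6ced-4f60-9800-85c3de3680a4}.xpi",
              "{b91fcda4-88b0-4a10-9015-9365e5340563}.xpi"}
# Management pages the article says these extensions redirect or close
GUARDED_PAGES = (b"chrome://extensions", b"about:addons")


def scripts(path):
    """Yield (name, bytes) for every .js file in a folder or inside an .xpi (zip)."""
    if path.is_dir():
        for js in path.rglob("*.js"):
            yield js.relative_to(path).as_posix(), js.read_bytes()
    elif zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as xpi:
            for name in xpi.namelist():
                if name.endswith(".js"):
                    yield name, xpi.read(name)


def scan(extensions_root):
    """Return sorted (entry, reason) findings for each item directly under the root."""
    findings = set()
    for entry in Path(extensions_root).iterdir():
        if entry.name in KNOWN_IOCS:
            findings.add((entry.name, "known IOC"))
        for name, data in scripts(entry):
            hits = [p.decode() for p in GUARDED_PAGES if p in data]
            findings.update((entry.name, f"{name} references {h}") for h in hits)
    return sorted(findings)


def demo():
    """Build a constructed extensions folder (not real samples) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "gbhodkgjhojjjggokjjlbccecdhkjjgl" / "1.0_0"
        bad.mkdir(parents=True)
        (bad / "1499654451774.js").write_text("/* constructed */ 'chrome://extensions/'")
        ok = root / ("a" * 32) / "1.0_0"
        ok.mkdir(parents=True)
        (ok / "bg.js").write_text("console.log('hello')")
        with zipfile.ZipFile(root / "constructed@example.xpi", "w") as xpi:
            xpi.writestr("background.js", "/* constructed */ 'about:addons'")
        return scan(root)
```

The string match is a triage heuristic: a hit on an unknown extension is a reason to inspect it, and an obfuscated script can hide the reference, so the IOC name check stays the stronger signal.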

Stay safe out there.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher
