Adware Sneakily Turns Off Firefox Safe Browsing

Share this…

Mintcast adware uses user.js settings files for persistence.Two PUPs (Potentially Unwanted Programs) are secretly turning off Safe Browsing support in Firefox to make sure they can deliver unsolicited ads and even malware if their creators ever wish to do so.

The two PUPs are Shell&Services and Mintcast 3.0.1. These are browser add-ons for Firefox, Chrome, and IE, and are generally installed without the user’s consent, packaged with other software.

These two come with a newer variant of the Mintcast adware, which, besides injecting ads inside the user’s browser while navigating legitimate websites, also secretly turns off Safe Browsing support in Firefox.

Adware Sneakily Turns Off Firefox Safe Browsing

Safe Browsing is a service created and managed by Google, also implemented in Safari and Firefox. Safe Browsing is nothing more than a blacklist of website URLs from where malware infections originated in the past. The list is constantly updated by both Google and Mozilla engineers, and works in real time, keeping users safe as they navigate the Web.

Abusing the user.js settings file for browser reboot persistence

Because Firefox allows users to create a user.js file where they can store various browser settings in the form of lines of code, the Mintcast adware is abusing this feature.

If no user.js file is found in the “C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default” folder, the adware will create one that holds only three lines of code:

user_pref(“browser.safebrowsing.downloads.enabled”, false);
user_pref(“browser.safebrowsing.enabled”, false);
user_pref(“browser.safebrowsing.malware.enabled”, false);

These settings will tell the Firefox browser to stop checking the Safe Browsing blacklist while browsing the Web or when downloading files. If turned off, it will allow the adware to redirect the user to malicious pages without having the browser show any errors or warnings to the user.

Since the user.js file is executed right when the browser starts, even if the user re-enables these settings via their browser’s settings section, they’ll always remain active unless the user removes the user.js file from the aforementioned folder.

MalwareBytes reports that, in the past, other adware like Yontoo/BrowseFox and Constant Fun employed the same technique.