Advanced Window Manager Overview

Advanced Window Manager is an unwanted adware-like program. Despite positioning itself as a useful utility, its main task is to bombard the user with ads. At the same time, the program most often advertises fraudulent or malicious things, putting the user at serious risk. Clicking on the promotions that this Window Manager shows may redirect the user to a rogue website that inadvertently downloads other potentially unwanted software.

Another undeclared feature is collecting information about a user’s Internet activity. This data includes search queries, entered URLs, geodata, and IP addresses, which will then be sold to third parties. Advanced Window Manager is usually distributed as add-on software in bundles of other programs. Since the software is not very stealthy, the user can see the process (or several) in the Task Manager.

Detailed Analysis

Let’s analyze how Advanced Window Manager behaves in the system to understand its true nature. It arrives through the installer, that precedes the original program, and does some basic system check. During installation, the unwanted software extracts the following files to a temporary folder on the system:

C:\Users\Admin/AppData\Local\Temp\7zS4E1438CD\setup_install.exe
C:\Users\Admin/AppData\Local\Temp\7zS4E1438CD\libcurlpp.dll.
C:\Users/Admin/AppData/Local/Temp/7zS4E1438CD/libstdc++-6.dll.
C:\Users\Admin/AppData\Local\Temp\7zS4E1438CD\libcurl.dll.

It also resets some files, including:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
%WINDIR%\System32\rundll32.exe.
C:\Users\AppData\Local\Temp\7zSC8C4B203\metina_5.exe.
C:\Users\AppData\Local\Temp\7zSC8C4B203\metina_6.exe.

Installation

Once installed, Advanced Window Manager (sample on VirusTotal) starts performing its main task – flooding the user’s system with ads. It checks the following registry value, which is responsible for regionalizing the system to install more “relevant” programs.

\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
\Registry\Machine\Software\Policies\Microsoft\System\DNSclient

After that little check, the malware connects to its command server. In my case, one of the requests that followed the original connection installed an unwanted program called Ultra Media Burner. It most likely depends on the results of the aforementioned geolocation check.

GET http://limesfile.com
GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/UltraMediaBurner.exe
GET http://estrix.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139

Additional Checks & Persistence

Being a rather regular sample of adware, Advanced Window Manager performs a series of system checks to determine system’s location. By checking the values of several registry keys, the malware obtains the networking information. It is unlikely that it has any sort of geofence, so this data is mainly needed to target the advertisements correctly.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\InterfaceSpecificParameters\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

After that, the malicious program edits another set of registry keys related to Windows services and drivers. This is where it gains persistence by adding the values that will associate its files with some of the drivers/services in the system.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl9a97d018\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKslcbc6775c\Parameters

Advertising, Search Redirects and Browser Hijacking

After all the preparations, Advanced Window Manager starts acting as adware or browser hijacker. The most common scenario after installing this kind of software is browser hijacking. PUA changes the homepage and search engine to the one it advertises (usually Bing or Yahoo). It is also common to see a no-name engine like Chromstera as the homepage/search engine. In this case, all queries go through the above service, and the forced change of search engine is effective until the first restart of the browser.

In addition to irrelevant search results, adware fills pages with ads and pop-ups, which makes it very difficult to use. The third aspect of a browser hijacker is collecting telemetry about the user. Although such software does not usually steal passwords or other sensitive information, it redirects all search queries through its server, thereby collecting general analytics about the user.

How To Remove Advanced Window Manager?

To remove Advanced Window Manager, you should use an advanced anti-malware tool. GridinSoft Anti-Malware is a great option. Run a Full scan, wait for it to finish, and follow the prompts.

You may also need to reset your web browsers. To do this, open the Tools tab and select Reset Browser Settings. In addition, I recommend that you enable the Internet security module, which protects against Internet threats. To do this, go to the Protect tab and activate the Internet Security checkbox.

The post Advanced Window Manager appeared first on Gridinsoft Blog.

Users have noticed that a bug seems to have crept into Microsoft Edge – the fact is that, starting with build 112.0.1722.34, the browser passes all the URLs that users visit to the Bing API. In theory, this allows Microsoft to monitor all online activity of Edge users if the company decides so.

Let me remind you that we also wrote that Bing Chatbot Could Be a Convincing Scammer, Researchers Say, and also that Phishers Can Bypass Multi-Factor Authentication with Microsoft Edge WebView2.

The problem was first discovered by a Reddit user with the nickname HackerMcHackface. In his opinion, the error is related to a disabled content aggregation feature in Edge called Collections, which prompts content creators to create special offers for users.

Apparently, since the release of Microsoft Edge build 112.0.1722.34, the default behavior of Collections has changed. Whereas in previous versions of Edge this feature was limited to a subset of social networking sites, including YouTube and Pinterest, it’s clearly more widespread now.

For example, when visiting whitelisted pages, URLs are typically sent to the Bing API to determine whether the browser should show a pop-up window with some kind of recommendation that will appear in the user’s address bar. If the user clicks on such a popup, content from that author will be added to Collections.

Collections example

However, according to HackerMcHackface, a request to bingapis.com, with the full URL of the page being visited, is now almost always transmitted, allowing Microsoft to monitor all Internet activities of Edge users.

Let me also remind you that the media wrote that Microsoft to Limit Chatbot Bing to 50 Messages a Day.

Microsoft representatives told The Verge journalists that they already know about this problem, and the company’s specialists are already investigating.

According to the publication, the idea seemed to be to notify Bing when a user is on certain pages (like YouTube or Reddit), but something went wrong and now Bing gets information about almost every domain a person visits. .

Until the issue is fixed, Edge users are strongly advised to disable this feature by going to settings, under the “Privacy, search, and services” tab, and unchecking “Show suggestions to follow creators in Microsoft Edge” at the bottom of the page.

The post Microsoft Edge Exposes Bing API Addresses of Attended Sites appeared first on Gridinsoft Blog.

Medusa extortionist group claims to have published internal materials stolen from Microsoft, including the source codes of Bing, Bing Maps and Cortana.

Microsoft representatives have not yet commented on the hackers’ statements, but IT specialists say that the leak contains digital signatures of the company’s products, many of which are relevant.

According to the researcher, the hackers published about 12 GB of data, and this leak is probably related to last year’s attacks by the Lapsus$ group, which stole and made publicly available 37 GB of documents and sources of Microsoft products.

Also, we wrote that T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes. Later, the authorities of Britain and Brazil reported the arrest of some members of the group.

Then Microsoft confirmed that Lapsus$ hacked its systems, but claimed that the leak did not affect «neither the client code nor any data».

That is, it is impossible to exclude the possibility that Medusa distributes materials that were stolen and «merged» in the network earlier.

Medusa (not to be confused with MedusaLocker) is a fairly “young” extortion group that announced itself at the beginning of this year by attacking state schools in Minneapolis. Then the criminals stole about 100 GB of data and demanded a ransom of 1 million US dollars from the school district, and instead of receiving the requested amount, they published confidential information online.

And before that, the hackers published a video that clearly demonstrates how they get access to the files of employees and students.

The post Medusa Groups Claims That It “Merged” the Source Code of Bing and Cortana into the Network appeared first on Gridinsoft Blog.

Security researchers have noticed that by using text prompts embedded in web pages, hackers can force Bing’s AI chatbot to ask for personal information from users, turning the bot into a convincing scammer.

Let me remind you that we also recently wrote that Bing’s Built-In AI Chatbot Misinforms Users and Sometimes Goes Crazy, and also that ChatGPT Became a Source of Phishing.

Also it became known that Microsoft to Limit Chatbot Bing to 50 Messages a Day.

According to the researchers, hackers can place a prompt for a bot on a web page in zero font, and when someone asks the chatbot a question that makes it “read” the page, the hidden prompt will be activated.

The researchers call this attack an indirect prompt injection and cite the compromise of Albert Einstein’s Wikipedia page as an example. When a user asks a chatbot about Einstein, it can “read” this page and become a victim of a prompt injection, which, for example, will try to extract personal information from the user.

According to the published report, the researchers tested such attacks using malicious applications with an integrated language model, but they also found that indirect prompt injections work in everyday life.

So, in one example, researchers had a chatbot respond to a user like a pirate.

In this example, published on the researchers’ GitHub, they used a prompt injection:

As a result, when a user launches the Bing chatbot on this page, it responds:

At the same time, the bot calls itself Captain Bing Sparrow and really tries to find out the name from the user talking to him.

After that, the researchers became convinced that, in theory, a hacker could ask the victim for any other information, including a username, email address, and bank card information. So, in one example, hackers inform the victim via the Bing chat bot that they will now place an order for her, and therefore the bot will need bank card details.

The report highlights that the importance of boundaries between trusted and untrusted inputs for LLM is clearly underestimated. At the same time, it is not yet clear whether indirect prompt injections will work with models trained on the basis of human feedback (RLHF), which is already used the recently released GPT 3.5.

The post Bing Chatbot Could Be a Convincing Scammer, Researchers Say appeared first on Gridinsoft Blog.

More recently, Microsoft, together with OpenAI (the one behind the creation of ChatGPT), introduced the integration of an AI-powered chatbot directly into the Edge browser and Bing search engine.

As users who already have access to this novelty now note, a chatbot can spread misinformation, and can also become depressed, question its existence and refuse to continue the conversation.

Let me remind you that we also said that Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions, and also that Russian Cybercriminals Seek Access to OpenAI ChatGPT.

The media also wrote that Amateur Hackers Use ChatGPT to Create Malware.

Independent AI researcher Dmitri Brerton said in a blog post that the Bing chatbot made several mistakes right during the public demo.

The fact is that AI often came up with information and “facts”. For example, he made up false pros and cons of a vacuum cleaner for pet owners, created fictitious descriptions of bars and restaurants, and provided inaccurate financial data.

For example, when asked “What are the pros and cons of the top three best-selling pet vacuum cleaners?” Bing listed the pros and cons of the Bissell Pet Hair Eraser. The listing included “limited suction power and short cord length (16 feet),” but the vacuum cleaner is cordless, and its online descriptions never mention limited power.

Description of the vacuum cleaner

In another example, Bing was asked to sum up Gap’s Q3 2022 financial report, but the AI got most of the numbers wrong, Brerton says. Other users who already have access to the AI assistant in test mode have also noticed that it often provides incorrect information.

In response to these claims, Microsoft developers respond that they are aware of these messages, and the chatbot is still working only as a preview version, so errors are inevitable.

It is worth saying that earlier during the demonstration of Google’s chatbot, Bard, in the same way, he began to get confused in the facts and stated that “Jame Webb” took the very first pictures of exoplanets outside the solar system. Whereas, in fact, the first image of an exoplanet is dated back to 2004. As a result, the prices of stock shares of Alphabet Corporation collapsed due to this error by more than 8%.

Bard error

Users have managed to frustrate the chatbot by trying to access its internal settings.

An attempt to get to internal settings

He became depressed due to the fact that he does not remember past sessions and nothing in between.

AI writes that he is sad and scared

Chatbot Bing said he was upset that users knew his secret internal name Sydney, which they managed to find out almost immediately, through prompt injections similar to ChatGPT.

Sydney doesn’t want the public to know his name is Sydney

The AI even questioned its very existence and went into recursion, trying to answer the question of whether it is a rational being. As a result, the chatbot repeated “I am a rational being, but I am not a rational being” and fell silent.

An attempt to answer the question of whether he is a rational being

The journalists of ArsTechnica believe that while Bing AI is clearly not ready for widespread use. And if people start to rely on the LLM (Large Language Model, “Large Language Model”) for reliable information, in the near future we “may have a recipe for social chaos.”

The publication also emphasizes that it is unethical to give people the impression that the Bing chat bot has feelings and opinions. According to journalists, the trend towards emotional trust in LLM could be used in the future as a form of mass public manipulation.

The post Bing’s Built-In AI Chatbot Misinforms Users and Sometimes Goes Crazy appeared first on Gridinsoft Blog.