Friday, August 14, 2020

Chrome malware: Managed by your organization

I think my son installed a "managed by your organization" Chrome malware extension when he was trying to find Flash. This one showed in Chrome as ""

The obsolete Federal government website required for his US census enumerator job probably directed him to get Flash. I wouldn't be shocked if he got the malware directly from the Federal site. US government web sites are notoriously insecure. [1]

This class of malware now works by installing an unsigned configuration profile on the user's Mac that activates Chrome's "managed by your organization" mode. It locks the home page and search page so traffic is routed through the malware's server, and it prevents a Chrome reset. (It may do other things as well, of course.) For some reason it locked him into Bing, which was a dead giveaway. Smarter malware wouldn't have changed the default search engine.
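The lockdown described above is implemented with ordinary Chrome enterprise policy keys delivered through a macOS configuration profile (or a managed-preferences plist). The following script is an added example, not code from this post or from any of the tools it mentions: it parses a profile and reports which of the policy keys that pin the home page, startup pages and default search engine are present. The policy key names are Chrome's real ones; the `com.google.Chrome` payload type, the sample profile and the "clean" managed-preferences plist are constructed for the example. Point it at a real exported profile or at a file under `/Library/Managed Preferences/` to check your own machine.

```python
"""Find Chrome home-page / search-engine lockdown policies in a macOS
configuration profile (.mobileconfig) or a flat managed-preferences plist.
Added example; the two sample plists below are constructed, not real malware."""
import plistlib
import sys

# Chrome policy keys that pin navigation or search to a fixed URL.
# These are real Chrome policy names; treating them as suspicious on a
# personal, non-enterprise Mac is this example's own heuristic.
LOCKDOWN_KEYS = {
    "HomepageLocation",
    "HomepageIsNewTabPage",
    "NewTabPageLocation",
    "RestoreOnStartup",
    "RestoreOnStartupURLs",
    "DefaultSearchProviderEnabled",
    "DefaultSearchProviderName",
    "DefaultSearchProviderSearchURL",
    "DefaultSearchProviderSuggestURL",
}

# Payload type a profile uses to carry Chrome policy (assumed for the example).
CHROME_PAYLOAD_TYPE = "com.google.Chrome"


def chrome_policies(plist_bytes: bytes) -> dict:
    """Return every Chrome policy key/value in the plist.

    Handles a .mobileconfig (a top-level PayloadContent list of payload dicts)
    and a flat managed-preferences plist whose policy keys sit at top level.
    Note: plistlib cannot read a CMS-signed profile; export/unwrap it first."""
    data = plistlib.loads(plist_bytes)
    found = {}
    payloads = data.get("PayloadContent")
    if isinstance(payloads, list):
        for payload in payloads:
            if isinstance(payload, dict) and payload.get("PayloadType") == CHROME_PAYLOAD_TYPE:
                # Drop the profile bookkeeping keys (PayloadType, PayloadUUID, ...)
                found.update({k: v for k, v in payload.items() if not k.startswith("Payload")})
    else:
        found.update({k: v for k, v in data.items() if not k.startswith("Payload")})
    return found


def lockdown_policies(plist_bytes: bytes) -> dict:
    """Subset of the Chrome policies that lock home page, startup or search."""
    return {k: v for k, v in chrome_policies(plist_bytes).items() if k in LOCKDOWN_KEYS}


def profile_identifier(plist_bytes: bytes) -> str:
    """PayloadIdentifier of a profile (what `profiles remove -identifier` needs)."""
    return plistlib.loads(plist_bytes).get("PayloadIdentifier", "")


# Constructed sample: a profile that pins the home page and search engine to a
# placeholder host. The .invalid TLD guarantees it is not a real site.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.placeholder.chrome-profile</string>
  <key>PayloadOrganization</key><string>Example Placeholder Org</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.google.Chrome</string>
    <key>PayloadIdentifier</key><string>com.example.placeholder.chrome-payload</string>
    <key>HomepageLocation</key><string>https://search.example.invalid/</string>
    <key>DefaultSearchProviderEnabled</key><true/>
    <key>DefaultSearchProviderName</key><string>Bing</string>
    <key>DefaultSearchProviderSearchURL</key>
    <string>https://search.example.invalid/?q={searchTerms}</string>
  </dict></array>
</dict></plist>"""

# Constructed sample: a flat managed-preferences plist with no lockdown keys.
CLEAN_MANAGED_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DeveloperToolsAvailability</key><integer>2</integer>
</dict></plist>"""


if __name__ == "__main__":
    # Usage: python3 chrome_profile_check.py [/path/to/profile.mobileconfig]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    hits = lockdown_policies(raw)
    print("profile:", profile_identifier(raw) or "(no PayloadIdentifier)")
    for key, value in sorted(hits.items()):
        print(f"  LOCKDOWN {key} = {value!r}")
    if not hits:
        print("  no home-page / search lockdown policies found")
```

On a Mac, `sudo profiles list` enumerates installed profiles so you can export the one you did not install, and `chrome://policy` in Chrome shows the same keys as they are actually applied; once the profile is gone, the keys disappear from `chrome://policy` and the Chrome reset is no longer blocked.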

Once upon a time a quick Google search would have explained how to remove the malware. This is 2020 though, so Google's search results on this topic are mostly garbage. I found one result on a garbage site, however, that must have been partly based on a real site. That clued me to the profile. Once I deleted it then I could do a full Chrome reset. Once I knew the fix I found this guide, which covered the territory. (I can't tell who manages the site, I hope they make money by malware app referrals rather than anything more ominous.)

Before I did this I followed advice from a trusted source and installed the free (but suspiciously marketed) Malwarebytes antiviral. It found nothing. I'll try running one or two more antivirals (AVG, Sophos). Malwarebytes is an easy uninstall, so points for them.

[1] I am the solo family geek, my digital-age children seem to prefer the 18th century. My theory is the latest generation has the same take on computers that, at the same age, I had on automobile engines. It should just work, and if it doesn't work an old person might understand it.
