Malwarebytes released version 8.0 of its tool AdwCleaner at the end of November 2019. The tool, which doesn’t need to be installed, can be used to clean adware from a Windows system. Unfortunately, AdwCleaner needs administrative permissions and is vulnerable to DLL hijacking.
What is the AdwCleaner?
AdwCleaner is a free tool from Malwarebytes that can be used to remove unwanted adware from Windows systems. If unwanted advertising is suddenly displayed after installing a piece of software, or unwanted programs show up under Windows, adware has apparently struck. The AdwCleaner tool is intended to clean the system of this by-catch. The manufacturer writes about it on its website:
Destroys adware, Restores performance
The world’s most popular adware cleaner finds and removes unwanted programs and junkware so your online experience stays optimal and hassle-free.
Computer running slow? Strange messages popping up? Browser homepage changed without your permission? This could be the work of adware (and its friends), a sneaky variant of malware that is hard to find, and harder to remove. Malwarebytes AdwCleaner employs innovative technology engineered solely to detect and remove these unwanted hitchhikers. It’s the cleaner of choice for home users and technicians.
(Malwarebytes AdwCleaner 8.0, Source: ghacks.net/Malwarebytes)
Malwarebytes AdwCleaner removes unwanted browser toolbars and bundled programs that can open the door for spyware and PUPs. This puts you back in control of your browsing. AdwCleaner also targets adware, spyware, potentially unwanted programs (PUPs), and browser hijackers with technology specially engineered to remove these threats.
AdwCleaner 8.0, no support for XP and Vista
With the new version 8.0 of AdwCleaner, Malwarebytes no longer supports Windows XP and Windows Vista.
— Malwarebytes (@Malwarebytes) December 6, 2019
Martin Brinkmann points this out on ghacks.net in an article linked in the above tweet. This version of the tool was released at the end of November 2019 and can be downloaded from this Malwarebytes website. On the website you can find some additional hints about the tool.
Please note the following regarding the download: the Free download button in the header of the website, in a blue font, refers to Malwarebytes. AdwCleaner itself can be downloaded free of charge by clicking the green Free download button.
The browser may want to discard the adwcleaner_8.0.0.exe file with a warning after downloading. If so, click the Keep button. Then navigate to the download folder and start the .exe program.
Notes on execution
AdwCleaner does not install anything; it is simply started from the .exe file. However, the program requires administrator permissions in order to be able to clean up adware. But let’s come to the weak side of the tool – the place where the cat bites its tail and where I personally get a knot in my stomach. The tool is supposed to scan a system for adware and clean it. But if there is malware, AdwCleaner puts users at real risk.
I have run the current version of AdwCleaner in my test bed. The above warning shows that adwcleaner_8.0.0.exe is vulnerable to DLL hijacking. So as soon as malware has left certain DLL files in the download folder of adwcleaner_8.0.0.exe (here dwmapi.dll, but a number of other DLLs are called), they would be loaded by the AdwCleaner process and then executed with administrator rights. Quite stupid – a DLL with malicious code would then be executed by the user with administrator privileges. I will inform Malwarebytes accordingly.
Addendum: A few hours after I reported the DLL hijacking issue, a developer contacted me. They are trying to fix this issue – but the first amended builds I’ve tested still contain some DLL hijacking issues. I’ve provided the developer with the necessary details to create their own test bed to check further builds for DLL hijacking vulnerabilities. Hope that helps.
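A defender-side check for the situation described above, added here as an example and not part of the original article or of Malwarebytes' code: it lists DLLs that sit next to an executable in a folder and carry the name of a system DLL, which is the condition under which a tool started from the download folder would load them instead of the System32 copy. The function names and the sample folders are constructed for the example.

```python
import tempfile
from pathlib import Path


def dll_names(directory):
    """Lower-cased names of all .dll files directly inside `directory`."""
    return {p.name.lower() for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def planted_dll_candidates(app_dir, system_dir):
    """Map each DLL in app_dir that shadows a system DLL name to the EXEs beside it.

    Windows file names are case-insensitive, so names are compared lower-cased.
    Returns {} when the folder holds no executable or no shadowing DLL.
    """
    app_dir = Path(app_dir)
    files = [p for p in app_dir.iterdir() if p.is_file()]
    exes = sorted(p.name for p in files if p.suffix.lower() == ".exe")
    if not exes:
        return {}
    system = dll_names(system_dir)
    shadows = sorted(p.name for p in files
                     if p.suffix.lower() == ".dll" and p.name.lower() in system)
    return {name: exes for name in shadows}


def demo():
    """Constructed sample: a stand-in System32 and a stand-in download folder."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp, "System32")
        downloads = Path(tmp, "Downloads")
        system32.mkdir()
        downloads.mkdir()
        for name in ("dwmapi.dll", "version.dll", "kernel32.dll"):
            (system32 / name).write_bytes(b"")
        (downloads / "adwcleaner_8.0.0.exe").write_bytes(b"")
        (downloads / "DWMAPI.DLL").write_bytes(b"")         # shadows a system DLL
        (downloads / "vendor_helper.dll").write_bytes(b"")  # not a system DLL name
        return planted_dll_candidates(downloads, system32)


if __name__ == "__main__":
    for dll, exes in demo().items():
        print(f"{dll} shadows a system DLL next to: {', '.join(exes)}")
```

On a real system, pass the actual download folder and the Windows System32 directory to `planted_dll_candidates` before starting a portable tool with administrator rights.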