Browsing the browsers

This is a weird post; it doesn’t give many answers and pretty much focuses on describing the results of a simple data-hoarding exercise…

When people think of a ‘browser’ they usually think of software like Chrome, Safari, Firefox, Opera, Brave, Vivaldi, maybe Edge, and some older people may think of Internet Explorer (rip) and Netscape (totes rip). If we ask malware authors, they will probably expand this list to include the many Chrome-based browsers that ‘appeared on the market’ in recent years. And if we look at some of the actual Microsoft code, we will find out that they consider many web-control-hosting apps to be browsers as well.

For example, at the time of Internet Explorer dominance, many applications were utilizing IE’s web control (IWebBrowser) to deliver a flashy, HTML-based GUI. At some stage in the early 2000s it was such a fad, and so prevalent, that eventually every major software company was using it, and most users… hated it. And here we are, in 2024, with web controls still all over the place – e.g. in most of the Electron apps (ignored in this post).

I have outlined some of the process names associated with browsers in this old post, and today I will expand on it a bit.

How? By building a more robust list of processes that kinda meet the ‘is this a browser process?’ condition:

  • 360chrome.exe
  • 360se.exe
  • authhost.exe
  • avant.exe
  • brave.exe
  • browser.exe
  • browser_broker.exe
  • chrome.exe
  • citrio.exe
  • coolnovo.exe
  • coowon.exe
  • cyberfox.exe
  • DCIScanner
  • deepnet.exe
  • dooble.exe
  • epic.exe
  • explorer.exe
  • FAKEVIRTUALSURFACETESTAPP.EXE
  • firefox.exe
  • FirstLogonAnim.exe
  • IEUTLAUNCH.EXE
  • iexplore.exe
  • iridium.exe
  • jshost.exe
  • k-meleon.exe
  • LOADER42.EXE
  • maxthon.exe
  • MicrosoftEdge.exe
  • MicrosoftEdgeBCHost.exe
  • MicrosoftEdgeCP.exe
  • MicrosoftEdgeDevtools.exe
  • MicrosoftEdgeSH.exe
  • midori.exe
  • msedge.exe
  • msedge_proxy.exe
  • msedge_pwa_launcher.exe
  • MSFEEDSSYNC.EXE
  • MSHTMPAD.EXE
  • MSOOBE.EXE
  • mustang.exe
  • NETPLWIZ.EXE
  • opera.exe
  • orbitum.exe
  • palemoon.exe
  • pickerhost.exe
  • qqbrowser.exe
  • qupzilla.exe
  • RESTOREOPTIN.EXE
  • safari.exe
  • seamonkey.exe
  • sleipnir.exe
  • sogueexplorer.exe
  • superbird.exe
  • SYSPREP.EXE
  • TE.EXE
  • Te.ProcessHost.exe
  • tor.exe
  • torch.exe
  • USERACCOUNTBROKER.EXE
  • vivaldi.exe
  • Windows.WARP.JITService.exe
  • WWAHOST.EXE

But… we know this is not everything…

Over the last few years we have seen a number of randomly-named Chrome-based browser clones appearing ‘on the market’, and Threat Actors did take notice.

Many infostealers actively look for user profiles associated with these browser paths:

  • \360Chrome\Chrome\
  • \7Star\7Star\
  • \8pecxstudios\Cyberfox\
  • \Amigo\
  • \BraveSoftware\Brave-Browser\
  • \CatalinaGroup\Citrio\
  • \CentBrowser\
  • \Chedot\
  • \Chromium\
  • \CocCoc\Browser\
  • \Comodo\Dragon\
  • \Comodo\IceDragon\
  • \Coowon\Coowon\
  • \CryptoTab Browser\
  • \Elements Browser\
  • \Epic Privacy Browser\
  • \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
  • \Flock\Browser\
  • \Google\Chrome\
  • \Google Chrome Canary\
  • \Chrome SxS\
  • \Iridium\
  • \K-Meleon\
  • \Kometa\
  • \liebao\
  • \MapleStudio\ChromePlus\
  • \Microsoft\Edge\
  • \Moonchild Productions\Pale Moon\
  • \Mozilla\Firefox\
  • \Mozilla\icecat\
  • \Mozilla\SeaMonkey\
  • \NETGATE Technologies\BlackHawk\
  • \Opera Software\Opera Stable\
  • \Orbitum\
  • \Postbox\
  • \QIP Surf\
  • \Sputnik\Sputnik\
  • \Tencent\QQBrowser\
  • \Torch\
  • \uCozMedia\Uran\
  • \Vivaldi\
  • \Waterfox\
  • \Yandex\YandexBrowser\

I believe this is a very comprehensive list, but I bet I missed some entries. If you notice anything missing, please let me know and I will add it.

The bottom line: there are so many browsers and web-control-hosting apps out there today that it makes sense to build a list of keywords that reference them, so we can detect infostealers quickly – in their code, in their data, and/or in the telemetry they generate…
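As an added example (my code, not part of the original post), a small Python scanner that applies a subset of the two lists above to constructed input: the kind of strings you would pull out of a suspect binary, and an ordinary process-creation event. The embedded lists, the sample text and the hit threshold are my own assumptions.

```python
import re

# Constructed subset of the two lists above (process names and profile paths);
# swap in the full lists for real use.
BROWSER_PROCESSES = [
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
    "vivaldi.exe", "iexplore.exe", "MicrosoftEdgeCP.exe", "360chrome.exe",
]
PROFILE_PATHS = [
    "\\Google\\Chrome\\", "\\Chrome SxS\\", "\\BraveSoftware\\Brave-Browser\\",
    "\\Microsoft\\Edge\\", "\\Mozilla\\Firefox\\", "\\Opera Software\\Opera Stable\\",
    "\\Vivaldi\\", "\\Yandex\\YandexBrowser\\", "\\CryptoTab Browser\\",
]

def normalize(text):
    """Lower-case and fold '/' into '\\' so mixed-separator paths still match."""
    return text.lower().replace("/", "\\")

def scan(text):
    """Return the distinct browser process names and profile paths referenced in text."""
    blob = normalize(text)
    # Lookbehind keeps 'chrome.exe' from also firing on '360chrome.exe'.
    procs = [p for p in BROWSER_PROCESSES
             if re.search(r"(?<![a-z0-9_.\-])" + re.escape(p.lower()), blob)]
    paths = [p for p in PROFILE_PATHS if normalize(p) in blob]
    return {"processes": procs, "profile_paths": paths}

def hit_count(text):
    found = scan(text)
    return len(found["processes"]) + len(found["profile_paths"])

def is_suspicious(text, min_hits=3):
    """One browser reference is everyday noise; several in one artefact is the stealer pattern."""
    return hit_count(text) >= min_hits

# Constructed 'strings' output of a hypothetical stealer; not a real sample or IoC.
STEALER_STRINGS = r"""
\Google\Chrome\User Data\Default\Login Data
%LOCALAPPDATA%/BraveSoftware/Brave-Browser/User Data/Default/Cookies
\Yandex\YandexBrowser\User Data\Default\Web Data
taskkill /F /IM chrome.exe
taskkill /F /IM msedge.exe
"""
# Constructed process-creation event for an ordinary Chrome launch.
BENIGN_EVENT = r'Image: C:\Program Files\Google\Chrome\Application\chrome.exe CommandLine: "chrome.exe" --profile-directory=Default'

if __name__ == "__main__":
    for label, sample in (("stealer strings", STEALER_STRINGS), ("benign event", BENIGN_EVENT)):
        print(label, scan(sample), "suspicious" if is_suspicious(sample) else "benign")
```

The benign event still scores two hits (the install path and the image name), which is why the threshold counts distinct references rather than flagging any single match.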

Portability of old Windows programs…

Many people believe that native Windows programs are so deeply integrated with the OS that there is no way to move them between different OS versions. And it’s fair to say that at first this belief was reinforced by that good ol’ fashioned System File Protection (SFP) service, later replaced by the Trusted Installer.

The new Windows 11 Notepad app can be very annoying, plus the news about Notepad AI integration is kinda worrying, so many people revert to Registry hacks to bring the ‘old Notepad’ back. There is more than one way to address this problem, and this post will focus on one of them, one that is less known…

You may not be aware, but the old Windows XP Notepad still works on Windows 11. Secondly, the same can be said about Windows 10 Notepad.

You can literally copy c:\WINDOWS\NOTEPAD.EXE from Windows XP or Windows 10 to Windows 11 and it will work like a charm. For later versions of Windows, Notepad.exe requires its language resource (MUI) file to be copied as well, so you may want to copy the following files:

  • c:\Windows\notepad.exe
  • c:\Windows\en-US\notepad.exe.mui

Once you bring these old versions of Notepad to Windows 11 you can store them in any directory you want. They are — believe it or not — fully portable.

The very same can be said about Windows Calculator. While the Win10 Calculator was the first one pushing the Windows App agenda, the Windows XP Calculator can still run on Windows 11 w/o any issue:

Just copy the c:\WINDOWS\System32\calc.exe from Windows XP to Windows 11 and it will just run.

The portability of old Windows programs should not be underestimated. With all the changes to the Windows ecosystem, with all these embedded-by-default program manifests, with all the push towards Windows Apps and an ad-centric ecosystem, we still have a small window of opportunity to preserve the software that was just good at doing one thing – user-friendly programs that worked: offline, ad-free, and telemetry-free.