PUPs with Rootkit

We discovered numerous cases of PUP installations that include a rootkit component protecting the PUP's files, registry keys and processes on the system. This component is used to defend the PUP against removal by competing PUPs and by automated PUP removal tools.

We are going to consider two PUPs that use the same rootkit to protect their files and registry keys: LinkeyDeals and KingTranslateMediaBar.

The LinkeyDeals extension looks as follows.

It changes the home page and search engine settings to ‘default-search.net’ in Internet Explorer, Mozilla Firefox and Chrome.
If we scan the system with the anti-rootkit tool GMER after LinkeyDeals is installed, we can see the following modifications made by the rootkit.

The following strings were found in the driver’s body; they point to the device name created in the kernel:

Using the driver, the PUP can control operations on the system registry by installing a registry notifier.
The PUP also installs the following kernel-mode hooks to control running processes:

ZwOpenProcess
ZwOpenThread

Using the driver ‘smdmfmgrc2.cfg’, the PUP attaches its filter device object to the Volume Device Object (VDO) of the file system driver (\FileSystem\Ntfs).

The driver’s path for LinkeyDeals:

"%Program Files%\Settings Manager\smdmf\smdmfmgrc2.cfg"

As a result, it blocks deletion and modification of some of its files, registry keys and processes.
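The indicators above (SSDT hooks on ZwOpenProcess and ZwOpenThread, a filter device attached to \FileSystem\Ntfs, and a kernel driver hiding under a .cfg extension outside the drivers directory) can be checked mechanically. The following Python script is an added example, not part of the original article or of any Lavasoft tool; it runs three simple rules over constructed scanner-style log lines (the line format is an assumption, not real GMER output), with the driver path taken from the article.

```python
import os
import re
from typing import Dict, List

# Constructed sample lines in the style of an anti-rootkit scanner report
# (not real GMER output). The driver path and hooked routines are those
# named in the article; the addresses are made up. Fields are separated
# by two or more spaces because paths may contain single spaces.
SAMPLE_REPORT = r"""
SSDT  \??\C:\Program Files\Settings Manager\smdmf\smdmfmgrc2.cfg  ZwOpenProcess  [0x8A5C1234]
SSDT  \??\C:\Program Files\Settings Manager\smdmf\smdmfmgrc2.cfg  ZwOpenThread   [0x8A5C1300]
AttachedDevice  \FileSystem\Ntfs  \Ntfs  \??\C:\Program Files\Settings Manager\smdmf\smdmfmgrc2.cfg
Driver  \SystemRoot\system32\drivers\ntfs.sys
Driver  \SystemRoot\system32\drivers\tcpip.sys
"""

# Routines the article reports as hooked by the rootkit driver.
HOOKED_ROUTINES = {"ZwOpenProcess", "ZwOpenThread"}


def suspicious_module(path: str) -> bool:
    """A kernel-mode image that lacks a .sys extension or lives outside the
    system drivers directory is worth a second look (heuristic, not proof)."""
    ext = os.path.splitext(path)[1].lower()
    return ext != ".sys" or "\\drivers\\" not in path.lower()


def parse_report(text: str) -> List[Dict[str, object]]:
    """Split each non-empty line into a record kind plus its fields."""
    records = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) >= 2:
            records.append({"kind": fields[0], "fields": fields[1:]})
    return records


def find_indicators(text: str) -> List[str]:
    """Return findings matching the behaviour the article describes."""
    findings = []
    for rec in parse_report(text):
        kind, flds = rec["kind"], rec["fields"]
        if kind == "SSDT" and len(flds) >= 2:
            module, routine = flds[0], flds[1]
            if routine in HOOKED_ROUTINES and suspicious_module(module):
                findings.append(f"hook on {routine} by {module}")
        elif kind == "AttachedDevice" and len(flds) >= 3:
            target, module = flds[0], flds[-1]
            if target.lower() == r"\filesystem\ntfs" and suspicious_module(module):
                findings.append(f"filter attached to {target} by {module}")
        elif kind == "Driver" and flds and suspicious_module(flds[0]):
            findings.append(f"driver image with odd extension or location: {flds[0]}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REPORT):
        print(finding)
```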

On a positive note, the standard uninstaller can be used to remove the Linkey PUP together with its rootkit component with no ill effects. A reboot is needed to remove the attached device.

However, the PUP leaves its home page and search engine settings in the user’s Internet browsers. It is up to the user to restore their browser settings.

The second PUP, KingTranslateMediaBar, uses a rootkit with similar functionality but under a different file name:

"%Program Files%\Music App\Datamngr\setmgrc2.cfg"

This time ‘search.ask.com’ is set as the start page and default search engine.

In Chrome:

In Internet Explorer:

As in the previous case, the PUP can be uninstalled via “Control Panel->Programs and Features”.

Removing Music Search App for Internet Explorer:

Removing Music Search App for Mozilla Firefox:

Removing Music Search App for Chrome:

Again, the user needs to restore the settings in the affected Internet browsers.
The PUP could not install the rootkit component on Windows 7 and 8.
Finally, we do not recommend installing any PUP that can modify your Internet browser settings, as it may lead to unstable operation of the affected Internet browser(s).

Read also:
Lavasoft Security Bulletin - September 2014: Top Threats.
Lavasoft Security Bulletin - September 2014: Bot Review.
