The PUP That Can Detect Anti-Malware Programs

In last month’s Security Bulletin we talked about issues surrounding bundled software and explained why AV companies often detect such programs as potentially unwanted programs a.k.a ‘PUP’.

This month we are going to walk through an interesting example of bundled software called Media Player by VideoBuzz (detected by Ad-Aware as Gen:Variant.Application.MediaFinder.2), which brings hidden surprises to a user.

As is typical of bundling installers, it notifies the user that the player is supported by offers. In this example, ResultsBay, SmartDriver Updater, SpeedUpMyPC and DriverScanner are on offer.

After installation, the following application icons are placed on the desktop.

So-called optimization and update tools often provide no additional benefit and rarely solve any real problem; in fact, they frequently detract from the user experience with frequent popups badgering the user to buy the full version. These tools are generally not recommended: Windows already includes standard tools to update and optimize the operating system, such as Microsoft Windows Update, which can be set up to download necessary updates automatically.

However, not all of the bundled software is mentioned during installation. In addition, the Linkey browser extension (detected by Ad-Aware as Adware.Linkey.C) is surreptitiously installed into the Internet Explorer, Chrome and Mozilla Firefox browsers. The Linkey window:

With Linkey on board, Internet Explorer looks as follows.

The Chrome and Firefox browsers ask for confirmation to install the extension.

The extension sets the home page and search engine to www.default-search.net without any notification.

The last, but not least interesting, peculiarity of the Media Player bundler is its ability to detect antivirus and firewall components installed on the computer. Inspecting the installer reveals the following registry keys, which it uses to check for the presence of the corresponding security solutions.

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D2B0322-44AE-460E-9283-4D2D7A9205AE}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{40E12A55-C504-4223-AFAC-7672DBF1ACDE}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4FF9E8AA-D554-4CE7-89F9-B69DAA5A1E98}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B02D047-A56D-4994-B1F1-53DA6B9885AB}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5AA006A-1ABE-4F16-B6E1-FEE1F7D38102}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B3AEF776-7FFF-4C50-A402-9119E3849EE0}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
SOFTWARE\grisoft\avg7
SOFTWARE\Avg
SOFTWARE\ALWIL Software\Avast\4.0
SOFTWARE\AVAST Software\Avast
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware
SOFTWARE\Lavasoft\Ad-Aware
SOFTWARE\McAfee
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSC
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{27C467F8-F8EF-4f68-BD72-D63632B2096C}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NIS
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSS
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NAV
SOFTWARE\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}
Norton Internet Security
SOFTWARE\Symantec\InstalledApps

Once a program is found, the installer sends a corresponding application code to the PUP’s server. For example, “ada” stands for Lavasoft Ad-Aware, “ntn” for Norton Antivirus and Firewall, “mca” for McAfee, “avt” for Avast, “avg” for AVG and “tdm” for Trend Micro.

JSON object sent to the PUP's server
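To show how a defender would spot this behaviour in endpoint telemetry, here is an added example (not code from the bulletin or from the PUP) that scores a constructed Process Monitor-style registry log: a process that opens the uninstall or vendor keys of several different security products in a row is flagged, whether or not those keys exist. The vendor grouping is assumed from the key names quoted above; the GUID-named keys are left out because the bulletin does not say which products they belong to.

```python
from collections import defaultdict

# Vendor grouping assumed from the key names quoted in the bulletin
# (substrings, compared case-insensitively). The GUID-named keys are
# omitted because the bulletin does not say which product each belongs to.
VENDOR_KEYS = {
    "AVG": ["\\Uninstall\\AVG", "\\grisoft\\avg7", "SOFTWARE\\Avg"],
    "Avast": ["ALWIL Software\\Avast", "AVAST Software\\Avast", "\\Uninstall\\avast"],
    "Ad-Aware": ["\\Uninstall\\Ad-Aware", "Lavasoft\\Ad-Aware"],
    "McAfee": ["SOFTWARE\\McAfee", "\\Uninstall\\MSC"],
    "Norton/Symantec": ["\\Uninstall\\NIS", "\\Uninstall\\NSS", "\\Uninstall\\NAV",
                        "SOFTWARE\\Norton\\", "Symantec\\InstalledApps"],
}

# Constructed sample in a Process Monitor-style CSV export:
# process,pid,operation,path,result
SAMPLE_LOG = """\
MediaPlayerSetup.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG,NAME NOT FOUND
MediaPlayerSetup.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\ALWIL Software\\Avast\\4.0,NAME NOT FOUND
MediaPlayerSetup.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\Lavasoft\\Ad-Aware,SUCCESS
MediaPlayerSetup.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\McAfee,NAME NOT FOUND
MediaPlayerSetup.exe,4120,RegOpenKey,HKLM\\SOFTWARE\\Symantec\\InstalledApps,NAME NOT FOUND
explorer.exe,1188,RegOpenKey,HKLM\\SOFTWARE\\Lavasoft\\Ad-Aware,SUCCESS
"""

def vendor_for_path(path):
    """Return the security vendor a registry path reveals, or None."""
    p = path.lower()
    for vendor, fragments in VENDOR_KEYS.items():
        if any(f.lower() in p for f in fragments):
            return vendor
    return None

def probed_vendors(log_text):
    """(process, pid) -> vendors whose keys it opened; NAME NOT FOUND probes count too."""
    seen = defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        proc, pid, op, path, _result = line.split(",", 4)
        if op == "RegOpenKey":
            vendor = vendor_for_path(path)
            if vendor:
                seen[(proc, int(pid))].add(vendor)
    return seen

def flag_av_enumeration(log_text, min_vendors=3):
    """Flag processes that open keys of >= min_vendors distinct security products."""
    return sorted((proc, pid, sorted(v))
                  for (proc, pid), v in probed_vendors(log_text).items()
                  if len(v) >= min_vendors)
```

The breadth of vendors probed, not the result of any single lookup, is the signal: a legitimate product touching its own key once (explorer.exe above) is not flagged.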

Another bundler, AbiWord Personal (detected by Ad-Aware as Application.Bundler.BH), which contains the same set of offers, also checks for running virtual machines and debuggers.

JSON object sent to the PUP's server

A question arises: why do the PUP installers collect and send such information to a remote server? To get a better offer, or to download malware/adware that is not detected by this particular antivirus? Interestingly, this AV tracking methodology is used as part of server-side polymorphism, where a newly generated piece of polymorphic malware is checked against popular antiviruses before delivery to avoid being detected.

Let us try to find out from the Privacy Policy what information the installer may collect and for what purpose. The Privacy Policy linked in the installer shows only a summary (http://policy.w3i.com/privacypolicy.html).

The complete Privacy Policy is available at the following link (http://policy.w3i.com/PrivacyPolicy_Full.html#InfoCollect). The section “Aggregate Information We Collect” describes the tracking of installed software.

“We employ a technology that allows us to determine the operating systems you are using and to view your computer's registry. Software installed on your computer has unique registry keys. By viewing your registry, we are able to detect whether you have a compatible computer for the Service and Offers. We use your registry information and other Aggregate information to determine whether our software offers are compatible with software already present on your computer. We do not tie registry information gathered to our customers' Personally Identifiable Information.”

According to the full version of the Privacy Policy, all collected information is used only for compatibility checks, although it is not clear why the installer checks for the presence of debuggers, or how that information could serve software compatibility.

Read also:
Lavasoft Security Bulletin - August 2014: Top Threats.
Lavasoft Security Bulletin - August 2014: Bot Review.
