Bundled Software: Good or Evil?
July’s potentially unwanted program (PUP) prevalence report shows detections with family names containing "Application.Bundler", such as Application.Bundler.Somoto.I, Gen:Variant.Application.Bundler.OptimumInstaller.1, Gen:Variant.Application.Bundler.DomaIQ.14 and Gen:Application.Bundler.DefaultTab.1.
This article will clarify what an Application Bundler is and how problematic bundlers can be, and explain why Ad-Aware Antivirus detects bundle installers.
An interesting example that passed through our Malware Analysis System was detected as Application.Bundler.Somoto.A.
The installer bundles VLC Media Player with several shopping applications.
Once launched, the installer displays the following dialog window explaining that it will install the popular VLC Media Player. Closer investigation reveals text that says ‘that Bundled Software Uninstaller will be installed along with the player, which will help to remove VLC player’. This is unusual – there should be no need to install a special uninstaller. The application should be removable via Add/Remove Programs in the Control Panel. This is a sign that all may not be what it seems.
For comparison, the original VLC installer from VideoLAN looks like the following:
The second form contains an offer to install “YouTube Accelerator”, which is installed when the user clicks ‘Next’. However, on closer inspection, clicking ‘Next’ also installs “ShopperPro”, an application that displays ‘relevant’ ads.
This ‘offer’ is easily missed in the wall of text presented to the user. The “Skip” button is grey, so even if the user sees it, it appears to be inactive.
The third window uses similar tactics to reconfigure the user’s homepage, search and page shown when a new tab is opened in a browser.
The fourth window, if you look carefully at the overwhelming amount of text, offers something called “trolatunt” – this is adware that plugs into your browser to enable “related search results, site ratings, coupons, site reviews, special offers, multi-searching, and comparison shopping. Additional features may be auto-enabled after installing”.
Finally, we see the Apps Hat toolbar offer that supposedly helps you discover applications in the Android App Store.
When installing this bundle in the lab, the installation process crashed at the very end while downloading the VLC installer. “Better Installer” could be better!
If we take a look at the network activity, we can see that, among other connections to the bundler’s software repositories, it really did attempt to download VLC player (albeit an out-of-date version):
URL | IP |
---|---|
hxxp://d3rs1f9x4ymprm.cloudfront.net/mirror/vuupc/qms.exe | |
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/okiitan/Okiitan_bs.exe | |
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/couponalert/ie_ff/CouponAlerts_new.exe | |
hxxp://212.7.212.137/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe | |
hxxp://download.filesfrog.com/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe | |

```
GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1
Range: bytes=0-
User-Agent: Better Installer(Mozilla)
Host: download.filesfrog.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 206 Partial Content
Server: nginx
Date: Fri, 16 May 2014 02:48:09 GMT
Content-Type: application/octet-stream
Content-Length: 22630361
Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT
Connection: keep-alive
Content-Range: bytes 0-22630360/22630361

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
```

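
The capture above carries three signals a proxy or network-monitoring rule can key on: the installer's User-Agent, a response body that starts with the PE "MZ" magic, and a Last-Modified date far older than the serving date. The following is an added example, not part of the original article or of any Ad-Aware component; the function names, reason labels and the 365-day threshold are assumptions, and the benign sample is constructed.

```python
import re
from email.utils import parsedate_to_datetime

# Assumption: match on the User-Agent prefix seen in the capture above.
BUNDLER_UA = re.compile(r"^Better Installer\b", re.IGNORECASE)

def parse_head(block):
    """Split an HTTP request/response head into (start line, lowercased header dict)."""
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def inspect_exchange(request, response, body_prefix, max_age_days=365):
    """Return the reasons an exchange looks like a bundler pulling a payload."""
    reasons = []
    _, req_h = parse_head(request)
    _, resp_h = parse_head(response)
    if BUNDLER_UA.search(req_h.get("user-agent", "")):
        reasons.append("bundler-user-agent")
    # Judge by content, not file extension or Content-Type: PE files start with "MZ".
    if body_prefix[:2] == b"MZ":
        reasons.append("pe-download")
        served, modified = resp_h.get("date"), resp_h.get("last-modified")
        if served and modified:
            age = parsedate_to_datetime(served) - parsedate_to_datetime(modified)
            if age.days > max_age_days:
                reasons.append("stale-binary")  # the out-of-date build noted above
    return reasons

# Heads copied (trimmed) from the capture above; the benign pair is constructed.
BUNDLER_REQ = """GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1
User-Agent: Better Installer(Mozilla)
Host: download.filesfrog.com"""
BUNDLER_RESP = """HTTP/1.1 206 Partial Content
Date: Fri, 16 May 2014 02:48:09 GMT
Content-Type: application/octet-stream
Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT"""
BENIGN_REQ = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (constructed)
Host: example.test"""
BENIGN_RESP = """HTTP/1.1 200 OK
Date: Fri, 16 May 2014 02:48:09 GMT
Content-Type: text/html"""

if __name__ == "__main__":
    print(inspect_exchange(BUNDLER_REQ, BUNDLER_RESP, b"MZ\x90\x00"))
    print(inspect_exchange(BENIGN_REQ, BENIGN_RESP, b"<!DOCTYPE html>"))
```
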
After the crash the installer starts once again, advising the user to finish the installation.
At the end we may have several PUPs installed, but there is no Media Player installed at all.
The bundle of installed PUPs may vary depending on your geographic location, language and type of browsers.
Taking the above into consideration, we do not recommend running such Application Bundlers: you are likely to find that applications you weren’t planning to install have been installed on your machine. The latest version of Ad-Aware Antivirus can alert you if an attempt is made to download or execute an unwanted bundler. When searching for an application you want to install, we advise visiting the application vendor’s official website, where you can be sure you are downloading the latest version of a product without having to negotiate a seemingly endless stream of unsolicited offers for products.
Read also:
Lavasoft Security Bulletin - July 2014: Top Threats.
Lavasoft Security Bulletin - July 2014: Bot Review.

