Bundled Software: Good or Evil?

July’s potentially unwanted program (PUP) prevalence report sees detections with family names containing "Application.Bundler", such as Application.Bundler.Somoto.I, Gen:Variant.Application.Bundler.OptimumInstaller.1, Gen:Variant.Application.Bundler.DomaIQ.14 and Gen:Application.Bundler.DefaultTab.1.
This article clarifies what an Application Bundler is and how problematic bundlers can be, and explains why Ad-Aware Antivirus detects bundle installers.

An interesting example passed through our Malware Analysis System detected as Application.Bundler.Somoto.A.
The installer bundles VLC Media Player with several shopping applications.
Once launched, the installer displays the following dialog window explaining that it will install the popular VLC Media Player. Closer investigation reveals text that says ‘that Bundled Software Uninstaller will be installed along with the player, which will help to remove VLC player’. This is unusual – there should be no need to install a special uninstaller. The application should be removable via Add/Remove Programs in the Control Panel. This is a sign that all may not be what it seems.

For comparison, the original VLC installer from VideoLAN looks like the following:

The second form contains an offer to install “YouTube Accelerator”, which is installed when the user clicks ‘Next’. However, looking closely, by clicking next, “ShopperPro”, an application that displays ‘relevant’ ads, will also be installed.
This ‘offer’ is easily missed in the wall of text presented to the user. The “Skip” button is grey, so even if the user sees it, it appears to be inactive.

The third window uses similar tactics to reconfigure the user’s homepage, search and page shown when a new tab is opened in a browser.

The fourth window, if you look carefully at the overwhelming amount of text, offers something called “trolatunt” – this is adware that plugs into your browser to enable “related search results, site ratings, coupons, site reviews, special offers, multi-searching, and comparison shopping. Additional features may be auto-enabled after installing”.

Finally, we see the Apps Hat toolbar offer that supposedly helps you discover applications in the Android App Store.

When installing this bundle in the lab, the installation process crashed at the very end while downloading the VLC installer. “Better Installer” could be better!

If we take a look at network activity we can see that, among other connections to the bundler’s software repositories, it really did attempt to download VLC player (albeit, an out of date version):

URL IP
hxxp://d3rs1f9x4ymprm.cloudfront.net/mirror/vuupc/qms.exe 216.137.41.87
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/okiitan/Okiitan_bs.exe 54.230.21.146
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/couponalert/ie_ff/CouponAlerts_new.exe 54.230.21.146
hxxp://212.7.212.137/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe
hxxp://download.filesfrog.com/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe


GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1
Range: bytes=0-
User-Agent: Better Installer(Mozilla)
Host: download.filesfrog.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Server: nginx
Date: Fri, 16 May 2014 02:48:09 GMT
Content-Type: application/octet-stream
Content-Length: 22630361
Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT
Connection: keep-alive
Content-Range: bytes 0-22630360/22630361


MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
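
The traits visible in this capture (the installer's User-Agent, an executable body, and a payload whose Last-Modified is far older than the download date) can be checked mechanically in proxy or PCAP triage. The following is an added example, not code from the original article or from Ad-Aware; the marker list, the one-year staleness threshold and the function names are assumptions, and the sample input is constructed from the headers shown above.

```python
from email.utils import parsedate_to_datetime

# Constructed from the capture shown above (headers copied from the article).
REQUEST = (
    "GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1\r\n"
    "Range: bytes=0-\r\n"
    "User-Agent: Better Installer(Mozilla)\r\n"
    "Host: download.filesfrog.com\r\n"
    "\r\n"
)
RESPONSE_HEAD = (
    "HTTP/1.1 206 Partial Content\r\n"
    "Date: Fri, 16 May 2014 02:48:09 GMT\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT\r\n"
    "\r\n"
)
BODY_PREFIX = b"MZ\x90\x00"  # constructed: only the "MZ" magic is taken from the page

UA_MARKERS = ("better installer",)  # assumption: substring match on the captured UA
STALE_DAYS = 365                    # assumption: threshold for an out-of-date payload


def parse_head(raw):
    """Split an HTTP head into (start_line, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(request, response_head, body_prefix):
    """Return a list of findings for one request/response pair."""
    findings = []
    req_line, req = parse_head(request)
    _, resp = parse_head(response_head)
    path = req_line.split(" ")[1]
    if any(m in req.get("user-agent", "").lower() for m in UA_MARKERS):
        findings.append("bundler-user-agent")
    if body_prefix.startswith(b"MZ") or path.lower().endswith(".exe"):
        findings.append("executable-download")
    if "date" in resp and "last-modified" in resp:
        age = parsedate_to_datetime(resp["date"]) - parsedate_to_datetime(resp["last-modified"])
        if age.days > STALE_DAYS:
            findings.append(f"stale-payload:{age.days}d")
    return findings
```

Run against the captured exchange, `triage(REQUEST, RESPONSE_HEAD, BODY_PREFIX)` reports all three findings; the stale-payload check reflects the 19-month gap between the file's Last-Modified header and the download date.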



After the crash the installer starts once again, advising the user to finish the installation.
At the end we may have several PUPs installed, but there is no Media Player installed at all.

The bundle of installed PUPs may vary depending on your geographic location, language and type of browsers.

Taking the above into consideration, we do not recommend running such Application Bundlers - you are likely to find that applications you weren’t planning to install have been installed on your machine. The latest version of Ad-Aware Antivirus can alert you if an attempt is made to download or execute an unwanted bundler. When searching for an application you want to install, we advise visiting the application vendor’s official website, where you can be sure you are downloading the latest version of a product without having to negotiate a seemingly endless stream of unsolicited offers for products.

Read also:
Lavasoft Security Bulletin - July 2014: Top Threats.
Lavasoft Security Bulletin - July 2014: Bot Review.
