In July’s potentially unwanted program (PUP) prevalence report sees detections with family names containing "Application.Bundler" such as Application.Bundler.Somoto.I, Gen:Variant.Application.Bundler.OptimumInstaller.1, Gen:Variant.Application.Bundler.DomaIQ.14 and Gen:Application.Bundler.DefaultTab.1.
This article will clarify what an Application Bundler is, how problematic they can be and explain why Ad-Aware Antivirus detects bundle installers.

An interesting example passed through our Malware Analysis System detected as Application.Bundler.Somoto.A.
The installer bundles VLC Media Player with several shopping applications.
Once launched, the installer displays the following dialog window explaining that it will install the popular VLC Media Player. Closer investigation reveals text that say ‘that Bundled Software Uninstaller will be installed along with the player, which will help to remove VLC player’. This is unusual – there should be no need to install a special uninstaller. The application should be removable via the Add/Remove Programs in the Control Panel. This is a sign that all may not be what it seems.

To compare the original VLC installer from VideoLan looks like the following:

The second form contains an offer to install “YouTube Accelerator”, which is installed when the user clicks ‘Next’. However, looking closely, by clicking next, “ShopperPro”, an application that displays ‘relevant’ ads, will also be installed.
This ‘offer’ is easily missed in the wall of text presented to the user. The “Skip” button is grey, which , even if the user sees it, appears to be inactive.

The third window uses similar tactics to reconfigure the user’s homepage, search and page shown when a new tab is opened in a browser.

The fourth window, if you look carefully at the overwhelming amount of text, offers something called “trolatunt” – this is adware that plugs into your browser to enable “related search results, site ratings, coupons, site reviews, special offers, multi-searching, and comparison shopping. Additional features may be auto-enabled after installing”.

Finally we see the Apps Hat toolbar offer that supposedly helps you discover aplications in the Android App Store.

When installing this bundle in the lab, the installation process crashed at the very end while downloading VLC installer. “Better Installer” could be better!

If we take a look at network activity we can see that, among other connections to the bundler’s software repositories, it really did attempt to download VLC player (albeit, an out of date version):

URL	IP
hxxp://d3rs1f9x4ymprm.cloudfront.net/mirror/vuupc/qms.exe	216.137.41.87
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/okiitan/Okiitan_bs.exe	54.230.21.146
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/couponalert/ie_ff/CouponAlerts_new.exe	54.230.21.146
hxxp://212.7.212.137/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe
hxxp://download.filesfrog.com/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 22630361

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 0-22630360/22630361

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................