June 24, 2013 By Dancho Danchev

Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)

Our sensors continue detecting rogue ads that expose users to bogus propositions in an attempt to install privacy-invading Potentially Unwanted Applications (PUAs) on their PCs. The most recent campaign brand-jacks Mozilla's Firefox browser, supposedly offered for free, while in reality the rogue download manager entices users into installing multiple rogue toolbars, a bundle most commonly known as InstallCore.

More details:

Sample screenshot of the landing page:


Rogue download URL:
hxxp://www.ez-download.com/mozilla-firefox

Detection rate for the Potentially Unwanted Application (PUA), MD5: 20dfcef31256c86b888b9eee0bf8be1d: detected by 4 out of 47 antivirus scanners as Adware.InstallCore.86; Win32/InstallCore.BL; InstallCore (fs).

The rogue sample is digitally signed by ‘Secure Installer’.

Once executed, it phones back to:
media.ez-download.com – 54.230.12.193
os.downloadster2cdn.com – 54.245.235.34
cdn.secureinstaller.com – 54.230.12.162
img.downloadster2cdn.com – 199.58.87.151
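A defender-side check for the indicators above, added here as an example and not part of the original post: it scans a constructed web-proxy log (the five-field line format and the benign hosts are assumptions) for the download URL, the phone-home hosts and their IPs, and flags a request by destination IP even when the hostname is not on the list, the same infrastructure pivot the post uses to relate other domains to these IPs.

```python
import ipaddress
from urllib.parse import urlparse
# Indicators quoted from the post; the page gives the download URL defanged ("hxxp").
DOWNLOAD_URL = "hxxp://www.ez-download.com/mozilla-firefox"
PHONE_HOME = {  # host -> IP the sample contacted once executed
    "media.ez-download.com": "54.230.12.193",
    "os.downloadster2cdn.com": "54.245.235.34",
    "cdn.secureinstaller.com": "54.230.12.162",
    "img.downloadster2cdn.com": "199.58.87.151",
}

def refang(indicator):
    """Turn a defanged indicator (hxxp://, hxxps://, [.]) back into a real URL."""
    return indicator.replace("hxxp", "http", 1).replace("[.]", ".")

IOC_HOSTS = set(PHONE_HOME) | {urlparse(refang(DOWNLOAD_URL)).hostname}
IOC_IPS = {ipaddress.ip_address(ip) for ip in PHONE_HOME.values()}

def check_request(url, dest_ip):
    """Reasons a single proxied request matches the campaign indicators (empty = clean)."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append(f"host {host} is a known campaign host")
    try:
        if ipaddress.ip_address(dest_ip) in IOC_IPS:
            reasons.append(f"destination {dest_ip} is a known phone-home IP")
    except ValueError:
        pass  # unparseable IP field: fall back to the hostname verdict only
    return reasons

def scan_proxy_log(lines):
    """Return (client_ip, url, reasons) for each log line matching an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing field positions
        _ts, client, _method, url, dest = fields
        reasons = check_request(url, dest)
        if reasons:
            hits.append((client, url, reasons))
    return hits
# Constructed sample log, "<ts> <client_ip> <method> <url> <dest_ip>" (test-net IPs for non-campaign hosts)
SAMPLE_LOG = [
    "2013-06-24T10:01:02Z 10.0.0.5 GET http://benign.test/index.html 203.0.113.10",
    "2013-06-24T10:01:09Z 10.0.0.5 GET http://www.ez-download.com/mozilla-firefox 198.51.100.20",
    "2013-06-24T10:02:30Z 10.0.0.5 POST http://os.downloadster2cdn.com/report 54.245.235.34",
    "2013-06-24T10:02:31Z 10.0.0.7 GET http://unknown-host.test/asset.js 199.58.87.151",
]
```

The last sample line is the interesting one: a host never seen before still trips the check because it resolved to a known phone-home IP.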

Rogue domains known to have phoned back to 54.245.235.34 in the past:

Potentially Unwanted Application MD5s known to have phoned back to the same IP (54.245.235.34) in the past:


Rogue domains known to have phoned back to 199.58.87.151 in the past:

Potentially Unwanted Application MD5s known to have phoned back to the same IP (199.58.87.151) in the past:

We advise users to avoid interacting with ads enticing them into downloading well-known software applications, and to always visit the official Web sites in order to obtain the latest versions.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. […] To see all the URLs and IP Addresses connected to these malicious programs, visit Webroot Threat Blog. […]

  2. […] last week’s profile of yet another InstallCore Potentially Unwanted Application (PUA) campaign, we detected another rogue ad campaign this week. This time enticing E.U based users into […]
