June 26, 2013 By Dancho Danchev

Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)

Following last week’s profile of yet another InstallCore Potentially Unwanted Application (PUA) campaign, we detected another rogue ad campaign this week, this time enticing E.U.-based users into downloading and installing a fake “Free Codec Pack”. Users who install it sacrifice their privacy because of the additional toolbars that will be installed on their PCs.

More details:

Sample screenshot of the landing page:

[Screenshot: “Ultimate Codec” free codec download landing page]

Based on our observations, the campaign operators use a variety of paid ads placed above the search results on some of the most popular search engines and, naturally, take advantage of market/segment targeting, displaying the ads only to selected audiences.

Domain name reconnaissance:
bestcodecpackapp.com – 50.19.220.248; 23.21.144.61; 23.23.144.245; 174.129.22.118

Detection rate for the Potentially Unwanted Application (PUA) InstallCore – CodecPack.exe – MD5: 2f959f5783e36e30a89f8f3ec666f16d – detected by 7 out of 45 antivirus scanners as Win32/InstallCore.BN.Gen; Adware.InstallCore.114; Artemis!2F959F5783E3; TROJ_GEN.F47V0522.

The sample is digitally signed by ‘ClickRunSoftware’.

Known rogue domains and MD5s associated with these IPs:

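The pivot used in this section (seed domain to its resolved IPs, then to other domains seen on those same IPs) can be reproduced over passive-DNS data. The following is an added example, not code from the original post: the records are constructed with reserved `.example` names and documentation addresses, and the `min_shared` threshold is an assumption used to separate co-hosted campaign infrastructure from incidental shared hosting.

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, IP). Names use the reserved
# .example TLD and RFC 5737 documentation addresses; none come from the post.
PDNS = [
    ("seed-codec.example", "192.0.2.10"),
    ("seed-codec.example", "192.0.2.11"),
    ("seed-codec.example", "198.51.100.7"),
    ("pdf-tool.example", "192.0.2.10"),
    ("pdf-tool.example", "192.0.2.11"),
    ("pdf-tool.example", "198.51.100.7"),
    ("Video-Tool.example.", "192.0.2.10"),     # mixed case, trailing dot
    ("video-tool.example", "198.51.100.7"),
    ("unrelated-blog.example", "192.0.2.11"),  # overlaps on one IP only
    ("other-site.example", "203.0.113.5"),     # no overlap with the seed
]


def normalize(domain):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")


def pivot(records, seed, min_shared=2):
    """Split domains co-hosted with `seed` into (related, weak).

    related: share at least `min_shared` IPs with the seed (assumed threshold).
    weak:    share fewer IPs; may just be neighbours on shared hosting.
    Both map domain -> sorted list of the IPs it shares with the seed.
    """
    ips_of = defaultdict(set)
    for domain, ip in records:
        ips_of[normalize(domain)].add(ip)

    seed = normalize(seed)
    seed_ips = ips_of.get(seed, set())
    related, weak = {}, {}
    for domain, ips in ips_of.items():
        shared = ips & seed_ips
        if domain == seed or not shared:
            continue
        bucket = related if len(shared) >= min_shared else weak
        bucket[domain] = sorted(shared)
    return related, weak


if __name__ == "__main__":
    related, weak = pivot(PDNS, "seed-codec.example")
    print("likely same infrastructure:", related)
    print("single-IP overlap, verify before blocking:", weak)
```

Domains in the weak bucket deserve a second signal, such as a matching signer or landing-page template, before they are treated as part of the same campaign.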

We’ll continue monitoring these ongoing privacy-invading campaigns serving Potentially Unwanted Applications (PUAs). Meanwhile, users are advised to avoid installing the rogue “Ultimate Codec” application.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
