July 19, 2013 By Dancho Danchev

Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)

German Web users, watch what you install on your PCs!

Our sensors just picked up yet another rogue/deceptive ad campaign enticing visitors to install the bogus PC performance-enhancing software known as ‘PCPerformer’, which in reality is a Potentially Unwanted Application (PUA) that tricks users into installing unwanted software (the Delta Toolbar in particular) on their PCs.

More details:

Sample screenshot of the actual advertisement:


Sample screenshot of the landing page:


The PUA is digitally signed by Performersoft LLC.

Rogue URLs:
hxxp://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php – 216.146.46.10; 216.146.46.11
hxxp://www.softologicsc.com/download
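
A way to hunt for these indicators in web proxy logs, as an added example that is not part of the original post. The five-field log format, the `classify` and `hunt` helpers and the sample log lines are assumptions constructed for illustration; only the URLs and IPs come from the list above.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the "Rogue URLs" list above (still defanged).
DEFANGED_URLS = [
    "hxxp://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php",
    "hxxp://www.softologicsc.com/download",
]
ROGUE_IPS = {"216.146.46.10", "216.146.46.11"}

def refang(url):
    """Turn hxxp:// and [.] notation back into a URL that urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def host_of(url):
    return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")

# Match the bare domain and any subdomain, not only the www host.
ROGUE_DOMAINS = sorted({re.sub(r"^www\.", "", host_of(u)) for u in DEFANGED_URLS})

def classify(line):
    """Assumed log format: 'timestamp client_ip dest_ip method url'."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _, client, dest_ip, _, url = fields
    host = host_of(url)
    for domain in ROGUE_DOMAINS:
        # Exact or dot-anchored suffix match, so lookalike hosts do not hit.
        if host == domain or host.endswith("." + domain):
            return client, "domain:" + domain
    if dest_ip in ROGUE_IPS:
        # IP-only hit: weaker evidence, since one host can serve unrelated sites.
        return client, "ip:" + dest_ip
    return None

def hunt(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-07-19T09:12:03Z 10.0.0.21 216.146.46.10 GET http://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php",
    "2013-07-19T09:12:40Z 10.0.0.21 198.51.100.7 GET http://WWW.SoftologicSC.com/download",
    "2013-07-19T09:15:11Z 10.0.0.35 216.146.46.11 GET http://cdn.example.com/setup.exe",
    "2013-07-19T09:16:02Z 10.0.0.40 192.0.2.80 GET http://www.fasterstrongerpc.net.example.org/",
    "2013-07-19T09:17:30Z 10.0.0.40 192.0.2.81 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for client, reason in hunt(SAMPLE_LOG):
        print(client, reason)
```
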

Detection rate for the Potentially Unwanted Application (PUA) – MD5: d8c542ced7879d0ca4a1a69d0ca97a53 – detected by 4 out of 47 antivirus scanners as Adware.Downware.1295; APPL/InstallBrain.Gen.


Related MD5s from the same family, known to have been downloaded from the same IPs (216.146.46.10; 216.146.46.11) in the past:

Webroot SecureAnywhere users are proactively protected from these PUAs.
