Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)


German Web users, watch what you install on your PCs!

Our sensors just picked up yet another rogue/deceptive ad campaign enticing visitors to install the bogus PC performance-enhancing software known as ‘PCPerformer’, which in reality is a Potentially Unwanted Application (PUA) that tricks users into installing, in particular, the Delta Toolbar on their PCs.

More details:

Sample screenshot of the actual advertisement:


Sample screenshot of the landing page:


The PUA is digitally signed by Performersoft LLC.

Rogue URLs:
hxxp://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php – 216.146.46.10; 216.146.46.11
hxxp://www.softologicsc.com/download

Detection rate for the Potentially Unwanted Application (PUA) – MD5: d8c542ced7879d0ca4a1a69d0ca97a53 – detected by 4 out of 47 antivirus scanners as Adware.Downware.1295; APPL/InstallBrain.Gen.
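
One way to hunt for these indicators in web proxy logs, as an added example that is not part of the original post. The log layout (`timestamp client_ip dest_ip method url [md5=<hex>]`) and the sample lines are assumptions constructed for illustration; the URLs, IPs and MD5 are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post above (URLs are defanged there as hxxp://).
DEFANGED_URLS = [
    "hxxp://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php",
    "hxxp://www.softologicsc.com/download",
]
IOC_IPS = {"216.146.46.10", "216.146.46.11"}
IOC_MD5S = {"d8c542ced7879d0ca4a1a69d0ca97a53"}

def refang(url):
    """Turn a defanged hxxp:// indicator back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def norm_host(url):
    """Lower-cased host of a URL without a leading 'www.' or trailing dot."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

IOC_DOMAINS = {norm_host(refang(u)) for u in DEFANGED_URLS}

def match_line(line):
    """Return the indicators hit by one log line (assumed field layout)."""
    fields = line.split()
    if len(fields) < 5:
        return []
    dest_ip, host = fields[2], norm_host(fields[4])
    # Match the domain itself or any subdomain, but not look-alike names.
    hits = ["host:" + d for d in sorted(IOC_DOMAINS)
            if host == d or host.endswith("." + d)]
    if dest_ip in IOC_IPS:
        hits.append("ip:" + dest_ip)
    m = re.search(r"\bmd5=([0-9a-fA-F]{32})\b", line)
    if m and m.group(1).lower() in IOC_MD5S:
        hits.append("md5:" + m.group(1).lower())
    return hits

def scan(lines):
    """Pair each matching log line with the indicators it hit."""
    return [(ln, hits) for ln in lines if (hits := match_line(ln))]

# Constructed sample log: timestamps, client IPs, non-IoC hosts and paths are made up.
SAMPLE_LOG = [
    "2000-01-01T00:00:01Z 10.0.0.21 216.146.46.10 GET http://www.fasterstrongerpc.net/pcperformer/st2/pcperformer-st2-de.php",
    "2000-01-01T00:00:02Z 10.0.0.22 198.51.100.7 GET http://example.org/index.html",
    "2000-01-01T00:00:03Z 10.0.0.23 216.146.46.11 GET http://216.146.46.11/file md5=D8C542CED7879D0CA4A1A69D0CA97A53",
    "2000-01-01T00:00:04Z 10.0.0.24 203.0.113.5 GET http://notfasterstrongerpc.net/",
]
```

Calling `scan(SAMPLE_LOG)` returns the first and third lines with the indicators each one hit; the look-alike host in the last line is not flagged.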


Related samples, part of the same family, are known to have been downloaded from the same IPs (216.146.46.10; 216.146.46.11) in the past.

Webroot SecureAnywhere users are proactively protected from these PUAs.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

