{"id":11405,"date":"2013-06-13T00:00:42","date_gmt":"2013-06-13T07:00:42","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=11405"},"modified":"2018-01-30T12:36:45","modified_gmt":"2018-01-30T19:36:45","slug":"rogue-ads-lead-to-safemonitorapp-potentially-unwanted-application-pua","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/06\/13\/rogue-ads-lead-to-safemonitorapp-potentially-unwanted-application-pua\/","title":{"rendered":"Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)"},"content":{"rendered":"

By Dancho\u00a0Danchev<\/strong><\/p>\n

Our sensors just picked up yet another rogue ad enticing users into installing the SafeMonitorApp, a potentially unwanted application (PUA)<\/strong><\/a> that socially engineers users into giving away their privacy through deceptive advertising of the rogue application’s “features”.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the landing page, featuring a bogus ‘Norton Secured’ Seal:<\/strong><\/p>\n

\"SafeMonitorApp_PUA_01\"<\/a><\/p>\n

Sample screenshot of the installation process:<\/strong><\/p>\n

\"SafeMonitorApp_PUA\"<\/a><\/p>\n

Rogue URL:<\/strong> hxxp:\/\/www.safemonitorapp.com<\/em><\/p>\n

Detection rate for the Potentially Unwanted Application (PUA) – MD5: eaa96a5208df256251e0b66616070e3a<\/strong><\/a>\u00a0– detected by 6 out of 47 antivirus scanners as a variant of Win32\/ExFriendAlert.B; SearchDonkey (fs).<\/p>\n

Once executed, the sample drops the following MD5s on the affected hosts:<\/strong>
\nMD5: ab73c0c2a23f913eabdc4cb24b75cbad
\nMD5: e563648ef955995fd109d4232d73201c
\nMD5: 389cbb8359d19d3753372ad1dea76618
\nMD5: e77df74a83b6e8c14b18f0681e4bdf46
\nMD5: edbb5cbaabcde52fa9822b5fe3f11f5a
\nMD5: f89a352a0cac2918b96df24a00a6b7ad
\nMD5: 93119058502398fefa04a2c2848c5716
\nMD5: d41d8cd98f00b204e9800998ecf8427e
\nMD5: 951c85a09dca9af7c52a8bcc17181fca
\nMD5: a783d28e15e07a38d9bbc1723ff93d1d
\nMD5: 0f904319c685830e08b793a94bcb29b3
\nMD5: c946d058e89e5dd47dd8812fe21a5a01
\nMD5: 00a0194c20ee912257df53bfe258ee4a
\nMD5: 68f5aeeaa307ca05233412ac3fb77643
\nMD5: 61fd777443084ed61c05c22e8e3c3eff
\nMD5: bf2c5f2b94cd7fd780572ed4d6d53ec6
\nMD5: 90d2959d0f5ab6bd68512fbfe1be05c4
\nMD5: 063cafc1ae75c1e6702d1fc671e7a941
\nMD5: 3a3a9223dd834d9898fdd8bf260bc373
\nMD5: 9e36cea59147bc7cd39ff85b91e9b925
\nMD5: 5c04a9320f466ba35407aba45d69be18
\nMD5: 2cfba79d485cf441c646dd40d82490fc<\/p>\n

Phones back to s.safemonitorapp.com – 66.135.32.42, in particular, the following URLs:<\/strong>
\nhxxp:\/\/s.safemonitorapp.com\/InsertInstallNotice3.ashx?v=SFMN_P0_2.6.17&p=590&c=211&m=start-myOnGuiInitStart&g=&i=p<\/em>
\nhxxp:\/\/s.safemonitorapp.com\/InsertInstallNotice3.ashx?v=SFMN_P0_2.6.17&p=590&c=230&m=CopyFilesEnd&g=db9bdab426e648d094d927b1e8e5a128&i=p<\/em><\/p>\n

The following domains are also known to have phoned back to the same IP (66.135.32.42) :<\/strong>
\nbetterwebapps.org<\/em>
\nl.spyguardapp.com<\/em>
\nm.exfriendalert.com<\/em>
\nm.reboundalert.com<\/em>
\nm.spyalertapp.com<\/em>
\nm.spyguardapp.com<\/em>
\nm.tvgenieapp.com<\/em>
\nm.unfriendapp.com<\/em>
\ns.autoupdateserver.com<\/em>
\ns.betterwebapps.org<\/em>
\ns.exfriendalert.com<\/em>
\ns.infoseekerapp.com<\/em>
\ns.injekt.com<\/em>
\ns.provideodownloader.com<\/em>
\ns.reboundalert.com<\/em>
\ns.recordcheckerapp.com<\/em>
\ns.safemonitorapp.com<\/em>
\ns.searchdonkeyapp.com<\/em>
\ns.spyalertapp.com<\/em>
\ns.spyguardapp.com<\/em>
\ns.spyscoutapp.com<\/em>
\ns.tvgenieapp.com<\/em>
\ns.unfriendapp.com<\/em>
\ns.unfriendtool.com<\/em>
\nu.safemonitorapp.com<\/em>
\nu.tvgenieapp.com<\/em>
\nu.unfriendapp.com<\/em>
\nautoupdateserver.com<\/em><\/p>\n

What’s worth emphasizing on regarding the SafeMonitorApp in terms of preserving your privacy? Their EULA\/Privacy Policy speaks for itself:<\/p>\n

Safe Monitor is supported by advertising, which may include display, in-text and\/or interstitial ads. Users may see additional display ads on websites that the product runs on or adds functionality to. You will see approximately 1 display ad per page on content sites; however, at times as many as 5 display advertisements per page.<\/strong> On search engines there may be a search app, which may display 3 text ads beneath the application. In addition, topics or keyword phrases are automatically matched and products or services relevant to those topics or keyword phrases will appear on the webpage as a double underline. Safe Monitor may also contain interstitial advertising where full-screen webpages are displayed between the current and destination page for a restricted amount of time.<\/strong> When users access or use the Safe Monitor App, certain non-personally identifiable information is collected, stored and used for business and marketing purposes. This non-personally identifiable information includes, without limitation: IP address, unique identifier number, operating system, browser and other software information, webpage URLs visited, and search queries entered. This collected data may also be supplemented with information obtained from third parties.<\/strong><\/em><\/p>\n

We advise users to avoid interacting with the SafeMonitorApp.<\/p>\n

You can find more about Dancho\u00a0Danchev at his\u00a0LinkedIn Profile<\/a><\/strong>. You can also\u00a0follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

By Dancho\u00a0Danchev Our sensors just picked up yet another rogue ad enticing users into installing the SafeMonitorApp, a potentially unwanted application (PUA) that socially engineers users into giving away their privacy through deceptive advertising of the rogue application’s “features”. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4209,14747,5735,14759,14757,14753,14755,14745,5251,11671,14739,14749,14761,5605,14751,14743,11681,14741,3529,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11405"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=11405"}],"version-history":[{"count":1,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11405\/revisions"}],"predecessor-version":[{"id":23843,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11405\/revisions\/23843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=11405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=11405"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=11405"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=11405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}