{"id":14842,"date":"2013-10-18T00:00:16","date_gmt":"2013-10-18T06:00:16","guid":{"rendered":"https://www.webroot.com/blog/?p=14842"},"modified":"2023-11-01T13:43:10","modified_gmt":"2023-11-01T19:43:10","slug":"rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua-potentially-unwanted-application","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/10\/18\/rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua-potentially-unwanted-application\/","title":{"rendered":"Rogue ads lead to the ‘Mipony Download Accelerator\/FunMoods Toolbar’ PUA (Potentially Unwanted Application)"},"content":{"rendered":"

Potentially Unwanted Applications (PUAs)<\/strong> continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is bundled with the privacy-invading FunMoods toolbar PUA, an unnecessary bargain with the integrity and confidentiality of your PC.<\/p>\n

<\/p>\n

Sample screenshot of the landing page:<\/strong><\/p>\n

\"Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application\"<\/a><\/p>\n

Detection rate for the PUA:<\/strong> MD5: 023e625cbb1b30565d46f7533ddc03db<\/strong><\/a> – detected by 6 out of 47 antivirus scanners as W32\/InstallCore.R4.gen!Eldorado; Install Core Click run software.<\/p>\n

Domain name reconnaissance:<\/strong> ultimatedownloadaccelerator.com – 50.19.220.248; 174.129.22.118; 23.21.144.61; 23.23.144.245<\/p>\n

Upon execution, it phones back to:<\/strong>
\ncdneu.ultimatedownloadaccelerator.com – 65.254.40.36
\nos-test.ultimatedownloadaccelerator.com – 54.244.230.64
\ncdnus.ultimatedownloadaccelerator.com – 199.58.87.155
\nimg.ultimatedownloadaccelerator.com – 199.58.87.155<\/p>\n

Related MD5s part of the same network that are known to have been downloaded from the same IPs, over the last couple of days:<\/strong>
\nMD5: caa5e691d1eddef66294d1323720556e
\nMD5: 88ba249e0fac7ece69e8a769ec9e81dc
\nMD5: 748346dc2138aa4927e2ad577c0a97c8
\nMD5: 78b98bbec669999bd51f7f408d06d9f6
\nMD5: 7ee56be08401efbc443c286dce641bd6
\nMD5: 0a6836e3f26e4be1654b18f84191985a
\nMD5: 3822e38b95cde512aa5a11dc21cd2699
\nMD5: 2cc18f48633788894e505eaa7b11f6bf
\nMD5: 02f5346e1ee415de637458be66eb319e
\nMD5: cdddec958148633578b0574d6551facd
\nMD5: bc276e312294916fc748937b9e9a6423
\nMD5: de146519fb5ffe3c5bee07f49ebd0907
\nMD5: 2d28af1f6bf5115532c19010edbdd463
\nMD5: df2181cf0b55eebf0f281562314740b1
\nMD5: 0a6fdc3ecb5da97038df8b28bfaf9581
\nMD5: df2181cf0b55eebf0f281562314740b1
\nMD5: 0a6fdc3ecb5da97038df8b28bfaf9581
\nMD5: 1cd458a9181e1c30cb2b28efd29075cd
\nMD5: f5976b181cde557f620578eb92535ac7
\nMD5: b2a7fad9f3f892577d876c74cb221525
\nMD5: f1242926095907cebd741d8d540567b0
\nMD5: 2e60e85bfaf1175c2e7ed0390b09ee67<\/p>\n

\"Download_Accelerator_Mipony_InstallCore_PUA_FunMoods_Toolbar_Potentially_Unwanted_Application_01\"<\/a><\/p>\n

Detection rate for the FunMoods Toolbar:<\/strong> MD5: 592f35f9954a7ec4c0b4985857f81ad8<\/strong><\/a> – detected by 13 out of 48 antivirus scanners as Win32\/InstallCore; PUP.Optional.Funmoods<\/p>\n

Once executed, it phones back to:<\/strong>
\nos.funmoodscdn.com (54.245.235.34)
\ncdneu.funmoodscdn.com (146.185.27.53)
\ncdnus.funmoodscdn.com (199.58.87.155)<\/p>\n

Known to have responded to the same IPs, are also the following domains part of the same infrastructure:<\/strong>
\nos-test.anymusicconverter.com
\nos-test.coolpdfcreator.com
\nos-test.extrimdownloadmanager.com
\nos-test.greataudioconverter.com
\nos-test.thebestallcodecsapp.com
\nos-test.thebestcodecpackapp.com
\nos-test.thebestimageeditorfunapp.com
\nos-test.thecoolzipextractorapp.com
\nos-test.thedownloadmanagerapp.com
\nos-test.thenewzipopenerfun.com
\nos-test.thepdfcreatorapp.com
\nos-test.thevideoconverterexclusive.com
\nos-test.ultimatedownloadaccelerator.com
\nos-test.unipdfconverter.com
\nos.50orcdn.com
\nos.5oftwarescdn.com
\nos.abiwordapp.com
\nos.adsearchescdn.com
\nos.afdlcdn.com
\nos.afreecodeccdn.com
\ncdneu.50orcdn.com
\ncdneu.5oftwarescdn.com
\ncdneu.adsearchescdn.com
\ncdneu.afdlcdn.com
\ncdneu.alcoholsoftcdn.com
\ncdneu.allmyappscdn.com
\ncdneu.amazingwebtvcdn.com
\ncdneu.amniscdn.com
\ncdneu.anymusicconverter.com
\ncdneu.anyprotectcdn.com
\ncdneu.anysendapp.com
\ncdneu.apponiccdn.com
\ncdneu.appzeuscdn.com
\ncdneu.aviracdn.com
\ncdneu.baixakialtcdn.com
\ncdneu.baixakialtcdn2.com
\n2cdneu.baixakicdn.com
\ncdneu.bestflvplayer.net
\ncdneu.bestringtonesmaker.com
\ncdneu.bestvistadownloadscdn.com<\/p>\n

Despite the fact that most modern day PUAs include uninstall instructions, our advice is to not install them in the first place, instead, seek a legitimate — often free but this time fully featured and working — alternative to their pseudo-unique value propositions.<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these PUAs.<\/p>\n","protected":false},"excerpt":{"rendered":"

Potentially Unwanted Applications (PUAs) continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[16309,4811,3871,5267,5257,11067,11021,16301,4295,16305,16303,8933,5253,5255,11657,16307,5721,5291,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14842"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=14842"}],"version-history":[{"count":15,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14842\/revisions"}],"predecessor-version":[{"id":32171,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14842\/revisions\/32171"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=14842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=14842"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=14842"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=14842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}