{"id":16314,"date":"2014-03-25T10:37:10","date_gmt":"2014-03-25T16:37:10","guid":{"rendered":"https://www.webroot.com/blog/?p=16314"},"modified":"2023-11-02T11:44:39","modified_gmt":"2023-11-02T17:44:39","slug":"deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/03\/25\/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications\/","title":{"rendered":"Deceptive ads expose users to the Adware.Linkular\/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)"},"content":{"rendered":"

Rogue vendors of\u00a0<\/strong>Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)\/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.<\/p>\n

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue\u00a0SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of\u00a0Adware.Linkular download page:<\/strong><\/p>\n

\"W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application\"<\/a><\/p>\n

Sample screenshot of\u00a0Win32.SpeedUpMyPC.A download page:<\/strong><\/p>\n

\"W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application_01\"<\/a><\/p>\n

Sample redirection chain:<\/strong>
\nhxxp:\/\/ad.propellerads.com\/ck.php?oaparams=2__bannerid=91608__zoneid=605__OXLCA=1__cb=__oadest=http%3A%2F%2Fwww.getmyfilesnow.info%2F%3Fpid%3D887%26context%3D%24{SUBID}<\/em> -> hxxp:\/\/www.getmyfilesnow.info\/?pid=887&context=4912867270<\/em><\/p>\n

Domain name reconnaissance:<\/strong>
\ngetmyfilesnow.info – 54.208.165.36
\ngetmyfilesnow.com – 174.142.147.2
\ncoollinks.us – 174.142.147.5
\nlinkular.com – 208.109.216.125<\/p>\n

Detection rate for the PUA:<\/strong>
\nMD5: 0d60941d1ec284cab2e861e05df89511<\/strong><\/a> – detected by 6 out of 51 antivirus scanners as Adware.Linkular<\/p>\n

Known to have responded to 54.208.165.36, are also the following PUA samples:<\/strong>
\nMD5: e3d7a5dda69a83a4dbffb195fe41e68f
\nMD5: 3f9e510e2ebe20141dbb8b61ea15e21b
\nMD5: 9a4dd0724d8d241d748c6b2d4658a996
\nMD5: 567545c3947667913853ab34bdf38e3b
\nMD5: 83d21d9a6a1df8a4b4beb6190dbe8266
\nMD5: a08a35a241b0c7aa6ed7dda7ae8bab1e
\nMD5: 07aae60ce06590a3b8a4e86d0b94335a
\nMD5: 9ab73e226bfd9393b13423490d3ed77d
\nMD5: 75ec259b97e67f1174820beee4cafa29<\/p>\n

Once executed, the sample phones back to:<\/strong>
\nhxxp:\/\/107.23.152.80\/api\/software\/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768<\/p>\n

Known to have been downloaded from the same IP (107.23.152.80) are also the following PUAs:<\/strong>
\nMD5: a3f2dca9cf2fbf0b6221db476b9d889c
\nMD5: 8f021a07e83f2b455aad969268fbcba7
\nMD5: 57d1a9c5de77ac85e79ad675df7753dc<\/p>\n

Compete Inc’s Certificate Serial ID:<\/strong> 4A 4A CA E0 72 F8 06 5D 9C 03 E2 A2 24 09 75 B0
\nAdvanceMark’s Certificate Serial ID:<\/strong> 52 32 D1 95 19 B6 63 90 12 01 63 65 2B E1 E8 9E
\nLinkular LLC, 2012’s Certificate Serial ID:<\/strong> 27 C7 0F 80 92 79 A3<\/p>\n

Responding to 107.23.152.80 is also the rogue mspowerpack.com<\/strong>, which redirects to hxxp:\/\/www.uniblue.com\/cm\/foxlingo\/speedupmypc\/banner1\/download<\/em> (Win32.SpeedUpMyPC.A).<\/p>\n

Known to have been downloaded from the same IP (107.23.152.80) are also the following PUAs:<\/strong>
\nMD5: a3f2dca9cf2fbf0b6221db476b9d889c
\nMD5: 8f021a07e83f2b455aad969268fbcba7
\nMD5: 57d1a9c5de77ac85e79ad675df7753dc<\/p>\n

Sample detection rate for the Win32.SpeedUpMyPC.A PUA:<\/strong>
\nMD5: 0a8ecb11e39db5647dcad9f0cc938c99<\/strong><\/a> – detected by 3 out of 51 antivirus scanners as PUP.Optional.SpeedUpMyPC<\/p>\n

Known to have been downloaded from uniblue.com (176.34.125.17; 46.137.104.179; 50.19.240.60; 54.217.212.162; 54.246.105.117) are also the following PUAs:<\/strong>
\nMD5: 178e9cf3c95c0867104f14310bec10cf
\nMD5: 573a55f36b0ff521ac5012a7ae935a04
\nMD5: 3ee4e5cc4ee74b45fbbba507181efaeb
\nMD5: 563750b3b4a7f00115c83708a7e95d39
\nMD5: a59e9a0ce57365bbef2042f52d622539
\nMD5: abc3534ef2b1086330151ef42423d208
\nMD5: d41ea1f04ef610566b0ad4750b2040e7<\/p>\n

Uniblue Systems’s Certificate Serial ID:<\/strong> 38 B5 E3 0A ED 74 F6 CD 05 D8 F2 0F 18 E8 91 E2<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these PUAs.<\/p>\n","protected":false},"excerpt":{"rendered":"

Rogue vendors of\u00a0Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)\/EULA (End User License Agreements) which socially engineered users accept, […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17605,17595,3871,17599,17593,11021,14789,16239,17607,23167,17611,17609,5253,5255,4029,17603,3875,5605,17601,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16314"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16314"}],"version-history":[{"count":9,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16314\/revisions"}],"predecessor-version":[{"id":32271,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16314\/revisions\/32271"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16314"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16314"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}