By Dancho Danchev
Our sensors just picked up yet another rogue ad enticing users into installing the SafeMonitorApp, a potentially unwanted application (PUA) that socially engineers users into giving away their privacy through deceptive advertising of the rogue application’s “features”.
More details:
Sample screenshot of the landing page, featuring a bogus ‘Norton Secured’ Seal:
Sample screenshot of the installation process:
Rogue URL: hxxp://www.safemonitorapp.com
Detection rate for the Potentially Unwanted Application (PUA) – MD5: eaa96a5208df256251e0b66616070e3a – detected by 6 out of 47 antivirus scanners as a variant of Win32/ExFriendAlert.B; SearchDonkey (fs).
Once executed, the sample drops the following MD5s on the affected hosts:
MD5: ab73c0c2a23f913eabdc4cb24b75cbad
MD5: e563648ef955995fd109d4232d73201c
MD5: 389cbb8359d19d3753372ad1dea76618
MD5: e77df74a83b6e8c14b18f0681e4bdf46
MD5: edbb5cbaabcde52fa9822b5fe3f11f5a
MD5: f89a352a0cac2918b96df24a00a6b7ad
MD5: 93119058502398fefa04a2c2848c5716
MD5: d41d8cd98f00b204e9800998ecf8427e
MD5: 951c85a09dca9af7c52a8bcc17181fca
MD5: a783d28e15e07a38d9bbc1723ff93d1d
MD5: 0f904319c685830e08b793a94bcb29b3
MD5: c946d058e89e5dd47dd8812fe21a5a01
MD5: 00a0194c20ee912257df53bfe258ee4a
MD5: 68f5aeeaa307ca05233412ac3fb77643
MD5: 61fd777443084ed61c05c22e8e3c3eff
MD5: bf2c5f2b94cd7fd780572ed4d6d53ec6
MD5: 90d2959d0f5ab6bd68512fbfe1be05c4
MD5: 063cafc1ae75c1e6702d1fc671e7a941
MD5: 3a3a9223dd834d9898fdd8bf260bc373
MD5: 9e36cea59147bc7cd39ff85b91e9b925
MD5: 5c04a9320f466ba35407aba45d69be18
MD5: 2cfba79d485cf441c646dd40d82490fc
Phones back to s.safemonitorapp.com – 66.135.32.42, in particular, the following URLs:
hxxp://s.safemonitorapp.com/InsertInstallNotice3.ashx?v=SFMN_P0_2.6.17&p=590&c=211&m=start-myOnGuiInitStart&g=&i=p
hxxp://s.safemonitorapp.com/InsertInstallNotice3.ashx?v=SFMN_P0_2.6.17&p=590&c=230&m=CopyFilesEnd&g=db9bdab426e648d094d927b1e8e5a128&i=p
The following domains are also known to have phoned back to the same IP (66.135.32.42) :
betterwebapps.org
l.spyguardapp.com
m.exfriendalert.com
m.reboundalert.com
m.spyalertapp.com
m.spyguardapp.com
m.tvgenieapp.com
m.unfriendapp.com
s.autoupdateserver.com
s.betterwebapps.org
s.exfriendalert.com
s.infoseekerapp.com
s.injekt.com
s.provideodownloader.com
s.reboundalert.com
s.recordcheckerapp.com
s.safemonitorapp.com
s.searchdonkeyapp.com
s.spyalertapp.com
s.spyguardapp.com
s.spyscoutapp.com
s.tvgenieapp.com
s.unfriendapp.com
s.unfriendtool.com
u.safemonitorapp.com
u.tvgenieapp.com
u.unfriendapp.com
autoupdateserver.com
What’s worth emphasizing on regarding the SafeMonitorApp in terms of preserving your privacy? Their EULA/Privacy Policy speaks for itself:
Safe Monitor is supported by advertising, which may include display, in-text and/or interstitial ads. Users may see additional display ads on websites that the product runs on or adds functionality to. You will see approximately 1 display ad per page on content sites; however, at times as many as 5 display advertisements per page. On search engines there may be a search app, which may display 3 text ads beneath the application. In addition, topics or keyword phrases are automatically matched and products or services relevant to those topics or keyword phrases will appear on the webpage as a double underline. Safe Monitor may also contain interstitial advertising where full-screen webpages are displayed between the current and destination page for a restricted amount of time. When users access or use the Safe Monitor App, certain non-personally identifiable information is collected, stored and used for business and marketing purposes. This non-personally identifiable information includes, without limitation: IP address, unique identifier number, operating system, browser and other software information, webpage URLs visited, and search queries entered. This collected data may also be supplemented with information obtained from third parties.
We advise users to avoid interacting with the SafeMonitorApp.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.