Deceptive vendors of PUAs (Potentially Unwanted Applications) continue relying on a multitude of traffic acquisition tactics, which in combination with the ubiquitous for the market segment ‘visual social engineering‘, continue tricking tens of thousands of users into installing the privacy-violating applications. With the majority of PUA campaigns, utilizing legitimately looking Web sites, as well as deceptive EULAs (End User License Agreements), in 2014, the risk-forwarding practice for the actual privacy-violation, continues getting forwarded to the socially engineered end user.
We’ve recently intercepted a rogue portfolio consisting of hundreds of thousands of blackhat SEO friendly, legitimate applications, successfully exposing users to the Sevas-S PUA, through a layered monetization relying on OpenCandy/Conduit affiliate based revenue sharing networks.
More details:
Sample screenshot of the Sevas-S/OpenCandy PU serving Web site:
Deceptive portfolio domain name reconnaissance: hxxp://joydownload.com – 54.235.94.58
Detection rate for a sample Sevas-S/OpenCandy PUA:
MD5: a8fb69cf527df4a731333c06129faf3a – detected by 15 out of 51 antivirus scanners as PUP.Optional.OpenCandy; Sevas-S Installer
Serial number: 4B 35 AC 22 3F4 DB 03 D3 B4 C5 36 89 83 A4 B53
Related Sevas-S certificate numbers:
52 74 71 e5 38 62 e2 f9 0ab 45 ed 4a cb 8f 4c2
6b 59 cd e1 53 f9 d6 b8 05 25 99 e5 05 47 7c 19
Deceptive PUA vendor’s domain name reconnaissance: hxxp://sevas-s.com – 107.23.223.98
Known to have been downloaded from the same IP (107.23.223.98) are also the following PUAs:
MD5: e1a49c030ca2f679b70d92ec3637bf1e
MD5: ce9f84f734cbb6a29eee377112d9e5cf
Once executed, the sample phones back to:
api.opencandy.com – 204.232.180.209
media.opencandy.com – 54.231.2.241; 54.231.0.65
cdn.opencandy.com – 87.248.203.254
installs.sevas-s.com – 107.23.223.98
d3.sevas-s.com – 5.79.64.239
sp-installer.conduit-data.com – 54.83.197.43
sp-storage.conduit-services.com – 23.67.3.152
sp-download.conduit-services.com – 199.101.114.124
sp-storage.spccinta.com – 23.66.234.207
sp-settings.conduit-services.com – 23.67.3.152
mediahelper.org – 23.21.66.175
servicemap.conduit-services.com – 23.67.3.152
sp-alive-msg.conduit-data.com – 23.23.100.240
sp-autoupdate.conduit-services.com – 23.67.3.152
sp-ip2location.conduit-services.com – 199.101.114.209
Related Sevas-S download locations:
d2.sevas-s.com – 198.7.58.217
d3.sevas-s.com – 5.79.64.239
d4.sevas-s.com – 162.210.192.105
d5.sevas-s.comv – 207.244.67.208
d6.sevas-s.com – 207.244.67.198
d7.sevas-s.com – 207.244.67.199
Go through related assessments of PUA (Potentially Unwanted Applications) campaigns intercepted in the wild:
- Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA
- Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe Flash Player’s installation process
- Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)
- Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)
- iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)
- Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)
- Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Potentially Unwanted Application (PUA)
- Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application (PUA)
- Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)
- Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)
- Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)
- Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
Related domains known to have responded to the same IP (mediahelper.org; 23.21.66.175):
2download.co
cpuz.2download.co
directx.2download.co
mediahelper.org
2download.co
youtube-to-mp3-converter.org
youtubeconverterhd.co.uk
youtubetomp3format.com
Related MD5s known to have been downloaded from the same IP (23.21.66.175):
MD5: e6bbd7ce83192d5505489fe738b547e8
MD5: 8e29d732e07a67858d10ee6b85230df7
MD5: 5f7e3f9758aa425fdc602f4b03cdfa2e
MD5: 2462a20c590399755577761bfb9cf919
MD5: 9b860b6e48c6266f09935c6245fea623
MD5: 9affdce21391343f83d84bea830e90a0
Known to have phoned back to (204.232.180.209) are also the following malicious MD5s:
MD5: e3d95855c85654de83286f1b6ad4a421
MD5: 0a3617a094b5a73e8bdd2655ff257a7b
MD5: 234047e53ba58255cc24fd7e38b385bc
MD5: 8eac6af7ffd80e5731cc7c5b6ffadeae
MD5: 69e1d70d315c502f5d963f2ed5f39ae4
MD5: f64e14110f8f5871011d3f3cc0566539
MD5: 28bf2ec685291297970b56b48b113e32
MD5: ea70d275f6de4229bfad9bda9ad5d380
MD5: 72b64cc54e107a8df3f1b6047a5d9c97
MD5: 2f18fad5471733f1924a8b6bdfd52867
MD5: aa49205590c65803c5a47d21fad6f09d
MD5: 5d230f2dfadbccbe38c3b103ab275429
MD5: 5fd51587e1e0aeae6deaa6883c2034b7
MD5: cb9ea2692f0aa50d3967fb690717642a
MD5: a66bec592f954fe04efd06e64f9ad96a
Known to have phoned back to the same IP (54.231.2.241) are also the following malicious MD5s:
MD5: f33c86664d84fbbc8e05c4a7ec7941db
MD5: 92f312b8ce0248e11e83afbc891ef710
MD5: 7dba9a415756f20632a66dce2eaffca0
MD5: ec0de726447384b03bb99c2b940c9957
MD5: 20532744bd920846f097b42cb3d044e8
MD5: 9a77df392689b193c2d0eb1f8d7b9312
MD5: 4d4d0544d53f00fce5e7ce76f97dc480
MD5: 749be75d111c51e274b2bb65668592bf
MD5: 6aaee6759cd9795ab619cf1dfc022260
MD5: a8fb69cf527df4a731333c06129faf3a
MD5: 8f140e54e26b081cad542065aefe8d3b
MD5: 42c3418efcdb5b6bb8d7561f14ad2187
MD5: dec13aa433387f7644d5042cd2f10c4d
MD5: 6138dcbf580b1463dbf53863cdc8531a
Webroot SecureAnywhere users are proactively protected from these PUAs.
