We recently received a sample from a customer and upon initial analysis it looked like a bundled software installer. Upon execution, the installer launches a website and then attempts to download an executable—an installer for FLV Player. Nothing out of the ordinary, but what grabbed our attention was the website that had loaded after execution. It appeared to be a “Thanks for installing” page but the domain name looked odd.
We navigated to the top level of this site and found several subsites.
Clicking through these, we found all of them to be fake pages that show users an advertisement to entice them to install another piece of software. This tactic is common with installers for potentially unwanted programs (PUPs), but it is uncommon for one website to have several fake pages.
The common thread is that they all show ads from castplatform.com. A copy of the script used on these pages follows:
Some of the pages we found were fake landing pages for common applications including:
- VLC Player
- FileHippoMineCraft Projects
We decided to dive deeper and try to find the source of this installer.
This is usually the tricky part when dealing with PUPs due to the different techniques used by the authors. Most PUPs include no company or owner information, no homepage, come only in bundles, and require certain switches for the installer to work.
Our first step was to see if we could find other files that connected to these fake landing pages. We soon discovered thousands of these; they all showed similar behavior.
Once we gathered all the samples we knew our best shot was to get a list of all the domains that were contacted. The logic behind this was to look at the list and see if there was a common domain that appeared more frequently than others. It was likely this domain hosted the files.
We found a few common websites that the installers contacted, so we began to go through them. A couple stood out; these were file upload sites. We assumed these file upload sites bundled the uploaded files with a new installer.
The two sites that gained most of our attention were File-space.org and 100lm.ru. File-space.org made it clear that it was about monetizing.
Here is a snippet from the FAQ page:
Here is how much its users can make:
It works out between £8 and £16 per one thousand downloads.
From reading the FAQ, we seemed to be on the right track. So we signed up to the website and uploaded a file. We then downloaded the uploaded file and found that it was indeed bundled with other applications. However, the behavior was not the same as our customer’s file. So our search continued for the source of our sample.
Our attention now went to 100lm.ru. This website had no detailed FAQ/EULA/Tariff page and no mention of monetization.
What we instantly noticed was a catalog page.
Any file that anyone uploads to the site appears on this list. This means that anyone can download files anyone else uploads, even those rated “not so secure.” Regardless, we came here to find the source of our PUP installer.
We chose one file to download. As you can see from the following image, this file had been downloaded more than one thousand times.
We replicated the file and found the behavior to be exactly the same as our initial sample.
So we downloaded a couple more of these files and we hit the jackpot. Every one we chose loaded the fake landing page. We checked the digital signature of the files and they all matched the one in the file we originally received.
Just to double-check, we uploaded our own file and downloaded it. The downloaded file was bundled with other software that loaded the fake landing page when executed.
What is different between the two upload sites is that 100lm.ru does not inform users that it is bundling; thus that site makes all the pay-per-install (PPI) revenue. This is extremely misleading. Even if a fake landing page was not loaded, this behavior would still warrant PUP detection.
Here is a flow of how this PUP spreads:
Our findings show that you have to be very careful when choosing a file-hosting website. We recommend that you use the most popular ones and do a simple check to see if the file you upload is the same as the one that you download.
A simple way to do this is to use the command-line tool FC.exe, which is available on every Windows system. It compares two files and will highlight any differences.
Usage: FC.exe “file1” “file2”
Detection for the malicious installer has been added as Adware-FakeLand and is covered in DAT Version 8055.