Microsoft and Malwarebytes Boost PUP Detection

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
The term Potentially Unwanted Programs, or PUPs, is often used to describe software installed on somebody's computer without the owner's specific and direct approval.

Many legally-registered software development companies engage in "bundling," mainly because they earn a nice profit by packaging another company's software (PUPs) with their legitimate apps.

Detecting software as PUP comes with a financial and legal cost
For years, antivirus vendors have fought to blacklist PUPs, marking specific software as dangerous inside their security products. The makers of those programs didn't sit idly, and for years, have sued antivirus vendors whenever their software received the label of "PUP" or "adware" in AV products.

Nevertheless, security firms fought back in all lawsuits and continued to mark PUP software as dangerous, despite the rising costs of mounting a legal defense against these scumbag developers.

Because of their work, PUP makers, who are often very large software development firms themselves, have continually evolved their products, adding new evasion tricks and pioneered new distribution methods.

These new techniques have allowed older PUPs to pass undetected, or have helped PUP makers create newer and more advanced threats.

PUP makers are the most litigious companies around
Last week, Malwarebytes CEO Marcin Kleczynski, said his company is ready to modify the detection rules based on which their product, the Malwarebytes Anti-Malware (MBAM) toolkit detects PUP software.

The new rules, which you can read below, aren't anything regular users would consider an exaggerated move from Malwarebytes. Nevertheless, Kleczynski said he expects PUP makers to fight back.

"[Previously] This has resulted in backlash ranging from nasty blog posts and comments from fake profiles defending the products to, of course, a mountain of letters with legal letterheads demanding that we stop," Kleczynski said, expecting something similar again.

- Obtrusive, misleading, or deceptive advertising, branding, or search practices
- Excessive or deceptive distribution, affiliate or opt-out bundling practices
- Aggressive or deceptive behavior especially surrounding purchasing or licensing
- Unwarranted, unnecessary, excessive, illegitimate, or deceptive modifications of system settings or configuration (including browser settings and toolbars)
- Difficulty uninstalling or removing the software
- Predominantly negative feedback or ratings from the user community
- Diminishes user experience
- Other practices generally accepted as riskware, scareware, adware, greyware, or otherwise commonly unwanted software by the user community PUP should be called malware! PUP should not be a standalone term!
Lawrence Abrams, Bleeping Computer founder, shares Kleczynski's opinion and takes it one step further.

"As I have said numerous times," Abrams writes on his site, "PUP distributors and developers are getting out of control and need to be stopped. They are creating adware and PUPs that are not only distributed in a deceptive manner, but in many cases also include characteristics that are only found in computer infections. These characteristics could include backdoors, rootkits, and persistence techniques that make the programs difficult to remove.

"Though anyone with common sense would say that these programs should be considered malware, instead they are classified as PUPs, or not detected at all, because security companies are afraid of legal threats from the PUP developers," Abrams adds. "In fact, the term PUP, or Potentially Unwanted Program, was created to avoid calling these programs malware and to avoid legal consequences of doing so."

Microsoft updates MSRT to detect newer PUP families
But Malwarebytes is not the only one that's getting tougher on PUPs. Yesterday, Microsoft announced the addition of three new PUP families (SupTab, Sasquor, and Ghokswa) to its Malicious Software Removal Tool (MSRT) release, which come to complement the two new PUP families added last month (Suweezy and Xadupi).

For example, Microsoft says that it decided to add the SupTab and Sasquor PUPs after it found them part of bundlers such as Istartpageing, Omniboxes, Yoursearching, iStart123, Hohosearch, Yessearches, Youndoo, and Trotux.

If you take the time to read Microsoft's analysis of these new threats, PUPs aren't "PUPs" anymore. Gone are the days when a PUP that came bundled with a legitimate app would just change your homepage.

PUPs have the same capabilities as APT malware
Nowadays, PUPs come with rootkit components that make removal almost impossible. They also feature a modular design, with different components being installed at later times, while the main PUP component communicates with a central C&C server.

Ironically, malware used in politically-motivated cyber-espionage campaigns has the very same features. Of course, if you call a PUP software as "malware," or you use its real name, you might get sued.

If you haven't been aware by now, Sasquor, Xadupi, or just about any PUP codename is a generic term given to certain software applications often found inside bundled software, which security vendors avoid pointing out by their real name, afraid of legal threats.

FTC and EU need to get involved
Until the FTC or the EU gets involved with more strict legislation, PUP software vendors can create destructive and intrusive software, hide it under a generic EULA agreement, and then sue any company or security researcher that dares to call it malicious, let alone mark it as a PUP or malware in their security products. The only times when PUP vendors are shut down is when the victims of these aggressive software packages come forward and sue the software vendors.

If you want to know what are the latest trends in PUP development, below is a list of the recent threats added to Microsoft's Malicious Software Removal Tool, along with their capabilities.

BrowserModifier:Win32/Sasquor
Changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi. It also sometimes installs Trojan:Win32/Suweezy.

BrowserModifier:Win32/SupTab
Changes browser search and homepage settings, circumventing the browser’s supported methods and bypass your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional or another type of malware.

Trojan:Win32/Suweezy
Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to exclude certain folders from being scanned. This can prevent detection and removal of the related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C: to the exclusion list, which includes everything under that path, hence creating a significant and imminent danger to your computer’s overall security, by making that path unprotected by your antimalware software.
Trojan:Win32/Xadupi Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.

Trojan:Win32/Ghokswa
Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Great, scary share!


Trojan:Win32/Suweezy

Attempts to modify settings of AVs...not good, not good at all....how do they sue AVs? What can they say to sue? These people should be fined!
We really need more attention from our legislators/control commissions!
 
L

LabZero

The average user may think that PUP is not so dangerous, but he knows these things superficially, reading on the web.
Wrong, some new generation's PUPs drop stealth malware designed to bypss all security control: infect - stay - steal.
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
No it isn't. Microsoft is not going to take a truly hard-line stance against PUPs because of the potential civil suits.
You are probably right, even tho Microsoft is much bugger company than Avast and ESET combined, I think they have a lot of bothside agreements which will brake if they start to block some PUPs
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Well, it's free with WD. So can't complain that much with free stuff. They're meant to compromise .:D
 
  • Like
Reactions: shukla44

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
AV's should steer away for any such partnership that will include bundled products, so any behavior should sanctioned immediately.

Next; why not implement stronger analysis and collecting information for PUP's same like other threats besides on the criteria mentioned above? For sure that will boost the PUP detection efficiently.
 
  • Like
Reactions: shukla44

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
Malwarebytes are certainly doing something different these days regarding PUP detection.

I run weekly system scans and last week it flagged " Slimware Driver " as a PUP ( which I have never installed )

Today it flags "Advanced System Care " which I have also never installed ! (... although I do have IOBit Uninstaller ).

It got my attention because (a) I am super-aggressive in avoiding bundleware , and
(b) I haven't installed anything new on this machine for many weeks .

Here's a screenie for the ASC detection :-

MBAM.PNG
 
  • Like
Reactions: harlan4096

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@Myriad: Same with ESET and few other AV's that definitely analyze the behavior program no matter if it's legitimate.

I've remembered that Viber complain about ESET flag detection to their product however the software company itself backfire for possible PUP based.
 
  • Like
Reactions: Der.Reisende

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
The average user may think that PUP is not so dangerous, but he knows these things superficially, reading on the web.
Wrong, some new generation's PUPs drop stealth malware designed to bypss all security control: infect - stay - steal.

That's a good point ,and I have just looked on the MBAM Forum and saw this from a couple of years ago :-

"We've seen way too many support tickets and forum posts about PUPs, Potentially Unwanted Programs, that we couldn't sit back anymore.

Starting today, we are upping our Malwarebytes Anti-Malware detection to include those annoying and misleading PUPs, in addition to the harmful and dangerous PUPs we already detect."

My guess is that they have recently stepped up the war on PUPs again because I'm seeing old items that had slipped by previously

Good work MBAM is what I say !
 
Last edited:

Myriad

Level 7
Verified
Well-known
May 22, 2016
349
This issue of continuing aggressive action against PUPs has come up again recently on the MB forum ( October 5th ) and blog

But not all of their customers are happy campers .
Here's a quote from there :-

"Bad move. It's basically AntiCompetitionWare and creates an unnecessary burden on your own customers."

But it is not fair to quote out-of-context ,and Malwarebytes staff responded , so I recommend checking it out before judging .
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top