Source: Microsoft and Malwarebytes Boost PUP Detection
The term Potentially Unwanted Programs, or PUPs, is often used to describe software installed on somebody's computer without the owner's specific and direct approval.
Many legally-registered software development companies engage in "bundling," mainly because they earn a nice profit by packaging another company's software (PUPs) with their legitimate apps.
Detecting software as PUP comes with a financial and legal cost
For years, antivirus vendors have fought to blacklist PUPs, marking specific software as dangerous inside their security products. The makers of those programs didn't sit idly by and, for years, have sued antivirus vendors whenever their software received the label of "PUP" or "adware" in AV products.
Nevertheless, security firms fought back in all lawsuits and continued to mark PUP software as dangerous, despite the rising costs of mounting a legal defense against these scumbag developers.
In response to the security firms' work, PUP makers, who are often very large software development firms themselves, have continually evolved their products, adding new evasion tricks and pioneering new distribution methods.
These new techniques have allowed older PUPs to pass undetected, or have helped PUP makers create newer and more advanced threats.
PUP makers are the most litigious companies around
Last week, Malwarebytes CEO Marcin Kleczynski said his company is ready to modify the detection rules its product, the Malwarebytes Anti-Malware (MBAM) toolkit, uses to flag PUP software.
The new rules, which you can read below, aren't anything regular users would consider an exaggerated move from Malwarebytes. Nevertheless, Kleczynski said he expects PUP makers to fight back.
"[Previously] This has resulted in backlash ranging from nasty blog posts and comments from fake profiles defending the products to, of course, a mountain of letters with legal letterheads demanding that we stop," Kleczynski said, expecting something similar again.
- Obtrusive, misleading, or deceptive advertising, branding, or search practices
- Excessive or deceptive distribution, affiliate or opt-out bundling practices
- Aggressive or deceptive behavior especially surrounding purchasing or licensing
- Unwarranted, unnecessary, excessive, illegitimate, or deceptive modifications of system settings or configuration (including browser settings and toolbars)
- Difficulty uninstalling or removing the software
- Predominantly negative feedback or ratings from the user community
- Diminishes user experience
- Other practices generally accepted as riskware, scareware, adware, greyware, or otherwise commonly unwanted software by the user community
PUP should be called malware! PUP should not be a standalone term!
Lawrence Abrams, Bleeping Computer founder, shares Kleczynski's opinion and takes it one step further.
"As I have said numerous times," Abrams writes on his site, "PUP distributors and developers are getting out of control and need to be stopped. They are creating adware and PUPs that are not only distributed in a deceptive manner, but in many cases also include characteristics that are only found in computer infections. These characteristics could include backdoors, rootkits, and persistence techniques that make the programs difficult to remove.
"Though anyone with common sense would say that these programs should be considered malware, instead they are classified as PUPs, or not detected at all, because security companies are afraid of legal threats from the PUP developers," Abrams adds. "In fact, the term PUP, or Potentially Unwanted Program, was created to avoid calling these programs malware and to avoid legal consequences of doing so."
Microsoft updates MSRT to detect newer PUP families
But Malwarebytes is not the only one that's getting tougher on PUPs. Yesterday, Microsoft announced the addition of three new PUP families (SupTab, Sasquor, and Ghokswa) to its Malicious Software Removal Tool (MSRT) release, which complement the two new PUP families added last month (Suweezy and Xadupi).
For example, Microsoft says that it decided to add the SupTab and Sasquor PUPs after it found them part of bundlers such as Istartpageing, Omniboxes, Yoursearching, iStart123, Hohosearch, Yessearches, Youndoo, and Trotux.
If you take the time to read Microsoft's analysis of these new threats, PUPs aren't "PUPs" anymore. Gone are the days when a PUP that came bundled with a legitimate app would just change your homepage.
PUPs have the same capabilities as APT malware
Nowadays, PUPs come with rootkit components that make removal almost impossible. They also feature a modular design, with different components being installed at later times, while the main PUP component communicates with a central C&C server.
Ironically, malware used in politically-motivated cyber-espionage campaigns has the very same features. Of course, if you call PUP software "malware," or you use its real name, you might get sued.
If you weren't aware by now, Sasquor, Xadupi, or just about any PUP codename is a generic term given to certain software applications often found inside bundled software, which security vendors avoid pointing out by their real name, afraid of legal threats.
FTC and EU need to get involved
Until the FTC or the EU gets involved with stricter legislation, PUP software vendors can create destructive and intrusive software, hide it under a generic EULA agreement, and then sue any company or security researcher that dares to call it malicious, let alone mark it as a PUP or malware in their security products. The only time PUP vendors get shut down is when the victims of these aggressive software packages come forward and sue the software vendors.
If you want to know what the latest trends in PUP development are, below is a list of the recent threats added to Microsoft's Malicious Software Removal Tool, along with their capabilities.
Changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi. It also sometimes installs Trojan:Win32/Suweezy.
Changes browser search and homepage settings, circumventing the browser’s supported methods and bypassing your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional or another type of malware.
Trojan:Win32/Suweezy
Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to exclude certain folders from being scanned. This can prevent detection and removal of the related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C: to the exclusion list, which includes everything under that path, hence creating a significant and imminent danger to your computer’s overall security, by making that path unprotected by your antimalware software.
Trojan:Win32/Xadupi
Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.
Ghokswa
Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.
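As an added defender-side example, not taken from the article or from Microsoft's analysis, the PowerShell audit below checks a Windows machine for two of the footholds described above: a whole drive root such as C: in the Windows Defender exclusion list (the Suweezy behaviour) and Chrome-named shortcuts whose target is not a standard Chrome install path (the Ghokswa behaviour). The "legitimate" Chrome paths and the shortcut folders searched are assumptions; it relies on Get-MpPreference and the WScript.Shell COM object, so run it in an elevated PowerShell on Windows.

```powershell
# Added example (not from the article or Microsoft): audit two persistence
# tricks described above from a defender's side. Run in an elevated PowerShell.

function Get-SuspiciousDefenderExclusions {
    # Suweezy-style abuse: a whole drive root (e.g. C:\) in the exclusion list
    # disables scanning for everything beneath it.
    $exclusions = (Get-MpPreference).ExclusionPath
    foreach ($path in $exclusions) {
        $reason = $null
        if ($path -match '^[A-Za-z]:\\?$') {
            $reason = 'whole drive root excluded'
        } elseif ($path -match '^[A-Za-z]:\\(Windows|Program Files|Users)\\?$') {
            $reason = 'broad system folder excluded'
        }
        if ($reason) {
            [pscustomobject]@{ Exclusion = $path; Reason = $reason }
        }
    }
}

function Get-SuspiciousChromeShortcuts {
    # Ghokswa-style abuse: shortcuts labelled as Google Chrome that launch a
    # binary outside Chrome's usual install locations (assumed list below).
    $shell = New-Object -ComObject WScript.Shell
    $roots = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
               "$env:APPDATA\Microsoft\Windows\Start Menu",
               "$env:ProgramData\Microsoft\Windows\Start Menu")
    $legit = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
               "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
               "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe")
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -like '*Chrome*' } |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            # String comparison in PowerShell is case-insensitive by default.
            if ($legit -notcontains $target) {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $target }
            }
        }
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-SuspiciousChromeShortcuts    | Format-Table -AutoSize
```

Any row in either table is a lead to investigate, not proof of infection: an administrator may have added the exclusion deliberately, and a portable Chrome install will also show up as an unexpected target.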