Author’s Note: We at Malwarebytes continue to do our part in educating our product users and regular blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for on the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
We have discussed DNS hijackers in general in the past. This week, we’d like to have a look at a specific example called TopFlix. It belongs to a family of adware that we call DNSUnlocker.
How do people get infected?
This one is pushed by a bundle wrapper called SoftPulse. SoftPulse uses advertisements to lure users into downloading and installing “useful” applications like Java or Flash Player from its own servers, and to spice things up a bit, it adds some extra ingredients of its own.
A current example of how the SoftPulse bundle installer looks
Depending on your geolocation and maybe some other parameters, you’d see some additional offers to digest along with the main course.
TopFlix was presented as a media player during recent install procedures.
Installation
Once the bundle wrapper triggers the installation of TopFlix, you should be able to read its EULA, as is proper, but in these cases it is not always shown. Since you have already allowed the wrapper to run, they don’t need to ask for your permission to install the extras: you have implicitly allowed them, probably without being aware of it. This one also includes a link to their Privacy Policy.
Scrolling down a bit in the EULA, you may notice this warning that you are giving the “Services” permission to change your DNS settings:
In my book, that’s a deal breaker. Do not ever allow anyone to control your DNS settings. Whoever controls your resolver decides which server you reach for every name you look up, and sees every name you look up. The ramifications range from injected advertisements and extra content, to being sent to look-alike sites, to being unable to reach any Web address at all.
The installer offers us another warning still further down, and lets us know that the Service “may”—trust me, it will—contain unsupervised third-party content:
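A quick way to check whether something has quietly taken over your resolver settings is to compare the DNS servers each adapter actually uses against the ones you expect. The script below is an added example, not code from the post or from the TopFlix/SoftPulse installer: it parses the text output of Windows `ipconfig /all` (the sample output embedded here is constructed for the demo) and flags any adapter whose DNS servers are not on an allowlist. The allowlist, only the home router at 192.168.1.1, is an assumed policy; adjust it to your own network.

```python
"""Flag adapters whose DNS servers are not on an allowlist.

Added example (not from the Malwarebytes post or the TopFlix installer).
Parses `ipconfig /all` text and reports adapters pointing at resolvers you
did not configure. SAMPLE_IPCONFIG is constructed; ALLOWED_DNS is an assumed
policy for a home network whose router is the only resolver.
"""
import re
from typing import Dict, List

# Constructed sample of `ipconfig /all` output. The Wi-Fi adapter has been
# pointed at two resolvers that are not the router's.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.lan
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
"""

# Assumed policy: the only legitimate resolver is the router.
ALLOWED_DNS = {"192.168.1.1"}

ADAPTER_RE = re.compile(r"^\S.*? adapter (.+?):\s*$")       # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s{3}(\S.*?)[ .]*: ?(.*)$")         # "   DNS Servers . . . : 1.2.3.4"
CONT_RE = re.compile(r"^\s{10,}(\S.*)$")                     # extra values on following lines


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter_name: {field_name: [values]}} from `ipconfig /all` text.

    Multi-valued fields (several DNS servers) continue on indented lines with
    no field name; those are appended to the previous field.
    """
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_field = None
            continue
        if current is None:          # global header before the first adapter
            continue
        m = CONT_RE.match(line)
        if m and last_field:
            adapters[current][last_field].append(m.group(1).strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current].setdefault(last_field, [])
            if value:
                adapters[current][last_field].append(value)
    return adapters


def find_hijacked(adapters: Dict[str, Dict[str, List[str]]],
                  allowed=ALLOWED_DNS) -> Dict[str, List[str]]:
    """Map adapter name -> DNS servers that are not on the allowlist."""
    findings = {}
    for name, fields in adapters.items():
        unexpected = [s for s in fields.get("DNS Servers", []) if s not in allowed]
        if unexpected:
            findings[name] = unexpected
    return findings


if __name__ == "__main__":
    for adapter, servers in find_hijacked(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(f"{adapter}: unexpected DNS servers {', '.join(servers)}")
```

On a real machine, save the output with `ipconfig /all > ipconfig.txt` and pass the file's contents to `parse_ipconfig`. Checking `ipconfig /all` rather than the adapter properties dialog shows the resolvers that are actually in effect, which is what matters once a bundled "service" has been given permission to change them.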
Third-party content
From what we’ve seen, the third-party content mentioned above comes as in-text pop-ups, little advertisements that appear when you hover over certain keywords:
Others open a new browser tab or window.
One of the advertisements that we were served led to the potentially unwanted program called “OneSafe PC Cleaner” by “Avanquest”.
As you can see, that advertisement was marked as “Ad by adsupply”, but many of them do not reveal any information about their origin at all.
Removal and detection
The SoftPulse bundle wrapper is detected by Malwarebytes Anti-Malware as PUP.Optional.SoftPulse. The TopFlix installer is detected as Adware.TopGuard.
A full removal guide and logs of the install can be found on our forums.
Prevention
In the case of bundle wrappers, a few habits can go a long way toward preventing unwanted side dishes:
- Download software from the publisher’s own site whenever possible.
- Review the extra offers carefully. In many bundles you can “Skip” or “Deny” them.
- Create a “Restore Point” before you install, or use software that can undo the changes made to your system, such as Total Uninstall or Ashampoo Uninstaller.
Summary
We looked at a DNS hijacker called TopFlix. It poses as a media player and is brought to you by one of the mainstream bundle wrappers called SoftPulse.
Pieter Arntz
A few years ago (last year, I think) I got a virus from a site called ad(dot)fly. This site is well known as a useless, commonly used service to help people shorten links and help them make millicents off of links. (I don’t see the point.) I clicked a big download button on the site, because I mistook it for the program I was trying to download, which was drivers to let me use the PS3 controller with a PC. (BAD MISTAKE!) Chrome proceeded to download the installer, under the name Open Download Manager. It finished, and when opened, greeted me with at least 18 offers before closing. Regardless of my choice, which was to decline all of them, the program closed. I was very confused and frustrated.
I started seeing multiple random programs, some of which were mentioned in the excessive offers. I was overwhelmed and freaked out by the amount of viruses that were being loaded on my computer. I instantly whipped out Malwarebytes and turned the wi-fi off so that the program couldn’t download any more viruses. When the scan finished, Malwarebytes detected over 7,000 viruses on the PC, and counting. I thought it was all over, and turned the wi-fi back on. Nope. More and more viruses flooded onto the computer. I repeated the same process with Malwarebytes, freaking out and backing up my latest project. I stopped because it was way too laggy. When the scan finished, there were fewer viruses, but still too many to remember. I had to wipe the computer clean and start over. Please, for the sake of people’s computers, don’t use adf(dot)ly. I got the program in the end, but just don’t do it. Seriously.
Well, I still use that website; I just click the skip ad. I also recommend running something like Webroot and, if you can, the premium version of Malwarebytes, because it will detect and block these sorts of attacks. Also try your best to stay away from Windows; I recommend Linux: faster and more secure.