The detection name PUP.Optional.Downloader is probably as non-specific as a name can get when it comes to identifying which particular unwanted program it refers to. Generally, Malwarebytes uses this name to detect Crossrider uninstallers, installers from the CHIP Online download portal, and other bundlers offered as downloaders.
For this blog post, we’re going to look at a bundled program called Internet Download Manager (IDM) for Windows, which we retrieved from a third-party website, as an example of how Malwarebytes uses the PUP.Optional.Downloader detection name. This sample falls under the “other bundlers offered as downloaders” category. For clarification, the IDM program discussed was not obtained directly from https://www.internetdownloadmanager.com/.
During installation, it displays the following user interfaces—
—and creates the following URL shortcut files for BestOffer Everyday and iStripper, as per the latest sample we have retrieved and tested.
IDM also integrates itself into Chrome and Firefox as browser extensions:
After installation, the bundler promising to install IDM then visits two consecutive websites via the Opera browser, the first one triggering Malwarebytes to block a URL it has deemed malicious—
—and the second one prompting us to “update our Adobe Flash Player”:
Malwarebytes detects the IDM installer as PUP.Optional.Downloader. We also detect all dropped shortcut files as PUP.Optional.BestOffer.
To read more on the technical details of the sample we just discussed, you can visit our removal instruction page on the forum here.
Jovi Umawing (Thanks to Pieter for additional info)
Hi,
As someone who has been a user of Internet Download Manager for over a decade, I must say that I’ve never experienced the behaviour you’ve listed, although I’ve only ever downloaded the software from the developer’s website.
I have no relationship with the developers of Internet Download Manager other than being a long-term satisfied customer.
In your post you state that you downloaded Internet Download Manager from a third-party website.
Is it possible that the behaviour you’ve listed only applies to versions that are downloaded from third-party sites, and that these sites may be distributing versions which were not created by the developer?
If that’s the case, then I wouldn’t like to see the reputation of what I consider an excellent download manager tarnished by something outside of the developer’s control.
I personally avoid downloading software from third-party sites as you can’t verify that the software hasn’t been modified unless you know how the original developer signs their software.
On a separate note I would like to thank the Malwarebytes team for the great work that you do. I’ve been a Malwarebytes user for well over 5 years, and I’ve always found your software to be excellent.
I appreciate your recently announced tougher stance on PUPs and I’m looking forward to the official release of your anti-ransomware product.
Les
Hi, Les.
As per the blog: “Malwarebytes detects the IDM installer as PUP.Optional.Downloader”. The problem here is the bundler which installs a number of programs in addition to IDM. Bundling legitimate and occasionally less desirable programs together is very common depending on what deals were done between individual programmers and companies with whoever is responsible for the bundler, and we frequently see (and write about) combinations of the above on the blog.
While we have no way to explain the behind-the-scenes mechanics of how any bundle is put together, we definitely agree that going to the original source for a specific download is a good idea. Many bundles will often offer full versions of otherwise paid-for programs, and of course many of these installs will have costs covered by additional advertising. As always, the choice remains with the consumer, but bundles often remain a mystery right up until installation.
Thanks for the kind words! 🙂
That iStripper reminds me of Vinesauce Joel