Fifty shades of gray:world of potentially unwanted programs by Arun Pradeep - ( extracts from McAfee Labs Threat Report)
We assume that all malware is bad and should be blacklisted. However, the class of malware called potentially unwanted programs (PUPs) is often hard to categorize and combat, and PUPs are not always bad. Adware, spyware, and other types of nondestructive apps are generally considered PUPs. PUPs lie in a “gray zone” of classification because they often offer a benefit to the user in addition to being a risk. Their developers sometimes have reasonable justifications but their behavior varies considerably, ranging from relatively benign to quite malicious. McAfee Labs carefully examines PUPs to determine their functions and helps customers remove them. Any application a user may find beneficial but that exhibits a tangible underlying risk to the user may be considered a PUP. The applications generally do not inform users of these risks. Unlike Trojans, viruses, rootkits, and other forms of malware, PUPs generally do not steal user identities, banking credentials, or alter system files. An application can be considered a PUP if it performs any of the following behaviors:
- Modifies system settings, such as browser configuration, without authorization.
- Conceals an unsought program within a legitimate application.
- Covertly collects user information, browsing habits, and system configuration.
- Hides application installation.
- Makes removal difficult.
- Is distributed by confusing or deceptive advertisements
Based on their behavior, we classify PUPs into these subcategories:
- Adware: Serves advertisements mainly through browsers.
- Password cracker/revealer: Displays an application’s hidden password.
- Remote administration tool (RAT): Monitors user activities on the installed machine or allows remote control of the system without user awareness or consent.
- Keygen: Generates product keys for legitimate applications.
- Browser hijacker: Changes the home page, search page, browser settings, etc.
- Hack tools: Standalone apps that can facilitate system intrusions or loss of critical data.
- Proxy: Redirects or hides IP-related information.
- Tracking tools: Spyware or keylogging applications that collect user keystrokes, log personal communications, monitor user online activities, or capture screens without user awareness.
Key differences between PUPs and other malware like Trojans, ransomware, bots, and viruses are shown below:
Potentially unwanted programs
Other malware: Trojans, viruses, bots, etc.
Standard application installation procedure, at times with EULA. Often needs user acceptance and input to completely install on a system.
Installed as a standalone program without any user input. Mostly operates as an independent file.
Bundled with clean applications and covertly installed along with the clean app.
Standalone files with few additional components. Not packaged as installers.
Sometimes the package contains an uninstaller, allowing removal. Often the uninstall procedure is difficult.
Executables add more complexity in removing the malware due to hooks into other processes, process handles, and other complex linkages. Because these are not installer packages, they do not appear in Control Panel.
Displays unintended advertisements, pop-ups, pop-unders. Modifies browser settings, collects user and system data, or allows remote control of the system without user awareness or consent.
Steals personal identity and banking information, modifies system files, makes system unusable, asks for ransom, etc.
Behavior is usually not stealthy.
Can hide files, folders,
Cybercriminals rely on techniques such as phishing email campaigns, search engine optimization hijacking, vulnerable web servers, or bots to spread their malware. PUPs, on the other hand, are typically propagated by abusing the trust of innocent users as explained in the McAfee Labs Threats Report: November 2014. The most common distribution techniques for PUPs include:
- Covertly piggybacking on a legitimate application.
- Social engineering.
- Selling Facebook likes.
- Posting scam messages on Facebook.
- Hijacking Google AdSense.
- Unintended browser extensions and plug-ins.
- Forced installation along with legitimate applications.
Hard to police
Although PUPs do not perform complex evasive maneuvers such as custom packing, encryption, virtual machine detection, and other stealth behavior commonly used by Trojans and viruses, they still manage to evade detection by various security products. But if they aren’t complex, what makes these programs hard to police?
Innocent-looking propagation techniques adapted by PUP authors allow them to slip through various security gates—network intrusion prevention, firewall, and antimalware—and reach their targets, even within enterprises. PUPs do not have to be stealthy to bypass security checks because they are bundled with legitimate apps and are sometimes installed with unwitting user consent. Sometimes these apps are digitally signed to sneak onto systems.
It is easy for threat researchers to reverse engineer files to detect if they are Trojans, viruses, or bots because they exhibit malicious behavior when analyzed dynamically or statically, or when they are reverse engineered. PUPs, however, generally do not exhibit such characteristics. Their behavior is similar to legitimate programs’; hence they are considered “gray files” by the security community. Gray program behavior challenges researchers to classify them as PUPs or clean files.
For many years, PUPs were considered non-critical threats and did not greatly concern security vendors. PUPs have now significantly enhanced their behavior.
Among all the PUP categories, adware has attracted the greatest attention from security vendors not because of annoying advertisements but because of the way in which adware abuses trust.
Adware has become smarter by implementing various techniques to ensure its continuous presence on infected systems. Here are some of the methods:
- Standalone process running in memory.
- Component object model (COM) and non-COM DLL files with functions built specifically for the app.
- Browser helper object registry keys.
- DLLs hooked to system processes.
- Browser extensions and plug-ins.
- Registered system services.
- Device driver components performing device control functions.
- Low-level filter drivers.
- Trojans delivered as payload.
The red zone in the following chart illustrates the multiple vectors targeted by PUPs in various layers of Microsoft Windows.
McAfee Labs saw in the third quarter a high volume of PUP-related escalations that use adware techniques. The leading apps were OutBrowse, SearchSuite, SearchProtect, and Browsefox.
The most prevalent adware families in 2014:
- PUPs that use the Crossrider framework
Browsefox runs two services on the infected system and both connect to remote servers using TCP and UDP ports. UDP connections do not guarantee packet delivery, but TCP connections do guarantee delivery, thus ensuring that the data pushed from the remote server reaches the victim’s machine without fail. This adware’s system services ensure that the program continuously runs on infected machines even after a reboot.
SearchSuite adware, analyzed by McAfee Labs in 2014, revealed significant aggressive behavior. In addition to a complete install package, browser components, and system services, SearchSuite can control device drivers through the device control APIs of Windows. This peculiar behavior challenges detection methods used in security products. These components go deep into kernel mode and create low-level filter drivers that are usually employed by applications to interact with hardware devices.
The Crossrider framework helps developers build cross-platform browser plug-ins. Now some adware manipulates this framework, using the Crossrider API to covertly push advertisements to targeted machines. This is another trick employed by adware authors to evade detection by endpoint security products.
PUPs reach out of Windows to take a bite of Apple
Although Trojans still find it difficult to infect Apple systems, variants of PUP families such as Bundlore, Aobo Keylogger, Ginieo, and SearchProtect have successfully infected the Mac. More than 70% of all malware found on Macs falls under the PUP category. Adware on Macs was first observed in 2012; now many PUP families are found on Macs.
Similar to their behavior on Windows, PUPs targeting Macs are bundled with clean applications like video converters, YouTube downloaders, and many more legit applications. Once installed on a victim’s Mac, adware covertly monitors the user’s browsing habits and serves advertisements based on those activities.
Let’s take a look at a day in the life of PUPs. The following map shows reports gathered from McAfee Labs field telemetry in a 24-hour period:
More than 300,000 unique IPs had some adware components running on the host.
- PUPs were spread across 170 countries with the greatest impact in the United States.
- 1.5 million unique nodes had PUP infections.
- 373,000 unique hashes with some PUP components were on customer machines.
Among the top 50 malware families monitored in this period, PUPs dominated, with 94% of total hits.
In a typical 24 hour period, McAfee detects PUPs on more than 91 million systems.
Number of detections reported in 24 hours
Other PUP detections
Making money through Google’s rankings
While search engine optimizers attempt to increase site rankings to earn more on Google AdSense, PUP authors use adware to gain higher rankings using shortcuts. After embedding adware on victims’ machines, remote servers connect covertly through hijacked ads to increase visitor hits, thereby increasing a site’s rank. Ads delivered to compromised machines are tailored to victims’ interests to increase the chance of clicks. Higher site ranks make websites appear higher in Google search results, thus increasing ad-based revenue.
Once an adware app spreads to thousands of victims’ machines, these ad hijacking and redirecting click traits function as a service, turning the adware itself into a propagation medium.
Containing PUPs through aggressive policies
Due to the “grayness” of some PUP files and the difficulty in classifying them, many security vendors develop PUP policies so that threat researchers can classify PUPs in a more systematic way. A PUP policy is a document that defines the rules for evaluating, classifying, and adding PUP detection.
McAfee Labs periodically revises its PUP policy to counter changes adopted by PUP developers. Our most recent policy includes the following criteria to help guide McAfee Labs threat researchers as they attempt to determine whether files are PUPs.
- The value that the technology offers the user.
- The risk posed by the technology to a user.
- The context of the technology or component.
- The source or distribution of the technology.
- The prevalence of any misuse compared to legitimate use of the technology.
McAfee Labs threat researchers then examine the following areas:
- The extent to which the user is notified of the software’s risks.
- The extent to which the user consents to the software’s behavior.
- The degree of control that the user has over the software’s installation, operation, and removal.
At McAfee Labs, we examine every component file of a possible PUP to hunt for its main installer. We replicate the installation in-house, allowing the installer to download the complete package. We thoroughly analyze these downloads and use our latest PUP policy to determine whether the app is a PUP or legitimate. Once an app is classified as a PUP, users can then configure their endpoint protection products to allow or block the PUP. Endpoint configuration guidance for PUPs can be found here.