Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video Downloader/Bundlore’ Potentially Unwanted Application (PUA)


By Dancho Danchev

Our sensors continue picking up deceptive advertisements that expose gullible and socially engineered users to privacy-invading applications and toolbars, most commonly known as Potentially Unwanted Applications (PUAs).

The latest detected campaign utilizes multiple legitimate-looking banners in an attempt to trick users into thinking that their media player needs to be updated. Once users install the bogus ‘Media Player Update’, they introduce third-party privacy-invading software onto their PCs and directly contribute to the revenue flow of the cybercriminals behind the campaign.

More details:

Sample screenshots of multiple deceptive ads leading to the same Potentially Unwanted Application (PUA):

[Images: five screenshots of the deceptive ads]

Sample screenshot of the landing page:

[Image: landing page screenshot]

Rogue URL:
hxxp://dkg.videodownloadonline.com/download/video_downloader – 107.14.36.160; 107.14.36.120

Detection rate for the PUA:
MD5: 85387afff8e5e66e2d9cc5dc1c43c922 – detected by 2 out of 46 antivirus scanners as Adware.Downware.925; Bundlore (fs).

The sample is digitally signed by Bundlore LTD, which is yet another pay-per-install affiliate network.


Rogue URL:
bundlore.com – 98.129.229.186 – Email: eldad.shaltiel@gmail.com

A number of MD5s are known to have interacted with the same IP (98.129.229.186).

Webroot SecureAnywhere users are proactively protected from these PUAs.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
