REPORT

Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs

The History of WakeNet AB, a Major PPI Player

McAfee Advanced Threat Research

Authors

This report was researched and written by:

■■ Oliver Devane

■■ Charles Crofford

McAfee® Labs has investigated a developer of pay-per-install software that has stayed active for a significant period without much negative press from the media or the computer security industry. During a span of 10 months, McAfee prevented 1.9 million infections by WakeNet AB’s FileCapital as we observed thousands of unique domains being created to spread FileCapital installers.

The FileCapital tools are responsible for installing some of the most prevalent potentially unwanted program (PUP) families, such as Adware-Linkury and Wajam, which plague infected clients with unwanted advertisements and seriously impact performance.

The revenue WakeNet AB generated in one year puts it above some of the most prevalent families, which explains why creating PUPs is so appealing. PUP developers generate revenue primarily by exploiting PC users.

In spite of their ubiquity, PUPs often draw little attention compared with less numerous but more destructive threats such as Trojans and ransomware. Nonetheless, PUPs impact a far greater percentage of users (see Figure 1), and can render a machine almost unusable (see Figure 2).

The McAfee PUP Policy helps users understand what is being installed on their systems and notifies them when a technology poses a risk to their systems or privacy. PUP detection and removal provides notification to our customers when a software program or technology lacks sufficient notification or control over the software, or fails to adequately gain user consent to the risks posed by the technology. For more on how McAfee defines PUP and protects against PUPs, read the McAfee® Potentially Unwanted Programs Policy.

PUPs

A PUP is software that might offer some useful functionality to a customer but also presents some risk. Users see some PUPs as benign, others as malicious. One of the latter is Adware-Elex (aka Fireball), which infected 250 million devices. McAfee strives to protect its customers against all kinds of threats, including PUPs.


PUPs are often installed via pay-per-install tools, which some software manufacturers develop to make money. They can generate revenue by bundling their installers with third-party software and receiving money when these bundled applications are installed. Pay per install can be a legitimate way of business; however, some companies misuse this method to generate revenue.

Installers from the companies that misuse the pay-per-install method are categorized by security companies as PUPs, usually because they use deceptive tactics to trick users into executing and installing the bundled software.

Figure 1. Percentage breakdown of detection types. PUPs are by far the most common. Source: McAfee Labs.

WakeNet AB

WakeNet AB, based in Sweden, has developed pay-per-install software since 1999 and recently is responsible for creating bundled software installers that have a huge performance and privacy impact on users’ machines. Figure 3 shows that after running one of the latest WakeNet AB tools and installing the bundled applications, the desktop’s performance degraded by 12.5%.

Figure 2. PUP toolbars can make a browser almost useless. Source: AhelioTech.

Figure 3. Performance results using UL’s PCMark 10 of a machine after installing software with WakeNet’s FileCapital. (Higher numbers indicate better performance.)


In this report, we will examine this company’s history and how it has spread millions of PUPs onto unsuspecting users’ machines and generates several million dollars in revenue using extremely deceptive techniques.

Figure 4. Timeline of the domains registered by WakeNet AB.

1999: Anti-Leech.com

The first website we found registered to WakeNet AB was Anti-Leech.com. That site is no longer available so we visited Archive.org, which stores cached versions of sites.

Figure 5. The former Anti-Leech home page.

The Anti-Leech plug-in is also no longer available to download. We based this section on information from the Anti-Leech site and forum postings we found. The Anti-Leech site said it can help websites protect their files by hiding the links on the site so that only its software (plug-ins/executable) can locate them. Thus all files on a site would be inaccessible unless the users had the Anti-Leech software installed. This tactic allowed WakeNet AB to get its software on many machines.

In some forum posts users say they received a link but were unable to view the content unless they installed the Anti-Leech software.

Figure 6. A forum post commenting on the Anti-Leech plug-in.


The Anti-Leech site also highlighted the software NetPumper, a PUP known to install other PUPs and malware. McAfee products detect this threat as Adware-NetPumper. This tool demonstrates that WakeNet AB was involved in creating PUPs from the company’s beginning. This software makes another appearance in WakeNet AB’s next venture.

2006: C4DL.com

The second venture for WakeNet AB was C4DL.com, which resolves to Cash4Downloads.com, a pay-per-install website. This site is still available, but we cannot create a new account. We suspect even if we had an account, we would not be able to log in.

Figure 7. The C4DL homepage.

C4DL claims to offer a unique opportunity to make money by distributing software. It also claims that this is software that users value. WakeNet AB created all the software on this site and is not distributing PUPs developed by other companies.


The site’s software includes media players, Torrent applications, compression tools, and download managers:

Software         URL
3wPlayer         3wplayer.com
DivoCodec        Divocode.com
BitRoll          Bitroll.com
DomPlayer        Domplayer.com
GalaPlayer       Galaplayer.com
LunaPlayer       Lunaplayer.com
NetPumper        Netpumper.com
TorrentSpeeder   Torrentspeeder.com
WinZix           Winzix.com

Figure 8. Software advertised on C4DL.com.

These sites are no longer available, but some are cached on Archive.org. The list gives us insight into what the applications were doing.

LunaPlayer stood out for us. We did some investigating and found several forum posts asking whether the poster should install it. LunaPlayer cost US$3.75 and allowed purchasers to view videos on certain sites. The owners of these sites used a tool complementing LunaPlayer that uniquely encoded videos so only LunaPlayer could play them. At the time, this method must have seemed a novel idea, though similar to what Anti-Leech did. We suspect many users fell for this tactic and paid the fee. All the other media players on the C4DL website used the same tactic.

The financial crash of 2007–2008 impacted WakeNet AB. A post on C4DL mentions that bonus prices for downloads were put on temporary hold.

Figure 9. A post referencing the financial crash.

2013: FileCapital

FileCapital is by far the most professional-looking product site WakeNet AB has created. The home page is fresh and fluid and, unlike C4DL, looks impressive.


Figure 10. FileCapital’s home page.

This is the latest website from WakeNet and still current. We signed up for the service to see what it offers. We were assigned an account manager whom we could email if we had any questions. We had access to an interface that showed how many downloads occurred, how much money we made, and notifications showing if there were any issues with the service.

We were mainly interested in the marketing tools section. This is where we learn how to create the installers for the bundled applications.

Figure 11. FileCapital’s marketing tools.

The section comprises six tools:

■■ Direct download: Allows customers to build a bundled installer by just creating a link on a website or in a social media post. Customers are presented with the domain and a few variables they can enter, creating a link that serves the bundled installer to whoever clicks on it. Format: http://DirectDownloadURL/?dffid=1234&instid=1234/appTitle=USERS_TITLE

■■ Landing pages: Customers can choose one of five landing pages to entice users to click “download now,” which downloads a bundled installer. (See Figure 12.) One of these pages opens a fake movie site that loads a five-second clip of the Paramount Pictures intro and presents users with a message that the codec to play the video is not available. (See Figure 13.) Clicking this message downloads the bundled installer on the user’s machine.


■■ Banners and buttons: Similar to direct download. Displays a button or banner on a website. Customers can choose a landing page. (See Figure 12.)

■■ Embed movie: Allows customers to create a fake video website to show the “codec missing” message and entice users into downloading and running the bundled installer.

■■ Embed buttons and banners: Direct download buttons that do not load a landing page. When users click the link, they instantly download the file and do not navigate away from the site.

■■ Build installer: Creates a custom bundle installer to allow customers to change the landing page, add unique tracking IDs to monitor campaigns, change the numbers of installs offered, and add command-line arguments. The switch /S runs the installer in silent mode. This tool creates the bundled installer so that it can be hosted on a site, though FileCapital does not recommend this: “We recommend using our direct download links instead as the installer is updated frequently. If you host the installer yourself, remember to update at least weekly.”

Figure 12. FileCapital’s landing pages.

Figure 13. FileCapital’s fake movie landing page.

Looking through these options, it is clear that FileCapital encourages deceptive tactics to achieve as many downloads as possible. The embed movie tool is by far the worst; we have seen this often while analyzing football and movie-streaming services.


During our analysis, we found the FileCapital tools installed the following PUPs:

■■ Wajam: This adware-based software replaces ads on websites with its own. There are several variants of Wajam, also called Social2Search. McAfee detects these adware PUPs as Adware-Wajam.

■■ Linkury: Similar to Wajam, this is adware-based software. Linkury is installed by dropping an encrypted .exe in the root of %APPDATA%\installer.dat. This file is decrypted by the installer and installed onto the machine. McAfee detects this as Adware-Linkury.

■■ OnlineApp: This proxy routes all traffic through its own servers. There is no way of telling this software is installed unless you view it in add/remove programs.

■■ Other PUPs include BrowserAir, OneSystem Care, HDWallPaper, FastestFile Downloader, and InterStat.

The following screenshot shows Amazon.com with Adware-Wajam installed.

Figure 14. Adware-Wajam advertisements on Amazon.com.

Analyzing the FileCapital Installer for Windows

When users execute the Windows installer, they are presented with a fake codec installer.

Figure 15. The fake codec installer.

Unfortunately for the user, there is no codec. In the background, the installer sends some information to the server to check for and retrieve available offers. The unpacked URLs from the file look like this:

Figure 16. An unpacked URL query.


The server’s response is encrypted, but can easily be decrypted into a JavaScript Object Notation (JSON) message that is easy to understand.

Figure 17. Another unpacked URL query.

And the variables are populated with this information:

Parameter   Description
{uac}       user access check
{ie}        IE version
{net}       .NET version
{cid}       user sid
{sb}        x86/x64
{wv}        Windows version
{osd}       OS install date
{res}       screen resolution
{db}        default browser

Figure 18. The installer sends this information to FileCapital’s server.

The resulting link becomes:

Figure 19. A Wireshark capture.

Figure 20. A JSON message from the FileCapital server with URLs and offers.


From this information we see two URLs used for installation and several offers currently available.

When the user clicks the install button, some system data is sent to the server to check if it is running on a virtual machine or sandbox. This information is collected with the Windows Management Instrumentation query language and contains BIOS info, processor vendor, processor manufacturer, model name, and MAC address. This method is a relatively new form of virtual machine/sandbox avoidance, achieved with three simple queries.

■■ SELECT * FROM Win32_ComputerSystem

■■ SELECT * FROM Win32_NetworkAdapter

■■ SELECT * FROM Win32_BIOS

Figure 21. A Windows Management Instrumentation query.

The web request with the system information:

Figure 22. A Wireshark capture showing system information.

If the server is satisfied with the data sent to report.php, then the installer downloads and launches the selected installers from Url1 and Url2 in the preceding JSON; otherwise the installer exits because of the virtual machine detection.

Figure 23. Software to be installed.
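The two network-side signals described in this section and in the Indicators of Compromise, the report.php beacon carrying the {uac} to {db} profile parameters and the InstallCapital User-Agent, can be turned into a simple proxy-log check. The following Python script is an added example and is not part of the report or of any McAfee product; the log line format, the host names and the parameter values are constructed for the example.

```python
"""Proxy-log check for FileCapital-style installer traffic (added example, not from the report).

Two signals from the report are checked against constructed log lines:
  1. the User-Agent string "InstallCapital" (listed under Indicators of Compromise), and
  2. a request to report.php carrying the system-profile parameters the installer sends
     (uac, ie, net, cid, sb, wv, osd, res, db; see the Figure 18 table).
The log format (timestamp, client IP, method, URL, quoted user agent) is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the report's Figure 18 table (the {uac} ... {db} placeholders).
PROFILE_PARAMS = {"uac", "ie", "net", "cid", "sb", "wv", "osd", "res", "db"}
SUSPECT_USER_AGENT = "InstallCapital"

# Constructed sample log; host names under .invalid and all values are made up for the example.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 10.0.0.5 GET http://example-cdn.invalid/static/app.js "Mozilla/5.0"
2018-06-01T10:00:07Z 10.0.0.5 GET http://insect.example-ppi.invalid/report.php?uac=1&ie=11&net=4.7&cid=S-1-5-21-1&sb=x64&wv=10.0&osd=20170101&res=1920x1080&db=chrome "InstallCapital"
2018-06-01T10:00:09Z 10.0.0.6 GET http://updates.example.invalid/report.php?uac=1&ie=11 "Mozilla/5.0"
2018-06-01T10:00:12Z 10.0.0.7 GET http://store.example-ppi.invalid/download "InstallCapital"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def profile_params(url):
    """Return the report.php query parameter names that belong to the installer's profile set."""
    parts = urlsplit(url)
    if not parts.path.endswith("/report.php"):
        return set()
    return set(parse_qs(parts.query).keys()) & PROFILE_PARAMS


def classify(line):
    """Return the list of reasons a log line is suspicious; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if m.group("ua") == SUSPECT_USER_AGENT:
        reasons.append("user-agent InstallCapital")
    hits = profile_params(m.group("url"))
    # Require most of the profile set: a lone 'ie' or 'uac' parameter is too generic to alert on.
    if len(hits) >= 6:
        reasons.append("report.php profile beacon (%d/%d params)" % (len(hits), len(PROFILE_PARAMS)))
    return reasons


def scan(log_text):
    """Map 1-based line numbers to their reasons, for every suspicious (or unparseable) line."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            findings[n] = reasons
    return findings


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(n, "; ".join(reasons))
```

On the constructed sample, line 2 trips both signals, line 4 only the User-Agent, and line 3, which carries two generic parameters and a normal browser agent, stays clean; the threshold of six matching parameters is a tuning choice, not a value from the report.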


Analyzing the FileCapital Installer for Mac

When users execute the Mac installer, they are also presented with a fake codec installer.

Figure 24. The fake codec installer page on the Mac.

The installer sends a request to a FileCapital server that includes the software installed on the machine and some system information.

Figure 25. Information sent to the FileCapital server.

The installer receives a response containing the offers to be shown to the user:

Figure 26. A JSON offer for the browser hijacker TapuFind.


The fake installer offers a list of software received from the server. Users may install these because they are presented in a fake Adobe Flash Player message to gain their trust.

Figure 27. A fake Adobe Flash Player installer.

Figure 28. The Advanced Mac Cleaner PUP.

We observed the installation of several adware and PUPs such as browser extensions and fake performance boosters.

Figure 29. The TapuFind browser extension.


Torrent Site

During our research we discovered several torrent files that contained PC and Mac FileCapital installers.

Figure 30. A torrent file structure.

After further investigation we found several hundred torrent files containing popular movies to tempt users to download them.

Figure 31. Torrents including the FileCapital installer.

The download is useless, just a large file filled with garbage.

Figure 32. A downloaded junk file.

Most users, having downloaded an apparently legitimate file, might check the readme:

Figure 33. The readme.txt entices users to run the FileCapital setup file.

This message lures users into executing the setup files located in the same folder, installing multiple pieces of adware. Once the files are installed, users will still be unable to view the “movie” and will have adware-infected machines.


Domains

WakeNet AB offers customers an API that lets them generate setup files in real time. For a period of eight weeks between May and July, we observed the URL-download API generate more than 5,000 unique domains that redirect to a FileCapital installer. These domains were purchased via .com.

Figure 34. A whois of the FileCapital domain.

Figure 35. Examples of FileCapital domains.

Out of the 5,000 unique domains, there were only 780 subdomains and 18 top-level domains. The domains were made from random dictionary words, with one word for the subdomain, two words for the domain, and another word for the top-level domain.

Sub Domain   Count     Top-Level Domain   Count
insect       18        Bid                821
store        15        Cricket            368
suit         14        Party              365
locket       14        Stream             351
pocket       14        Webcam             351
impulse      14        Men                350
meat         14        Loan               349
cook         14        Trade              344
anger        14        accountant         336
shape        13        Faith              334

Figure 36. The leading top-level and sub domains.

We suspect FileCapital uses a script to search a dictionary for words and randomize them before registering each domain. Several Python scripts on GitHub make this process easy.
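As an added example, not from the report, the following Python script tallies subdomains and top-level domains over a domain list the way Figure 36 does and flags domains that fit the one-word subdomain, two-word domain, one-word TLD pattern described above. The word list and the sample domains are constructed, and joining the two domain words with a hyphen is an assumption: the report does not show how the two words are combined.

```python
"""Tally of subdomain and TLD frequency over dictionary-word domains (added example, not from the report).

The report observes that FileCapital domains use one dictionary word for the subdomain,
two words for the registered domain and another word for the TLD. This groups a list
of observed domains the way Figure 36 does and flags those that fit the pattern.
"""
from collections import Counter

# Constructed word list standing in for a full dictionary; a real run would load a words file.
WORDS = {"insect", "store", "suit", "locket", "pocket", "impulse", "meat", "cook", "anger",
         "shape", "flower", "river", "stone", "cloud", "bid", "cricket", "party", "stream",
         "webcam", "men", "loan", "trade", "accountant", "faith"}

# Constructed sample. "Two words for the domain" is modelled as two words joined by a hyphen
# (an assumption); the .invalid and .com entries are the control group that should not match.
SAMPLE_DOMAINS = [
    "insect.flower-river.bid",
    "insect.stone-cloud.cricket",
    "store.cloud-meat.bid",
    "suit.river-stone.party",
    "cdn.example.invalid",
    "www.flower-river.com",
]


def split_domain(fqdn):
    """Split 'sub.domain.tld' into (sub, domain, tld); None when it is not exactly three labels."""
    labels = fqdn.strip().lower().split(".")
    if len(labels) != 3 or not all(labels):
        return None
    return tuple(labels)


def is_word_pattern(fqdn, words=WORDS):
    """True when the subdomain, both halves of the domain and the TLD are all dictionary words."""
    parts = split_domain(fqdn)
    if parts is None:
        return False
    sub, dom, tld = parts
    halves = dom.split("-")
    return (sub in words and tld in words and len(halves) == 2
            and all(h in words for h in halves))


def tally(domains, words=WORDS):
    """Return (subdomain Counter, TLD Counter) over the domains that fit the word pattern."""
    subs, tlds = Counter(), Counter()
    for d in domains:
        if is_word_pattern(d, words):
            sub, _, tld = split_domain(d)
            subs[sub] += 1
            tlds[tld] += 1
    return subs, tlds


if __name__ == "__main__":
    subs, tlds = tally(SAMPLE_DOMAINS)
    print("subdomains:", subs.most_common())
    print("TLDs:", tlds.most_common())
```

Run against a real feed of observed domains with a full dictionary, the two counters reproduce the two halves of Figure 36; the counters also give a quick sense of how concentrated the TLD choice is, which is what made the 18-TLD figure above notable.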


Prevalence

McAfee Labs tallied more than 1.9 million detections between September 2017 and June 2018. Out of 249 IP map countries, we saw infections in 178. The top 10 infected countries:

Country          Percentage   Detections
Germany          62.6%        1,220,459
Great Britain    16.1%        314,272
United States    15.9%        310,970
Indonesia        0.7%         13,052
Croatia          0.7%         12,711
India            0.6%         11,536
Netherlands      0.4%         7,718
Italy            0.2%         4,686
Canada           0.2%         3,675
Malaysia         0.1%         2,795

Figure 37. Top 10 infected countries for the ten-month period ending June 30, 2018.

Figure 38. An infection heatmap for the period ending June 30, 2018.

The following graph shows the number of unique FileCapital samples that entered the McAfee database since 2016.

Figure 39. Unique FileCapital samples collected since 2016.


DailyUploads

While investigating FileCapital, we came across DailyUploads.net, a file-hosting site that pays its customers an amount depending on how many downloads their files generate. It uses FileCapital to convert the uploaded files into bundled installers. DailyUploads receives money from FileCapital and passes on some of that revenue to its customers. Customers of DailyUploads can earn the following:

Group   Rate per 1,000 Downloads
A       $16
B       $5
C       $3
D       $1

Figure 40. DailyUploads payments in US dollars. The amount is paid only if the user installs all the bundled software.

Groups:

■■ A: United States, United Kingdom

■■ B: France, Spain, Australia, Sweden, Switzerland, Italy, Netherlands

■■ C: Japan, Poland, Russia, Romania, Hungary, Greece, UAE, Bulgaria, Singapore, South Korea, New Zealand, Kuwait

■■ D: All others

The following diagram shows how DailyUploads works:

Figure 41. DailyUploads’ distribution method.

1. A user navigates to DailyUploads.net via a link on social media, a post, or website.

2. DailyUploads uses the FileCapital API to generate a link to the bundled installer.

3. The user downloads this bundled installer and follows the steps to extract and execute it.

4. The user executes the installer that was downloaded from a FileCapital domain.

5. The installer adds several pieces of adware before receiving and installing the intended file.


While looking through the homepage of DailyUploads.net we examined the HTML and found a piece of code that linked to the site-statistics service HiStats.com. We noticed what appeared to be a unique site ID, highlighted in Figure 42.

Figure 42. A HiStats ID on DailyUploads.net.

A little more detective work gave us all the site statistics since DailyUploads has been online. The site was set up in 2015. It used FileCapital as a service between 2016 and the end of 2017. In 2018, DailyUploads moved to another pay-per-install company. The following charts show the traffic to DailyUploads from January 1, 2016, through December 31, 2017.

Month–Year   Total Visitors   New Visitors   Page Views
Jan-16       962,754          658,450        2,333,861
Feb-16       832,535          564,344        2,148,199
Mar-16       888,884          611,723        2,351,525
Apr-16       911,921          606,313        2,725,305
May-16       887,195          570,205        2,593,400
Jun-16       915,804          562,209        2,508,528
Jul-16       1,053,310        660,146        3,094,910
Aug-16       1,045,868        651,290        3,179,113
Sep-16       1,088,737        700,425        3,161,559
Oct-16       1,186,760        752,214        3,624,548
Nov-16       1,176,386        738,839        3,407,014
Dec-16       1,271,593        793,189        4,091,871
Jan-17       1,226,011        761,917        4,548,902
Feb-17       1,047,224        648,255        4,265,322
Mar-17       1,099,981        700,651        3,683,702
Apr-17       975,809          636,036        3,544,001
May-17       975,634          649,222        3,807,549
Jun-17       876,546          593,640        3,209,968
Jul-17       809,127          556,662        2,900,237
Aug-17       715,510          479,896        3,023,213
Sep-17       606,930          422,720        1,972,126
Oct-17       717,027          517,044        2,022,507
Nov-17       537,931          388,840        1,575,455
Dec-17       542,033          382,100        1,620,538

Figure 43. Two views of DailyUploads traffic. Source: HiStats.com.

The number of page views is sometimes about four times the number of total visitors. FileCapital requires four clicks for the user to finally get to the download page. Based on that information, we can estimate that each visitor will likely have downloaded one file.


If we average the amount of adware installed per bundled installer, DailyUploads.net is responsible for around 4 million adware installations per month, 48 million per year, and around 90 million in the years 2016 and 2017. This must have generated a huge amount of revenue for the site owner.

The geographic breakdown of visitors to DailyUploads.net:

Country                Visitors
Indonesia              6,927,181
United States          6,189,187
India                  3,240,332
Asia-Pacific Region    729,271
Philippines            588,946
Thailand               517,730
Brazil                 454,940
Germany                424,572

Figure 44. Two views of the location of visitors to DailyUploads from January 1, 2016, through December 31, 2017. Source: HiStats.com.

We tracked down the owner of DailyUploads to see if there was a link with WakeNet AB. We found several posts on adware forums asking people to join the site; all these posts were from one person. We discovered this person was the owner and creator of DailyUploads. He has created other websites that offer software cracks and games. We found no link between this person and the owner of WakeNet AB.

Freelancer

During our research, we tracked down some relevant job postings on Freelancer.com. We discovered several from a user in Sweden.

Figure 45. Freelancer job post.


These posts matched some of the functionality in WakeNet AB’s software. Based on our findings, we believe these jobs were posted by the owner of WakeNet AB. The jobs include a request for a Mac installer, a fake YouTube video viewer, and several posts on torrents. More posts appear in the appendix.

Figure 46. Freelancer job post.

Figure 47. Freelancer post requesting torrent upload script.

WakeNet AB’s Finances

WakeNet AB is a public company registered in Sweden; we can see their financial statements. In 2017 WakeNet AB had revenues of $2,000,000 (SEK 1,800,000).

Figure 48. WakeNet AB’s revenues from 2013–2017. Source: allabolag.se.

Attribution

WakeNet AB was set up in 2001. The domain wakenet.se was purchased in 1999 with registration details that match the WakeNet AB registration details. This time frame coincides with the creation of Anti-Leech.com. The registered address of the company is in a block of flats in Danderyd, Sweden. A Google Maps search for WakeNet AB shows an office nearby. The location of the business also ties to the freelancer job postings.


The homepage for WakeNet AB shows only the logo, but thanks to archive.org we went back in time to see the homepage from several years ago. When WakeNet AB launched, it did not hide its connection to Anti-Leech and NetPumper.

Figure 49. Wakenet.se snapshots.

Figure 50. WakeNet.se in 2003.

In 2008 the homepage for WakeNet AB briefly changed to a replica of C4DL. After 2008 the homepage contained only the WakeNet AB logo. Perhaps this minimalism is due to antimalware vendors getting aggressive with PUP detections.

Conclusion

WakeNet AB has remained active for 19 years with little outcry. McAfee customers are protected against FileCapital, which installs leading PUP families that infect systems with ads as they slow performance. Meanwhile, PUPs, which are more numerous than malware, plague users around the world. PUP development is unlikely to slow because they earn their distributors considerable sums. The security industry needs to do more to investigate companies that create PUPs and raise awareness among customers of their bad practices.

McAfee Protection

McAfee endpoint customers are protected from FileCapital by the detection Adware-InstCap. Due to the polymorphism of adware installers, we constantly update our detection signatures. Our first detections appeared in these DAT versions:

■■ V2: 8401

■■ V3: 2855

Detection signatures:

■■ Adware-InstCap! [FileCapital]

■■ Adware-InstCap!xht [FileCapital]

■■ SystemHealer [PUP installed by FileCapital]

■■ Adware-Linkury [PUP installed by FileCapital]

■■ Adware-Wajam [PUP installed by FileCapital]

■■ OneSysCare [PUP installed by FileCapital]

We advise our customers to enable PUP detection within their products.


Indicators of Compromise

Hashes

■■ 0xB9AAD38377C4A4AE453C7BB2EED8E80126C076766C769EA8BF45296A2EEEAA10

■■ 0x12379027DFB40D0577D28CF7B1CF813A1966CC18501748E544D9EDA2E331D24F

■■ 0x53B70EA22F60F1B2C8583D8E8B19FA2EAC23093C89BC1527A4F536DCC8837D5B

■■ 0x06E147AAECA32293F220D9799BA81295629ED7C6B70646E9486D03C892BE6598

■■ 0x44713D6EEA059DFA95FC141130FA1E1DE19C32BB66AA089BBB7B79E36812EE24

■■ 0xB324B5688FDF904CEE09DC3E604E754746323123777BFDDAC938F18E25EA5510

■■ 0x06CFB4F3620E6BB3944F03B398641AE3484AB2E9D886499CC2C3BDFA73AF5C1C

■■ 0x82F01C5724C31691A40C8C76D24C5839878C84E6E6C76D23F8F647576F0158C6

■■ 0x74E2208474BB52DB23D8D91F88338AC76F9E8D3A1AFFEBA762CDF4046F003EDF

■■ 0x05C7A4335DDC5326CE2616503446D477407C3F16A5C144D9CF9D6E8148F1D919

■■ 0x29F2E2CBACE4D9D97ABB62FF1B7D8FCD3B765A029563AED0740B0C87C8A822DC

■■ 0x5B7B78DA94DC9A114B7B228DFF44F2CBF360891D739C4D6CA58DF863BB8213E6

■■ 0xD3F56F2DE3638B76FC0191AC31D24A1B2034DA88C87458409879564D6F3F20C0

■■ 0x194ABCF9E552B520F11F7785A9C551D50076A763C143F09097A32235313CAB8C

■■ 0xC6DD6C38D3C7E7CFDDE4AD11D3E8745342DF0D5F9282BF6C85A86F457D7E3BB2

■■ 0x6F0319906767C19D50129E093574ACA7E06D0B242DF3385F54543779DC6CE983

■■ 0x33ABBC500461DB59E5376DBF2F1FB2659235388B65565858A737E96D607F754C

■■ 0x00D073B99AD07FDDE65781B2D3DAD7E4D4AFA3DCD348737D4B35B929CB4A1344

■■ 0x1E3A9861C29FE43ED8ECD6EEE9E435DB05546961AE4A990F9B9BCF7A2C5351D0

■■ 0x00055342AB51BA8F89B10D8E08569051F848CAE899EFB8C165428E4E6807CE40

■■ 0xF313EFDE9A637CA19F85B64419E20234CC029EED9145480E1F54D212DAE9E44E

■■ 0x9006CE1E14001759E0D3EEFB01C9B5D37D7460A6180BE990D5D58FA4789C33AA

■■ 0x1BD1ED24153AF7E9C67122F3432648671CAE0F7FE7A60EAC6868FF9755193753

■■ 0xE1B48243603F3804696508950D4E2138F49494C1C4E2AAE35171035D52A68C9B


■■ 0x2C4066A45E9453F373AA3661053B9B13D6E382080931F5B088D76276827F54B8

■■ 0xCEC463F2B16EA2361D5ACA01805C196E1A0022CE72C7DDDE71300BAD0C314F20

■■ 0xE6E44A84B58A8B38F9EF86E48EB5DD046CA366B5B2D1B0F54B781F1EEA4EE9D6

■■ 0x084DC856F88A20984C1FA96551E004A8387DF8EF51DE2D510028EAF2F44C7D78

■■ 0x612595BE0E03EE3803352D3DA4338F1D72D7E0ADBED7852179028F3C58D6817B

■■ 0xC17D7CD65065DD52A06BA0B42864FF39615D82F67B29699891E64D7D42C9857B

■■ 0x7AD648C14875679DA1E1574F3C7082BD3DAD445F30F13E7F0C01647D171E4FC6

■■ 0x015D7616B999F4E36108B083476BD1819261808DBFF4E956F0A59FCF7927D79F

■■ 0x89A6F9F5EA240F4700010407CCD8E698338C6329CDB2DB44BD9D0B45AE495D4F

■■ 0xABE9A4054BB529E2603991A5EC3F31E582721C647A77A17AFCC17C7348E3EAFD

■■ 0x40B36624F788039F91C9078D075D35DA20016E05EABDACB9F38DFBC129C2C24B

■■ 0x3C580E8B317F9BD7F3ACEFCE1F5CD9AD24485D88BD0FDC5D0C44A67271BDE3D3

■■ 0x0228219222C7ACA8A7AA1332CA7BB5132D037C3C8F5263805E1D8CC0A4420F1F

■■ 0x6BAFB5B69057E839BAE635D908747042FAC2F188B60EB5CD7BCE2B6C1572DC7E

■■ 0x06F87B1B289C2C20016E8FD6A8BE33E9AEF1A03F7DAA4D38C355F64DB945D42E

■■ 0xF38E14EE919C908C03FDA9B742DE5338A7CFE482A5A5223A4CFCCC73AABC8367

■■ 0x84429FE98661392037AE2EB9284F5A8ECCC4900E88E01DA30CE83714E5EB94B7

■■ 0x3B9835107AC089DE30840D6239AA0712B7501292A80BD5E4D36CD3E07A764F9D

Domains/network

■■ Any network traffic with “User-Agent = InstallCapital”

■■ Full list of domains is available here.
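To check files on a host against the SHA-256 list above, the hashes must first be normalised, because the report writes them with a 0x prefix and in upper case while hashing libraries return lower-case hex. The following Python script is an added example, not McAfee tooling; the directory walk and the constructed temporary files in demo() are assumptions for illustration, and the three entries in REPORT_HASHES are copied from the list above.

```python
"""Match files against the report's SHA-256 indicators (added example, not from the report)."""
import hashlib
import os
import tempfile

# Three hashes copied from the report's Indicators of Compromise list, in the report's 0x form.
REPORT_HASHES = [
    "0xB9AAD38377C4A4AE453C7BB2EED8E80126C076766C769EA8BF45296A2EEEAA10",
    "0x12379027DFB40D0577D28CF7B1CF813A1966CC18501748E544D9EDA2E331D24F",
    "0x53B70EA22F60F1B2C8583D8E8B19FA2EAC23093C89BC1527A4F536DCC8837D5B",
]


def normalise(h):
    """Strip an optional 0x prefix and lower-case; reject anything that is not 64 hex characters."""
    h = h.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not a SHA-256 hex digest: %r" % h)
    return h


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs):
    """Return {path: sha256} for every file under root whose hash is in the normalised IoC set."""
    wanted = {normalise(h) for h in iocs}
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file (permissions, in-use): skip rather than abort the scan
            if digest in wanted:
                hits[path] = digest
    return hits


def demo():
    """Build a temp directory with a constructed 'sample' whose hash is added to the IoC set.

    Returns the base names of the files that matched; only the constructed sample should.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "readme.txt")
        sample = os.path.join(tmp, "setup.exe")
        with open(benign, "wb") as f:
            f.write(b"hello")
        with open(sample, "wb") as f:
            f.write(b"constructed sample bytes, not a real installer")
        iocs = REPORT_HASHES + [sha256_file(sample)]
        return {os.path.basename(p) for p in scan_directory(tmp, iocs)}


if __name__ == "__main__":
    print(demo())
```

In production the IoC set would be the full hash list rather than three entries, and the walk would be pointed at download folders and %APPDATA%; the normalisation step matters because a hash copied with its 0x prefix will otherwise never match anything.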


About the Authors

Oliver Devane is a senior security scientist with more than 10 years experience in the cybersecurity sector. He has been involved in containing and remediating some of the most notorious malware outbreaks—including WannaCry, NotPetya, TeslaCrypt, and FakeAlert. Recently Devane has moved into the managing of projects and creating and leading task forces to combat malware and potentially unwanted programs. His interest in PUPs has grown over the years due to a noticeable lack of attention from the security and legal community despite the large impact these families have on users.

Charles Crofford, a security researcher, has worked at McAfee since 2010, starting as a technical support engineer. He has found a passion for malware analysis, reverse engineering, and solving the puzzles set by malicious actors. As a member of the Security Research Team, Crofford has authored several publications for McAfee Labs, developed internal automation tools for faster customer response, and developed customer-facing tools for identifying and removing fileless malware.


Appendix

Domains purchased by the owner of WakeNet AB.

Domain                      Creation date   Registrar
3984sjkf.xyz                30/07/2015      NAMECHEAP
adoptionp.one               24/07/2016      DYNADOT LLC
allingbea.one               24/07/2016      DYNADOT LLC
alpromise.one               24/07/2016      DYNADOT LLC
anti-leech.com              22/05/1999      ENOM, INC.
applenewch.one              24/07/2016      DYNADOT LLC
bastichirs.one              24/07/2016      DYNADOT LLC
bloomexc.one                24/07/2016      DYNADOT LLC
braziliancoffee.top         18/03/2016      DYNADOT LLC
c4dl.com                    05/06/2006      ENOM, INC.
canecando.top               15/04/2016      DYNADOT LLC
cedeadly.one                24/07/2016      DYNADOT LLC
cherryplayer.com            21/11/2011      ENOM, INC.
cp-flower45.xyz             30/07/2015      NAMECHEAP
cp-int-45.xyz               30/07/2015      NAMECHEAP
cp-lio.xyz                  17/07/2015      NAMECHEAP
cp-reffi.xyz                30/07/2015      NAMECHEAP
cp-retr.xyz                 24/07/2015      NAMECHEAP
cp-rig.xyz                  17/07/2015      NAMECHEAP
dabado-34.xyz               30/07/2015      NAMECHEAP
dibida-22.xyz               30/07/2015      NAMECHEAP
digital-store.top           03/11/2015      DYNADOT LLC
download-codec-now.xyz      30/07/2015      NAMECHEAP
downloadfile-now.website    27/11/2015      NAMECHEAP
downloadfile.website        27/11/2015      NAMECHEAP
downloadit-now.website      27/11/2015      NAMECHEAP
earspider.one               24/07/2016      LLC
econcrete.one               24/07/2016      DYNADOT LLC
eingliber.one               24/07/2016      DYNADOT LLC
executione.one              24/07/2016      DYNADOT LLC
feats.fyi                   19/03/2016      DYNADOT, LLC
fgweoq8h3lriq.xyz           30/07/2015      NAMECHEAP
filecapital.com             11/07/2013      ENOM, INC.
findfile-now.website        27/11/2015      NAMECHEAP
fleebottom-33.xyz           30/07/2015      NAMECHEAP
fleebutton-22.xyz           30/07/2015      NAMECHEAP
flow-56.xyz                 30/07/2015      NAMECHEAP
free-me-ic.xyz              30/07/2015      NAMECHEAP
fumebelowa.one              24/07/2016      DYNADOT LLC
getfile.website             27/11/2015      NAMECHEAP
getmediacodec.xyz           30/07/2015      NAMECHEAP
grilltwel.one               24/07/2016      DYNADOT LLC
gunrunnerp.one              24/07/2016      DYNADOT LLC
ic-dri-76.xyz               30/07/2015      NAMECHEAP
ic-ftree34.xyz              30/07/2015      NAMECHEAP
ic-int-34.xyz               30/07/2015      NAMECHEAP
ic-int-99.xyz               30/07/2015      NAMECHEAP
ic-u-88.xyz                 30/07/2015      NAMECHEAP
ic-upp.xyz                  30/07/2015      NAMECHEAP
ildrenfina.one              24/07/2016      DYNADOT LLC
imitlessrival.one           24/07/2016      DYNADOT LLC
infinitebl.one              24/07/2016      DYNADOT LLC
inmyglasse3.xyz             30/07/2015      NAMECHEAP
int-cp2-234.xyz             30/07/2015      NAMECHEAP
int-cp-234.xyz              30/07/2015      NAMECHEAP
int-cp3-234.xyz             30/07/2015      NAMECHEAP
int-ic-1.xyz                30/07/2015      NAMECHEAP
int-ic-2.xyz                30/07/2015      NAMECHEAP
int-ic-3.xyz                30/07/2015      NAMECHEAP
int-ic-4.xyz                30/07/2015      NAMECHEAP
is3o8rh3ohf.xyz             30/07/2015      NAMECHEAP
itvolca.one                 24/07/2016      DYNADOT LLC
jfs7d6fsduifh.xyz           30/07/2015      NAMECHEAP
kanoasandalias.top          22/10/2015      DYNADOT LLC
lfo8793hrlksdf.xyz          30/07/2015      NAMECHEAP
lightinthegame.com          01/09/2013      GO MONTENEGRO DOMAINS, LLC
lsaltyper.one               24/07/2016      DYNADOT LLC
lusivebom.one               24/07/2016      DYNADOT LLC
mhornguns.one               24/07/2016      DYNADOT LLC
monnacalcados.top           22/10/2015      DYNADOT LLC
mycodec.net                 11/02/2014      ENOM, INC.
mydll.website               27/11/2015      NAMECHEAP
my-dll.website              27/11/2015      NAMECHEAP
my-dl.website               27/11/2015      NAMECHEAP
nicgambler.one              24/07/2016      DYNADOT LLC
ockettight.one              24/07/2016      DYNADOT LLC
onendlessf.one              24/07/2016      DYNADOT LLC
oorgradeed.one              24/07/2016      DYNADOT LLC
operaticbe.one              24/07/2016      DYNADOT LLC
orkenter.one                24/07/2016      DYNADOT LLC
ourdl.website               27/11/2015      NAMECHEAP
our-dl.website              27/11/2015      NAMECHEAP
p2client.info               16/02/2010      ENOM, INC.
p2custom.info               16/02/2010      ENOM, INC.
p2user.info                 16/02/2010      ENOM, INC.
partmentl.one               24/07/2016      DYNADOT LLC
pdflocker.net               13/02/2014      ENOM, INC.
pe-ento.com                 10/01/2014      ENOM, INC.
pe-eri.com                  10/01/2014      ENOM, INC.
peeritnow.com               08/01/2014      ENOM, INC.
peerq2.info                 09/01/2013      ENOM, INC.
pe-kli.com                  10/01/2014      ENOM, INC.
pe-mainin.com               13/09/2013      ENOM, INC.
pe-sixi.com                 16/01/2014      ENOM, INC.
pe-sta3e.info               10/01/2014      ENOM, INC.
pe-stats.com                13/09/2013      ENOM, INC.
pe-stit.com                 11/04/2014      ENOM, INC.
pe-szip.com                 13/09/2013      ENOM, INC.
pe-wixi.com                 16/01/2014      ENOM, INC.
pe-wxv.com                  13/09/2013      ENOM, INC.
ptichoaxer.one              24/07/2016      DYNADOT LLC
riddlecry.one               24/07/2016      DYNADOT LLC
rpowerless.one              24/07/2016      DYNADOT LLC
rsharkmena.one              24/07/2016      DYNADOT LLC
saarrivald.one              24/07/2016      DYNADOT LLC
sdf87kjsdf.xyz              30/07/2015      NAMECHEAP
sdfj38wrhsfi.xyz            30/07/2015      NAMECHEAP
sdfjow3f.xyz                30/07/2015      NAMECHEAP
sdfuus98d7f.xyz             30/07/2015      NAMECHEAP
sevenzip.info               20/03/2013      ENOM, INC.
sfd973rfs.xyz               30/07/2015      NAMECHEAP
sfl38qohflsdnfs.xyz         30/07/2015      NAMECHEAP
skdfhi73.xyz                30/07/2015      NAMECHEAP
skdfw8hfjskdf.xyz           30/07/2015      NAMECHEAP
skdjf83lkdf.xyz             30/07/2015      NAMECHEAP
sl22jr-334.xyz              30/07/2015      NAMECHEAP
slf37hf.xyz                 30/07/2015      NAMECHEAP
slfdio83rh.xyz              30/07/2015      NAMECHEAP
spongemedu.one              24/07/2016      DYNADOT LLC
up-cp-23.xyz                30/07/2015      NAMECHEAP
up-cp-99.xyz                30/07/2015      NAMECHEAP
vehomemad.one               24/07/2016      DYNADOT LLC
webxvid.com                 20/03/2013      ENOM, INC.
winzix.com                  22/02/2007      ENOM, INC.
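The appendix list is most useful as a pivot: the same registrar on the same day, and labels that look machine-generated, are what tie the infrastructure together. The script below is an added example for this appendix, not McAfee's tooling. It embeds a subset of the rows from the table above, groups them by (creation date, registrar) to surface bulk registrations, totals per registrar, and flags random-looking labels with an assumed heuristic (a digit plus a low vowel ratio in a label of eight or more characters) that is not a rule from the report.

```python
"""Pivot the WakeNet AB appendix domain list by registration date, registrar
and label shape. Added example; rows are a subset copied from the appendix."""
from collections import defaultdict
from datetime import datetime

# Subset of the appendix table: "domain dd/mm/yyyy registrar".
APPENDIX_ROWS = """\
3984sjkf.xyz 30/07/2015 NAMECHEAP
adoptionp.one 24/07/2016 DYNADOT LLC
anti-leech.com 22/05/1999 ENOM, INC.
c4dl.com 05/06/2006 ENOM, INC.
cp-lio.xyz 17/07/2015 NAMECHEAP
cp-retr.xyz 24/07/2015 NAMECHEAP
filecapital.com 11/07/2013 ENOM, INC.
fgweoq8h3lriq.xyz 30/07/2015 NAMECHEAP
getfile.website 27/11/2015 NAMECHEAP
lightinthegame.com 01/09/2013 GO MONTENEGRO DOMAINS, LLC
p2client.info 16/02/2010 ENOM, INC.
sdfj38wrhsfi.xyz 30/07/2015 NAMECHEAP
skdfw8hfjskdf.xyz 30/07/2015 NAMECHEAP
winzix.com 22/02/2007 ENOM, INC.
"""


def parse_rows(text):
    """Parse appendix lines into (domain, creation date, registrar) tuples.

    The registrar may contain spaces and commas, so everything after the
    date is joined back together."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        domain, when, registrar = parts[0], parts[1], " ".join(parts[2:])
        rows.append((domain, datetime.strptime(when, "%d/%m/%Y").date(), registrar))
    return rows


def registration_clusters(rows, min_size=3):
    """Group domains registered on the same day at the same registrar.

    Bulk registrations (min_size or more on one day) are a strong sign of one
    operator buying throwaway distribution domains in a batch."""
    groups = defaultdict(list)
    for domain, when, registrar in rows:
        groups[(when, registrar)].append(domain)
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) >= min_size}


def registrar_counts(rows):
    """Count domains per registrar, a cheap pivot for WHOIS follow-up."""
    counts = defaultdict(int)
    for _, _, registrar in rows:
        counts[registrar] += 1
    return dict(counts)


def looks_random(domain):
    """Assumed heuristic: a label of 8+ characters containing a digit and
    fewer than 25% vowels is treated as machine-generated (e.g. 3984sjkf).
    Hyphens are dropped before measuring so cp-style names are scored on
    their letters only."""
    label = domain.split(".")[0].replace("-", "")
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    has_digit = any(ch.isdigit() for ch in label)
    return has_digit and vowels / len(label) < 0.25


def random_looking(rows):
    """Return the domains whose labels trip the heuristic, sorted."""
    return sorted(domain for domain, _, _ in rows if looks_random(domain))


if __name__ == "__main__":
    rows = parse_rows(APPENDIX_ROWS)
    for (when, registrar), domains in sorted(registration_clusters(rows).items()):
        print(f"{when} {registrar}: {len(domains)} domains -> {', '.join(domains)}")
    print("registrar totals:", registrar_counts(rows))
    print("random-looking labels:", random_looking(rows))
```

On the full appendix the same grouping isolates the two large batches (the .xyz names at NAMECHEAP on 30/07/2015 and the .one names at DYNADOT LLC on 24/07/2016) from the older, hand-named ENOM domains such as filecapital.com and winzix.com; the heuristic deliberately leaves short or digit-free labels alone, so p2client.info is not flagged.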


Freelancer Job Posts


About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies' products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

www.mcafee.com.

About McAfee Labs and Advanced Threat Research

McAfee Labs, led by McAfee Advanced Threat Research, is one of the world's leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors (file, web, message, and network), McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

www.mcafee.com/us/mcafee-labs.aspx.

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC. 4158_1018 OCTOBER 2018