Fake and Bundled Malwarebytes Anti-Malware 2.0 Abound

May 1, 2014 | By Jovi Umawing

A month after Malwarebytes CEO Marcin Kleczynski announced the launch of Malwarebytes Anti-Malware 2.0, we already started seeing executable files purporting to be free versions of our product hosted on unfamiliar sites. Some are bundles; others are fakes that lead to things such as survey scams.

[Image: A small sample of rogue files we found in the wild]

These are all potentially unwanted programs (PUPs), meaning they’re not really malware, but they exhibit behaviours that we find questionable (and some folks would argue certain behaviours are potentially malicious). Here are our detections for the following files:

  • SHA256: 21b20d3f928e4b9f357d097861f8cad9f3b083dcba7b0d32b01093d886f6f771
    Detected as: PUP.Optional.InstallCore (12/52)
  • SHA256: b2e1f59116eb9cf95b28a3d1067d232b46048af28cca8d7787048f64f39b1753
    Detected as: PUP.Optional.InstallCore.A (11/50)
  • SHA256: ee6be90a13685eccda4cf2387ffa3e83c37d6b0a406bbd6ec8eeeb7620e75ab8
    Detected as: PUP.Optional.InstallCore.A (20/51)
  • SHA256: dbe1e668c759bf12b8cb00a0e4fdc5bddbe5aef9cb9ec575a24da93229e54bbc
    Detected as: PUP.Optional.AppsInstaller (14/52)

[Image: One of the many sites that host MBAM PUPs]

Upon testing, we found that these files share common behaviours: they all register themselves to run whenever Windows is restarted or the system is turned on, and they are capable of accessing private information that browsers store while we are online, such as cookies, browsing history, and the list of restricted sites. These files also create the following noteworthy registry keys upon installation:

  • {3050F406-98B5-11CF-BB82-00AA00BDCE0B} – a CLSID key associated with CoolWebSearch (CWS)
  • {A3CCEDF7-2DE2-11D0-86F4-00A0C913F750} – a CLSID key associated with known spyware

Several of these samples also add entries to Internet Explorer’s Restricted sites zone, which effectively blocks users from accessing specific domains. Some of the affected sites are:

  • Twitch TV
  • The Elder Scrolls Online
  • Runescape Online
  • Gamespot
  • Wikia
  • Neogaf
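A defender-side audit for the indicators just described, added here as an example and not code from the original post or from Malwarebytes: it checks the Run keys for autorun entries, looks for the two CLSIDs quoted above, and lists every domain that the Internet Explorer ZoneMap assigns to the Restricted sites zone (zone value 4). It assumes Windows PowerShell 3 or later run as the affected user; the function name Get-MbamPupIndicators is my own.

```powershell
function Get-MbamPupIndicators {
    # CLSIDs quoted in the post. Presence alone is a lead for review, not proof of a PUP:
    # check which COM server (InprocServer32) the key actually resolves to.
    $suspectClsids = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}',
                     '{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}'
    foreach ($clsid in $suspectClsids) {
        foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
            $key = Join-Path $hive $clsid
            if (-not (Test-Path $key)) { continue }
            $server = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Finding = 'CLSID'; Location = $key; Detail = $server }
        }
    }

    # Autorun entries: every value under the per-user and per-machine Run keys.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path $runKey)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($psNoise -contains $prop.Name) { continue }   # skip provider metadata
            [pscustomobject]@{ Finding = 'Autorun'; Location = "$runKey\$($prop.Name)"; Detail = $prop.Value }
        }
    }

    # Restricted sites zone: ZoneMap\Domains\<domain>[\<host>] holds one DWORD per
    # scheme ('*', 'http', 'https'); 4 means the Restricted sites zone.
    $zoneMaps = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($zoneMap in $zoneMaps) {
        if (-not (Test-Path $zoneMap)) { continue }
        foreach ($key in Get-ChildItem -Path $zoneMap -Recurse) {
            foreach ($valueName in $key.GetValueNames()) {
                if ($key.GetValue($valueName) -ne 4) { continue }
                # Key path Domains\example.com\www is reassembled as www.example.com
                $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
                [array]::Reverse($parts)
                [pscustomobject]@{ Finding = 'RestrictedZone'; Location = ($parts -join '.'); Detail = "scheme=$valueName" }
            }
        }
    }
}

Get-MbamPupIndicators | Format-Table -AutoSize
```

Compare the Autorun rows against a known-good baseline of the host; a RestrictedZone row for a site the user never configured is the strongest of the three signals.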

[Image: Sample of MBAM installation GUI (taken from malwr.com)]

We’ve also seen torrent download sites claiming that they are hosting the Premium version of MBAM with a keygen. To even access the supposed download, you have to fill in a survey:

[Image: At the end of the hoop-jumping]

For anyone interested in trying out MBAM 2.0, the wisest thing to do is still to go to our official download site, try it for free and, if it grows on you during the 14-day trial, get the Premium version.

Jovi Umawing