Previous blog posts on potentially unwanted applications have outlined our research into the level of trust we can place in PUA installers and the vulnerabilities they can potentially bring to user systems. According to our results, of the 60 potentially unwanted applications sampled, 50% of them were identified as containing one or more forms of malware, and 43% of them were flagged as containing known security vulnerabilities. However, these programs did not necessarily match across these two categories (i.e. some PUAs were considered malware while no vulnerability was reported).
Is it possible that the applications that were detected as malware by only one engine and did not contain any of the known vulnerabilities were false positives? In this post, we delve deeper into this question to highlight what these potentially unwanted applications actually do to the user's system and how likely they are to be incorrectly detected as malware.
| Product name (vendor name) | Detected by (engine) | Threat detected |
|---|---|---|
| BitHit (P2PHood LLC.) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| BitLord (House of Life) | ThreatTrack | Conduit (fs) |
| BitRope Sharing (BitRope) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| CitrixWire (CitrixWire) | DrWebGateway | Adware.Conduit.33 |
| LimeRunner (P2PHood LLC.) | DrWebGateway | Adware.Conduit.33 |
| LimeZilla (ShareZillas) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| Movie Torrent (GoodKatShare LLC) | DrWebGateway | Adware.Conduit.33 |
| P2P Rocket (P2P Rocket LLC) | DrWebGateway | Adware.Conduit.33 |
| ShareGhost (ShareGhost) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| Sharin'Hood (P2PHood LLC.) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| Torrent Captor (Torrent Raptors LLC) | Kaspersky Lab | Downloader.Win32.Agent.bpvb |
| Uranium Backup (Nanosystems S.r.l.) | Jiangmin | Backdoor/Bifrose.ccu |
| VIP Torrent (VipRumor LLC) | DrWebGateway | Adware.Conduit.33 |
The table above lists the 13 of the 60 potentially unwanted applications tested that were detected as malware by only one anti-malware engine and that contained no known vulnerability, as discussed in our last post on unwanted programs and system vulnerabilities. To explore this further, we installed each of these 13 applications separately onto virtual machines and analyzed their footprints and behaviors on the system.
BitHit from P2PHood LLC.
- Installed additional PUAs, including the following:
  - MyPC Backup
  - BitGuard
  - BobyLyrics
  - Quickshare
  - Doko toolbar
  - Advanced System Protector
- Launched four new unexpected processes:
  - AdvancedSystemProtector.exe from Systweak
  - MyPC Backup.exe from MyPCBackup
  - BitGuard.exe from PerformerSoft LLC
  - QuickShare.exe from Quickshare
- Created two new unexpected services:
  - BackupStack from MyPCBackup
  - BitGuard from PerformerSoft LLC
- Injected some BitTorrent registry entries
- Injected some RegClean Pro files into the "Program Files" folder
- Injected some Babylon files into the user's "AppData" folder
- Changed the search engine of the system's default browser to doko-search.com
BitLord from House of Life
- Installed Microsoft Visual C++ 2008 Redistributable
- Injected 23 different cookies into the Internet Explorer (IE) browser
- Injected some Conduit files into the "Product Install" directory
- Injected the StartX application onto the system
BitRope Sharing from BitRope
- Installed additional PUAs, including the following:
  - Shareaza
  - Search Protect
- Launched six new unexpected processes:
  - cltmng.exe from Conduit Ltd.
  - cltmngui.exe from Conduit Ltd.
  - nsoE8C9.exe from an unknown vendor
  - nszF6A4.exe from an unknown vendor
  - sp-downloader.exe from Conduit Ltd.
  - bi_client.exe from Somoto Ltd.
- Created one new unexpected service:
  - Search Protect by Conduit Service from Conduit Ltd.
- Injected some BitTorrent and eMule files into the "Product Install" directory
- Injected five different cookies into the IE browser
- Deployed additional PUA installers on the system desktop:
  - QuickShare Addon from Quickshare
  - Trends Genius from TGF Interactive LLC
  - FilesFrog Update Checker from Somoto Ltd.
  - Wajam from Wajam Internet Technologies Inc.
CitrixWire from CitrixWire
- Installed additional PUAs, including the following:
  - Search Protect
  - CouponDropDown Plugin
  - Download_Energy Toolbar
  - Quickshare
- Launched three new unexpected processes:
  - cltmng.exe from Conduit Ltd.
  - QuickShare.exe from Quickshare
  - coupondropdown plugin-bg.exe from Innovative Apps
- Created one new unexpected service:
  - Search Protect by Conduit Service from Conduit Ltd.
- Injected some Community Alerts registry entries from Conduit Ltd.
- Installed browser plug-ins from Linkury Inc. on IE, Firefox, and Google Chrome
LimeRunner from P2PHood LLC.
- Installed additional PUAs, including the following:
  - BitGuard
  - Babylon Toolbar
  - Delta Toolbar
- Launched one new unexpected process:
  - BitGuard from PerformerSoft LLC
- Injected 12 different cookies into the IE browser
LimeZilla from ShareZillas
- Installed additional PUAs, including the following:
  - BitGuard
  - Delta Toolbar
- Launched one new unexpected process:
  - BitGuard.exe from PerformerSoft LLC
- Injected eight different cookies into the IE browser
- Injected some Babylon files into the user's "AppData" folder
- Changed the default browser's home page to babylon.com
Movie Torrent from GoodKatShare LLC.
- Caused SearchFilterHost.exe from Microsoft to consume a very large share of the system's CPU
- Installed an additional PUA:
  - CouponDropDown Plugin
- Launched one new unexpected process:
  - coupondropdown plugin-bg.exe from Innovative Apps
- Injected 100+ different cookies into the IE browser
- Deployed two unknown MSI files in the system's "ProgramData" folder
P2P Rocket from P2P Rocket LLC.
- Installed additional PUAs, including the following:
  - Search Protect
  - CouponDropDown Plugin
  - Conduit Toolbar
  - Shareaza
- Launched three new unexpected processes:
  - cltmng.exe from Conduit Ltd.
  - Updater27793.exe from Innovative Apps
  - unsecapp.exe from an unknown vendor. Note that this process is not the same as the one from Microsoft: it is unsigned and located in "C:\Windows\System32" instead of "C:\Windows\System32\wbem"
- Created one new unexpected service:
  - Search Protect by Conduit Service from Conduit Ltd.
- Injected five different cookies into the IE browser
- Injected dozens of browsing history entries into the IE browser
ShareGhost from ShareGhost
- Installed additional PUAs, including the following:
  - Optimizer Pro
  - Trends Genius
  - Search Protect
  - Quickshare
  - FilesFrog Update Checker
  - Gossiper_V1 Toolbar
  - Conduit Toolbar
- Launched six new unexpected processes:
  - OptProStart.exe from PC Utilities Pro
  - OptimizerPro.exe from PC Utilities Pro
  - QuickShare.exe from Quickshare
  - bi_client.exe from Somoto Ltd.
  - cltmng.exe from Conduit Ltd.
  - TrendsGenius.exe from TGF Interactive LLC
- Created three new unexpected services:
  - Search Protect by Conduit Service from Conduit Ltd.
  - WajamUpdaterV2 from Wajam Internet Technologies Inc.
  - Optimizer Pro Crash Monitor from PC Utilities Pro
- Injected 22 different cookies into the IE browser
- Injected hundreds of unknown entries into the system registry
- Injected some Wajam files into the system's "Program Files" folder
Sharin'Hood from P2PHood LLC.
- Installed additional PUAs, including the following:
  - MyPC Backup
  - BitGuard
  - BobyLyrics
  - Quickshare
  - Doko toolbar
  - Advanced System Protector
  - Babylon Toolbar
- Launched four new unexpected processes:
  - AdvancedSystemProtector.exe from Systweak
  - MyPC Backup.exe from MyPCBackup
  - BitGuard.exe from PerformerSoft LLC.
  - QuickShare.exe from Quickshare
- Created two new unexpected services:
  - BackupStack from MyPCBackup
  - BitGuard from PerformerSoft LLC.
- Injected some BitTorrent and eMule registry entries
- Changed the search engine of the system's default browser to babylon.com
Torrent Captor from Torrent Raptors LLC
- Installed additional PUAs, including:
  - Complitly toolbar
  - AutocompleteInstallationTracker
- Injected six different cookies into the IE browser
Uranium Backup from Nanosystems S.r.l.
- Triggered a Windows Update process via wuauclt
- Popped up advertisement windows
- Deployed a file whose MD5 hash matches that of the file detected as 'Backdoor.Bifrose.ccu' into the product's install directory
VIP Torrent from VipRumor LLC
- Installed additional PUAs, including the following:
  - Search Protect
  - Conduit Toolbar
- Launched three new unexpected processes:
  - cltmng.exe from Conduit Ltd.
  - ping.exe from Microsoft, which generated thousands of ICMP echo requests
  - tracert.exe from Microsoft, which generated thousands of ICMP echo requests
- Created one new unexpected service:
  - Search Protect by Conduit Service from Conduit Ltd.
- Injected 11 different cookies into the IE browser
- Injected hundreds of Windows temporary internet files into the IE browser
Taking the data presented above into consideration, it is clear that every application detected by only one anti-malware engine in our study still behaved questionably on the user's system. This is summarized in the table below:
| Product Name | Installed additional PUA(s) | Launched unexpected process(es) | Created unexpected service(s) | Injected unexpected file(s) | Updated browser setting(s) | Triggered unexpected Windows process(es) |
|---|---|---|---|---|---|---|
| BitHit | X | X | X | X | X | |
| BitLord | X | | | | | |
| BitRope Sharing | X | X | X | X | | |
| CitrixWire | X | X | X | X | X | |
| LimeRunner | X | X | X | X | | |
| LimeZilla | X | X | X | X | X | |
| Movie Torrent | X | X | X | X | | |
| P2P Rocket | X | X | X | X | X | |
| ShareGhost | X | X | X | X | | |
| Sharin'Hood | X | X | X | X | X | |
| Torrent Captor | X | X | | | | |
| Uranium Backup | X | X | | | | |
| VIP Torrent | X | X | X | X | X | |
| Summary | 11/13 | 10/13 | 9/13 | 13/13 | 6/13 | 2/13 |
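As an added example (not code from the original post), the Python snippet below shows how the before/after footprint comparison behind the table above can be automated: it diffs a pre-install and a post-install VM snapshot into the table's categories and, as with the unsecapp.exe case under P2P Rocket, flags a process that reuses a Windows binary name but runs unsigned or from the wrong directory. The snapshot layout, EXPECTED_DIR and all sample values are assumptions constructed for this illustration.

```python
import ntpath

# Known directory of a Windows binary whose name PUAs have reused (unsecapp.exe, see P2P Rocket above).
EXPECTED_DIR = {"unsecapp.exe": r"c:\windows\system32\wbem"}

def new_items(before, after):
    """Items present only in the post-install snapshot, in snapshot order."""
    seen = set(before)
    return [x for x in after if x not in seen]

def masquerading(procs):
    """Paths of processes that reuse a Windows binary name but are unsigned or misplaced."""
    hits = []
    for name, path, signed in procs:
        expected = EXPECTED_DIR.get(name.lower())
        if expected and (not signed or ntpath.dirname(path).lower() != expected):
            hits.append(path)
    return hits

def footprint(before, after):
    """Summarise a before/after VM snapshot in the categories of the summary table."""
    procs = new_items(before["processes"], after["processes"])
    return {
        "new_processes": [name for name, _, _ in procs],
        "new_services": new_items(before["services"], after["services"]),
        "new_files": new_items(before["files"], after["files"]),
        "browser_changed": before["browser"] != after["browser"],
        "new_cookies": after["cookies"] - before["cookies"],
        "masquerading": masquerading(procs),
    }

# Constructed sample snapshots, loosely modelled on the P2P Rocket observations
# above (not real captures); process entries are (name, path, signed).
BEFORE = {
    "processes": [("explorer.exe", r"C:\Windows\explorer.exe", True),
                  ("unsecapp.exe", r"C:\Windows\System32\wbem\unsecapp.exe", True)],
    "services": ["wuauserv"],
    "files": [],
    "browser": {"homepage": "about:blank", "search": "bing.com"},
    "cookies": 3,
}
AFTER = {
    "processes": BEFORE["processes"] + [
        ("cltmng.exe", r"C:\Program Files\SearchProtect\bin\cltmng.exe", True),
        ("unsecapp.exe", r"C:\Windows\System32\unsecapp.exe", False)],
    "services": BEFORE["services"] + ["Search Protect by Conduit Service"],
    "files": [r"C:\Users\test\AppData\Roaming\Updater27793.exe"],
    "browser": dict(BEFORE["browser"]),
    "cookies": 8,
}
```

Calling `footprint(BEFORE, AFTER)` yields one row of the table above in machine-readable form, with the misplaced unsecapp.exe singled out under "masquerading".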
These results should alarm any user who is attempting to install potentially unwanted applications. In general, every potentially unwanted application gives users a "surprise" whether it be in a soft way, such as injecting browser cookies or introducing some of their "PUA friends", or by something more blatant, such as updating the user's browser settings, launching unknown processes, creating suspect services or even triggering huge amounts of network traffic and occupying all of the CPU/memory resources to slow down the system.
Overall, potentially unwanted applications are dangerous, no matter how alluring their advertisements are or how well they market their unique features. Although this does not prove that none of the potentially unwanted applications detected as suspicious are false positives, it should serve as a warning and convince users to be cautious before installing any PUA. Furthermore, since 5 of the 13 programs above were flagged as "adware", this is a strong indication that this type of application is potentially unwanted and should probably be avoided.
In conclusion, while some potentially unwanted applications that are flagged as suspicious by only one anti-malware engine may actually be false positives, our research shows that they are very likely to show behavior that is questionable once installed on a user's system. Therefore, users should take extreme caution before installing these. Potentially unwanted applications are like "devils" disguised as "angels" in their attempts to gain access to a user's system under innocent pretenses before stealing personal information, advertising their products and slowing down the system in general.