Author's Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. "PUP Friday", our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
Today, we're going to look at a potentially unwanted program (PUP) that anyone awaiting a zombie apocalypse would probably like to have: a reliable alert system. Thanks to Zombie Alert App, this is no longer a dream but a reality.
The above screen is what Chrome, Firefox, and Safari users will see once they visit zombiealertapp[DOT]com, the download site of Zombie Alert. Normally, the red screen is seen when one visits malicious pages, such as pages hosting a phish or malware. But due to Google Safe Browsing, an effort that has now extended to targeting sites hosting what they call unwanted software (UwS), users can now see the same red screen if they access domains where one can download PUPs. You can read more about Google's more visible protection on their blog.
Anyway, let’s dive in to see what this site and the app it serves are all about. Below is a full screenshot of the domain:
Malwarebytes Anti-Malware (MBAM) detects this file as PUP.Optional.ZombieSearch.A. Once executed, it acts like any installer would: displaying multiple graphical user interfaces (GUIs) that progresses to a successful installation, as you can see from the slideshow below:
[gallery type="slideshow" ids="9360,9361,9362,9363"]
After installation, it then executes the default system browser to open a page stating that the installation is a success.Coupon Alert. The box, in this case, is showing a "Zombie Level”, which seems to be a risk level indicator for a "zombie threat" that is ranked from Low to High.
Clicking this pop-up box will reveal a news feed. We noticed that majority of articles on it display decidedly nonliving-impaired headlines containing the words "zombie" or "dead" (screenshot below is enlarged).
We wondered if the Zombie Alert pop-up box automatically appears on certain sites the same way as the Coupon Alert pop-up did. To test this, we visited sites with the word "zombie" (yes, even articles about Rob Zombie) in it to see if the pop-up will show by itself, but this didn't happen. In fact, the only way we could get it to appear at all was by using the assigned key combination—CTRL + ALT + Z—to open it up.
According to HerdProtect, the company behind Zombie Alert is "a primary distributor of adware type software." It's also known for other programs like TubeDimmer, Websteroids, and Secure Web. The Zombie Alert app can be found on various third-party sites that are hosting or redirecting users to free software. Below is a screenshot of one of these sites:Pieter Arntz, a fellow analyst who also pushes posts for PUP Friday, told me that Zombie Alert reminded him of the Zombie News app, which he'd deconstructed and written about more than a year ago.
If you or someone you know own a computer affected by the Zombie Alert, please point or refer them to this forum page for its manual solution. This post also contains technical details on the program, such as the changes made it has done to a system upon installation.
There is not much apps out there that cater to users who look forward to an actual zombie invasion, which may or may not happen in the future; however, Zombie Alert isn’t the kind of app one may need to survive such a brain-draining catastrophe. It may be fun to have at first because....zomg zombies! At the end of the day, all you really have is a feed that pushes out news about silly topics you may not really be interested in reading about.