Although this one has been around for a while, DynamicPricer deserves some attention because of the different approach it uses compared to other Potentially Unwanted Programs (PUPs).
What’s different?
Where other adware applications look for sneaky ways to invade your up-to-date browsers or even install their own browser on your system, this one just installs an old version of Chrome and then disables the automatic updates for Chrome and Firefox.
As far as I could retrieve, the version of Chrome it installs dates back to February of 2014. My guess is that this is because that was the first build that included an API to take actions depending on the content of a page, without requiring permission to read the page’s content.
What does it do?
DynamicPricer is adware. It fetches the advertisements from mrlmedia[dot]net. To get and deliver the advertisements, it drops three components in a folder located at C:\Users\{user name}\AppData\Local\DynamicPricer\Chrome, which get loaded when you are using Chrome. The files are:
- background.htm
- background.js
- manifest.json
Snippet of background.js
Chrome was not the only browser it was intended to use for this. It also downloads an xpi file (Firefox extension) and a dll (Internet Explorer Browser Helper Object). Both of those, however, did not always install fully due to errors.
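A triage check for the dropped Chrome components described above, added here as an example and not taken from the original post or from the adware itself. The folder and file names are the ones the page lists, the backslash placement in the path is an assumption, and the sample profiles (alice, bob, carol) and manifest values are constructed.

```python
import json
import tempfile
from pathlib import Path

# Folder and file names come from the page; where the path separators fall
# is an assumption (AppData\Local\DynamicPricer\Chrome under each profile).
REL_DIR = Path("AppData") / "Local" / "DynamicPricer" / "Chrome"
EXPECTED = ("background.htm", "background.js", "manifest.json")

def scan_profiles(users_root):
    """Return one finding per user profile that contains the drop folder."""
    findings = []
    for profile in sorted(Path(users_root).iterdir()):
        folder = profile / REL_DIR
        if not folder.is_dir():
            continue
        present = [n for n in EXPECTED if (folder / n).is_file()]
        finding = {"user": profile.name, "folder": str(folder),
                   "present": present,
                   "complete": len(present) == len(EXPECTED),
                   "manifest": None}
        manifest = folder / "manifest.json"
        if manifest.is_file():
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
                # Keep only the fields useful for triage.
                finding["manifest"] = {k: data.get(k) for k in
                                       ("name", "version", "permissions")}
            except (OSError, ValueError, AttributeError):
                finding["manifest"] = "unreadable"
        findings.append(finding)
    return findings

def build_sample(root):
    """Constructed sample tree: one full drop, one partial, one clean profile."""
    full = Path(root) / "alice" / REL_DIR
    full.mkdir(parents=True)
    (full / "background.htm").write_text("<script src='background.js'></script>")
    (full / "background.js").write_text("// constructed placeholder")
    (full / "manifest.json").write_text(json.dumps(
        {"name": "sample", "version": "0.0", "permissions": ["tabs"]}))
    partial = Path(root) / "bob" / REL_DIR
    partial.mkdir(parents=True)
    (partial / "background.js").write_text("// constructed placeholder")
    (Path(root) / "carol").mkdir()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan_profiles(tmp):
            print(f)
```

On a live system, pass the real profiles root (for example `C:\Users`) to `scan_profiles`; a partial hit is still worth reporting, since the page notes that components did not always install fully.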
Installer disclaimer
This PUP is normally installed as a part of software bundlers, but I had to wing it since I wanted to make sure which changes were made by this particular install. The installer I used is detected by most scanners on VirusTotal and by Malwarebytes Anti-Malware as a Trojan.Downloader.
This Trojan was hosted at cdn[dot]searchbook[dot]me, which currently resides at an IP address that has quite the history (198.232.127.32). If you know where to look you will be able to find other and more recent installers, but they are password-protected zip files which will be unpacked by the bundle installer under “normal” circumstances. The fact that I had no other choice for a standalone installer may be the reason why some of the components of the install failed for me.
Don’t forget: Save yourself the hassle and get protected.
Pieter Arntz