
TopFlix: a DNS Unlocker variant

Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


We have discussed DNS hijackers in general in the past. This week, we’d like to have a look at an example called TopFlix. It belongs to a family of adware that we call DNSUnlocker.

How do people get infected?

This one is pushed by a bundle wrapper called SoftPulse. SoftPulse uses advertisements to lure users into downloading and installing “useful” applications like Java or Flash Player from their servers. To spice things up a bit, they add some extra ingredients of their own.


A current example of how the SoftPulse bundle installer looks

Depending on your geolocation and maybe some other parameters, you’d see some additional offers to digest along with the main course.

TopFlix was presented as a media player during recent install procedures.

Installation

Once the bundle wrapper triggers the installation of TopFlix, you should be able to read their EULA, but in these cases it’s not always shown. Since you have already allowed the wrapper to run, they don’t need to ask for your permission to install the extras. You have implicitly allowed them already, probably without being aware of it. This one also includes a link to their Privacy Policy.


Scrolling down a bit in the EULA, you may notice a warning about you giving the “Services” permission to change your DNS settings.

In my book, that’s a deal breaker. Do not ever allow anyone to control your DNS settings. The ramifications of changing them can range from extra content to being unable to reach any Web address at all.

The installer offers us another warning still further down, and lets us know that the Service “may” (trust me, it will) contain unsupervised third-party content.

Third-party content

From what we’ve seen, the above-mentioned third-party content comes as text popups, which are little advertisements that show up when you hover over certain keywords, and some others that open a new browser tab or window.

One of the examples that we were served led to the potentially unwanted program called “OneSafe PC Cleaner” by “Avanquest”.


As you can see, that advertisement was marked as “Ad by adsupply”, but many of them do not reveal any information about their origin at all.

Removal and detection

The SoftPulse bundle wrapper is detected by Malwarebytes Anti-Malware as PUP.Optional.SoftPulse. The TopFlix installer is detected as Adware.TopGuard.


A full removal guide and logs of the install can be found on our forums.
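To check the DNS settings that the EULA asks permission to change, the following added example (not part of the original article or of any Malwarebytes tooling) flags Windows interfaces whose statically configured resolvers are not on a list you trust. The trusted addresses and the sample data are constructed; `NameServer` and `DhcpNameServer` are the standard per-interface Tcpip registry values.

```python
import ipaddress

# Assumption: resolvers you trust (your router, ISP or chosen public resolver).
TRUSTED = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}
TCPIP_IFACES = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

def split_servers(value):
    """NameServer is a comma- or space-separated list; keep valid IPs only."""
    out = []
    for token in (value or "").replace(",", " ").split():
        try:
            out.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # ignore junk rather than crash on odd registry data
    return out

def audit(interfaces, trusted=TRUSTED):
    """interfaces: {guid: {"NameServer": str, "DhcpNameServer": str}}.
    A non-empty NameServer is a static setting that overrides the DHCP ones."""
    findings = []
    for guid, values in sorted(interfaces.items()):
        static = split_servers(values.get("NameServer"))
        unknown = [ip for ip in static if ip not in trusted]
        if unknown:
            findings.append({"interface": guid, "untrusted_static": unknown,
                             "dhcp": split_servers(values.get("DhcpNameServer"))})
    return findings

def read_interfaces():
    """Read live values from the registry (Windows only, hence the lazy import)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_IFACES) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                result[guid] = {}
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        result[guid][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not set on this interface
    return result

# Constructed sample: first interface has a static override, second uses DHCP.
SAMPLE = {
    "{constructed-guid-1}": {"NameServer": "203.0.113.53,198.51.100.53", "DhcpNameServer": "192.168.1.1"},
    "{constructed-guid-2}": {"NameServer": "", "DhcpNameServer": "192.168.1.1"},
}
```

On a Windows machine, `audit(read_interfaces())` runs the same check against the live settings; an empty list means no static resolver outside the trusted set was found.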

Prevention

In the case of bundle wrappers, a few habits can go a long way to prevent unwanted side-dishes:

  • Download software from the publisher’s own site whenever possible.
  • Review the extra offers carefully. In many bundles you can “Skip” or “Deny” them.
  • Create a “Restore Point” before you install, or use software that can undo the changes made to your system, such as Total Uninstall or Ashampoo Uninstaller.

Summary

We looked at a DNS hijacker called TopFlix. It poses as a media player and is brought to you by one of the mainstream bundle wrappers called SoftPulse.

Pieter Arntz
