The detection name PUP.Optional.Downloader is about as non-specific as a name can get when it comes to identifying which particular unwanted program is involved. Generally, Malwarebytes uses this name to detect Crossrider uninstallers, installers from the CHIP Online download portal, and other bundlers offered as downloaders.
For this blog post, we’re going to look at a bundled program called Internet Download Manager (IDM) for Windows, which we retrieved from a third-party website, as an example of how Malwarebytes uses the PUP.Optional.Downloader detection name. This sample falls under the "other bundlers offered as downloaders" category. For clarification, the IDM program discussed was not obtained directly from https://www.internetdownloadmanager.com/.
The bundler creates URL shortcut files for BestOffer Everyday and iStripper, as per the latest sample we have retrieved and tested.
After installation, the bundler promising to install IDM visits two websites in succession via the Opera browser; the first triggers Malwarebytes to block a URL it has deemed malicious.
Malwarebytes detects the IDM installer as PUP.Optional.Downloader. We also detect all dropped shortcut files as PUP.Optional.BestOffer.
Jovi Umawing (Thanks to Pieter for additional info)