PUPs: The Ultimate Pervasive Threat

How potentially unwanted programs (PUPs) are blowing networks wide open

AlphaSOC processes billions of network events each day to identify infected hosts and anomalies within customer environments. Our analytics engine scores DNS, IP, and HTTP telemetry to uncover malware implants, flag policy violations, and highlight gaps in existing security controls (e.g. Tor use).

In recent years we’ve spent a lot of time mapping PUP software publisher infrastructure. A product of this research is that we now automatically identify unwanted programs and browser extensions via our analytics stack.

Looking back over our data, not surprisingly, we find that unwanted programs consistently persist in every large environment we monitor. This happens for many reasons, including:

  • Users connecting personal / unmanaged devices to the network
  • Unauthorized installation of programs in particular regions (e.g. China)
  • Older systems existing on the network with bundled software packages
  • End users having the ability to install arbitrary browser extensions

Based on our internal research, if we consider the Fortune 500, it is highly likely that each of those businesses has a significant number of user systems and devices with PUPs installed. This worrying trend represents a policy violation that many enterprises are turning a blind eye to.

Unwanted programs become pervasive as security teams choose to focus efforts elsewhere. Although a PUP may not present a clear danger to your environment today, it represents significant security debt that accumulates over time.

Unwanted programs present many risks to enterprises. In particular they can:

  • Reduce integrity by intercepting web traffic and exposing user data
  • Change ownership (publishers are acquired unbeknownst to the user)
  • Be targeted by determined adversaries to compromise the environment

In a many ways the PUP is a perfect Trojan. It’s often an application or extension that is stealthily bundled with a legitimate package (or even is the legitimate package) and disregarded by the security team as a genuine threat. PUPs however are not developed with safety in mind and can be exploited with relative ease. These packages increase the available attack surface and significantly degrade the integrity of an otherwise robust enterprise network.


There ain’t no such thing as a free lunch!

Hola is a browser extension with over 166 million installs that allows users to proxy web traffic via a P2P VPN and masquerade their source IP to browse from a particular location and bypass geographic restrictions online (e.g. those enforced by Netflix and the BBC iPlayer). Many users elect to use the service for free — becoming a peer and introducing a number of risks.

Within the AlphaSOC dataset we find that 62% of the networks we monitor have 5+ user systems with the Hola browser extension installed.

In 2015, security researchers set up a page describing vulnerabilities they had uncovered within Hola (http://adios-hola.org). Significant risks include remote code execution via the extension itself, and use as a exit node through the Luminati commercial VPN service that the Hola peers support.

Luminati supports ASN exit node targeting along with use of the DNS resolver of the local peer itself, allowing for an adversary to proxy web traffic through an endpoint within a particular network and masquerade as a legitimate user.

A concern here is that enterprises running their own BGP infrastructure (e.g. Goldman Sachs, Microsoft, and Disney) could be targeted via unwitting peers using the Hola extension. An adversary could route web traffic through the Luminati service and into a particular environment with dire consequences.

If Luminati were to adjust or disable ASN targeting, a compromise of the service itself would still enable an adversary to route arbitrary traffic into environments.

Digital Supply Chain Attacks

State-sponsored adversaries and other groups have targeted digital supply chains in recent years. Within Ukraine, M.E.Doc is a popular piece of third-party accounting software that is widely installed. In 2017, the TeleBots group compromised the M.E.Doc update server and altered the software packages. This attack became the genesis of the widespread NotPetya ransomware outbreak.

Later that year, a PUP known as CCleaner was altered via a compromise of the publisher’s build infrastructure that went unnoticed until over 2 million users had downloaded the package, which included both C2 callback and keystroke logging capabilities.

Reducing Your Exposure

Security teams can reduce the exposure posed by these threats both actively hardening and passively monitoring networks, and empowering users.

Leveraging Hardened Platforms

Particular modern operating systems are safe as they run only signed packages that have gone through a degree of review and checking by the respective vendor. Consider using Windows 10 in S mode, Google Chromebooks, and Apple iOS devices within your environment to significantly reduce exposure from dangerous third-party packages.

Although requiring signed binaries raises this bar significantly, the exposure around browser extensions will likely persist. Be sure to run these devices in a managed fashion and prevent installation of unknown extensions.

Uncovering BYOD and PUPs in Your Environment

Using a tool such as Network Behavior Analytics for Splunk, security teams can quickly identify unmanaged devices and unwanted programs within an environment by processing DNS query logs and other telemetry, as below.

Empowering the User

Upon uncovering a user system with an unwanted program or browser extension, some AlphaSOC customers drop the corresponding alert material into a ticket and generate a self-service email to the user notifying them that:

  • The security organization detected unwanted software on their machine
  • PUPs impact system performance and degrade security
  • They are empowered tune-up their machine and address the issue
In modern computer networks where the perimeter has collapsed and there exist a blend of managed and unmanaged systems, security has become the responsibility of everyone within an organization.

Regarding user tune-up and adjustment, you can empower them to:

  • Review their browser configuration and extensions, and reset if necessary
  • Update and run a full system antivirus scan to identify any PUPs