What is a PUA (Potentially Unwanted Application) or PUP?

The 1990s saw the internet escape the academic world and become a mainstream resource. Though trojans, viruses, and malware were already around, there were significant differences. Most of that code was meant as a joke, excluding a few destructive ones. Additionally, the malware spread through shared computers in schools and universities (cyber-cafés were still in the future). The internet didn’t play a role in spreading malicious software in the beginning.

Most minds behind the initial viruses in the digital world were not evil. They just wanted to have some fun by making a computer do something unexpected — having a ping-pong ball bouncing around your screen, making your speakers sound like a cricket, opening your CD-ROM, etc.

The coding pranksters who pioneered that kind of software unwittingly created a type that would become infamous: the potentially unwanted application or program (PUA or PUP). The PUA evolved into a completely different thing. In our day and age, PUAs are far from innocent pranks that can be amusing even for the victim. So what are they, exactly? This article will answer all your questions in this area.

What is a Potentially Unwanted Application (PUA)?

Potentially Unwanted Application (PUA), also known as Potentially Unwanted Program (PUP), is a software category that includes apps with the potential for misuse by malicious external actors. They are so named because they often enter a user’s system without consent (that is, they undergo an unwanted download).

PUPs or PUAs are not malicious in themselves and don’t represent user risks. However, they have functionalities that can empower a threat actor to do evil against the system or its owner.

How does a PUA or PUP work?

Many programs can be PUA, depending on their functionality. System administration tools are good examples because they offer significant advantages to the system’s owner and allow for the resolution of various problems. But, at the same time, they need a degree of privilege to be effective, which often includes taking control of the app, system, or network in question.

So, for example, if you run into unexpected problems that require fast resolution, then some system administration suite or password recovery program and other such programs will help. They perform advanced tasks with much simplicity for a relatively inexpert user. However, they will also grant a high degree of power to an external agent that knows how to activate them.

Most users don’t take full advantage of these programs’ features. Mostly, they learn how to perform a handful of tasks and leave the rest unused. But the full power of the program remains there, available for malicious actors to exploit as they like.

Also, most attackers don’t write the code they use. Instead, they usually use third-party tools available on the internet that they inject into a system as a malicious payload. Some adversaries know how to modify the original contents of packers, crypters, and obfuscators so that an initially harmless installer includes the malicious payload and sneakily installs it.

Evading detection is the priority on a PUA’s agenda. Then, once installed, it remains silent until it can deliver the fundamental objective when an attack comes.

What is a PUA threat?

When a Potentially Unwanted Application reaches your system, it can execute various annoying activities with or without notice. Some common threats that PUAs pose include,

• Making your computer slow.
• Flooding you with unwanted ads.
• Installing other software you don’t want, or worse.
• Stealing your most sensitive data.

How do PUAs or PUPs reach your system?

Threat actors and criminal hackers frequently abuse legitimate tools with powerful functionalities. Since these tools belong to otherwise legit entities, they can potentially escape the target system’s user’s attention, even when flagged. At the same time, they will continue serving the attackers’ intended purposes. Therefore, while these tools can be helpful, most antivirus suites consider them PUAs.

A classic example of such PUPs or PUAs delivery sources is the NirSoft website. It offers a wide variety of system administration software. A whole category of its software focuses on recovering passwords in environments such as routers, wireless networks, mail clients, browsers, etc. Security Xploded is another site offering similar software.

The NirSoft “password recovery utilities” catalog includes 28 tools. These tools scan a piece of hardware or a virtual environment to find any stored log-in credentials. For example, the Windows registry was infamous in the past for storing every possible password without encryption.

The password recovery tools on offer at NirSoft are deceptively simple. Also, they work efficiently and can be run from the command line. The command line availability means you can invoke them from a script or a program, then collect the output and use it or save it for later processing.

So are these tools malicious? No, they’re useful. However, they may also facilitate an external attacker looking to steal your passwords. Due to this potential malicious capability, numerous antivirus software vendors often generate warnings upon detecting these tools.

Nir is aware of this. A 2015 post on NirBlog from the tool’s author admitted that various AV tools had marked his software malicious. He also explained that those apps should not be considered in such a poor fashion.

So what can we make about this apparent conflict between the developer and the AV industry? It’s natural. The developer’s point of view is correct but unique because nobody else can genuinely share his concerns as the software’s author.

The AV industry is also valid because of where they stand. The sheer usefulness of the software is not the only factor to consider, as it can be for the developer. A good antivirus must tell users anything that introduces risk to any given system. Also, NirSoft’s post recognizes that AV software began to warn users about password recovery tools as Potentially Unwanted Applications in 2004. Waiting eleven years to issue a complaint about it seems a bit too late.

Let’s consider a thought experiment. A computer is compromised, and the attacker loads “netcat” into it. It is a legitimate tool. It’s known for its capability to test networks and help with the troubleshooting process. However, it can also introduce backdoors in the system allowing access to the attacker. So even though there is a legitimate use case for netcat, the AVs still consider it a PUA because it includes some functionalities that can turn against its home system.

But, note that these antivirus programs label those tools merely as PUAs, not malware. Also, most AVs have a safelist, allowing users to exclude certain apps from AV detection. So, if Netcat, a password recovery tool or any other software is there because the system owner wants it there, the owner can mark the tool safe. That makes NirSoft’s concerns about AV tagging pointless.

Weaponizing a PUA

In 2018 the Emotet Banking Trojan went on a rampage, using legitimate freeware system tools to perpetrate some digital crimes. The US-CERT alerted the public about Emotet, including NirSoft’s password recovery tools in the list of unwilling offenders.

That has been malware’s standard practice almost since it began. But as time goes on, more and more users come online. And the use of these tools increases accordingly because the groups of hackers are also growing. For instance, Bitdefender found out about Netrepster (a cyberespionage group) launching a targeted attack using some third-party elements that could otherwise seem harmless.

The NirSoft tools and detecting them

Potentially unwanted applications and programs are commonly used in various malware campaigns active in the wild. Often, they come as part of the second stage, loaded by a component of the main malware launcher. At this point, most AV software can detect them and warn you about them. But, unfortunately, there is no standard jargon for these things. So, each vendor calls them something different, like Riskware, ChromePass, PstPAssword, NetPAss, and Dialupass, to name a few.

Running a fundamental descriptive statistical analysis of the incidence of these bugs, we found that the NetPass category is the most frequent one. It includes three tools: network password recovery, IE PassView, and Opera PassView.

We kept hunting and observing different scenarios until we found one that illustrates the situation very well. This .net software is legitimate and is not authored or distributed by any malicious group. The name is irrelevant, but you can identify it by its MD5 hash, 0fd18e3cc8887dc821a9f8c4e481a416. It is a good example because it uses NirSoft’s tools against a system’s security.

And remember that these things are not always so clear even to the best AV. Cybercriminals will try to conceal and obscure their code to stay under the radar for the longest time. They play an obfuscation game so that malware analysis doesn’t touch them.

The RDG packet detector told us that this software was protected by a commercial tool, the “Enigma protector.” It’s a service that protects executable binary files for licensing purposes –to avoid piracy. The thing is that malware authors also use it to protect their work.

So, the malware finds its way into a system. Then it executes the second stage attack by deploying the necessary tools. Then it runs them through command line calls and saves the collected data for later. The processes involved were “WebBrowserPassView.exe,” “mspass.exe,” and “ProduKey.exe.”

Once the malware has the data it wants, it sends it to the C&C server using an HTTP request.

So how much of the damage comes from NirSoft tools? And how much of it comes from the malware developer? We unpacked the sample to see its code and allocate responsibilities. The attack uses three NirSoft tools. However, there’s more. The attack’s author has additional code to steal other credentials from CoreFT, FileZilla, SmartFTP, and a few others.

The NirSoft tools recover passwords, but there is an additional layer: they will also provide the attacker with the Windows product key and the Office 2003/2007 product key.

So when the attacker gets its way, it collects data that includes the product key, current user, windows version, windows serial number, and some passwords and credentials. So if it’s successful, it gathers enough data to pinpoint you accurately on the internet and steal your digital identity in several cases.

How to avoid Potentially Unwanted Applications and Programs?

Stand-alone system tools are a legitimate resource for many in the IT industry, especially IT support. The tools can get the results they need quickly, be automatized, and make an IT man’s life easier overall.

Indeed, if you look at NirSoft’s tools and similar apps, they’re not malicious on their own. On the contrary, they are beneficial elements in the IT assistance process. However, if they’re installed in your system, you should know. It is especially true within digital corporate environments where security failures can have more sinister and damaging consequences.

And why do malware authors so easily misuse Potentially Unwanted Applications? It’s because they’re good! They’re helpful, powerful, versatile, well done, and excel at delivering an expected result. So a twisted mind can find them very helpful too because they are inherently so.

Emotet and other advanced malware threats are becoming more relevant as the increasing number of cybercriminal groups use them to carry out their activities.

Unlike those playful viruses of the early 90s that just played a prank on you, these current PUAs are here to stay because they’re helpful, versatile, and potent. They can harm you but also give you a valuable service when needed. And the bad guys will keep using them to their advantage.

FAQs