A site that pretends to promote the popular KeePass password management software is actually distributing malware on unsuspecting visitors. This site is part of a larger network of sites distributing adware bundles as free programs.

Last year, we reported that fake sites were created to promote popular software, but when we analyzed the distributed files, we found that they were pushing adware bundles on unsuspecting visitors.

These sites were promoting software such as 7zip, Inkscape, Gparted, Paint.Net, Scribus, Audacity, Stellarium, Celestia, CloneZilla, KeePass, Notepad2, UNetBootIn, Gimp, HandBrake, and many more.

One of these sites, keepass.com, was discovered again this week, and it, along with many of the other known sites, is still distributing malware a year later.

Deeper dive into keepass.com adware distribution

While many consider adware bundles more of a nuisance than actual malware, this is not true. Many of the adware bundles we see today include offers that include password stealing trojans, miners, ransomware, and backdoors.

Adware is commonly spread through fake sites that pretend to distribute cracks, warez, and legitimate software, but when users download the programs they discover that the bundles are filled with "offers" that are installed as well.

For example, keepass.com looks like a legitimate site that is promoting the KeePass password management software.

Keepass.com Site

On this site are four prominent links for downloading a Windows, Windows Portable, Mac, and Linux version of KeePass.

Download Links

The first three links contain similar URLs and download adware bundles, while the fourth link for Linux goes to the legitimate keepass.info site.

The links pointing to cdndownloadapr.com are adware bundles whose file name is dynamically generated based on the values in the URL.

For example, in the following URL you can see a name= variable set to Keepass. Clicking on this link will download an adware bundle with the name Keepass_[random_numbers].exe, such as Keepass_2877757893.exe.

cdndownloadpr.com/dl/?z=5102&name=Keepass&file=https://jaist.dl.sourceforge.net/project/keepass/KeePass%202.x/2.41/KeePass-2.41-Setup.exe&typ=false

If we changed the URL so that it contained &name=malware, the link would instead download a file such as malware_2877757893.exe.

For example, below are the three downloads from keepass.com plus two other downloads from similar sites pushing HandBrake and 7zip. Notice how all of the downloads are the same exact file with the same MD5, but use different names.

MD5s of Offered Downloads

Using links like this, adware purveyors can set up as many sites as they want to promote any product and simply change the download links so the downloads have different names.

The adware bundle

The distributed adware bundles are currently signed with a code signing certificate for a company named "In Profit Limited". The company names used in these certificates change quite often.

Code signing certificate

When run, the user will be shown an installer that uses the part of the filename before the _ as the title of the screen. So a file named Keepass_1085327657.exe will have a screen title of Keepass.
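The two mechanics described above (the download name being driven by the name= parameter in the cdndownloadpr.com link, so that the same payload ships under many names, and the installer taking its title from the text before the underscore) can be checked with a small triage script. The following is an added example written for this article, not code from the article or from any of the sites discussed: it parses a link modelled on the one quoted earlier, groups a set of constructed stand-in "downloads" by MD5 to surface identical payloads hiding behind different filenames, and derives the installer title from a filename the way the article describes. The sample bytes are constructed and are not real installers.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Link modelled on the one quoted in the article (scheme added so urlparse sees a host).
SAMPLE_URL = (
    "https://cdndownloadpr.com/dl/?z=5102&name=Keepass"
    "&file=https://jaist.dl.sourceforge.net/project/keepass/KeePass%202.x/2.41/KeePass-2.41-Setup.exe"
    "&typ=false"
)

# Filename pattern described in the article: <title>_<digits>.exe
BUNDLE_NAME_RE = re.compile(r"^(?P<title>[^_]+)_(?P<digits>\d+)\.exe$", re.IGNORECASE)


def describe_download_link(url):
    """Return (host, name parameter, decoy 'file' URL) from a redirector-style link.

    parse_qs splits each pair on the first '=' only, so the nested URL in the
    file= parameter survives intact (with %20 decoded to a space).
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    name = qs.get("name", [""])[0]
    file_url = qs.get("file", [""])[0]
    return parsed.hostname, name, file_url


def installer_title(filename):
    """Installer screen title = text before the first underscore; None if the
    filename does not follow the bundle naming pattern."""
    m = BUNDLE_NAME_RE.match(filename)
    return m.group("title") if m else None


def group_by_md5(samples):
    """samples: dict of filename -> bytes. Returns dict of md5 hex -> sorted filenames."""
    groups = defaultdict(list)
    for fname, data in samples.items():
        groups[hashlib.md5(data).hexdigest()].append(fname)
    return {digest: sorted(names) for digest, names in groups.items()}


def duplicate_payloads(samples):
    """Only the hashes that appear under more than one filename: the article's
    'same exact file, different names' case."""
    return {digest: names for digest, names in group_by_md5(samples).items() if len(names) > 1}


# Constructed stand-in files (NOT real installers). Three names share one payload,
# mimicking the Keepass / HandBrake / 7zip downloads the article compares.
BUNDLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed-adware-bundle-stand-in"
SAMPLES = {
    "Keepass_2877757893.exe": BUNDLE_BYTES,
    "HandBrake_1934820012.exe": BUNDLE_BYTES,
    "7zip_5510293847.exe": BUNDLE_BYTES,
    "KeePass-2.41-Setup.exe": b"MZ" + b"\x00" * 62 + b"constructed-stand-in-for-a-genuine-installer",
}

if __name__ == "__main__":
    host, name, decoy = describe_download_link(SAMPLE_URL)
    print(f"host={host} name={name}")
    print(f"decoy file URL={decoy}")
    for digest, names in duplicate_payloads(SAMPLES).items():
        print(f"{digest}: {', '.join(names)}  <- same payload, different names")
    print("installer title:", installer_title("Keepass_1085327657.exe"))
```

Hashing a folder of downloads this way is a quick, offline check that catches the pattern in the article's MD5 table: when several differently named "installers" collapse to one digest, the filename is cosmetic and the file deserves closer inspection before it is run.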

Keepass Adware Bundle

If you click Next, you will be presented with a series of offers that could include "search offers", extensions, anti-malware PUPs, and a variety of other flavors of unwanted and potentially malicious software that is currently being offered.

Search offer

To make matters worse, as shown by Bart, when you run the adware bundle it will upload a ton of information about your computer, such as the hardware you are using, where you are located, if you are using a VPN, are you an admin, and much more.

This information is used to determine what offers should be sent to you or if your machine should be blacklisted. For example, a user running a virtual machine will be shown much tamer offers.

Ultimately, after installing the offers, the downloader will ask if you wish to install the expected program, which it will download and install for you.

As you can see, it is important to only download and install software from trusted, vetted, and official sites. Furthermore, if you are prompted to install offers other than the intended program, immediately shut down the program and do not let it continue.

Thanks to MalwareHunterTeam for the tip.