Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Suscríbase
Security Research

More Free Software Repackaged For Money

image
JULIEN SOBRIER
noviembre 15, 2011 - 2 Min de lectura
Security Insights

Contenido

  1. Article
  2. Más blogs
In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.

Here are some of the websites:
 
Image
Filezilla on http://filezilladownload.net/
Image
VLC on http://downloadflashplayer.org/ advertised a s stand-alone Flash player
Image
WinSCP on http://winscpdownload.com/
Image
7zip on http://7zip-download.org/

Here is a list of 9 similar websites responsible for distributing such malware:
  1. hxxp://filezilladownload.net/
  2. hxxp://downloadflashplayer.org/
  3. hxxp://avi-player.net/
  4. hxxp://flv-player.org/
  5. hxxp://gom-player.org/
  6. hxxp://photoshopfreedownload.net/
  7. http://winscpdownload.com/
  8. hxxp://7zip-download.org/
  9. hxxp://notepaddownload.net/

The files that are downloaded use a similar naming convention - software-setup-win32.exe or software-setup-win32_us.exe: aviplayer-setup-win32.exe, winscp-setup-win32_us.exe, flashplayer-setup-win32,exe, filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.

The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3.
 
Image
Software repackaged by Conversionads


The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.
 
Image
Microsoft packages installed by default


I've found most of these sites through spam comments in forums such as this one on carepages.com:
 
Image
Links to repackaged software

They are also well referenced by Google. For example, filezilladownload.net shows up at #5 for filezilla download, just after the four search result links to the official filezilla-project.org website
 
Image




-- Julien
form submtited
Gracias por leer

¿Este post ha sido útil?

vote yes
Sí, ¡Muy útil!
vote no
La verdad, no

Explorar más blogs de Zscaler

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Leer el blog
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Leer el blog
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Leer el blog
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Leer el blog

01 / 02

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Al enviar el formulario, acepta nuestra política de privacidad.