Zenith Live is coming to Europe in October. Join us! Register
Zenith Live is coming to Europe in October. Join us!

More Free Software Repackaged For Money

By: Julien Sobrier


More Free Software Repackaged For Money

In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.

Here are some of the websites:
Filezilla on http://filezilladownload.net/
VLC on http://downloadflashplayer.org/ advertised a s stand-alone Flash player
WinSCP on http://winscpdownload.com/
7zip on http://7zip-download.org/

Here is a list of 9 similar websites responsible for distributing such malware:
  1. hxxp://filezilladownload.net/
  2. hxxp://downloadflashplayer.org/
  3. hxxp://avi-player.net/
  4. hxxp://flv-player.org/
  5. hxxp://gom-player.org/
  6. hxxp://photoshopfreedownload.net/
  7. http://winscpdownload.com/
  8. hxxp://7zip-download.org/
  9. hxxp://notepaddownload.net/

The files that are downloaded use a similar naming convention - software-setup-win32.exe or software-setup-win32_us.exe: aviplayer-setup-win32.exe, winscp-setup-win32_us.exe, flashplayer-setup-win32,exe, filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.

The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3.
Software repackaged by Conversionads

The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.
Microsoft packages installed by default

I've found most of these sites through spam comments in forums such as this one on carepages.com:
Links to repackaged software

They are also well referenced by Google. For example, filezilladownload.net shows up at #5 for filezilla download, just after the four search result links to the official filezilla-project.org website

-- Julien

Suggested Blogs

Anti-Coinminer Mining Campaign

By: Atinderpal Singh