By: Julien Sobrier

More Free Software Repackaged For Money


In previous posts, I've shown how popular free software programs are repackaged and sold by scammers, while containing spyware, or are outright replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.

Here are some of the websites:

Filezilla on
VLC on advertised a s stand-alone Flash player
WinSCP on
7zip on

Here is a list of 9 similar websites responsible for distributing such malware:
  1. hxxp://
  2. hxxp://
  3. hxxp://
  4. hxxp://
  5. hxxp://
  6. hxxp://
  8. hxxp://
  9. hxxp://

The files that are downloaded use a similar naming convention - software-setup-win32.exe or software-setup-win32_us.exe: aviplayer-setup-win32.exe, winscp-setup-win32_us.exe, flashplayer-setup-win32,exe, filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.

The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3.

Software repackaged by Conversionads

The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.

Microsoft packages installed by default

I've found most of these sites through spam comments in forums such as this one on

Links to repackaged software

They are also well referenced by Google. For example, shows up at #5 for filezilla download, just after the four search result links to the official website

-- Julien

Learn more about Zscaler.