In previous posts, I've shown how popular free software programs are repackaged and sold by scammers
, while containing spyware
, or are outright replaced by malware
. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.
Here are some of the websites:
|Filezilla on http://filezilladownload.net/|
|VLC on http://downloadflashplayer.org/ advertised a s stand-alone Flash player|
|WinSCP on http://winscpdownload.com/|
|7zip on http://7zip-download.org/|
Here is a list of 9 similar websites responsible for distributing such malware:
The files that are downloaded use a similar naming convention - software-setup-win32.exe
, etc. Their size is always about 1.7MB.
The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total: 1 2 3
|Software repackaged by Conversionads|
The software actually makes three changes: it installs the StartNow Toolbar
(from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.
|Microsoft packages installed by default|
I've found most of these sites through spam comments in forums such as this one on carepages.com
|Links to repackaged software|
They are also well referenced by Google. For example, filezilladownload.net
shows up at #5 for filezilla download
, just after the four search result links to the official filezilla-project.org