In previous posts, I've shown how popular free software programs are repackaged and
sold by scammers, while containing
spyware, or are outright
replaced by malware. The number of web sites offering such repackaged software has been on the rise in the past weeks [LINK TO PREVIOUS POST]. The most popular repackaged software used to be Flash, antivirus programs and VLC (video player). The list has broadened to contain less-know software such as 7zip (free alternative to Winzip), WinSCP (SCP client for Windows), Filezilla (FTP client), GOM (media player), Notepad++ (powerful text editor), etc.
Here are some of the websites:
 |
| Filezilla on http://filezilladownload.net/ |
 |
| VLC on http://downloadflashplayer.org/ advertised a s stand-alone Flash player |
 |
| WinSCP on http://winscpdownload.com/ |
 |
| 7zip on http://7zip-download.org/ |
Here is a list of 9 similar websites responsible for distributing such malware:
- hxxp://filezilladownload.net/
- hxxp://downloadflashplayer.org/
- hxxp://avi-player.net/
- hxxp://flv-player.org/
- hxxp://gom-player.org/
- hxxp://photoshopfreedownload.net/
- http://winscpdownload.com/
- hxxp://7zip-download.org/
- hxxp://notepaddownload.net/
The files that are downloaded use a similar naming convention -
software-setup-win32.exe or
software-setup-win32_us.exe:
aviplayer-setup-win32.exe,
winscp-setup-win32_us.exe,
flashplayer-setup-win32,exe,
filezilla-setup-win32_us.exe, etc. Their size is always about 1.7MB.
The detection rate amongst AV vendors is very low: only NOD32 was able to find the spyware in the 3 samples I submitted to Virus Total:
1 2 3.
 |
| Software repackaged by Conversionads |
The software actually makes three changes: it installs the StartNow Toolbar (from Zugo, a company associated with Spyware/Adware), sets MSN as the home page and then sets Bing as the default search engine. All steps are completed by default.
 |
| Microsoft packages installed by default |
I've found most of these sites through spam comments in forums such as this one on
carepages.com:
 |
| Links to repackaged software |
They are also well referenced by Google. For example,
filezilladownload.net shows up at #5 for
filezilla download, just after the four search result links to the official
filezilla-project.org website
-- Julien
