
Download CNet Website FULL of Virii / Trojans


9 replies to this topic

#1 ubernetworkgeek

  • Members
  • Location:Phoenix AZ

Posted 04 September 2015 - 01:21 PM

So not too long ago I wanted to go ahead and grab a copy of FileZilla and put it on my machine. Unfortunately for me, FileZilla has its download hosted on the Download Cnet website. I very carefully followed the link and clicked on download for FileZilla. However, and unfortunately, since I do not frequent the website that much, I clicked on the wrong download button and it put the most evil rootkit on my machine I have ever bleep seen! This bullbleep even went in and deleted all of my saved system restore points (I had over 20; yes, I allocated extra space just so I could accommodate more of them!) Yet this rootkit swept that under the rug easily, bleep you very much.

I did find the correct link to download and install FileZilla.

However, I had a huge nasty piggybacker along with it. This is the bullbleep I am talking about. Why do I even have to go through this bullbleep / worry about what download link I am clicking on, ON AN OFFICIAL DOWNLOAD SITE? This "Official" download site purposely allows this kind of bullbleep on their site, and I would not be surprised if the moderators themselves are the culprits for allowing such bullbleep to happen.

DO NOT TRUST THAT WEBSITE - BOYCOTT THE bleep OUT OF IT.

Thankfully I keep ALL of my sensitive data stored on my external hard drive AND encrypted on top of that. I also use special software that encrypts my keyboard entries and operates at the lowest level (so even if they had a key logger, it didn't capture bleep). I also keep ALL my encryption keys on protected USB drives only, which remain in a safe. I also have a really nice version of Norton Ghost from back in the day that works perfectly, and I keep a rolling backup copy of my computer, taken after all the drivers are installed and updates are completely applied, with everything I want (excluding games) on my: http://www.sandisk.com/products/usb/drives/extremepro3/

I am able to "format the hard drive and reinstall Windows" in a matter of minutes.

However, why should I have to go through such bullbleep just to get a legit copy of software? The answer is that I shouldn't, and neither should anyone else, so bleep you Download Cnet; that was the last straw. Not only am I going to boycott the hell out of your bleep, I am going to encourage others to stay the bleep away whenever I get the chance.

I've been in IT for over 20 years now and this bleep still boggles my mind. How can these bleeps be getting away with this bleep? I can't wait for the day when a web host is held responsible for Virii THEY ALLOW to be disseminated on their website; maybe then bleep will finally start to clean up. Things don't usually change until you start hitting people in their wallets. Only time will tell... but with people like 0bummer taking office and pushing their socialistic big brother reforms, I doubt it will take long to occur.




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 04 September 2015 - 01:49 PM

Are you sure you tried to download FileZilla from the official website? I just checked and the downloads are still hosted on SourceForge, like they were months, even years ago. Also, it's a known fact that CNET uses bundled installers with their downloads (it's been like that for years). However, Google Chrome users will receive vanilla installers, without any bundled programs in them.

Also, BleepingComputer is a family friendly website, so it would be appreciated if you could slow down on the usage of words that get changed to "bleep" :)

Edited by Aura, 04 September 2015 - 01:50 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Nikhil_CV

    Vestibulum Bleep

  • Members
  • Location:err: Destination unreachable! bash!

Posted 04 September 2015 - 02:03 PM

Perhaps you were misled by an ad or banner on the FileZilla website at that time.


Things don't usually change until you start hitting people in their wallets.

Almost all free file hosting sites make 'revenue' via these little nasties, which are a real pain in the back for newbie users. A lot of threads on various security forums discuss that issue.


Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....!
Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others. :radioactive: signature contents © cv and Someone....... :wink:

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • Location:Virginia, USA

Posted 04 September 2015 - 03:22 PM

With CNET, Download.com, BrotherSoft, Softonic, FreewareFiles and Tucows and similar third-party download hosting sites, you always have to be careful with deceptive download links and bundling of unwanted software.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 rp88

  • Members

Posted 05 September 2015 - 12:10 PM

This could have been a matter of an advert on the page creating a "fake download button", a bigger, more enticing-looking button which links to a piece of malware or a PUP rather than the thing you are trying to download (the real download link is small and well hidden). Running an adblocker and something like NoScript would let you ensure that such fake download buttons would be unable to load; that way the only download link visible would be that small real one. Many of the adverts displaying on download sites are fake download buttons, designed purposely to trick you into clicking them instead of the real download link, but as these almost always come from third-party advert networks (they are not hosted on the download site itself; they come from other sites and are shown as parts of the page, often as iframes), a script blocker or an adblocker (or both) allow them to be defeated.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
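The practical tell in rp88's description is that the bait and the real file come from different hosts: the oversized button is served by an ad network, often inside an iframe, while the genuine link points at the site itself or a mirror the project names. The script below is an added example, not code from this thread or from any of the sites discussed in it. It parses a constructed download page and flags every download-looking link or iframe whose target resolves outside the page's own host plus an optional list of trusted mirror hosts; it also handles relative and protocol-relative URLs, which is how ad iframes are commonly embedded. The page URL, the HTML and every host name in it are constructed for the example.

```python
"""Flag 'Download' links and iframes that resolve to a host other than the
page's own (or a declared mirror). Added example; not code from the thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect <a href> targets with their visible text, and <iframe src> targets."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible text)
        self.iframes = []    # list of src
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def audit_download_page(page_url, html, trusted_hosts=()):
    """Return (suspicious, trusted).

    Links whose visible text mentions 'download', and every iframe, are resolved
    against page_url; anything landing off the page's host (and off the trusted
    mirror hosts) is reported as suspicious.  Each entry is (label, absolute URL).
    """
    allowed = {_host(page_url), *(h.lower() for h in trusted_hosts)}
    parser = _LinkCollector()
    parser.feed(html)
    suspicious, trusted = [], []
    for href, text in parser.links:
        if "download" not in text.lower():
            continue
        target = urljoin(page_url, href)
        (trusted if _host(target) in allowed else suspicious).append((text, target))
    for src in parser.iframes:
        target = urljoin(page_url, src)
        if _host(target) not in allowed:   # third-party frame: likely ad slot
            suspicious.append(("<iframe>", target))
    return suspicious, trusted


# Constructed sample page: an ad-network "DOWNLOAD NOW" bait button and ad
# iframe alongside the small real links.  Hosts are made up for the example.
SAMPLE_PAGE_URL = "https://downloads.example.org/filezilla/"
SAMPLE_HTML = """
<html><body>
<div class="ad"><a href="https://ads.example-adnet.net/click?id=42">
  <img alt="DOWNLOAD NOW" src="big-green-button.png"> DOWNLOAD NOW</a></div>
<iframe src="//cdn.example-adnet.net/banner.html"></iframe>
<a href="/about">About</a>
<p>FileZilla: <a href="/files/FileZilla_win64-setup.exe">Download</a>
   (<a href="/files/FileZilla_win64.zip">download zip</a>)</p>
<a href="https://mirror.example.net/FileZilla_win64.zip">Mirror download</a>
</body></html>
"""


def run_sample():
    """Audit the constructed page, trusting the project's named mirror host."""
    return audit_download_page(SAMPLE_PAGE_URL, SAMPLE_HTML,
                               trusted_hosts=("mirror.example.net",))


if __name__ == "__main__":
    suspicious, trusted = run_sample()
    for label, url in suspicious:
        print("SUSPICIOUS", label, "->", url)
    for label, url in trusted:
        print("ok        ", label, "->", url)
```

Run it against a saved copy of a real download page (for example `curl -s URL | python audit.py` after wiring stdin in) and pass the mirror hosts the project itself documents; anything still reported as suspicious is the button an ad blocker would have hidden.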

#6 Didier Stevens

  • BC Advisor

Posted 05 September 2015 - 01:15 PM

Can you upload that rootkit to virustotal.com and report the link of the analysis here? Thanks!


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
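Didier Stevens asks for a VirusTotal analysis link. A practitioner can get most of the way there without uploading anything: compute the file's SHA-256, compare it against the hash the project publishes on its own site (typically a `SHA256SUMS`-style list), and look the hash up. The code below is an added example, not code from this thread, from VirusTotal or from any project mentioned here. The installer bytes and the checksum file are constructed; the shape of the VirusTotal file-report URL is an assumption; the comparison is constant-time and an unlisted file is reported as unverified rather than as good.

```python
"""Verify a downloaded installer against a published SHA-256 list and build a
VirusTotal lookup URL for the hash. Added example; not code from the thread."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse the 'hexdigest  filename' lines that sha256sum emits.

    A '*' before the name (sha256sum -b binary mode) is tolerated; comment and
    blank lines are skipped; a malformed digest is an error, not a silent skip.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest.lower()
    return sums


def verify_download(path, sums_text):
    """True only if the file's SHA-256 matches the published entry for its name."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published hash: unverified, which is not the same as OK
    return hmac.compare_digest(sha256_file(path), expected)


def virustotal_lookup_url(hexdigest):
    """Assumed shape of VirusTotal's file-report page for a SHA-256 (not from the thread)."""
    return "https://www.virustotal.com/gui/file/" + hexdigest.lower()


def demo():
    """Constructed installer bytes checked against good, tampered and absent entries."""
    payload = b"MZ\x90\x00" + b"constructed, not a real installer " * 1000
    good = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-setup.exe")
        with open(path, "wb") as f:
            f.write(payload)
        sums = "# constructed SHA256SUMS\n%s  tool-setup.exe\n%s *tool.zip\n" % (good, "0" * 64)
        ok = verify_download(path, sums)
        tampered = verify_download(path, sums.replace(good, "f" * 64))
        unlisted = verify_download(path, "%s  other.exe\n" % good)
    return ok, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
    print(virustotal_lookup_url(hashlib.sha256(b"constructed").hexdigest()))
```

The hash list must come from the project's own site over HTTPS, not from the mirror that served the file; a mirror that bundles adware can just as easily publish a matching hash for its bundled build.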


#7 Riemann

  • Members

Posted 18 September 2015 - 09:33 PM

Just FYI, SourceForge also does the same; has for some time now: http://www.theregister.co.uk/2015/06/03/sourceforge_to_offer_only_optin_adware_after_gimp_grump/

 

At work we've had to de-whitelist some applications with 'custom' Sourceforge installers b/c they were being packaged with all sorts of junkware, toolbars, etc.



#8 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 19 September 2015 - 11:27 AM

What SourceForge applications are you talking about? Some programs like FileZilla have an "official" installer on SourceForge that is bundled, but they also offer non-bundled installers (or even .zip downloads) on their main website.



#9 Riemann

  • Members

Posted 19 September 2015 - 11:54 AM

I wasn't talking about FileZilla specifically, just adding SourceForge to quietman7's list. Some applications were being installed using a "SourceForge installer," which contained adware and toolbars, and though they may have offered the option to decline, the behavior of some of the software was pretty bad: intentionally redirecting traffic, injecting ads, etc.

 

It's been a while since we've seen one, but the link I posted above talks about it happening with GIMP and it appears the same has happened before with FileZilla, though I don't know if that's still the case: https://forum.filezilla-project.org/viewtopic.php?t=30240. Also this (Google Chrome blocking FileZilla install download on SourceForge b/c of the installer): http://www.howtogeek.com/218764/warning-don%E2%80%99t-download-software-from-sourceforge-if-you-can-help-it/.

 

Obviously if there is an unbundled .zip, that would definitely be the recommendation. I agree with OP. I mean, has anyone ever, in the history of the developed world, intentionally gone out and installed (for example) the conduit toolbar on their machine?



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • Location:Virginia, USA

Posted 19 September 2015 - 04:31 PM

I only use zipped versions of anything from SourceForge so there is nothing to install.