Over the weekend a fire storm was unleashed after users started posting on Reddit about how the installer for the popular FileZilla FTP software was being tagged as adware by VirusTotal. These detections are caused by the installer, which is monetized to display offers to users as they install the software.

When downloading installers for FileZilla, the web site contains two different downloads. The main promoted download is the one that pushes offers and is named in a format similar to FileZilla_3.34.0_win64-setup_bundled.exe. FileZilla also offers a download that does not provide offers at this page and will be named similar to FileZilla_3.34.0_win64-setup.exe. 

The key word that indicates whether the installer will display offers is the word "bundled". If you download FileZilla from the main site and it includes the word "bundled" then you will be presented with offers.

There is also a stark contrast between the installers in terms of how they are detected by antivirus vendors. For example, the bundled installer has a 8/68 detections on VirusTotal, with most detecting it as an adware installer.  The clean version, on the other hand, has 0/68 detections

VirusTotal Detects for the Bundled Installer
VirusTotal Detects for the Bundled Installer

According to FileZilla author Tim Kosse, these monetized installers have been in use for five years.

"In order to support the continuous development of FileZilla, we started to bundle third party offer in the installer about five years ago," FileZilla author Tim Kosse told BleepingComputer. "It has allowed us to boost the development process so that we can now release a new version bringing bugfixes and new features almost every month."

"We do not hide the fact that offers are shown during the installation. This is mentioned on both the website and in the installer as well, before any offers are shown," Kosse further told BleepingComputer. "While the offer-enabled installer is our primary download link, we at the same place also link to a page containing all installers without offers.

So what really happens when you install the bundled version of FileZilla?

When the bundled version of the FileZilla installer is executed it will connect to the http://rp.tourtodaylaboratory.com/ web site and download a list of offers to show the user. The downloaded information will include the offer text, links to files that should be downloaded, and images that should be displayed as part of the offer.

During the installation process, the installer will then display an offer and ask if the user would like to install it. When the offers are displayed they are automatically configured to be opted into, which could lead to people installing the offer as they quickly go through the installation steps.

Avast Offer
Avast Offer

If the user opts into the offer, which means they don't actively uncheck it, the installer will download and install the program from a remote site such as opera.com or avast's web site.

When testing the installer, I saw offers from Avast, a search offer, and Opera.  When questioning Kosse about whether they or their monetization partner IronSource has control over the offers, I was told that FileZilla has full control.

"Back when we started with bundling, while we were able to influence how the install flow was supposed to work, we had limited ability to influence which offers were presented and we occasionally had to face some issues," Kosse explained. "In 2016 however we took full control on how and which offers are presented: * We redesigned the installation flow in order to make it compliant withthe guidelines of the CSA (http://cleansoftware.net/services/) and * we also decide which offers are displayed."

"We are proud to present only premium offers like Avast, McAfee WebAdvisor, Opera, Firefox, both for Win and Mac," Kosse further told BleepingComputer. "In any case, even if a user has accidentally agreed to an offer, we test that each offered product can easily and fully be uninstalled."

Not all offers are created equal.

While the Opera and Avast offers that I encountered were easily uninstalled and what I would considered more "legitimate" programs, there was one offer that I felt was more like adware. This offer is called "Search Offer powered by Bing" and was displayed on every bundle install I performed of FileZilla.

Search Offer powered by Bing
Search Offer powered by Bing

This offer is downloaded as individual .dat files into the %Temp% folder. A command is then executed to stitch these .dat files into a random looking executable, which is then executed.  This use of partial files almost makes it feel like they are doing it to avoid detecting by web protection components of security software.

You can see a live demonstration of the bundled installer installing the search offer in this Any.Run session.

cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D90614~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D90614~2.DAT" "C:\Users\admin\AppData\Local\Temp\tmp8866772\gefada.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D90614~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D90614~2.DAT"

According to the offer's description, it will install the Search Manager extension in Chrome and make Bing the default search, homepage, and new tab provider in Firefox and Internet Explorer. In my tests, it only affected Firefox and no extensions were installed into Chrome.

The gefada.exe file that installs this offer, though, has a whopping 37/65 on VirusTotal and the mentioned Search Manager is a known extension that is commonly installed by Adware bundlers.

Furthermore, this offer does not provide an uninstall routine from the Uninstall Programs control panel and thus users need to figure out how to remove the search provider and change their home page. 

BleepingComputer has asked for further comment from Kosse regarding this offer, but had not heard back by the time of this publication.

Security professionals advise against using FileZilla

While the current offers being displayed by FileZilla do not appear to be currently malicious in nature, adware bundles are known to cross the line in the past. We have reported on numerous cases of other adware bundles installing miners, rootkits, password-stealing Trojans, or downloading more unwanted programs at a later time.

Due to this, the fact that some of the offers are using unsigned executables from unknown companies, and the developer's replies in a FileZilla support topic, security researchers have stated that users should avoid using FileZilla.

In closing, FileZilla author Tim Kosse wanted to share the following statement about their program and their use of a monetized installer.

"1. It's safe to use the offer-enabled installer, nothing is installed the user doesn't agree to. In case an offer has been accidentally accepted, it can easily be uninstalled again. Alternatively our users can also download an unbundled installer from the FileZilla website.

2. In order to sustain our project, which is a full-time job for several people, we have started selling a Pro version that goes beyond FTP/SFTP, offering access to cloud services like Amazon S3, Google Cloud Storage, Microsoft Azure, OpenStack Swift and WebDAV. While this is not sufficient to fund all our effort, we kept an hard line to avoid trying to upsell our own community and we do not push our users to buy it. The free version is still fully supported, receiving regular updates with new features.

3. We understand advertising is rarely welcome, for this very reason we adopted a strict rule of conduct on how we promote other products and services, please check our "Ethical Ads" page (https://filezilla-project.org/ethical_ads.php), and when it comes to bundled offers we do our best to choose meaningful offers, check them and work only with primary players like ironSource who can manage to run a professional testing and security environment. In this respect please note ironSource gave a great talk at the recent CSA held at Google explaining how they manage to keep users secure thanks to their lab, see the agenda https://sites.google.com/site/cssummit18/summit-agenda and feel free to contact them to know more."

Update 6/26/18: Tim Kosse of FileZilla told us that their monetization provider would be checking the search offer.

Related Articles:

All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected

Malwarebytes Browser Extension Blocks Malware, Scams, Ads, & Trackers

Fake Websites for Keepass, 7Zip, Audacity, Others Found Pushing Adware

Fake Adult Sites Pushing Unwanted Extensions, Miners, and Adware

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US