Downloading from SourceForge? Official links deliver fakes also

sinu

Thread author
SourceForge was once considered a trustworthy provider of open source software, but has gradually turned into a shady resource where it tries tricking users into installing Adware. In recent years it has presented advertising with fake download buttons and recently caused major open source products such as GIMP, VLC and Notepad++ to abandon SourceForge for wrapping installers with unwanted adware.

To get an idea of how SourceForge sneakily delivers its Adware, we attempted to download the popular FTP client FileZilla. Sure enough, the default download link on FileZilla’s website delivered its Adware-infected installer, confirmed by VirusTotal. One thing that caught us by surprise was that VirusTotal showed the downloaded file as being not scanned before. So I downloaded it again and did a byte-for-byte comparison using the command line binary compare utility ‘fc /b’.

Each time I attempted to download FileZilla, it gave us a file that was four bytes different. It’s not clear whether this is to try defeating Antivirus products or if the bytes specify what third party products the installer should install. However, regardless of how we tried downloading FileZilla from SourceForge in Firefox, it always delivered the same executable file apart from the following mismatched bytes:



The following video is a demonstration of some of our attempts to download FileZilla from SourceForge:


From further testing, we discovered that when SourceForge is accessed using the Chrome browser, it consistently delivers the proper file whether we let it automatically download or manually choose a file. However, when we use either Internet Explorer or Firefox, it nearly always delivers the Adware-wrapped installer, at least for FileZilla.

So if there is a need to download a product that is only available on SourceForge, try downloading it using the Chrome browser if possible and be sure to scan it with VirusTotal. Another tip is to download the Zip version and check the file size. If it delivers an executable file or a file with a noticeably different file size, it is probably that Adware wrapped installer.

If still uncertain about whether the downloaded executable file is the genuine product, consider running it in a Sandbox such as Sandboxie. Many Adware wrapped installers will download the official installer after trying to install their potentially unwanted products first, in which case it should be possible to extract the official installer from the Sandbox and destroy the sandbox’s content along with any dodgy software the unofficial installer tried silently installing.

Finally, check what it says for the Publisher in the Security Warning dialogue. The Adware-wrapped installer SourceForge kept delivering to us has the publisher “FlashFunnel (Fried Cookie Ltd)”:
 
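The byte-for-byte comparison described in the first post (`fc /b` on two downloads of the same file), as an added example that is not part of the original thread: it streams both files, lists mismatched offsets in `fc /b` style, and reports each file's SHA-256, which differs even when only four bytes change. The file names and sample bytes are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size; files are streamed, not loaded whole

def sha256_file(path):
    """SHA-256 of a file, the value a hash lookup on a scanning service keys on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def diff_bytes(path_a, path_b, limit=64):
    """List (offset, byte_a, byte_b) mismatches over the common length, like `fc /b`."""
    diffs, offset = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while len(diffs) < limit:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if not a or not b:
                break
            diffs += [(offset + i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
            offset += len(a)
    return diffs[:limit]

def compare_downloads(path_a, path_b):
    """Sizes, hashes and mismatched bytes for two copies of the 'same' download."""
    return {
        "sizes": (Path(path_a).stat().st_size, Path(path_b).stat().st_size),
        "sha256": (sha256_file(path_a), sha256_file(path_b)),
        "diffs": diff_bytes(path_a, path_b),
    }

def demo():
    """Constructed sample: two 204,800-byte files that differ in four bytes."""
    first = bytes(range(256)) * 800
    second = bytearray(first)
    second[70000:70004] = bytes(b ^ 0xFF for b in first[70000:70004])
    with tempfile.TemporaryDirectory() as d:
        pa, pb = Path(d, "download1.bin"), Path(d, "download2.bin")
        pa.write_bytes(first)
        pb.write_bytes(second)
        return compare_downloads(pa, pb)

if __name__ == "__main__":
    report = demo()
    print("sizes", report["sizes"], "same hash:", len(set(report["sha256"])) == 1)
    for off, x, y in report["diffs"]:
        print(f"{off:08X}: {x:02X} {y:02X}")
```

For real files, call `compare_downloads()` with the paths of the two downloads; a size mismatch in `sizes` is the quick signal the post mentions for a wrapped installer.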

WinXPert

That's why I always DL from Softpedia as much as possible. The last time I used SourceForge was when PortableApps.com redirected me there. So far no adware encountered.
 

jamescv7

The only problem of all, which will never ever vanish for the sake of advertising revenues, is through bundled or modified installers. In order to maintain the site, revenues should be circulated.

So far Softpedia and MajorGeeks are the ones who manage very well as 3rd party distributor download program sites.
 