PUPs and botnet bundled with 7-zip, according to Invincea

http://www.slideshare.net/Invincea/the-malware-economy-where-the-money-is

See slide 10.

Posting it because it appears a lot of posters on this forum are 7-zip users.

Zscaler rating is "Suspicious"

 

7zip from where, though? Just the name of the setup file is suspicious BTW - it doesn't match the installer name from the actual 7zip website.

 

I have found Invincea to be top-notch, so I'm assuming for now they would have taken the file from 7-zip's website. The Invincea presentation was made several months ago, so it is possible that the installer files have been updated or changed, which is very likely if there indeed was a botnet and the author found out he was "outed".

I did download the 7-zip installer on a travel PC about a year ago. I scanned the installer with Bitdefender, but it indicated clean. Upon installation, Bitdefender Intrusion Protection alerted and stopped the installation. I ended up reinstalling to that PC an image I had recently made "just in case". I recently ran across the Invincea presentation, which explained what I saw.

I ran ZScaler today on today's 7-zip installer package, so that scan is fully up to date. From my POV, that is more than enough.

It is each person's decision on what they believe. For me, I won't touch 7-zip with a 10' pole.

 

Has anyone uploaded the suspect file to VirusTotal?

On VT Blueliv and Quttera consider the 7zip site itself as a ‘Malicious’ and CLEAN MX as a ‘Suspicious’ site.

Everything else is clean.

I'm suspecting a false positive.

 

@JLD Easy on the accusations, okay? The slideshow does not make it at all clear where/who the 7zip_setup installed came from. Not using 7zip is your prerogative, but let's wait for more news before assuming Igor Pavlov has sold out.

BTW, charming bit of political bias creeping into that presentation there

Right, because it's the social justice crowd that does all the doxxing and stalking and hacking and stuff... oh wait. *bangs head on keyboard repeatedly*

And with that, Invincea joins the list of companies I will never do business with.

 

That is correct. It looks like a "7-zip" ripoff (just ab/using the name), and bundled with a load of rubbish.

The title of this thread is misleading imo, and is not what Invincea are actually saying.

 

Correct, this is totally misleading and the article/slideshow is poorly written.

Where did they get this suspicious "7-Zip_Setup.exe"?

Please don't be mislead by such article/slideshow. 7-Zip is Free and Open-Source software, anyone can look at the source code, build their own package and see if it matches with the publised version.

I'm 100% positive that this slideshow is wrong and that the author executed a tampered 7-Zip setup, probably because he/she lacks the knowledge to do such testing (and that's probably why a tampered 7-Zip was used).

The article lacks important info, is poorly written, and the author clearly doesn't know what he/she is doing.

-1/10

Are you sure this is Invincea? Because if it is than their reputation just got to -1 to me.

 

+1
Just run the 4 versions from the site and nothing to report.

 

Nothing misleading in the title, and no accusations were made. I reported facts: What Invincea found matches my personal experience. Zscaler reports the website and file as suspicious. Facts that don't seem to be appreciated by some of the posters. C'est la vie.

Was the version I downloaded clean? Almost certainly not. Is the current version clean? I don't know. But in the absence of an analysis similar to what Invincea did, my personal opinion is "stay away".

I was trying to do a public service here. If you want to use 7-Zip, then use 7-Zip. I thought some people on the forum would appreciate Invincea's analysis and my personal experience with the installer.

 

I have never seen PUP's bundled with 7zip in all the years I've been using it...

 

While I don't use 7-Zip, it is evident that they are not using the original installer.

 

I don't know why Zscaler would flag 7-Zip as "suspicious", but that could mean a business strategy so that people buy Win-RAR or WinZip Who knows.

Where did you download it from?

It's easy to verify. So far no proof of this claim has emerged.

Because of FUD.
And what "analysis" did they do on 7-Zip? LOL.

If their analysis was professional and well done, then I'm sure people would appreciate it. But when a company throws such poorly written material and says that a FOSS program has spyware, they better be doing a better analysis than what they did there.

What version of 7-Zip?
Where was it downloaded from?
What kind of PUP? How does it operate?
How was the botnet discovered?
What kinds of test did they do to discover it?

At first it looked like they downloaded a tampered version of 7-Zip. The slide says:
What was supposed to be 7zip was a pile of unwanted programs that each paid the installer cash. Incuded is 866.exe, a variant of botnet Kazy.

However, this next part of the slide says:
They did get 7zip.

This could indicate that Invincea said that 7-Zip developers accepted putting malware in 7-Zip in exchange for money. Is that true? I REALLY don't think so, they provided no evidence, no analysis, nothing, they just said that.

The worse part of all this is that there will be people reading this thread who will avoid 7-Zip hahahaha.

 

They could be flagging based on 7-Zip's site and downloads being hosted by dirty-Sourceforge, just a guess. But 7-Zip itself is clean and trusted.

 

That's what I was thinking, ublock auto blocks Souceforge..

 

@WildByDesign No they're not. They have downloaded a rogue installer, which bundles various other software with 7-Zip. If they had downloaded the installer from Sourceforge or the 7-Zip website they would have had a clean download.

 

ZScalers "Risky" rating is based on Geo-location of server: RU. URL "suspicious character score". And IP address iself said to be risky. All this for 7-zip.org. And has been stated, the downloads are hosted on Sourceforge, and any that I've checked (incl betas) are clean.

I really do think the thread title is incorrect, and the slide is showing how commonly seen software can be abused in this way. Invincea are not saying that the real 7-zip is dodgy, but showing how these things commonly happen.

http://zulu.zscaler.com/submission/show/6fa0a4dc4ef568a6147a7f12e8a5bb8e-1442792021

 

Huh. @JRViejo, think maybe the site got compromised at some point?

 

It's interesting that 124 people have voted that the first file is malicious, it makes me wonder what criteria they are using to define malicious. Yet all the scanners claim that the file is harmless.

I've had two separate AV programs flag FotoSketcher as malicious within days of each other, both times it was a false positive. I uploaded the FotoSketcher installer to VirusTotal and it found it clean.

I'm guessing this is something similar.

 

Hello All!
I'm the guy who wrote the Invincea presentation in question. A google alert brought me here. As such, I'd be happy to settle any questions about the presentation.

As far as the 7zip installer, this was a result of someone doing a google search for 7zip to download.
Bad people had gamed the google search results to get their PUP; bundleware download site to present itself as either a promoted ad or as the top rank for the download for 7zip.
One of our users downloaded this malicious bundleware and they got 7zip along with a ton of unwanted programs, each of which paid the bundler up to 5 dollars per installation for a referral bonus.
One of those unwanted programs was a definite botnet such as zbot.

 

@CyberMadHatter Thanks for the post. While it was clear to me that you used a rogue installer, it may clear things up for others.

 

Invincea provides the ultimate endpoint security from unwanted programs that autorun via downloads. The point of the presentation was to show the evolution of crimeware and threat actors and how they make money on the criminal internet underground, bundling malware along with referral bonus programs and how our software prevents exploitation via crimeware.

BTW, 7zip, the last time I checked, still pays referral bonuses to people to refer downloads and installation of their software. These referral bonuses inevitably lead to abuse, which contributes to botnets, crimeware, malware and more badness.

 

Change the title of this thread!!! Disgustingly misleading. An affront to a stellar program.