Brothersoft serving up a Fake AV

Discussion in 'malware problems & news' started by CloneRanger, Aug 1, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yet another instance of a major player in the DL department, actively promoting and serving up a Fake AV. I'm not suggesting they are purposefully doing this, but it's happening right now.

    bs.gif

    Direct link :D

    ap.gif

    av.gif

    AdWare Pro has been available on here -brothersoft . com / publisher / adware - pro . html- from 11 Mar 2010. That's nearly 5 months :eek: Amazing they haven't noticed, or been made aware, or should that be AdWare :D

    I'm in the process of trying to alert them ;)
     
  2. denniz

    denniz Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    431
    Location:
    The Netherlands
    Both WOT and Norton Safeweb are flagging Brothersoft as a bad website and this has been the case for a very long time now. I never use Brothersoft because of its dubious reputation.
     
  3. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Brothersoft - dicey. Try Filehippo.
     
  4. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    A sad thing is a lot of trusted free products use Brothersoft as their default file download site.
    It is best to try to avoid Brothersoft because it has a history of listing rogue products and some are the site's picks.

    Thanks.:)
     
  5. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    All the three links are still alive. Just reported the links to Google and Kaspersky Lab for review.
     
    Last edited: Aug 1, 2010
  6. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Screw filehippo. They've gone downhill recently. They used to not host products that installed adware without user consent but that has changed. Softpedia or Majorgeeks are probably better download sites for now.
     
  7. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Filehippo has a very small number of choices, albeit a safe site, but I agree, Majorgeeks and Softpedia are best. Have never ever used Brothersoft, think it's had a dubious reputation for quite a time.
     
  8. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I also use Majorgeeks and Softpedia as well as Filehippo. Some very reputable vendor sites divert to Download.cnet and I go for it when that happens.

    John B
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why can't you just download programs from the official vendor's sites?

    ----
    rich
     
  10. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Yes, of course, forgot to say this. Usually use MGs et al for the update alert.
     
  11. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Brothersoft has posted Fake AV's before.

    Anyway can someone post the MD5 of the fake av?
     
  12. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    AdWare Pro 2010

    md5 9A27A775199BA1B3698102F439067066

    Only one scanner on VT detects it - Panda as Application/PrivacyCrusader
     
  13. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    It must be a Virus Total's "fault" again or your fault because you did a hash search.
    Your MD5 search goes to one file. The one I downloaded from the site is completely different
    ~ Virus Total Results Removed per Policy ~
     

    Last edited by a moderator: Aug 2, 2010
  14. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    No idea what you are chirping about. I downloaded from brothersoft. I was not able to download from the adwarepronow.com site. Besides, since this thread is about Brothersoft hosting a fake av it would seem to be more relevant to download from brothersoft - not www.financeprogramm.com or wherever you got your download.
     
    Last edited by a moderator: Aug 2, 2010
  15. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    I am chirping. Wow, really?


    Me, too.

    I also downloaded the one from Brothersoft. By the way, it offered me more than one variant but only one was working. The MSI which I started and the program I installed didn't seem like a typical rogue program. I performed full scan with it, it didn't find any threats on my computer (I was running a trial version of it). Additionally, it asked me to buy it but the URL it opened said the program is no longer being sold (or something like this). I submitted it to Symantec and Microsoft for further inspection.
     
  16. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Thanks I submitted to a few vendors for more research also.
     
  17. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Got one response, from what I have been told it contains no malware code.
     
  18. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    @Rmus

    Sandboxie is a developer and they host on Brothersoft. Ohnos!

    @Ibrad

    Update your signature before you get infected with Ohnos!
     
  19. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    That doesn't surprise me because many rogue products are not considered to be malware by a lot of security vendors.
    To me if it involves phishing, scamming, hijacking, faking protection or not providing trusted protection then I would expect all security vendors to detect me from them.

    This is where a lot of commercial vendors make deals with these types of products to allow them to escape detection.
    That is why many free vendors will do better at detecting these types of rogue products like MBAM, Spybot S&D, SuperAntiSpyware, NoVirusThanks Malware Remover, etc. Because they don't make deals with these rogue vendors.

    Because if you want to submit rogue products, start with the free vendors, you will get a better response.

    Thanks.:)
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    But they also host on their own site:

    sandboxieDLsite.gif


    However, one would be normally inclined to trust a DL mirror site recommended by the vendor. To force the DL of tampered product would be quite difficult, it seems to me. This is a bit different than browsing a DL site before checking with a vendor's site.

    However, to be safe, one could ask the vendor for the MD5 number to check against the DL site.

    Now, all of this triggered something from earlier this summer, and I can't find the thread, but if I search for Sandboxie on the Brothersoft site, I'm taken to an HTML page, where I would expect to read about the software. Note that there is a Download button to click. However, a script on the page starts the DL of the executable automatically, which my security flagged. This isn't good etiquette in my book! (Having heard about this, I enabled scripting just to check.)

    sandboxie.gif


    ----
    rich
     
    Last edited: Aug 3, 2010
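
The check suggested in the post above, comparing a downloaded file against a digest obtained from the vendor, written out as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration, and inferring the algorithm from the digest length is an assumption of this example.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD5 is what the thread uses; prefer SHA-256
# when the vendor publishes one, since MD5 collisions are practical.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_digest(published):
    """Lower-case a posted digest and drop spaces, colons and dashes."""
    cleaned = "".join(c for c in published if c not in " :-\t\r\n").lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or set(cleaned) - set("0123456789abcdef"):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    return cleaned


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (matches, algorithm, actual_digest) for a downloaded file."""
    expected = normalize_digest(published)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


def demo():
    """Constructed sample: one intact copy and one altered mirror copy."""
    vendor_bytes = b"constructed installer bytes, not a real program"
    published = hashlib.md5(vendor_bytes).hexdigest().upper()  # as a vendor might post it
    with tempfile.TemporaryDirectory() as d:
        good, altered = os.path.join(d, "good.bin"), os.path.join(d, "altered.bin")
        with open(good, "wb") as fh:
            fh.write(vendor_bytes)
        with open(altered, "wb") as fh:
            fh.write(vendor_bytes + b"\x00")  # a single extra byte
        return verify_download(good, published)[0], verify_download(altered, published)[0]


if __name__ == "__main__":
    print(demo())
```

A mismatch only shows that the file is not the one the vendor hashed; two people comparing digests also need to confirm they fetched the same file from the same link.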
  21. wat0114

    wat0114 Guest

    Always the best first approach, and there are decent, if not perfect, sites like Softpedia as alternatives. I agree with others who question Brothersoft's reputation. I don't even need WOT or anything else to warn me about it; just one look at the main page with all its gratuitous cheesy advertising belies any modicum of credibility it might attempt to portray. When something doesn't seem right, avoid it like the plague.
     
  22. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    452
    brothersoft I always thought of as a trash site.
     
  23. wat0114

    wat0114 Guest

    Same thing happens with the sandboxie.com d/load link... Actually, does this start the download automatically? I ask because it's still necessary to click the Save file button for the file to download to the machine.
     


  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, depending on the browser, the file will start to DL but pause until OKed by the user. I think FF starts a null file in the cache; Opera starts a .com file in the cache.

    Browsers are configured by default to prompt for the direct download of .exe. My security intercepted before the DL prompt box could display.

    There is no danger, of course, that the file could download/execute without user permission, but for the uninitiated, seeing the prompt box pop up before clicking can be unnerving. That's why I suggested that it's not good etiquette for a site to do that.

    If it were to be a direct download, the link URL should end in .../file.exe and not .../file.html so that there are no surprises.

    Note that the Download link on the Sandboxie page is a direct link to the .exe file.

    ----
    rich
     
  25. wat0114

    wat0114 Guest

    Okay, I understand now. Interesting stuff, thanks :) One thing, though, I wonder if this surprises most people? Maybe not. Admittedly it did not surprise me because the button is to download a file, so I kind of expect the prompt to pop-up, but I see now after your explanation why it shouldn't, at least with the Brothersoft one.
     