PUPs and botnet bundled with 7-zip, according to Invincea

Discussion in 'malware problems & news' started by JLD, Sep 20, 2015.

  1. JLD

    JLD Guest

  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    7zip from where, though? Just the name of the setup file is suspicious BTW - it doesn't match the installer name from the actual 7zip website.
     
  3. JLD

    JLD Guest

    I have found Invincea to be top-notch, so I'm assuming for now they would have taken the file from 7-zip's website. The Invincea presentation was made several months ago, so it is possible that the installer files have been updated or changed, which is very likely if there indeed was a botnet and the author found out he was "outed".

    I did download the 7-zip installer on a travel PC about a year ago. I scanned the installer with Bitdefender, but it indicated clean. Upon installation, Bitdefender Intrusion Protection alerted and stopped the installation. I ended up reinstalling to that PC an image I had recently made "just in case". I recently ran across the Invincea presentation, which explained what I saw.

    I ran ZScaler today on today's 7-zip installer package, so that scan is fully up to date. From my POV, that is more than enough.

    It is each person's decision on what they believe. For me, I won't touch 7-zip with a 10' pole.
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    Has anyone uploaded the suspect file to VirusTotal?

    On VT, Blueliv and Quttera consider the 7zip site itself a ‘Malicious’ site and CLEAN MX considers it a ‘Suspicious’ site.

    Everything else is clean.

    I'm suspecting a false positive.
     
    Last edited: Sep 20, 2015
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @JLD Easy on the accusations, okay? The slideshow does not make it at all clear where/who the 7zip_setup installer came from. Not using 7zip is your prerogative, but let's wait for more news before assuming Igor Pavlov has sold out.

    BTW, charming bit of political bias creeping into that presentation there

    Right, because it's the social justice crowd that does all the doxxing and stalking and hacking and stuff... oh wait. *bangs head on keyboard repeatedly*

    And with that, Invincea joins the list of companies I will never do business with.
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    That is correct. It looks like a "7-zip" ripoff (just ab/using the name), and bundled with a load of rubbish.

    The title of this thread is misleading imo, and is not what Invincea are actually saying.
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    Correct, this is totally misleading and the article/slideshow is poorly written.

    Where did they get this suspicious "7-Zip_Setup.exe"?

    Please don't be misled by such an article/slideshow. 7-Zip is Free and Open-Source software; anyone can look at the source code, build their own package and see if it matches the published version.

    I'm 100% positive that this slideshow is wrong and that the author executed a tampered 7-Zip setup, probably because he/she lacks the knowledge to do such testing (and that's probably why a tampered 7-Zip was used).

    The article lacks important info, is poorly written, and the author clearly doesn't know what he/she is doing.

    -1/10

    Are you sure this is Invincea? Because if it is, then their reputation just went to -1 for me.
     
  8. Kobayashi maru

    Kobayashi maru Registered Member

    Joined:
    Nov 7, 2009
    Posts:
    124
    Location:
    Drivin' all night my hands wet on the wheel....
    +1
    Just run the 4 versions from the site and nothing to report.
     
  9. JLD

    JLD Guest

    Nothing misleading in the title, and no accusations were made. I reported facts: What Invincea found matches my personal experience. Zscaler reports the website and file as suspicious. Facts that don't seem to be appreciated by some of the posters. C'est la vie.

    Was the version I downloaded clean? Almost certainly not. Is the current version clean? I don't know. But in the absence of an analysis similar to what Invincea did, my personal opinion is "stay away".

    I was trying to do a public service here. If you want to use 7-Zip, then use 7-Zip. I thought some people on the forum would appreciate Invincea's analysis and my personal experience with the installer.
     
  10. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    I have never seen PUPs bundled with 7zip in all the years I've been using it...
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,242
    While I don't use 7-Zip, it is evident that they are not using the original installer.
     
  12. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    I don't know why Zscaler would flag 7-Zip as "suspicious", but that could mean a business strategy so that people buy Win-RAR or WinZip :p Who knows.

    Where did you download it from?

    It's easy to verify. So far no proof of this claim has emerged.

    Because of FUD.
    And what "analysis" did they do on 7-Zip? LOL.

    If their analysis was professional and well done, then I'm sure people would appreciate it. But when a company throws such poorly written material and says that a FOSS program has spyware, they better be doing a better analysis than what they did there.

    What version of 7-Zip?
    Where was it downloaded from?
    What kind of PUP? How does it operate?
    How was the botnet discovered?
    What kinds of test did they do to discover it?

    At first it looked like they downloaded a tampered version of 7-Zip. The slide says:
    What was supposed to be 7zip was a pile of unwanted programs that each paid the installer cash. Included is 866.exe, a variant of botnet Kazy.

    However, this next part of the slide says:
    They did get 7zip.

    This could indicate that Invincea said that 7-Zip developers accepted putting malware in 7-Zip in exchange for money. Is that true? I REALLY don't think so, they provided no evidence, no analysis, nothing, they just said that.

    The worst part of all this is that there will be people reading this thread who will avoid 7-Zip hahahaha.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    They could be flagging based on 7-Zip's site and downloads being hosted by dirty-Sourceforge, just a guess. But 7-Zip itself is clean and trusted.
     
  14. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    That's what I was thinking, uBlock auto-blocks Sourceforge..
     
  15. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,242
    @WildByDesign No they're not. They have downloaded a rogue installer, which bundles various other software with 7-Zip. If they had downloaded the installer from Sourceforge or the 7-Zip website they would have had a clean download.
     
  16. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
  17. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    ZScaler's "Risky" rating is based on the geo-location of the server: RU. URL "suspicious character score". And the IP address itself is said to be risky. All this for 7-zip.org. And as has been stated, the downloads are hosted on Sourceforge, and any that I've checked (incl. betas) are clean.

    I really do think the thread title is incorrect, and the slide is showing how commonly seen software can be abused in this way. Invincea are not saying that the real 7-zip is dodgy, but showing how these things commonly happen.

    http://zulu.zscaler.com/submission/show/6fa0a4dc4ef568a6147a7f12e8a5bb8e-1442792021
     
  18. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Last edited: Sep 20, 2015
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Huh. @JRViejo, think maybe the site got compromised at some point?
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    It's interesting that 124 people have voted that the first file is malicious; it makes me wonder what criteria they are using to define malicious. Yet all the scanners claim that the file is harmless.

    I've had two separate AV programs flag FotoSketcher as malicious within days of each other, both times it was a false positive. I uploaded the FotoSketcher installer to VirusTotal and it found it clean.

    I'm guessing this is something similar.
     
  21. CyberMadHatter

    CyberMadHatter Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    2
    Hello All!
    I'm the guy who wrote the Invincea presentation in question. A google alert brought me here. As such, I'd be happy to settle any questions about the presentation.

    As far as the 7zip installer, this was a result of someone doing a Google search for 7zip to download.
    Bad people had gamed the Google search results to get their PUP/bundleware download site to present itself as either a promoted ad or as the top rank for the 7zip download.
    One of our users downloaded this malicious bundleware and they got 7zip along with a ton of unwanted programs, each of which paid the bundler up to 5 dollars per installation as a referral bonus.
    One of those unwanted programs was a definite botnet such as zbot.
     
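An added triage example (not from the Invincea presentation or from anyone in this thread) for the installer pattern CyberMadHatter describes: a wrapper that delivers the real program plus extra payloads. It measures the overlay appended after a PE file's declared sections and counts raw executables embedded there; the "bundle" it inspects is constructed in the code, not a real download.

```python
import struct

PE_SIG = b"PE\0\0"

def pe_overlay_info(data: bytes) -> tuple[int, int, int]:
    """Return (end_of_sections, overlay_size, embedded_pe_count) for a PE image.
    The overlay is whatever follows the last section's raw data; a bundler
    wrapping a real program typically appends its extra payloads there."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size        # section headers follow the optional header
    end = sec_table + 40 * num_sections         # at minimum the headers themselves
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    count, pos = 0, 0
    while (pos := overlay.find(b"MZ", pos)) != -1:
        # Only count an "MZ" whose e_lfanew really points at a PE signature.
        if pos + 0x40 <= len(overlay):
            lfa = struct.unpack_from("<I", overlay, pos + 0x3C)[0]
            if overlay[pos + lfa:pos + lfa + 4] == PE_SIG:
                count += 1
        pos += 2
    return end, len(overlay), count

def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (one section, no optional header) used as sample
    input only; it is not a real installer and would not run."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, 0x80,
                       0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + b"\xC3" * 0x10 + overlay            # section data at 0x80..0x90

def build_sample_bundle(n_payloads: int) -> bytes:
    """Constructed 'bundleware' image: a host PE whose overlay carries n extra PEs."""
    overlay = b"".join(b"payload-" + build_sample_pe() for _ in range(n_payloads))
    return build_sample_pe(overlay)

if __name__ == "__main__":
    end, size, n = pe_overlay_info(build_sample_bundle(2))
    print(f"sections end at {end:#x}, overlay {size} bytes, {n} embedded PE(s)")
```

Many legitimate installers (NSIS, Inno Setup, 7-Zip's own SFX) also carry an overlay, so a large overlay with several raw embedded PEs is a reason to verify the vendor's published hash and code signature, not proof of bundling by itself.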
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,242
    @CyberMadHatter Thanks for the post. While it was clear to me that you used a rogue installer, it may clear things up for others.
     
  23. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Gullible Jones, given the dates of the Scumware's Query Results, that's my guess as well.
     
  24. CyberMadHatter

    CyberMadHatter Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    2
    Invincea provides the ultimate endpoint security from unwanted programs that autorun via downloads. The point of the presentation was to show the evolution of crimeware and threat actors and how they make money on the criminal internet underground, bundling malware along with referral bonus programs and how our software prevents exploitation via crimeware.

    BTW, 7zip, the last time I checked, still pays referral bonuses to people to refer downloads and installation of their software. These referral bonuses inevitably lead to abuse, which contributes to botnets, crimeware, malware and more badness.
     
  25. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Change the title of this thread!!! Disgustingly misleading. An affront to a stellar program.
     