Warning about Auslogic Defrag Free.

Discussion in 'backup, imaging & disk mgmt' started by DoctorPC, Jan 19, 2014.

  1. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
Latest version of Auslogic installs fine, but after the install it drops a trojan into a temp folder and tries to offload a payload onto your system. Verified the MD5, and the download location is Auslogics themselves, on their server directly, with no MITM or diversion.

Trojan hits an IP address in Reston, VA which my sources claim is a CIA front server. When I do a deeper search I find the server is named MOE, which is a once famous CIA agent named "Moe Burg", sort of a legend within the CIA I hear. So I wonder.. Why is Auslogics offloading a trojan? Why does it call home to the CIA's MOE server? If you wanted a 'catalog' of every file on someone's system, a defragger that dials home would be a WONDERFUL tool.

    Check yourself, but be careful!
    -http://www.auslogics.com/en/software/disk-defrag/download/-

    The link below that says: Alternatively, click here to download from our website

is the one that offloads the trojan. Note, I am not linking the trojan, as this website is a WELL KNOWN defragmentation vendor. I am merely pointing out that they appear to be compromised, either knowingly or unknowingly.. Whichever, but people should be warned. Unless you are port monitoring, you may not see what is going on.
     
    Last edited by a moderator: Jan 19, 2014
  2. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
Out of 22 products (including Webroot on execution miss), only NOD32 and MBAM/CHICA detect it so far; it's new, and is detected as a 'gen'. I am submitting samples to the other vendors as I type this. These aren't endorsements for those products, merely stating that for the record.

Sadly, I didn't have ShadowDefender running on the install on my main machine, for the simple reason that I have always used and trusted Auslogic. Lesson learned I guess: SD every installation to test them out.. <sigh> At least I snagged it before rolling Auslogic out to several other boxes I am working on..
     
  3. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    Although I haven't used Auslogic defrag for maybe a year or so, for a number of years it was my go to defragger. This is really disappointing news.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That's why I don't completely rely on manual solutions. Real-time products still have their uses as another layer.
     
  5. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    I did some investigation into this. I found from 3.6.0.0 and prior, there are not any trojans in their installer. Just the ASK toolbar with a confirmation of installation. So at least for now, it appears that version is safe, and probably totally viable to keep running, or to install without the payloads.

    -http://www.oldapps.com/auslogics_disk_defrag.php?old_auslogics_disk_defrag=8598-

    Only an 'optional' toolbar (ask), and the file/program seems to be totally clean across the board. For me this is the answer to the issue because I love Auslogic's free defragger, and I can live with an older version as long as it supports Windows 8 and on - which this one does.

    Sadly, I end up doing this with a lot of products. Advanced Uninstaller Pro is very nice, but only prior to version 11.23, after that they add a nagware, perma-running 'system checker' application in your tray. Even disabling it seems to not solve the issue. So I am perpetually locked into version 11.23 or earlier on that program as well. Sucks, but what do you do?
     
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
So this is signed malware?

edit- I notice that MBAM does not detect the file in question, ESET is the only one
     
    Last edited: Jan 19, 2014
  7. Solemn

    Solemn Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    36
    Location:
    Canada
    I noticed this strange behaviour as well after the 4.4.2.0 update and wasn't quite sure what it was. Glad to see some clarification/attention on this.

    ESET blocked it immediately for me, but this went through on different PCs running Avast. Apparently a strange pop-up suddenly appears after installation. It asks for confirmation on a Terms of Service. You can decline and it appears to vanish. Not sure if it sticks around...seems quite odd..

I haven't tried full scans yet, but quick scans with Avast and SuperAntispyware found nothing on those PCs. Already cleared temp files, but I'll try a deeper sweep.

    Has anybody had this happen with the portable version?
     
  8. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
I also got some warning from ESET when trying Auslogics registry cleaner. I don't remember exactly what it is. When the setting for 'potentially unsafe programs' is turned on, ESET detects many more. For instance it blocks websites of products claiming to speed up systems by 500%.
     
  9. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
Seems to be a PUP (adware) and not file-indexing malware for the CIA.

Offending file within the installation package is "itdownload_stub.exe"

    location- C:\Users\'username'\AppData\Local\Temp\is-3KR8H.tmp\itdownload_stub.exe
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Is the portable version "clean"?
     
  11. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
Seems to be clean as of right now.
     
  12. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
I don't think this is an actual trojan. I had the same pop up from the pro version, and ESET blocked it. I'm pretty sure it's just like one of those things many companies do after an install that opens your web browser and says you installed it, but this just gives you the small pop up instead. It was only detected on the systems I have that run ESET, no others.
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
I agree :thumb:
     
  14. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    MBAM/Chica blocks the domains it tries to connect to as 'malicious'.

Given the popup either doesn't show, or shows without identification so most people click 'accept', and then it proceeds to dial home and download other things, to me it feels more like malware, but that's my opinion. I'm reverting back to 3.6.0.0, which didn't have this payload regardless, or the portable edition if that proves clear.
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
If what you say is true, it's not really a matter of opinion... it is. I only use Auslogics registry cleaner and haven't updated it since v2.2, because nothing about it has changed since then as far as XP goes. And this is why I don't upgrade apps if it's not necessary, and am content with a version that runs great and has no vulnerabilities. With each new version the potential for stuff like this, or at the least adware/bloat, increases. When you find a good version of a program, back up the installer. Don't delete it when a new version comes out.
     
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
The popup does show and you have the option to decline or accept; it clearly pops up after the installation once the defrag program is open, so that is a clear indicator that clicking 'accept' will download a different program.

    "What is malware? Short for "malicious software," malware refers to software programs designed to damage or do other unwanted actions on a computer system. Common examples of malware include viruses, worms, trojan, rootkits and spyware."

Seeing as we have a choice of not clicking 'accept', and therefore no extra programs get installed to the computer, I think it's more of a PUP than actual malware (Dr.Web flags it as such).

Regardless, there are better ways to make money from non-paying customers than the above situation.
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,095
  18. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
Tested the latest install version again and it seems to have changed hash.

This new version is now being bundled with OpenCandy (optional install).

Maybe the website randomizes the installer or they have changed the install file.

4 hits on VirusTotal, all marked as PUP (offending file = OCSetupHlp.dll)

    hit1- a variant of Win32/OpenCandy.A
    hit2- PUP.Optional.OpenCandy
    hit3- PE:pUF.OpenCandy!1.9DE5
    hit4- Opencandy (fs)

edit- the smiley face is not intentional and is part of the PUP naming scheme
     
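A defender's check for what posts 9 and 18 describe (Inno Setup's is-XXXXX.tmp extraction folder under Temp, the dropped itdownload_stub.exe / OCSetupHlp.dll, and an installer whose hash changes between downloads), written as an added example that is not from anyone in this thread: it walks a Temp directory, hashes every .exe/.dll dropped into an is-*.tmp folder, and flags the names reported here. The flagged-name list, the five-character folder pattern and the constructed sample layout are assumptions for demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Names reported in this thread; an assumed watch list, extend as needed.
FLAGGED_NAMES = {"itdownload_stub.exe", "ocsetuphlp.dll"}
# Inno Setup extracts to <Temp>\is-XXXXX.tmp (assumed: five alphanumerics).
INNO_TMP_DIR = re.compile(r"^is-[0-9A-Z]{5}\.tmp$", re.IGNORECASE)
INTERESTING_SUFFIXES = {".exe", ".dll"}
SAMPLE_BYTES = b"MZ constructed sample, not a real binary"

def sha256_of(path) -> str:
    """Stream a file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_temp(temp_root) -> list:
    """Return one record (path, sha256, flagged) per .exe/.dll under an is-*.tmp folder."""
    root = Path(temp_root)
    findings = []
    if not root.is_dir():
        return findings
    for entry in sorted(root.iterdir()):
        if not (entry.is_dir() and INNO_TMP_DIR.match(entry.name)):
            continue  # only installer extraction folders, not the whole Temp tree
        for f in entry.rglob("*"):
            if f.is_file() and f.suffix.lower() in INTERESTING_SUFFIXES:
                findings.append({"path": str(f), "sha256": sha256_of(f),
                                 "flagged": f.name.lower() in FLAGGED_NAMES})
    return findings

def build_constructed_sample() -> str:
    """Create a throwaway Temp layout mirroring the thread's report (constructed, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="inno_demo_"))
    inno = root / "is-3KR8H.tmp"
    inno.mkdir()
    (inno / "itdownload_stub.exe").write_bytes(SAMPLE_BYTES)
    (inno / "license.txt").write_text("not a binary, should be ignored")
    (root / "unrelated").mkdir()
    (root / "unrelated" / "setup.exe").write_bytes(SAMPLE_BYTES)  # outside is-*.tmp, ignored
    return str(root)

if __name__ == "__main__":
    for rec in scan_temp(tempfile.gettempdir()):
        print("FLAGGED" if rec["flagged"] else "       ", rec["sha256"], rec["path"])
```

Run it right after an installer finishes but before the temp folder is cleaned up; recording the SHA-256 of each dropped binary also lets you tell a silently changed installer from the one you verified earlier.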
  19. Banzi

    Banzi Registered Member

    Joined:
    Oct 21, 2013
    Posts:
    368
    Location:
    Scotland
    I had this when updating to the latest version of the pro version 4.3.6.0

After the defrag app was installed and then opened automatically, Comodo Defense+ prompted me that C:\Users\'username'\AppData\Local\Temp\is-3KR8H.tmp\itdownload_stub.exe wanted to run itself & another process, & then asked for net access; another installer window opened with no accept or decline options or info on what it was downloading & said your software has downloaded & been installed.

Full scans with Bitdefender AV+ & MBAM Pro don't show any infections, but this is still a very worrying development for a paid app. This will most likely put me off Auslogics software for good & I can no longer recommend it to friends & family.

When trying to right click the itdownload_stub.exe to get the details, Windows Explorer then crashed, which has never happened before on this PC (Win7 x64).

I stopped using Avira Premium due to business practices like this with its toolbar etc.
     
  20. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
This certainly is an alarming development. From what I can gather at this point, thanks to you guys helping:

    1) Portable version has no bundled trash.
    2) Version 3.6.0.0 only has an optional ASK toolbar (very clearly marked during install)
    3) ALL non-portable versions after 3.6.0.0 have malware payloading tools.

So the options for me are to run portable and trust that, run 3.6.0.0 and trust that, or to find a different product. I discovered most of the machines I work on had an OLDER version of Auslogic (3.6 or back), without the malware, so we are fine there. But going forward it's clear I need to make some decisions about this product.

    I am thinking I will just stick with 3.6.0.0 as the last workable version - it works on all windows versions, the toolbar is easily avoided, and there isn't anything nefarious about it. :'(
     
  21. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Looks like 3.6.1.0 is the last version without the payloaded malware. Sorry.

    -http://www.oldapps.com/auslogics_disk_defrag.php?old_auslogics_disk_defrag=8718-

But it does contain an optional, and clearly marked, ASK toolbar. Otherwise it appears to be totally clean. I will likely revert to this version, as it works on all Windows versions (including 8.1 64 bit).
     
  22. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    This is a good practice, and is generally my practice - generally. But now it will become my top priority..

    Now we find Chrome users are being offloaded malware by 'trusted' chrome extensions during the update process of those very extensions! So you cannot even trust updates of known, popular extensions in browsers.. If what you have works - leave it at that!

    http://www.cso.com.au/article/536285/malware_infects_users_through_trusted_chrome_extensions/

    I even keep Windows Updates off, and 'personally' evaluate every potential update, on a file by file basis.
     
  23. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    That's the version I've been running and apparently the last one for the foreseeable future.
     
  24. Banzi

    Banzi Registered Member

    Joined:
    Oct 21, 2013
    Posts:
    368
    Location:
    Scotland
    My thanks go to DoctorPC & other posters in this thread, at first I thought it was a new of Auslogics checking serials, now I can see it was for more dodgy practices.

Have sent their support an email telling them that I'm not happy they are now doing this with the paid version as well; will post when I get a reply.
     
  25. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,095
    You will not receive any reply.

    fyi: I have already sent 3 emails, no one bothers to answer.
     