CNET Download a malware.

RusliRusli Posts: 1,002 Adventurer
in F-Secure SAFE

Please take note of these...

 

http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/

 

I come across with this before and somewhat true is some ways.

 

 

 

 

Like

Comments

  • siramicsiramic Posts: 43

    Thanks for that heads up. Smiley Happy

     

    I've also noticed that Open Candy is becoming more prevalent. MSE and another AV detected it on the same installed software about 6 months ago, on 2 different PC's. I downloaded that file today, and submitted it to Virus Total, and it now no longer flags it. So I don't know if the vendor took it out, or the AV companies av definitions are now "allowing" it. I think more of the developers and maintainer's of free (and paid for) software versions are seeing it as a form of revenue to help offset expenses.

     

    Here is a list of some of the software where that is included. I just had  a couple days ago in the set up of free software, asked to allow (keep the box checked) Open Candy, so that he could continue to offer his software free.

    Like
  • RusliRusli Posts: 1,002 Adventurer

    Thanks for the infos. 

     

    I did get thing in CDXPBurner.

     

    This is only occuring to Windows Platform.

     

    There is also a similar problem to Mac Apps.

     

    I generally cannot trust many of the third software being release in the Apple Apps store. Many of the users are not aware of the situation. That goes the same to Chrome.

     

    Some of the developers just come and go. Some have making agreements with Advertising Companies for Money.

     

    Well One thing for sure, an Advertising Companies gathers informations and sell it to their clients for money.

     

    Even our Banks sectors are doing it!

     

    The confusing part is, even a malware like this is considered illegally approved. 

    Like
  • motec-datamotec-data Posts: 47

    I've looked at download.com, the site of nmap.

    There is no way to check whether the version has been tampered with.

    On the original page with all versions of a SHA hash to verify the version offered.

     

    Like
  • RusliRusli Posts: 1,002 Adventurer

    I download a sample today...

     

    see below.

     

    Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
     
    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    cnet_EFRCSetup_exe.exe
    Submission date:
    2011-12-19 00:36:36 (UTC)
    Current status:
    queuedqueuedanalysingfinished
    Result:
    6/ 43 (14.0%)
    VT Community
    image
    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V32011.12.18.002011.12.18-
    AntiVir7.11.19.1552011.12.18-
    Antiy-AVL2.0.3.72011.12.18-
    Avast6.0.1289.02011.12.18-
    AVG10.0.0.11902011.12.18-
    BitDefender7.22011.12.19-
    ByteHero1.0.0.12011.12.07Trojan.Backdoor.Gen.a
    CAT-QuickHeal12.002011.12.18-
    ClamAV0.97.3.02011.12.18Adware.Downloader-207
    Commtouch5.3.2.62011.12.17-
    Comodo110042011.12.18-
    DrWeb5.0.2.033002011.12.19Adware.Downware.130
    Emsisoft5.1.0.112011.12.18-
    eSafe7.0.17.02011.12.18Win32.Trojan
    eTrust-Vet37.0.96282011.12.16-
    F-Prot4.6.5.1412011.12.17-
    F-Secure9.0.16440.02011.12.19-
    Fortinet4.3.388.02011.12.18-
    GData222011.12.18-
    IkarusT3.1.1.109.02011.12.18-
    Jiangmin13.0.9002011.12.18-
    K7AntiVirus9.119.56962011.12.15-
    Kaspersky9.0.0.8372011.12.18-
    McAfee5.400.0.11582011.12.18-
    McAfee-GW-Edition2010.1E2011.12.19-
    Microsoft1.79032011.12.18-
    NOD3267222011.12.19a variant of Win32/InstallCore.D
    Norman6.07.132011.12.18-
    nProtect2011-12-18.012011.12.18-
    Panda10.0.3.52011.12.18-
    PCTools8.0.0.52011.12.19-
    Prevx3.02011.12.19-
    Rising23.88.03.022011.12.16Suspicious
    Sophos4.72.02011.12.18-
    SUPERAntiSpyware4.40.0.10062011.12.17-
    Symantec20111.2.0.822011.12.19-
    TheHacker6.7.0.1.3612011.12.18-
    TrendMicro9.500.0.10082011.12.18-
    TrendMicro-HouseCall9.500.0.10082011.12.19-
    VBA323.12.16.42011.12.14-
    VIPRE112722011.12.18-
    ViRobot2011.12.17.48312011.12.19-
    VirusBuster14.1.122.12011.12.18-
    Additional informationShow all
    MD5 : 8dddd3735c33607727ce0d5f66046a2b
    SHA1 : 0b799dea24610e02ae54eead4f6958c02c2c5f41
    SHA256: 9046a61c83f6ebbaea28fa45c62f514bc95e4ed282ec256d1244fda273899971
    ssdeep: 12288:lGFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:UJw4iloja+Yp9dtjkvi
    File size : 463080 bytes
    First seen: 2011-10-28 13:16:01
    Last seen : 2011-12-19 00:36:36
    TrID:
    UPX compressed Win32 Executable (38.5%)
    Win32 EXE Yoda's Crypter (33.4%)
    Win32 Executable Generic (10.7%)
    Win32 Dynamic Link Library (generic) (9.5%)
    Win16/32 Executable Delphi generic (2.6%)
    sigcheck:
    publisher....: CNET Download.com
    copyright....: CBS Interactive
    product......: CNET Download.com Installer
    description..: CNET Download.com Install
    original name: n/a
    internal name: CNET Download.com Installer
    file version.: v2.0.2.108
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    packers (F-Prot): UPX
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x101660
    timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
    machinetype......: 0x14c (I386)

    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
    UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
    .rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641

    [[ 12 import(s) ]]
    KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    advapi32.dll: EqualSid
    comctl32.dll: ImageList_Add
    comdlg32.dll: GetOpenFileNameA
    gdi32.dll: SaveDC
    ole32.dll: OleDraw
    oleaut32.dll: VarNot
    shell32.dll: DragFinish
    URLMON.DLL: CoInternetCreateZoneManager
    user32.dll: GetDC
    version.dll: VerQueryValueA
    wininet.dll: FindNextUrlCacheEntryA
    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 417792
    CompanyName: CNET Download.com
    EntryPoint: 0x101660
    FileDescription: CNET Download.com Install
    FileFlagsMask: 0x003f
    FileOS: Win32
    FileSize: 452 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: v2.0.2.108
    FileVersionNumber: 0.0.2.108
    ImageVersion: 0.0
    InitializedDataSize: 45056
    InternalName: CNET Download.com Installer
    LanguageCode: Neutral
    LegalCopyright: CBS Interactive
    LinkerVersion: 2.25
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 4.0
    ObjectFileType: Dynamic link library
    PEType: PE32
    ProductName: CNET Download.com Installer
    ProductVersion: v2.0.2.108
    ProductVersionNumber: 0.0.2.108
    Subsystem: Windows GUI
    SubsystemVersion: 4.0
    TimeStamp: 1992:06:20 00:22:17+02:00
    UninitializedDataSize: 634880
    Warning: Possibly corrupt Version resource
    ler: D

     

    VT Community

     

    0
    This file has never been reviewed by any VT Community member. Be the first one to comment on it!
    VirusTotal Team
    Add your comment... Remember that when you write comments as an anonymous user they receive the lowest possible reputation. So if you have not signed in yet don't forget to do so. How to markup your comments?
    You can add basic styles to your comments using the following accepted bbcode tags:
    Like
  • RusliRusli Posts: 1,002 Adventurer

    Now try this link.

     

    The file name that is downloading starts with something like this....

     

    For example:- 

     

    cnet_filename_exe.exe 

     

    The CBS interactive Malware starts with "cnet".

     

    The file to download  usually starts with cnet_somefilenametobedownloadfromcnet_exe.exe.

     

    Here is the link to try out... and try to upload to virustotal for analysis.

     

    http://download.cnet.com/System-Cleaner/3000-18512_4-10045285.html?tag=dropDownForm;productListing

     

     

     

     

     

    Like
  • RusliRusli Posts: 1,002 Adventurer

    Try the above posting with the cnet download.com link

     

    and try to upload with virustotal.com

     

    and you will get the similarity...

     

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    cnet2_SystemCleanerSetup_a1100_exe.exe
    Submission date:
    2011-12-19 01:18:10 (UTC)
    Current status:
    queued (#2)queuedanalysingfinished
    Result:
    4/ 42 (9.5%)
    VT Community
    image
    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V32011.12.18.002011.12.18-
    AntiVir7.11.19.1552011.12.18-
    Antiy-AVL2.0.3.72011.12.18-
    Avast6.0.1289.02011.12.18-
    AVG10.0.0.11902011.12.18-
    BitDefender7.22011.12.19-
    ByteHero1.0.0.12011.12.07-
    CAT-QuickHeal12.002011.12.18-
    ClamAV0.97.3.02011.12.18Adware.Downloader-207
    Commtouch5.3.2.62011.12.17-
    Comodo110082011.12.19-
    DrWeb5.0.2.033002011.12.19Adware.Downware.130
    Emsisoft5.1.0.112011.12.19-
    eSafe7.0.17.02011.12.18-
    eTrust-Vet37.0.96282011.12.16-
    F-Prot4.6.5.1412011.12.17-
    F-Secure9.0.16440.02011.12.19-
    Fortinet4.3.388.02011.12.18-
    GData222011.12.19-
    IkarusT3.1.1.109.02011.12.18-
    Jiangmin13.0.9002011.12.18-
    K7AntiVirus9.119.56962011.12.15-
    Kaspersky9.0.0.8372011.12.18-
    McAfee5.400.0.11582011.12.19-
    McAfee-GW-Edition2010.1E2011.12.19-
    Microsoft1.79032011.12.18-
    NOD3267222011.12.19a variant of Win32/InstallCore.D
    Norman6.07.132011.12.18-
    nProtect2011-12-18.012011.12.18-
    Panda10.0.3.52011.12.18-
    PCTools8.0.0.52011.12.19-
    Prevx3.02011.12.19-
    Rising23.88.03.022011.12.16Suspicious
    Sophos4.72.02011.12.18-
    SUPERAntiSpyware4.40.0.10062011.12.17-
    TheHacker6.7.0.1.3612011.12.18-
    TrendMicro9.500.0.10082011.12.18-
    TrendMicro-HouseCall9.500.0.10082011.12.19-
    VBA323.12.16.42011.12.14-
    VIPRE112722011.12.18-
    ViRobot2011.12.17.48312011.12.19-
    VirusBuster14.1.122.12011.12.18-
    Additional informationShow all
    MD5 : ccb84c353bfb64d570575f0512415a2b
    SHA1 : 0e829e509193b346bcf92ea2d754c0a8d18bc917
    SHA256: 33c40c6affe44a27b55b28ededfa6ef401e4b9107ee437d6832c091f17e46e7b
    ssdeep: 12288Smiley Very HappyGFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:KJw4iloja+Yp9dtjkvi
    File size : 463080 bytes
    First seen: 2011-12-19 01:18:10
    Last seen : 2011-12-19 01:18:10
    TrID:
    UPX compressed Win32 Executable (38.5%)
    Win32 EXE Yoda's Crypter (33.4%)
    Win32 Executable Generic (10.7%)
    Win32 Dynamic Link Library (generic) (9.5%)
    Win16/32 Executable Delphi generic (2.6%)
    sigcheck:
    publisher....: CNET Download.com
    copyright....: CBS Interactive
    product......: CNET Download.com Installer
    description..: CNET Download.com Install
    original name: n/a
    internal name: CNET Download.com Installer
    file version.: v2.0.2.108
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    packers (F-Prot): UPX
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x101660
    timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
    machinetype......: 0x14c (I386)

    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
    UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
    .rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641

    [[ 12 import(s) ]]
    KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    advapi32.dll: EqualSid
    comctl32.dll: ImageList_Add
    comdlg32.dll: GetOpenFileNameA
    gdi32.dll: SaveDC
    ole32.dll: OleDraw
    oleaut32.dll: VarNot
    shell32.dll: DragFinish
    URLMON.DLL: CoInternetCreateZoneManager
    user32.dll: GetDC
    version.dll: VerQueryValueA
    wininet.dll: FindNextUrlCacheEntryA
    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 417792
    CompanyName: CNET Download.com
    EntryPoint: 0x101660
    FileDescription: CNET Download.com Install
    FileFlagsMask: 0x003f
    FileOS: Win32
    FileSize: 452 kB
    FileSubtype: 0
    FileType: Win32 EXE
    FileVersion: v2.0.2.108
    FileVersionNumber: 0.0.2.108
    ImageVersion: 0.0
    InitializedDataSize: 45056
    InternalName: CNET Download.com Installer
    LanguageCode: Neutral
    LegalCopyright: CBS Interactive
    LinkerVersion: 2.25
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 4.0
    ObjectFileType: Dynamic link library
    PEType: PE32
    ProductName: CNET Download.com Installer
    ProductVersion: v2.0.2.108
    ProductVersionNumber: 0.0.2.108
    Subsystem: Windows GUI
    SubsystemVersion: 4.0
    TimeStamp: 1992:06:20 00:22:17+02:00
    UninitializedDataSize: 634880
    Warning: Possibly corrupt Version resource
    ler: D
    Like
This discussion has been closed.