CNET Download a malware.

Please take note of these...
http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/
I came across this before, and it is somewhat true in some ways.
Comments
Thanks for that heads up.
I've also noticed that Open Candy is becoming more prevalent. MSE and another AV detected it on the same installed software about 6 months ago, on 2 different PCs. I downloaded that file today and submitted it to VirusTotal, and it now no longer flags it. So I don't know if the vendor took it out, or the AV companies' definitions are now "allowing" it. I think more of the developers and maintainers of free (and paid-for) software versions are seeing it as a form of revenue to help offset expenses.
Here is a list of some of the software where that is included. Just a couple of days ago, in the setup of free software, I was asked to allow (keep the box checked) Open Candy so that he could continue to offer his software free.
Thanks for the info.
I did get this thing in CDXPBurner.
This is only occurring on the Windows platform.
There is also a similar problem with Mac apps.
I generally cannot trust much of the third-party software being released in the Apple App Store. Many of the users are not aware of the situation. The same goes for Chrome.
Some of the developers just come and go. Some have made agreements with advertising companies for money.
Well, one thing is for sure: advertising companies gather information and sell it to their clients for money.
Even our banking sector is doing it!
The confusing part is that even malware like this is considered illegally approved.
I've looked at the nmap page on download.com.
There is no way to check whether the version has been tampered with.
On the original page, all versions come with a SHA hash to verify the version offered.
I downloaded a sample today...
See below.
not reviewed
Safety score: -
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
[[ basic data ]]
entrypointaddress: 0x101660
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
.rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641
[[ 12 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll: EqualSid
comctl32.dll: ImageList_Add
comdlg32.dll: GetOpenFileNameA
gdi32.dll: SaveDC
ole32.dll: OleDraw
oleaut32.dll: VarNot
shell32.dll: DragFinish
URLMON.DLL: CoInternetCreateZoneManager
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: FindNextUrlCacheEntryA
file metadata
CharacterSet: Unicode
CodeSize: 417792
CompanyName: CNET Download.com
EntryPoint: 0x101660
FileDescription: CNET Download.com Install
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 452 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: v2.0.2.108
FileVersionNumber: 0.0.2.108
ImageVersion: 0.0
InitializedDataSize: 45056
InternalName: CNET Download.com Installer
LanguageCode: Neutral
LegalCopyright: CBS Interactive
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductName: CNET Download.com Installer
ProductVersion: v2.0.2.108
ProductVersionNumber: 0.0.2.108
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 634880
Warning: Possibly corrupt Version resource
ler: D
Now try this link.
The file name being downloaded starts with something like this....
For example:-
cnet_filename_exe.exe
The CBS Interactive malware starts with "cnet".
The file to download usually starts with cnet_somefilenametobedownloadfromcnet_exe.exe.
Here is the link to try out... and try uploading it to VirusTotal for analysis.
http://download.cnet.com/System-Cleaner/3000-18512_4-10045285.html?tag=dropDownForm;productListing
Try the above posting with the CNET download.com link,
upload it to virustotal.com,
and you will see the similarity...