CNET Download a malware.

Senior Advisor

CNET Download a malware.

Please take note of these...

 

http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/

 

I came across this before, and it is somewhat true in some ways.

 

 

 

 

Supporter

Re: CNET Download a malware.

Thanks for that heads up. :)

I've also noticed that Open Candy is becoming more prevalent. MSE and another AV detected it on the same installed software about 6 months ago, on 2 different PCs. I downloaded that file today, and submitted it to VirusTotal, and it now no longer flags it. So I don't know if the vendor took it out, or the AV companies' AV definitions are now "allowing" it. I think more of the developers and maintainers of free (and paid for) software versions are seeing it as a form of revenue to help offset expenses.

Here is a list of some of the software where that is included. Just a couple of days ago, in the setup of some free software, I was asked to allow Open Candy (keep the box checked), so that he could continue to offer his software free.

Senior Advisor

Re: CNET Download a malware.

Thanks for the info.

I did get that thing in CDXPBurner.

This is only occurring on the Windows platform.

There is also a similar problem with Mac apps.

I generally cannot trust much of the third-party software being released in the Apple App Store. Many of the users are not aware of the situation. The same goes for Chrome.

Some of the developers just come and go. Some are making agreements with advertising companies for money.

Well, one thing is for sure: advertising companies gather information and sell it to their clients for money.

Even our banking sector is doing it!

The confusing part is, even malware like this is considered illegally approved.

Supporter

Re: CNET Download a malware.

I've looked at download.com, the site of nmap.

There is no way to check whether the version has been tampered with.

On the original page, all versions come with a SHA hash to verify the version offered.

 

Senior Advisor

Re: CNET Download a malware.

I downloaded a sample today...

See below.

 

File name:
cnet_EFRCSetup_exe.exe
Submission date:
2011-12-19 00:36:36 (UTC)
Antivirus, Version, Last Update, Result
AhnLab-V3, 2011.12.18.00, 2011.12.18, -
AntiVir, 7.11.19.155, 2011.12.18, -
Antiy-AVL, 2.0.3.7, 2011.12.18, -
Avast, 6.0.1289.0, 2011.12.18, -
AVG, 10.0.0.1190, 2011.12.18, -
BitDefender, 7.2, 2011.12.19, -
ByteHero, 1.0.0.1, 2011.12.07, Trojan.Backdoor.Gen.a
CAT-QuickHeal, 12.00, 2011.12.18, -
ClamAV, 0.97.3.0, 2011.12.18, Adware.Downloader-207
Commtouch, 5.3.2.6, 2011.12.17, -
Comodo, 11004, 2011.12.18, -
DrWeb, 5.0.2.03300, 2011.12.19, Adware.Downware.130
Emsisoft, 5.1.0.11, 2011.12.18, -
eSafe, 7.0.17.0, 2011.12.18, Win32.Trojan
eTrust-Vet, 37.0.9628, 2011.12.16, -
F-Prot, 4.6.5.141, 2011.12.17, -
F-Secure, 9.0.16440.0, 2011.12.19, -
Fortinet, 4.3.388.0, 2011.12.18, -
GData, 22, 2011.12.18, -
Ikarus, T3.1.1.109.0, 2011.12.18, -
Jiangmin, 13.0.900, 2011.12.18, -
K7AntiVirus, 9.119.5696, 2011.12.15, -
Kaspersky, 9.0.0.837, 2011.12.18, -
McAfee, 5.400.0.1158, 2011.12.18, -
McAfee-GW-Edition, 2010.1E, 2011.12.19, -
Microsoft, 1.7903, 2011.12.18, -
NOD32, 6722, 2011.12.19, a variant of Win32/InstallCore.D
Norman, 6.07.13, 2011.12.18, -
nProtect, 2011-12-18.01, 2011.12.18, -
Panda, 10.0.3.5, 2011.12.18, -
PCTools, 8.0.0.5, 2011.12.19, -
Prevx, 3.0, 2011.12.19, -
Rising, 23.88.03.02, 2011.12.16, Suspicious
Sophos, 4.72.0, 2011.12.18, -
SUPERAntiSpyware, 4.40.0.1006, 2011.12.17, -
Symantec, 20111.2.0.82, 2011.12.19, -
TheHacker, 6.7.0.1.361, 2011.12.18, -
TrendMicro, 9.500.0.1008, 2011.12.18, -
TrendMicro-HouseCall, 9.500.0.1008, 2011.12.19, -
VBA32, 3.12.16.4, 2011.12.14, -
VIPRE, 11272, 2011.12.18, -
ViRobot, 2011.12.17.4831, 2011.12.19, -
VirusBuster, 14.1.122.1, 2011.12.18, -
Additional information
MD5 : 8dddd3735c33607727ce0d5f66046a2b
SHA1 : 0b799dea24610e02ae54eead4f6958c02c2c5f41
SHA256: 9046a61c83f6ebbaea28fa45c62f514bc95e4ed282ec256d1244fda273899971
ssdeep: 12288:lGFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:UJw4iloja+Yp9dtjkvi
File size : 463080 bytes
First seen: 2011-10-28 13:16:01
Last seen : 2011-12-19 00:36:36
TrID:
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x101660
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
.rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641

[[ 12 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll: EqualSid
comctl32.dll: ImageList_Add
comdlg32.dll: GetOpenFileNameA
gdi32.dll: SaveDC
ole32.dll: OleDraw
oleaut32.dll: VarNot
shell32.dll: DragFinish
URLMON.DLL: CoInternetCreateZoneManager
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: FindNextUrlCacheEntryA
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 417792
CompanyName: CNET Download.com
EntryPoint: 0x101660
FileDescription: CNET Download.com Install
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 452 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: v2.0.2.108
FileVersionNumber: 0.0.2.108
ImageVersion: 0.0
InitializedDataSize: 45056
InternalName: CNET Download.com Installer
LanguageCode: Neutral
LegalCopyright: CBS Interactive
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductName: CNET Download.com Installer
ProductVersion: v2.0.2.108
ProductVersionNumber: 0.0.2.108
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 634880
Warning: Possibly corrupt Version resource
Senior Advisor

Re: CNET Download a malware.

Now try this link.

The name of the file being downloaded starts with something like this...

For example:

cnet_filename_exe.exe

The CBS Interactive malware starts with "cnet".

The file to download usually starts with cnet_somefilenametobedownloadfromcnet_exe.exe.

Here is the link to try out... and try to upload it to VirusTotal for analysis.

 

http://download.cnet.com/System-Cleaner/3000-18512_4-10045285.html?tag=dropDownForm;productListing
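
Added example, not part of any post in this thread: a Python check combining two points raised above, the lack of a published hash to verify against and the cnet_..._exe.exe file naming. The file names and contents are constructed stand-ins, and the published SHA-256 is assumed to come from the software author's own download page.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Naming convention described in this thread: cnet_<name>_exe.exe
# (the second sample on the page carries the prefix "cnet2_").
WRAPPER_NAME = re.compile(r"^cnet\d*_.+_exe\.exe$", re.IGNORECASE)

def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(path: Path, published_sha256: Optional[str]) -> List[str]:
    """Return findings for one download; an empty list means it passed."""
    findings = []
    if WRAPPER_NAME.match(path.name):
        findings.append("wrapper-filename")
    if not published_sha256:
        findings.append("no-published-hash")  # nothing to verify against
    elif not hmac.compare_digest(sha256_file(path), published_sha256.strip().lower()):
        findings.append("hash-mismatch")
    return findings

def demo() -> dict:
    """Run the check over constructed files (stand-ins, not real installers)."""
    vendor_bytes = b"constructed stand-in for the author's installer"
    published = hashlib.sha256(vendor_bytes).hexdigest()  # assumed: from the author's page
    with tempfile.TemporaryDirectory() as tmp:
        direct = Path(tmp) / "ExampleSetup.exe"            # hypothetical name
        wrapped = Path(tmp) / "cnet_ExampleSetup_exe.exe"  # hypothetical name
        direct.write_bytes(vendor_bytes)
        wrapped.write_bytes(b"constructed stand-in for a wrapper stub")
        return {
            "direct": triage(direct, published),
            "wrapped": triage(wrapped, published),
            "unlisted": triage(direct, None),
        }

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

A wrapper stub fails the hash comparison even when the program it later fetches is untouched, because the file that arrives is not the file the author hashed.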

 

 

 

 

 

Senior Advisor

Re: CNET Download a malware.

Try the above posting with the CNET download.com link, and try to upload it to virustotal.com, and you will get the similarity...

 

File name:
cnet2_SystemCleanerSetup_a1100_exe.exe
Submission date:
2011-12-19 01:18:10 (UTC)
Antivirus, Version, Last Update, Result
AhnLab-V3, 2011.12.18.00, 2011.12.18, -
AntiVir, 7.11.19.155, 2011.12.18, -
Antiy-AVL, 2.0.3.7, 2011.12.18, -
Avast, 6.0.1289.0, 2011.12.18, -
AVG, 10.0.0.1190, 2011.12.18, -
BitDefender, 7.2, 2011.12.19, -
ByteHero, 1.0.0.1, 2011.12.07, -
CAT-QuickHeal, 12.00, 2011.12.18, -
ClamAV, 0.97.3.0, 2011.12.18, Adware.Downloader-207
Commtouch, 5.3.2.6, 2011.12.17, -
Comodo, 11008, 2011.12.19, -
DrWeb, 5.0.2.03300, 2011.12.19, Adware.Downware.130
Emsisoft, 5.1.0.11, 2011.12.19, -
eSafe, 7.0.17.0, 2011.12.18, -
eTrust-Vet, 37.0.9628, 2011.12.16, -
F-Prot, 4.6.5.141, 2011.12.17, -
F-Secure, 9.0.16440.0, 2011.12.19, -
Fortinet, 4.3.388.0, 2011.12.18, -
GData, 22, 2011.12.19, -
Ikarus, T3.1.1.109.0, 2011.12.18, -
Jiangmin, 13.0.900, 2011.12.18, -
K7AntiVirus, 9.119.5696, 2011.12.15, -
Kaspersky, 9.0.0.837, 2011.12.18, -
McAfee, 5.400.0.1158, 2011.12.19, -
McAfee-GW-Edition, 2010.1E, 2011.12.19, -
Microsoft, 1.7903, 2011.12.18, -
NOD32, 6722, 2011.12.19, a variant of Win32/InstallCore.D
Norman, 6.07.13, 2011.12.18, -
nProtect, 2011-12-18.01, 2011.12.18, -
Panda, 10.0.3.5, 2011.12.18, -
PCTools, 8.0.0.5, 2011.12.19, -
Prevx, 3.0, 2011.12.19, -
Rising, 23.88.03.02, 2011.12.16, Suspicious
Sophos, 4.72.0, 2011.12.18, -
SUPERAntiSpyware, 4.40.0.1006, 2011.12.17, -
TheHacker, 6.7.0.1.361, 2011.12.18, -
TrendMicro, 9.500.0.1008, 2011.12.18, -
TrendMicro-HouseCall, 9.500.0.1008, 2011.12.19, -
VBA32, 3.12.16.4, 2011.12.14, -
VIPRE, 11272, 2011.12.18, -
ViRobot, 2011.12.17.4831, 2011.12.19, -
VirusBuster, 14.1.122.1, 2011.12.18, -
Additional information
MD5 : ccb84c353bfb64d570575f0512415a2b
SHA1 : 0e829e509193b346bcf92ea2d754c0a8d18bc917
SHA256: 33c40c6affe44a27b55b28ededfa6ef401e4b9107ee437d6832c091f17e46e7b
ssdeep: 12288:DGFP4rsBRjSLvxZqWPo3jTza+YoH34kc9dtjkvi:KJw4iloja+Yp9dtjkvi
File size : 463080 bytes
First seen: 2011-12-19 01:18:10
Last seen : 2011-12-19 01:18:10
TrID:
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
sigcheck:
publisher....: CNET Download.com
copyright....: CBS Interactive
product......: CNET Download.com Installer
description..: CNET Download.com Install
original name: n/a
internal name: CNET Download.com Installer
file version.: v2.0.2.108
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x101660
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x9B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x9C000, 0x66000, 0x65A00, 7.92, 8550735f959374969c140f5eeb2b7574
.rsrc, 0x102000, 0xB000, 0xA400, 6.05, 032aad5249eb912d6d8d14dfbf315641

[[ 12 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll: EqualSid
comctl32.dll: ImageList_Add
comdlg32.dll: GetOpenFileNameA
gdi32.dll: SaveDC
ole32.dll: OleDraw
oleaut32.dll: VarNot
shell32.dll: DragFinish
URLMON.DLL: CoInternetCreateZoneManager
user32.dll: GetDC
version.dll: VerQueryValueA
wininet.dll: FindNextUrlCacheEntryA
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 417792
CompanyName: CNET Download.com
EntryPoint: 0x101660
FileDescription: CNET Download.com Install
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 452 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: v2.0.2.108
FileVersionNumber: 0.0.2.108
ImageVersion: 0.0
InitializedDataSize: 45056
InternalName: CNET Download.com Installer
LanguageCode: Neutral
LegalCopyright: CBS Interactive
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
PEType: PE32
ProductName: CNET Download.com Installer
ProductVersion: v2.0.2.108
ProductVersionNumber: 0.0.2.108
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 634880
Warning: Possibly corrupt Version resource