
July 9th, 2013

Shady practices of free download servers

Many internet users employ a simple trick when they want to find some interesting software or computer game. They type the desired program’s name into the search bar, add the word “download” and hit enter. In most cases, the first few results from the search engine belong to free download servers.

I recently followed some of these links to visit the web pages hidden behind the words “free download” and was amazed at the techniques used to manipulate users. It’s not only the advertising pages you are forced to visit the instant you load the page; if you are not careful, various sorts of malware or adware are installed on your computer without you noticing. Let’s take a closer look at the shady practices you can expect from free download servers.

Download what? They really want you to look at the advertising!

On the screenshot below, you see a standard download page, but if you click anywhere else on the page, a large advertising window will pop up in the background. The big DOWNLOAD button on the top part of the page will redirect you to another advertising page. The only way to get close to the actual download you want is to click on the gray button named “Slow Speed Download”. After that you must wait 45 seconds. The only reason for the delay is to give you time to think about using a premium account for a “High Speed Download” and to look at banners. How nice of them…

SPoFDS - A

SPoFDS - B

The next screenshot displays a page where you are supposed to write a CAPTCHA code. CAPTCHA is used to verify that the page visitor is human and not a computer bot seeking information, but in this case the only reason for CAPTCHA is to show you yet another advertising popup window. If you click on the input labeled “Your Answer”, a popup will be displayed automatically. Now we are closer to our desired file download, just not using the traditional way. Let me recap:

  • Just ignore the large download button
  • Type the text from the CAPTCHA picture
  • Click the “Send” button

But don’t think you’re done, because the advertising nightmare is not over.

On the last screenshot from this page you see the final download button. There is, however, another catch. Not surprised, are you? Read the last line beside the checkbox carefully. It means that when you click the download button, a download will start, just not of your file. You will get only their download manager, through which you will install more adware directly onto your computer. Oh goody.

TIP: Every time you start a file download from the internet, check if it has the right name and extension.

When I inspected sites similar to this one, many executable files popped up, even when I was looking for a RAR package. They are disguised as archivers, codec packages, or download managers and have one thing in common – they try to confuse the user with clever sentences and hidden check boxes.

A2a

Everything but the download

I tested several dozen of these fake download buttons and, not surprisingly, acquired a few new executable files. The download buttons redirected me to pages containing a registration for a game, an online casino, all sorts of medical products, and once, a chance to win a free iPhone in exchange for my mobile phone number. I did not give them my phone number because the only thing I could win would be SMS advertisements or an attack on my privacy from some sort of mobile-oriented malware.

One big download button redirected me to a page where an automatic download started. The page stated that this was an installer for a well-known archiver. As this screenshot shows, there is a simple tutorial on the page which shows the user how to execute the file without thinking further. But what this tutorial really shows is how to ignore a security warning and let a potentially dangerous application install onto your computer!

SPoFDS – D

This installer had other applications bundled, so when I started to install it, the first screen offered me a toolbar for my internet browser. There are only a few things less useful than a toolbar, because all its functions are already available in every internet browser.

SPoFDS - E

On the next screenshot you can see what happens if you don’t want to install this toolbar: another dialog designed to discourage you from skipping the installation by implying that this will abort the whole install.

If you think you want a toolbar installed, I suggest you read the license agreement, which often offers very amusing content. Section 4 states that the toolbar is not considered secure, and I can tell you why! Because the only thing that matters to the author of applications like this one is profit.

 

SPoFDS - F

At the end of the installation, where I chose to install only the packer and nothing else, all the files listed in the last screenshot were downloaded to my computer and executed. None of these files were removed after installation, and some of them are set to start automatically when the computer starts.

SPoFDS - G

There is also a proxy server enabled and updated in my Windows registry, and a program which I did not agree to install. Except for 7z and sweetim, there was not even a notice about the other programs. I don’t think this is the way a normal application installer should work.

Many free download servers are active on the internet today, but none of them give you anything actually for free. You will pay for them with your personal data, or with computing time when malware attacks. You should always bear in mind that there are just a few really free things on the internet; fortunately, avast! Free Antivirus is one you can count on.

The application I just described can be found on Virus Total under the following SHA256:

[1] 0761c6f550259b9317df0773be4d6e5559baecc034105bfaa5f990eb4cf3a343
[2] 0d38183bcf13e025a77cf197e14014ab8c32654e7b7d3585a6d7b374070871ba
[3] bb298b8e6975127b50e9a388b588f97329d13efc932c9797667ec879042f2133
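
The tip earlier in the article (check the name and extension of every download) and the hash list above can be combined into one automated check. The following is an added example, not code from the original post: it compares a download's extension and leading file signature with the type you asked for and looks its SHA-256 up in the three values listed above. The function names and the sample files are constructed for illustration.

```python
import hashlib
from pathlib import PurePath

# Well-known leading signatures of the file types involved.
MAGIC = {"rar": b"Rar!\x1a\x07", "zip": b"PK\x03\x04",
         "7z": b"7z\xbc\xaf\x27\x1c", "exe": b"MZ"}

# SHA-256 values the article lists for the installer it describes.
KNOWN_BAD = {
    "0761c6f550259b9317df0773be4d6e5559baecc034105bfaa5f990eb4cf3a343",
    "0d38183bcf13e025a77cf197e14014ab8c32654e7b7d3585a6d7b374070871ba",
    "bb298b8e6975127b50e9a388b588f97329d13efc932c9797667ec879042f2133",
}

def identify(head: bytes) -> str:
    """Return the type whose signature starts the data, or 'unknown'."""
    for name, sig in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"

def check_download(filename: str, data: bytes, expected: str) -> list:
    """Return findings for one download; an empty list means no mismatch."""
    findings = []
    suffixes = [s.lstrip(".").lower() for s in PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    actual = identify(data[:8])
    if ext != expected:
        findings.append(f"extension is .{ext}, expected .{expected}")
    if expected in suffixes[:-1]:
        findings.append("double extension hides the real file type")
    if actual != expected:
        findings.append(f"content is {actual}, expected {expected}")
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
        findings.append("SHA-256 matches an installer listed in the article")
    return findings

# Constructed samples: a RAR header, and an executable stub named like an archive.
GOOD = ("game.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16)
FAKE = ("game.rar.exe", b"MZ\x90\x00" + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (GOOD, FAKE):
        print(name, check_download(name, blob, "rar") or "ok")
```
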
