Downloading from SourceForge? Official links deliver fakes also

Downloading from SourceForge? Official links deliver fakes also

SourceForge was once considered a trustworthy provider of open source software, but has gradually turned into a shady resource where it tries tricking users into installing Adware. In recent years it has presented advertising with fake download buttons and recently caused major open source products such as GIMP, VLC and NotePad++ to abandon SourceForge for wrapping installers with unwanted adware.

To get an idea of how SourceForge sneakily delivers its Adware, we attempted to download the popular FTP client FileZilla. Sure enough, the default download link on FileZilla’s website delivered its Adware-infected installer, confirmed by VirusTotal. One thing that caught us by surprise was that VirusTotal showed the downloaded file as being not scanned before. So I downloaded it again and did a byte-for-byte comparison using the command line binary compare utility ‘fc /b’.

Each time I attempted to download FileZilla, it gave us a file that was four bytes different. It’s not clear whether this is to try defeating Antivirus products or if the bytes specify what third party products the installer should install. However, regardless of how we tried downloading FileZilla from SourceForge in Firefox, it always delivered the same executable file apart from the following mismatched bytes:

SourceForge fake installer comparisons

The following video is a demonstration of some of our attempts to download FileZilla from SourceForge:

From further testing, we discovered that when SourceForge is accessed using the Chrome browser, it consistently delivers the proper file whether we let it automatically download or manually choose a file. However, when we use either Internet Explorer or Firefox, it nearly always delivers the Adware-wrapped installer, at least for FileZilla.

So if there is a need to download a product that is only available on SourceForge, try downloading it using the Chrome browser if possible and be sure to scan it with VirusTotal. Another tip is to download the Zip version and check the file size. If it delivers an executable file or a file with a noticeably different file size, it is probably that Adware wrapped installer.

If still uncertain about whether the downloaded executable file is the genuine product, consider running it in a Sandbox such as Sandboxie. Many Adware wrapped installers will download the official installer after trying to install their potentially unwanted products first, in which case it should be possible to extract the official installer from the Sandbox and destroy the sandbox’s content along with any dodgy software the unofficial installer tried silently installing.

Finally, check what is says for the Publisher in the Security Warning dialogue. The Adware-wrapped installer SourceForge kept delivering to us has the publisher “FlashFunnel (Fried Cookie Ltd)”:

FileZilla security warning