Corrupted Downloads and Questionable Sources

Always get your program directly from the source.

Recently, Home PC Patrol has performed virus & spyware removal on the PCs of several clients who had been tricked by 'look-alike' websites. In all instances, the clients wanted to download a legitimate program (Google Desktop, Google Chrome or Avast Antivirus) and were tricked into downloading an altered version from a counterfeit website or questionable download portal.

These altered versions all contain the legitimate program as well as Trojan downloaders, droppers and rootkit components. These components connect to the internet and install virus and spyware packages. Most commonly, they include malware from the Conduit, Mindspark, and MyWebSearch families that fills your PC with scareware and trial programs that run in the background and eventually slow your PC down to a crawl.

In some cases our clients arrived at the counterfeit websites by clicking the first link that came up under the search terms they had entered into a search engine. Quite frequently, these days, search engines will list a paid advertisement for a website or product ahead of the legitimate site. These paid listings are labeled 'sponsored results' or something similar; however, that is easy to overlook if you aren't aware of the practice. In most cases, these sponsored results are sites that are too new or that lack the reputation to achieve top-level search results listings without paying for the sponsor slot.

In other cases, our clients got their downloads from ‘poorly monitored or maintained’ download portals such as softpedia.com, soft32.com, or softonic.com. These sites are not inherently malicious, and they certainly don’t (to my knowledge) encourage downloads that contain viruses; however, they lack the resources to properly screen all of the downloads they are hosting for viruses.

Let’s look at the top three comments from Norton Safe Web (http://safeweb.norton.com) users for each of these portals:

  • Softpedia:

    "Got a virus from this one Computer wouldn't even allow me to run the file (thankfully)"

    "Bad Do not trust this website! It is full of misinformation and viruses! (Why did Norton rate it safe?)"

    "virus risk malicious download for simplepass this site says this is a safe download and it isn't. Ran virus scan with Vipe rescue and found it to be a threat."

  • Soft32.com:

    "A little confused here. Downloaded Libreoffice from this site and Norton found a medium threat – Adware.popuppers; yet, Norton rated this site safe."

    "virus site almost all downloads are infected. examples one download had Trojan win 32 another had adware blaster"

    "soft32.com it try to damage my Pc stay off"

  • Softonic.com:

    "i am LIVID at Norton!! I trusted you, until NOW. this website took control of my search, home page, & GOD knows what else!! I uninstalled what I could...but i CAN NOT remove the damn search option: whitesmoke!!"

    "DO NOT USE THIS SITE! Tried to download Microsoft Flight Simulator. The download failed and then I received two messages telling me that Norton had blocked two high risk attacks on my computer. Then I find I have PC Optimiser Pro installed and my browser has been hijacked by Dale Search with lots of adware."

    "takeover your browser installs unwanted programs This looks like a good option but beware of tailgate program installs."

Things get even trickier if your web browser’s default search engine has already been hijacked by an unwanted search provider. Once your preferred search provider has been hijacked, many or all of the search results you see will link to malicious websites and sources that are far from reputable. In an upcoming article, Home PC Patrol will be addressing these search provider hijacks: how to detect if they have occurred, how to reset your default search provider, and steps that can be taken to reduce the risk of hijack… check back soon!

Basically, to be safe, you should always get the download from the parent site.

For Google Chrome that is https://www.google.com/intl/en/chrome/browser/ (Notice the link starts with www.google.com)

For Avast Antivirus it is http://www.avast.com/en-us/download-software (Again, we see that the link starts with www.avast.com)

As for Google Desktop, it is discontinued, and any link you find to this program is likely to be infected. I was never a huge fan of this program personally as some users reported high CPU load while it was indexing. Others worried that its ambiguous terms of use could have been interpreted to mean that, by agreeing to use the program, users gave Google the right to collect every word that the program indexed. Whatever the case, the program is no longer offered by Google and in my opinion should not be downloaded from any sites hosting old versions of the program.
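
The address check described above, as an added example (not code from Home PC Patrol): it compares the host name a link actually points to against the vendor's domain, so look-alike addresses that merely begin with or contain the vendor's name fail. The `OFFICIAL_DOMAINS` table, the function names and the sample look-alike links are constructed for illustration; only the two official URLs come from the article.

```python
from urllib.parse import urlsplit

# Vendor domains taken from the two official download links in the article.
# Google Desktop is deliberately absent: it is discontinued, so no link passes.
OFFICIAL_DOMAINS = {
    "Google Chrome": "google.com",
    "Avast Antivirus": "avast.com",
}

def download_host(url):
    """Return the host a browser would really connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # ignores any "name@" prefix and the port number
    return host.rstrip(".").lower() if host else None

def is_official(url, program):
    """True only if the link's host is the vendor's domain or a subdomain of it."""
    host = download_host(url)
    domain = OFFICIAL_DOMAINS.get(program)
    if host is None or domain is None:
        return False
    return host == domain or host.endswith("." + domain)

# Constructed sample links (example hosts are placeholders, not real sites).
SAMPLE_LINKS = [
    ("Google Chrome", "https://www.google.com/intl/en/chrome/browser/"),
    ("Avast Antivirus", "http://www.avast.com/en-us/download-software"),
    ("Google Chrome", "https://www.google.com.downloads.example/chrome.exe"),
    ("Google Chrome", "https://www.google.com@downloads.example/chrome.exe"),
    ("Google Chrome", "https://www-google.com/chrome/"),
    ("Avast Antivirus", "https://www.softpedia.com/get/avast.exe"),
    ("Google Desktop", "https://www.google.com/desktop/"),
]

def audit(links):
    """Return (program, host, verdict) for each link in the list."""
    return [(prog, download_host(url),
             "official" if is_official(url, prog) else "do not download")
            for prog, url in links]

if __name__ == "__main__":
    for prog, host, verdict in audit(SAMPLE_LINKS):
        print(f"{prog:16} {host!s:36} {verdict}")
```
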