Over the weekend a firestorm was unleashed after users started posting on Reddit about how the installer for the popular FileZilla FTP software was being tagged as adware by VirusTotal. These detections are caused by the installer, which is monetized to display third-party offers to users as they install the software.
When downloading FileZilla, the website offers two different installers. The main promoted download is the one that pushes offers and is named in a format similar to FileZilla_3.34.0_win64-setup_bundled.exe. FileZilla also offers, on a separate page, a download that does not show offers; it will be named similar to FileZilla_3.34.0_win64-setup.exe.
The keyword that indicates whether the installer will display offers is the word "bundled". If you download FileZilla from the main site and the file name includes the word "bundled", you will be presented with offers.
There is also a stark contrast between the installers in terms of how they are detected by antivirus vendors. For example, the bundled installer has 8/68 detections on VirusTotal, with most vendors detecting it as an adware installer. The clean version, on the other hand, has 0/68 detections.
According to FileZilla author Tim Kosse, these monetized installers have been in use for five years.
"In order to support the continuous development of FileZilla, we started to bundle third-party offers in the installer about five years ago," FileZilla author Tim Kosse told BleepingComputer. "It has allowed us to boost the development process so that we can now release a new version bringing bugfixes and new features almost every month."
"We do not hide the fact that offers are shown during the installation. This is mentioned on both the website and in the installer as well, before any offers are shown," Kosse further told BleepingComputer. "While the offer-enabled installer is our primary download link, we at the same place also link to a page containing all installers without offers."
So what really happens when you install the bundled version of FileZilla?
When the bundled version of the FileZilla installer is executed, it connects to the http://rp.tourtodaylaboratory.com/ website and downloads a list of offers to show the user. The downloaded information includes the offer text, links to files that should be downloaded, and images that should be displayed as part of the offer.
During the installation process, the installer then displays an offer and asks whether the user would like to install it. When the offers are displayed they are pre-selected (opted in by default), which could lead to people installing the offer as they quickly click through the installation steps.
If the user opts into the offer, meaning they don't actively uncheck it, the installer downloads and installs the program from a remote site such as opera.com or Avast's website.
When testing the installer, I saw offers from Avast, a search offer, and Opera. When questioning Kosse about whether they or their monetization partner IronSource have control over the offers, I was told that FileZilla has full control.
"Back when we started with bundling, while we were able to influence how the install flow was supposed to work, we had limited ability to influence which offers were presented and we occasionally had to face some issues," Kosse explained. "In 2016 however we took full control on how and which offers are presented: * We redesigned the installation flow in order to make it compliant with the guidelines of the CSA (http://cleansoftware.net/services/) and * we also decide which offers are displayed."
"We are proud to present only premium offers like Avast, McAfee WebAdvisor, Opera, Firefox, both for Win and Mac," Kosse further told BleepingComputer. "In any case, even if a user has accidentally agreed to an offer, we test that each offered product can easily and fully be uninstalled."
Not all offers are created equal.
While the Opera and Avast offers that I encountered were easily uninstalled and are what I would consider more "legitimate" programs, there was one offer that I felt was more like adware. This offer is called "Search Offer powered by Bing" and was displayed on every bundled install of FileZilla I performed.
This offer is downloaded as individual .dat files into the %Temp% folder. A command is then executed to stitch these .dat files together into an executable with a random-looking name, which is then run. This use of partial files almost makes it feel like it is done to avoid detection by the web protection components of security software.
You can see a live demonstration of the bundled installer installing the search offer in this Any.Run session.
cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D90614~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D90614~2.DAT" "C:\Users\admin\AppData\Local\Temp\tmp8866772\gefada.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D90614~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D90614~2.DAT"
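The command line above is a useful detection artifact: a binary-mode `copy /B` that joins two or more parts into an executable is rare in normal administration, so it can be matched in process-creation telemetry. The following Python is an added defender-side example written for this article; it is not the article's code nor anything from FileZilla or its monetization partner. It parses cmd.exe command lines and flags that pattern. The sample command lines are constructed for the example: the first reproduces the shape of the Any.Run command above (paths and names taken from it), and the others are benign look-alikes the rule must not flag.

```python
import re
from typing import Optional

# Constructed sample command lines for this example (not captured telemetry).
# Line 1 mirrors the command from the Any.Run session; the rest are benign.
SAMPLE_CMDLINES = [
    'cmd.exe /d /c TIMEOUT 1 & cmd /d /c copy /B /Y '
    '"C:\\Users\\admin\\AppData\\Local\\Temp\\D90614~1.DAT"+'
    '"C:\\Users\\admin\\AppData\\Local\\Temp\\D90614~2.DAT" '
    '"C:\\Users\\admin\\AppData\\Local\\Temp\\tmp8866772\\gefada.exe" '
    '& cmd /d /c del "C:\\Users\\admin\\AppData\\Local\\Temp\\D90614~1.DAT" '
    '& cmd /d /c del "C:\\Users\\admin\\AppData\\Local\\Temp\\D90614~2.DAT"',
    # Binary join of log parts into an archive: concatenation, but no executable
    'cmd /c copy /B "C:\\logs\\part1.bin"+"C:\\logs\\part2.bin" "C:\\logs\\all.bin"',
    # Plain copy of an installer into Temp: executable target, but no concatenation
    'cmd /c copy /Y "D:\\setup\\tool.exe" "C:\\Users\\admin\\AppData\\Local\\Temp\\tool.exe"',
    # Unrelated command
    'cmd /c dir /s C:\\Users\\admin\\Downloads',
]

EXEC_EXTS = (".exe", ".dll", ".scr", ".com")

# 'copy' as a whole word, optional single-letter switches, sources, then a
# final destination token (quoted or unquoted) at the end of the segment.
COPY_RE = re.compile(
    r'(?:^|(?<=\s))copy\b(?P<flags>(?:\s+/[a-z])*)\s+(?P<src>.+?)\s+(?P<dst>"[^"]*"|\S+)\s*$',
    re.IGNORECASE,
)


def _split_segments(cmdline: str) -> list:
    """Split a cmd.exe command line on '&' chains. Simplification: an '&'
    inside a quoted path is not handled; that is acceptable for this rule."""
    return [s for s in re.split(r'\s*&+\s*', cmdline) if s]


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def analyze_copy(segment: str) -> Optional[dict]:
    """Describe the 'copy' command in one segment, or return None if absent."""
    m = COPY_RE.search(segment)
    if not m:
        return None
    flags = {f.upper() for f in m.group("flags").split()}
    # Sources are '+'-joined tokens; quoted tokens may contain spaces.
    parts = [_unquote(t) for t in re.findall(r'"[^"]*"|[^+\s"]+', m.group("src"))]
    dest = _unquote(m.group("dst"))
    temp_paths = [p for p in parts + [dest] if "\\temp\\" in p.lower()]
    return {
        "parts": parts,
        "dest": dest,
        "binary": "/B" in flags,
        "concat": len(parts) >= 2,
        "exe_dest": dest.lower().endswith(EXEC_EXTS),
        "temp_path": bool(temp_paths),
    }


def is_stitched_executable(finding: dict) -> bool:
    """Rule: binary-mode concatenation of two or more files into an executable.
    The Temp-path flag is reported as context only, so the rule still fires
    if the staging directory changes."""
    return finding["binary"] and finding["concat"] and finding["exe_dest"]


def scan(cmdlines) -> list:
    """Run the rule over a batch of command lines and return the hits."""
    hits = []
    for line in cmdlines:
        for seg in _split_segments(line):
            f = analyze_copy(seg)
            if f and is_stitched_executable(f):
                hits.append({"cmdline": line, **f})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"stitched executable: {hit['dest']} <- {len(hit['parts'])} parts"
              f" (temp path: {hit['temp_path']})")
```

Run against the constructed samples, only the first command line is reported. The rule deliberately keys on the concatenation into an executable rather than on the `%Temp%` location or the `.DAT` extension, both of which a bundler can change without altering the technique; the `del` of the parts afterwards is additional context worth keeping in an alert but is not required for the match.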
According to the offer's description, it will install the Search Manager extension in Chrome and make Bing the default search, homepage, and new tab provider in Firefox and Internet Explorer. In my tests, it only affected Firefox and no extensions were installed into Chrome.
The gefada.exe file that installs this offer, though, has a whopping 37/65 detections on VirusTotal, and the mentioned Search Manager is a known extension that is commonly installed by adware bundlers.
Furthermore, this offer does not provide an uninstall routine in the Uninstall Programs control panel, so users need to figure out for themselves how to remove the search provider and change their home page back.
BleepingComputer has asked for further comment from Kosse regarding this offer, but had not heard back by the time of this publication.
Security professionals advise against using FileZilla
While the offers currently displayed by FileZilla do not appear to be malicious in nature, adware bundles have been known to cross the line in the past. We have reported on numerous cases of other adware bundles installing miners, rootkits, password-stealing Trojans, or downloading more unwanted programs at a later time.
Due to this, the fact that some of the offers use unsigned executables from unknown companies, and the developer's replies in a FileZilla support topic, security researchers have stated that users should avoid using FileZilla.
After reading this thread, I would strongly suggest removing FileZilla from enterprise systems: https://t.co/ui5V61Neum
— Andrew Case (@attrc) June 23, 2018
Just in case if you are using Filezilla --> Filezilla Malware : https://t.co/NLcmFpFKEi
— Binni Shah (@binitamshah) June 23, 2018
Never use FileZilla. Tell all your SysAdmin friends too. https://t.co/QUd75kWiSt
— n00py (@n00py1) June 23, 2018
In closing, FileZilla author Tim Kosse wanted to share the following statement about their program and their use of a monetized installer.
"1. It's safe to use the offer-enabled installer, nothing is installed the user doesn't agree to. In case an offer has been accidentally accepted, it can easily be uninstalled again. Alternatively our users can also download an unbundled installer from the FileZilla website.
2. In order to sustain our project, which is a full-time job for several people, we have started selling a Pro version that goes beyond FTP/SFTP, offering access to cloud services like Amazon S3, Google Cloud Storage, Microsoft Azure, OpenStack Swift and WebDAV. While this is not sufficient to fund all our effort, we kept a hard line to avoid trying to upsell our own community and we do not push our users to buy it. The free version is still fully supported, receiving regular updates with new features.
3. We understand advertising is rarely welcome, for this very reason we adopted a strict rule of conduct on how we promote other products and services, please check our "Ethical Ads" page (https://filezilla-project.org/ethical_ads.php), and when it comes to bundled offers we do our best to choose meaningful offers, check them and work only with primary players like ironSource who can manage to run a professional testing and security environment. In this respect please note ironSource gave a great talk at the recent CSA held at Google explaining how they manage to keep users secure thanks to their lab, see the agenda https://sites.google.com/site/cssummit18/summit-agenda and feel free to contact them to know more."
Update 6/26/18: Tim Kosse of FileZilla told us that their monetization provider would be checking the search offer.
Comments
sandwiched - 5 years ago
Such a shame that the Filezilla dev took this route. I remember when he was such a stickler for doing things the right way that Filezilla was having problems connecting to FTP servers that weren't strictly compliant with some obscure FTP protocol thing. I always thought he'd be above such shady bundled installer crap. Ah well... I converted to using WinSCP ages ago precisely because of the protocol thing. #shrugEmoji
the_moss_666 - 5 years ago
Having to uncheck a box to NOT install crapware is malware behaviour. I wonder why there are only 8/68 detections. This practice is dangerous and should be rooted out.
Pointless_noise - 5 years ago
Pre-ticked privacy policy boxes aren't exactly GDPR compliant. I wonder if it would be FileZilla or the advertised product that's liable.
itsjudd - 5 years ago
Now what about those of us that install it via Ninite?
Lawrence Abrams - 5 years ago
Need to confirm with Ninite what installer they are using.
theshiv - 5 years ago
This isn't even a new thing, it's been bundled for a while O.o
Throwdown - 5 years ago
I agree this practice is largely frowned upon these days, although as the author said, the website is very transparent about the bundling. I've known about the bundled and non-bundled installers for as long as I can remember. If people would take the time to read things this is a non issue. It's getting blown up because virus total detected adware installers and when filezilla was asked about it, it wasn't handled properly.
itsjustmenow - 5 years ago
I want to say something about this. The other day I went to update my FileZilla and saw this.
1st, my app itself downloaded a non-bundled installer, meanwhile the website itself is pushing a bundled installer. I know a lot of companies like to pull this and you need to always be alert and on the lookout.
Now the reason I wanted to comment on this is because FileZilla themselves say they added that bundle to make money to keep the cost of the server and what not low. Well, here is just a thought. I just updated WinSCP and during the install at the end it has a RELEASE SPONSOR page with a link to the sponsor. Maybe this should be what FileZilla does instead of trying to be a sneaky company and installing crap when people just CLICK CLICK CLICK.
I just think there is always a better way than the current way some of these companies build the installer. The ones like FileZilla using the CLICK CLICK CLICK "you installed some malware or software you did not want" is just a trick because they know people are just CLICK CLICK CLICK INSTALL. If you're a real company and making FREEWARE then maybe treat the users with respect and not try to install other stuff on someone's computer.
I've been a FileZilla user for a bit now since moving away from FlashFXP, but due to all this I might be switching back to FlashFXP now.
ARSK - 5 years ago
That's Adware Dealply/Trojanized Chromium/Fake Yahoo Toolbar/Installcore PUP. I am dealing with this day in, day out. Advanced Persistent Adware. AVs are unable to catch up with the variants. It's not just FileZilla, many more are bundled this way.
More here - https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ & here - https://www.boozallen.com/s/insight/blog/advanced-persistent-adware.html
Nothing changed till this moment. They continue to bundle crap.
Non-bundled versions here - https://filezilla-project.org/download.php?show_all=1 and of course on SourceForge.