Setup bundled - warning?

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

hemmer
500 Command not understood
Posts: 2
Joined: 2017-12-13 00:41
First name: Thiago
Last name: Hemmer

Setup bundled - warning?

#1 Post by hemmer » 2017-12-13 00:48

Hello,

Today I downloaded the file "FileZilla_3.29.0_win64-setup_bundled.exe" through the official website. My firewall found something in the file. I checked on the virustotal site (https://www.virustotal.com/en/file/d93f ... /analysis/) and the "virus" sequencing was found.
Attachment: filezilla help.png (screenshot of the virustotal result)

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#2 Post by botg » 2017-12-13 07:43

It's a false-positive, there's no malware in the installer.

hemmer
500 Command not understood
Posts: 2
Joined: 2017-12-13 00:41
First name: Thiago
Last name: Hemmer

Re: Setup bundled - warning?

#3 Post by hemmer » 2017-12-13 09:26

Thanks for the feedback!

jasoncollege24
500 Command not understood
Posts: 2
Joined: 2015-07-01 07:00
First name: Jay

Re: Setup bundled - warning?

#4 Post by jasoncollege24 » 2017-12-29 22:39

Quick note here. I did the same check, and found that 7 engines flagged this same file. Comodo also flags it as malware. Its SHA-512 hash also does not match what is displayed on your download page. You might want to check the file again.
##Begin Sig Block##
The name is Jay
Simple guy, with simple needs
##End Sig Block##

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#5 Post by botg » 2017-12-29 22:42

The hash doesn't match because the filename doesn't match.

TigheW
500 Command not understood
Posts: 4
Joined: 2018-01-04 20:30

Re: Setup bundled - warning?

#6 Post by TigheW » 2018-01-04 21:58

I'm seeing hits on this file as well from advanced security tools in an enterprise environment. This appears to be a bit more than just a few false hits on VirusTotal. The installation of filezilla_3.29.0_win64-setup_bundled.exe file with MD5 of 9f405c266c883305537c11246bdb1d42 shows signs of malicious activity in the form of IDS/IPS bypass techniques to copy and append .dat files behind the scenes. This activity can sometimes be a false positive, but this does not appear to be a false hit.

The most suspicious part of the install we see is the spawning of an unsigned, unidentified process called tofufeti.exe which then spawns dozens of cmd.exe prompts to append these .dat files together after itself being put together by .dat file copy and appends.

See attached screenshot for the process chain we see spawning off of filezilla_3.29.0_win64-setup_bundled.exe. Each cmd.exe process expands into another chain of cmd.exe and conhost.exe processes to perform cleanup of the temp .dat files. None of this seems necessary for a simple FileZilla installation.

Can you comment on what exactly tofufeti.exe is and why this unique unsigned process is seen connecting to multiple IP's with no real content when installing the "clean" version of this software downloaded directly from the source?

The IPs and domains we see tofufeti.exe connecting to are:
  • 54.225.173.220 on tcp/80 (goquc.com)
  • 52.84.25.26 on tcp/80 (d39ievd5spb5kl.cloudfront.net)
  • 34.208.177.52 on tcp/80 (gubuh.com)
Random unsigned processes reaching out to random sites with no content over port 80 is typically a sign of malware beaconing.

Running the install without choosing any of the bundled adware shows no signs of this activity and is a simple and clean install that one would expect for a lightweight tool like FileZilla. So I don't think this is FileZilla's doing exactly, more that the bundled software in this bundle download appears to be typical adware garbage, but with a serious risk of turning into something far more severe via the ability to download other malicious files in small chunks and put them together after bypassing perimeter defenses. This technique is discussed in depth here: (https://www.carbonblack.com/2016/09/23/ ... e-attacks/)

I'd appreciate any comments that could shed light on what we're seeing as this does not appear to be a misunderstanding of VirusTotal scanners, but an actual advanced attack by the bundled adware in this install package, although I'd love to be proven wrong.
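The process pattern TigheW describes (an unsigned child of the installer fanning out into dozens of cmd.exe/conhost.exe pairs) is the kind of thing an EDR watchlist keys on. The following is an added example written for this page, not code from the thread, from FileZilla or from any vendor's product: a small process-tree heuristic run over constructed process-creation events. The event fields, pids and the shell-count threshold are all assumptions chosen for illustration; the image names are the ones named in the post above.

```python
"""Added example (not from the thread, not any vendor's tool): a process-tree
heuristic over constructed process-creation events. It flags an unsigned
process descended from an installer that spawns many cmd.exe children.
All events, field names and thresholds here are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable image
    signed: bool    # whether the image carries a valid Authenticode signature


# Constructed sample telemetry: one installer, one unsigned child, a fan-out of
# cmd.exe/conhost.exe pairs, plus an unrelated signed process for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", True),
    ProcEvent(200, 100, "filezilla_3.29.0_win64-setup_bundled.exe", True),
    ProcEvent(300, 200, "tofufeti.exe", False),
] + [
    ProcEvent(1000 + i, 300, "cmd.exe", True) for i in range(36)
] + [
    ProcEvent(2000 + i, 1000 + i, "conhost.exe", True) for i in range(36)
] + [
    ProcEvent(400, 100, "notepad.exe", True),
]


def build_tree(events):
    """Index events by pid and group them by parent pid."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def ancestor_is_installer(by_pid, pid, marker="setup"):
    """Walk up parent links; True if any ancestor image name contains `marker`.
    The `seen` set guards against pid reuse producing a cycle in the telemetry."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        if marker in e.image.lower():
            return True
        pid = e.ppid
    return False


def find_suspicious_fanout(events, shell_threshold=10):
    """Return (pid, image, shell_count) for each unsigned process descended from
    an installer that spawns at least `shell_threshold` cmd.exe children.
    The threshold is a heuristic: tune it against your own baseline."""
    by_pid, children = build_tree(events)
    hits = []
    for e in events:
        if e.signed:
            continue
        shells = sum(1 for c in children[e.pid] if c.image.lower() == "cmd.exe")
        if shells >= shell_threshold and ancestor_is_installer(by_pid, e.ppid):
            hits.append((e.pid, e.image, shells))
    return hits


if __name__ == "__main__":
    for pid, image, n in find_suspicious_fanout(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): unsigned, under an installer, spawned {n} cmd.exe")
```

On the constructed events the only hit is the unsigned child under the installer; the signed notepad.exe under explorer.exe is ignored. A real deployment would feed this from Sysmon event 1 or the EDR's process-start stream and would add the network and file-write context the post mentions before raising an alert.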

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#7 Post by botg » 2018-01-04 23:39

Two reasons for this kind of behavior: Fraud prevention and side-stepping false-positives.

The reason for the former is simple, preventing malicious customers from fraudulently generating fake clicks.

The reason for the latter is also simple if you consider that AV products compete in the market of installer monetization. It's an open secret that AV companies purposefully block offers from or for competing companies.

All that being said, the choice is with the end-user. If you do not wish to use the offer-enabled installer, have a look at the additional download options page. Even if you do use the offer-enabled installers, nothing unwanted is being installed without your consent.

TigheW
500 Command not understood
Posts: 4
Joined: 2018-01-04 20:30

Re: Setup bundled - warning?

#8 Post by TigheW » 2018-01-05 00:53

You didn't really answer any of my questions. I'm specifically wondering what this process tofufeti.exe is, why it's spawning from your installer and what these IP connections are. If the existence and behavior of these processes is a mystery even to you, why does your primary hosted download include them? That's incredibly dangerous.

This isn't really a question of whether we can opt out of deceptive malware bundles to use your software or some random segue into shadowy AV vendor practices. This question was due to one of the industry's leading advanced security tools detecting actual process behavior from your hosted bundle installer, not just a signature based AV flagging it a PUP, that very clearly looks like an advanced malware attack downloading and executing unknown binaries and making network connections to unidentified IP's. Perhaps I should have created a new thread instead of piggybacking on this one so as to not have my intentions confused. I was hoping for a more thorough explanation of what your software bundle is doing in the above screenshot.

I'd really appreciate it if you could provide some actual details as it pertains to the behavior I described above. You seem very active on these forums and I thought talking directly to the developer could provide some valuable insight into this process behavior.

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#9 Post by botg » 2018-01-05 09:11

The connections are for fetching offers and, if the user accepts the offer, the offered file. What the file is for is written in the offer text. The network requests to fetch offers are done only after the user has agreed to it by accepting the privacy policy.

TigheW
500 Command not understood
Posts: 4
Joined: 2018-01-04 20:30

Re: Setup bundled - warning?

#10 Post by TigheW » 2018-01-05 16:55

Sorry man, this isn't "bundled software that people want" and no amount of repeating it will make it true. This is a malware downloader bundled with your software and hosted on your page and you're intentionally misleading the users who are here directly asking you if it's safe to run this bundle on their machines. For those reading this, it is not safe to run. Do not run this malware-infested bundle on your PC if you value your private information. You have no idea what else is being downloaded when you run it and apparently neither does Tim.

No legitimate or reputable software is pulling down mysterious .dat files from multiple IP's with no registered owners and combining them well out of the view of the average PC user into unique and unclassified processes that are rapidly deleted after execution. That's just not how software is delivered unless you're trying to defeat perimeter defenses and bypass signature based AV scanners and then remove traces of the payload before forensics can be performed. There's no code signing on these processes at all.

Thank you for your time in confirming that this practice is both intentional on your part and as malicious as I first suspected. I wish you would be a little more honest with users like hemmer who are performing their due diligence and trying to practice safe computing. Most folks aren't going to have access to advanced security tools to see what is really going on here.

Be safe out there folks.

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#11 Post by botg » 2018-01-05 20:09

Please stay with the facts and read and _understand_ my previous replies. You get AV flags for business reasons on the AV vendor's behalf, not because of malware.

TigheW
500 Command not understood
Posts: 4
Joined: 2018-01-04 20:30

Re: Setup bundled - warning?

#12 Post by TigheW » 2018-01-06 00:28

The facts are that when performing a process behavior analysis on the software hosted on your site, it behaves exactly like malware and flags multiple advanced threat activity watchlists specifically designed to identify malicious behavior. This software bundle unpacks unsigned processes that beacon unknown web servers with no official registrants, it downloads additional unknown, unsigned files in small .dat batches and appends them together before executing and quickly deleting them. I won't even get into what this is doing to the registry, but suffice it to say there's no legitimate need for this bundle software to make 100+ modifications to the registry. Show me one piece of reputable software that has these characteristics.... What I'm telling you has literally nothing to do with AV vendor hits on your software bundle. I don't know why you keep bringing that up.

Please learn the difference between the capabilities of near-obsolete signature based antivirus and cutting edge security tools and how IOC's are identified in today's world. We're far past relying on PUP warnings from malwarebytes to identify and combat malware like this. These items I've mentioned aren't AV flags on behalf of AV vendors (whatever that means). These are behaviors being analyzed in real time as they unfold. Nothing more, nothing less. There's no ulterior motive here other than protecting PC users from predatory and malicious actors. I'm not here to antagonize you or to entertain tin foil hat ideas about the shadowy underbelly of AV vendors. I was hoping I might learn something interesting about these processes directly from the one hosting this bundle. Perhaps learn a novel new trick that legitimate software is using that might further my understanding. Instead I get this bizarrely antagonistic and overly defensive back and forth.

My final parting question for you: Would you run this bundled installer on your personal computer with all bundled options intact? Would you feel that your machine was safe and secure enough to hold your personal information after seeing this behavior unfold on your own machine? Can you honestly say that you're fine with unique, unsigned executables being pieced together from random IP's, running, deleting themselves, calling another 36 cmd.exe prompts to continue downloading additional fragmented payloads? You trust unsigned code executing on your machine and modifying your registry and creating persistent run keys?

Of course you wouldn't. No user would ever choose to have this kind of malware installed on their machine if they understood what it was and what the capabilities of tools like this are once on a system. Hint: Phase 2 downloads are where the fun really begins.

Anyways, I believe I have the answer I came here for and this is quite far from the fruitful discussion I was hoping to have with you. Have a good day.

botg
Site Admin
Posts: 31379
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Setup bundled - warning?

#13 Post by botg » 2018-01-06 01:24

Taking it apart piece by piece.
This software bundle
Which one? You still didn't answer my earlier question which offer you did accept.
unpacks unsigned processes
While not ideal, it's pretty normal behavior. Even many of Windows' very own executable files are unsigned. Would you classify the Windows installer as malware because of this? Or Windows Update?
that beacon unknown web servers with no official registrants
"anonymous" domains are quite normal these days, even the default with some domain registrars. Speaking of which, why does a whois on the domain part of your email address not list the complete registrant information?
it downloads additional unknown, unsigned files
Nothing wrong with that. There are ways to ascertain authenticity other than signatures attached to a file.
in small .dat batches and appends them together before executing
Segmented downloads, a legitimate though misguided feature some uninformed people request to be implemented in FileZilla.
and quickly deleting them.
Quality software doesn't leave temporary files around longer than needed.
I won't even get into what this is doing to the registry, but suffice it to say there's no legitimate need for this bundle software to make 100+ modifications to the registry.
Take registry snapshot. Install Microsoft Office. Take another snapshot. Compare snapshots. How many differences do you count?

hackdefendr
500 Command not understood
Posts: 1
Joined: 2018-06-12 18:09
First name: Jeff
Last name: Singleton

Re: Setup bundled - warning?

#14 Post by hackdefendr » 2018-06-12 18:30

Tim,

First...do you even know what software applications or advertisement software you are bundling with the bundled version of FileZilla? How do you know without a doubt that the software you are bundling is not malicious or not able to lead to anything malicious? If you can honestly say you know for sure, then you are complacent in the delivery of malvertising applications to people. Not to mention your use of Click Baiting (Social Engineering) by using a big green download button...hiding the alternative download link at the bottom with small text so that nobody pays attention.

Second...Carbon Black is not an AV. Carbon Black literally can replay an installation from click to finish, showing every single process spawned, the communication performed by each spawned process and much more. TigheW is absolutely correct with his analysis, it's the exact same analysis I ran and the exact same results I received. There is simply no reason for an installer to spawn an unsigned, randomly named executable which then spawns numerous hidden cmd windows to install who knows what and then clean up after itself.

Needless to say...we have blocked the bundled version in our firm and are instructing our users to use WinSCP instead.

flagpole
550 Permission denied
Posts: 26
Joined: 2013-07-30 14:45
First name: nigel
Last name: coldwell

Re: Setup bundled - warning?

#15 Post by flagpole » 2018-06-13 12:36

botg wrote:
2017-12-29 22:42
The hash doesn't match because the filename doesn't match.
Attachment: Image1.png
I'm not sure if you meant that how I read it, but the hash does not include the filename.
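Both points in this exchange are easy to demonstrate: a SHA-512 digest covers only the file's bytes, so renaming a file never changes it, while two different builds (such as the bundled and the plain installer) have different digests, which is why a mismatch means "different content" and the right fix is to compare against the digest published for the exact file you downloaded. The following is an added example written for this page, not code from the thread or from the FileZilla project; the payload bytes are constructed, and the filenames are reused only as labels.

```python
"""Added example (not from the thread or the FileZilla project): show that a
file's SHA-512 digest depends only on its bytes, not on its filename, and
verify a download against a published digest. All file content is constructed."""
import hashlib
import hmac
import os
import tempfile


def sha512_hex(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so large installers need not fit in RAM."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """Compare the computed digest with the published one in constant time.
    Sites print hex digests in either case, so normalise before comparing."""
    return hmac.compare_digest(sha512_hex(path).lower(),
                               published_hex.strip().lower())


def demo() -> dict:
    """Write one constructed payload under two names, hash both, then alter one
    copy by a single byte and hash it again. Returns the observations as bools."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed installer payload, not a real PE\n"
    with tempfile.TemporaryDirectory() as tmp:
        bundled = os.path.join(tmp, "FileZilla_3.29.0_win64-setup_bundled.exe")
        plain = os.path.join(tmp, "FileZilla_3.29.0_win64-setup.exe")
        for p in (bundled, plain):
            with open(p, "wb") as fh:
                fh.write(payload)
        h_bundled = sha512_hex(bundled)
        h_plain = sha512_hex(plain)
        # One appended byte gives an unrelated digest: a mismatch against the
        # published value means different content, not a different filename.
        with open(plain, "ab") as fh:
            fh.write(b"\n")
        h_modified = sha512_hex(plain)
        return {
            "name_independent": h_bundled == h_plain,
            "bundled_matches_published": verify_download(bundled, h_plain.upper()),
            "modified_matches_published": verify_download(plain, h_plain),
            "modified_differs": h_modified != h_bundled,
            "matches_direct_hash": hashlib.sha512(payload).hexdigest() == h_bundled,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice, run sha512_hex on the file you actually downloaded and compare it with the digest the download page lists for that same filename; a digest for the non-bundled installer will never match the bundled one, whatever either file is called on disk.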

Locked