
Beware Addons with Malware!



Hi:

I don't know if this is the right forum but then again I'm talking about malware so it should be.

Just yesterday I downloaded some addons from ryanvm's site. The addons consisted of the following: Ad-aware95, Teamviewer, Firefox 6.02 & Firefox 7.0b6

I didn't think there were any problems because they got a good rating by Norton (no pop ups telling me that was a hidden virus etc or other concerns). So, of course I thought that everything was okay. Let me clarify I sometimes use a Sandboxed browser when I download and surf when I'm unsure about various websites or downloads. Some might say don't go to those bad websites and you don't have to worry about any viruses etc. right? Wrong. The problem is that some of the websites that you would never think have viruses do. Think back about those times you downloaded something from or visited a favorite and trusted website and the next thing you know and out of the blue your computer is acting up and you discover that you have a virus.

Well, as I said earlier I was very happy to find those addons on ryanvm's website and was looking forward to adding them to my new slipstreamed Windows XP Pro disc compilation. However, after dealing with a recent infection I tend to be cautious and so I decided to test my new addons via a Sandboxed environment. It's a good thing I did otherwise I could have had some problems down the road.

All of the above mentioned were flagged by Ad-aware as being infected with something called Trojan.win32.Generic.pak!cobra. I don't know what that is but I wasn't willing to take chances. Well, needless to say I was totally disgusted, I mean just imagine if I had integrated those addons into my slipstreamed Windows XP Pro disc. I would have been wondering why I kept getting infections although I was being super careful and then maybe reformatting and having the same issue happen again and again. Thus, never realizing that the culprit was the slipstreamed OS disc itself.

I am in no way trying to defame ryanvm.com or any of the other persons that contribute to that site. As a matter of fact I think the culprit as far as the infected addons is due to the website where the addons were created which is http://www.isoft-online.com/ which is an SFX online creation site. That website has a very bad reputation from WOT and maybe from Norton too but unfortunately since upgrading to the new Firefox browser my Norton tools don't work within the browser.

I just want people to be VERY cautious and test their downloads in a controlled environment like Sandboxie etc. otherwise you could live to regret it over and over and over again. I for one will continue to test any and all addons that I haven't made myself. As for everyone else please use your own judgement.

P.S. The Firefox addon v716 maker had something called a Trojan dropper so now I'm back at the drawing board. (Don't have pics as I was so disgusted yet again that I deleted everything.)

Just in case someone is interested in using SFXMaker 1.2 I found this

My link

Attached screenshots: Firefox70b6_elite_Addon1.jpg, firefox70b6_elite_Addon2.jpg, Firefox602F_elite_Addon1.jpg, Firefox602F_elite_Addon2.jpg, isoft-onlinecom-Virus2.jpg, isoft-online-virus_userratings3.jpg, isoft-online-virus_userratings4.jpg

Edited by lapetite66


I stopped as soon as I saw Norton. Uninstall it, run SymNRT, and install a real antivirus like Microsoft Security Essentials.

Also, did you try VirusTotal and see what it had to say?

Hi Tarun:

Norton is not the anti-virus software that notified me of the problem it was Ad-aware Internet security. See my Posted 24 September 2011 - 02:32 PM.

Today I used Virus Total; here are the results: Virus Total Results

I will guess that Ad-aware was wrong and that this was a false positive. As I said before I wasn't trying to defame anyone I was just going by what results that I got from Ad-aware. I still feel that it's better to be safe than sorry as well as using your own judgement.

Thanks,

Edited by lapetite66
And WHAT if Vipre :w00t: is actually right? :ph34r:

jaclaz

Hey jaclaz:

Are you playing Devil's advocate? :)

Well, then it's a good thing I did test those files Sandboxed. Honestly, after getting the message from Ad-aware I deleted all of the files tout-de-suite. The file I tested today was something I just downloaded for that specific purpose and have since deleted.

Yep :), just kidding. ;)

jaclaz

Hey jaclaz:

Well, I got the same alert again from Ad-aware with that file I downloaded for testing....so I just stick to making my own CAB files of software I like and want. I've had some success and some failures and those software files that I can't figure out how to make CAB files successfully for, I will just have to install the old fashioned way.

Later, :)


  • 2 months later...

Hello there,

I see this topic a little too late, but I have a word to say here too, as I am the developer of SFXMaker and www.isoft-online.com.

First of all, SFXMaker is developed using AutoIt. Some crappy "protection" applications (Ad-Aware is one of them) always see au3 compiled executables as "malicious software". Secondly, the executable and some plugins that SFXMaker uses are UPXed, which is also known to cause some false positives, again, for these crappy protection apps. Isn't it weird that top rated protection applications (BitDefender, Kaspersky, Nod32, etc.) didn't find anything? Think again.

Also, there were users that reported that the sfx module (the old one) that SFXMaker is using for creating the self-extracting executables was the cause of these findings. I'm 110% sure that there's nothing wrong with it and I'm not blaming anyone, only these crappy protection apps.

You're showing us screenshots with the *.ini entries of an nLite addon created by SFXMaker, but do you know by any chance what that means and how it works? Presuming that something is bad is not enough.

You know, I feel like a bastard right now. I'm creating an application and sharing it with you (for free) to make things easier for the community and then people like you come and blame my work, with no apparent strong arguments and no pre-documentation. But what can we do, things aren't always fair in life.

I wish you a nice day, apologies are accepted in advance, just in case :)

Come on, don't take this too seriously :).

Things like this happen every other day, I don't think there is any malice in the OP "general warning", some peeps tend to trust this kind of apps more than they are worth or - if you prefer are a little over-sensitive to these false alarms/overcautious, just as examples ;):

http://www.911cd.net/forums//index.php?showtopic=23931&st=361

I think it is part of the game (being suspected of hiding heaven only knows which malicious code within a freeware app), nothing to become upset for.

Continue the good work... :thumbup

jaclaz
