23 April 21, 08:59
Quote:
If a program costs something on a trusted site but is free somewhere else, there’s something suspicious going on
Have you ever downloaded a program you needed, only to realize that it’s actually something else? And then had your antivirus software flag it? It can be confusing and upsetting to fall for a deceptive installer — and the Avast Threat Labs can help you learn how to avoid them.
When you fall for a deceptive installer, you get malware or software you didn’t expect, instead of what you thought you were getting. Fortunately, in addition to the protections that Avast provides you, there are ways you can spot deceptive installers and prevent this from happening altogether. Here are tips from our researchers based on what we’ve seen.
Let’s walk through the process with this example of a game that’s available on a well-known, global gaming site for three Euro (a little over three dollars).
However, if you go to an unofficial download site, they’re offering you that same game for free, as shown below. This should be your first clue that there is something fishy on this download portal: as a rule, if a game or program costs something on a well-known, trusted site but is free somewhere else, it’s likely not really free. There’s something suspicious going on.
In this example, if you click on the download button you’re taken to a download page, like below, with the game in question (along with other games) available for “free” download.
Here comes another clue to help you spot fakes: the file names of the downloads follow a pattern of: <name_of_the_program>_number.exe.
It’s highly unusual for legitimate games or programs to use filenames like this. Specifically, most legitimate games or programs won’t have “_number” in their file names.
In fact, when we looked at all the files on this page:
DeathSpank_03761.exe
Death Inc._20157.exe
Pimp My Car GTA San Andreas_86021.exe
GTA IV Parche_30429.exe
Death and the Fly_72819.exe
Death From Above_52193.exe
We found that they were all actually the same file by using a tool to digitally check the actual file contents. This tool generates a “hash” which is essentially a fingerprint of the file and, as you can see below, all of these files have the same hash. The only thing different is the file name.
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *DeathSpank_03761.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._25601.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death Inc._20157.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Pimp My Car GTA San Andreas_86021.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *GTA IV Parche_30429.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death and the Fly_72819.exe
d1d6ae7b9db5d9981f47f089bf4f1faeddf9a9777847adfcd3f7de4f86067c48 *Death From Above_52193.exe
The files that claim to be the game that you’re interested in are actually only a small part of the installer. When you run the installer it:
- Looks at its filename, like DeathSpank_03761.exe.
- Extracts the last number (03761) and sends it to the server along with some information about the computer.
- The server then looks up the number in its database and sends back a download link to you along with offers to install more software.
- The installer runs, using various techniques to convince you to install additional software (that you didn’t know you’d be getting).
- In the end, the installer only shows a link to a questionable site, and will not install what you expected.
Here’s what you see as that process unfolds.
Step 1: The installer starts to run and shows a generic message because it doesn’t have information yet on what it’s going to install. Also note that this was a Spanish-language download page, but the installer is in English. This is another tip that something suspicious is going on, since the installer doesn’t match the language of the page.
...
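The two checks the quoted article describes, the `<name_of_the_program>_number.exe` filename pattern and the SHA-256 "fingerprint" comparison that showed every download on the page to be the same file, can be automated over a download folder. The script below is an added example written for this post; it is not Avast's tool and contains no bytes from the real installer. The directory and its file contents are constructed stand-ins (the real files would of course hash to the value shown in the article, not to the constructed hashes here), and the `SUSPICIOUS_NAME` regex and all function names are this example's own.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Heuristic from the article: legitimate installers rarely end in "_<digits>.exe".
# The trailing number is what the downloader stub sends to its server.
SUSPICIOUS_NAME = re.compile(r"^(?P<name>.+)_(?P<number>\d+)\.exe$", re.IGNORECASE)


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 (same fingerprint sha256sum prints)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def flag_suspicious_names(filenames):
    """Return {filename: trailing number} for names matching the pattern."""
    hits = {}
    for name in filenames:
        m = SUSPICIOUS_NAME.match(name)
        if m:
            hits[name] = m.group("number")
    return hits


def group_by_hash(directory):
    """Map each SHA-256 digest to the list of filenames that have it."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            groups[sha256_of_file(path)].append(name)
    return dict(groups)


def duplicate_groups(directory):
    """Only the digests shared by two or more differently named files."""
    return {h: names for h, names in group_by_hash(directory).items() if len(names) > 1}


def sha256sum_lines(directory):
    """Render the listing in the '<hash> *<name>' style shown in the article."""
    return [f"{h} *{name}" for h, names in group_by_hash(directory).items() for name in names]


def build_sample_directory():
    """Constructed sample directory mimicking the download page's file names."""
    d = tempfile.mkdtemp(prefix="installers_")
    # Constructed placeholder content, NOT the real installer bytes.
    same_stub = b"constructed stand-in for a generic downloader stub\n"
    for name in ["DeathSpank_03761.exe", "Death Inc._20157.exe", "GTA IV Parche_30429.exe"]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(same_stub)
    # One unrelated file so the grouping has something to separate.
    with open(os.path.join(d, "setup.exe"), "wb") as f:
        f.write(b"constructed stand-in for a different, unrelated file\n")
    return d


if __name__ == "__main__":
    folder = build_sample_directory()
    print("Names matching the _<number>.exe pattern:")
    for name, number in flag_suspicious_names(os.listdir(folder)).items():
        print(f"  {name}  (number sent to server: {number})")
    print("Files that are byte-for-byte identical despite different names:")
    for digest, names in duplicate_groups(folder).items():
        print(f"  {digest[:16]}...  ->  {', '.join(names)}")
    for line in sha256sum_lines(folder):
        print(line)
```

Run on a real downloads folder, point `group_by_hash` at that folder instead of the constructed one; one digest shared by several differently named "games" is the tell the article describes, and a match on the name pattern is reason to check the hash before running anything.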