
[badware] Bundled software on lots of unofficial sites #3060

Closed
stonecrusher opened this issue Jul 28, 2018 · 12 comments

Comments

@stonecrusher

Inspired by
https://twitter.com/JusticeRage/status/1021815597972291591

All from the same scammer:

URL(s) where the issue occurs

http://7zip.fr
http://appdownloads.co
http://audacity.es
http://audacity.fr
http://azureus.es
http://bluestacksdownloads.com
http://celestia.es
http://celestia.fr
http://clonezilla.es
http://clonezilla.fr
http://cloudwayapps.com
http://garagebandforpc.org
http://gimp.es
http://gparted.fr
http://greenshot.fr
http://handbrake.es
http://inkscape.es
http://inkscape.fr
http://keepass.com
http://keepass.fr
http://nc3354.nexylan.net
http://notepad2.com
http://paintnet.es
http://paintnet.fr
http://scribus.fr
http://stellarium.fr
http://thunderbird.es
http://unetbootin.net
http://unetbootin.org

Describe the issue

The old trick:

  • Grab a good domain
  • Make it look official
  • Offer a PUP download manager instead of the clean installer

Notes

I checked every single one manually with at least one download (Windows x64 installer) and it always points to the same download manager (just with different filenames but the same hash):


https://www.virustotal.com/#/file/a5616985e92ca7c1df3b132d2da2ef33c64f38ba2dca40445017037473d7d014/detection

===============
Remaining items from the list:

http://nc3354.nexylan.net
Nothing

http://cloudwayapps.com
Clothes shop, no downloads

http://audacity.es
http://audacity.fr
downloaded files look clean, but not latest version

Download server mostly is http://www.femmfa-gis.com/ so maybe block that too.
https://www.virustotal.com/#/url/b5a4709f12b139aa77ac3a34ee6d4a7f6c107f0f3c5b811fc9a77a6d780ae616/detection

@Hrxn

Hrxn commented Jul 28, 2018

Hmm.. and what do you propose?

Adding every single domain out there serving malware into the list?

@stonecrusher
Author

That's the purpose of the badware risks list, isn't it?
The domains are not random but clearly deceiving.
It's not very different from the attempt to block "every single ad out there", just that ads aren't as bad as scam sites.

@Hrxn

Hrxn commented Jul 29, 2018

Yes and No. These domains are used for deception, true, but that is not my point. Because if you want to go "gotta block 'em all" here, you are in for an endless game of whack-a-mole.
So far uBO's Badware list has been put to good use in combating something else, and far more problematic, if you'd ask me: Abusive or scam-like behaviour ("PUP", etc.) done by major sites like Sourceforge with their side-loading installers, and CNET's Download.com and so on. Because those are big names, and the hypothetical unsuspecting user might come to the conclusion that big names also mean reputable names, which is obviously not true, unfortunately.

[..] the attempt to block "every single ad out there" [..]

If you think that's what happening, you've clearly not been paying attention. Because this very repository here, on which we are exchanging our commentary, is testament to the fact that this is a never-ending effort, only made possible by the work of numerous volunteers. Without this circumstance pretty much nothing would be blocked at all. The only thing that can be done (until some fundamental change happens to the underlying standards and technology that make the Web) is resorting to a bit more radical measures like blocking third-party JS in general, which has the unfortunate consequence of risking site breakage. But you have to take some bullet here, either one way or the other.

I know, the WWW was a mistake. Not really. Although it has more than just a kernel of truth.

@stonecrusher
Author

you are in for an endless game of whack-a-mole [...] never-ending effort

That's what we do and all the other filter lists that have specific filters. I'm one of the volunteers you called out, no?

far more problematic

I get the idea that you think it's another category because of the difference between collective download sites and single scam sites. As those domains imho are still worth blocking, should I open a request for a new filterlist?

I'd just add it to "badware risks". What's the downside of adding those?

It can help ruining and spreading those sites by not making them successful and protecting users.
And actually I didn't come across too many of those sites so far and I don't think it's as endless and dynamic as you think. I'm here for maintenance if you fear that.

@uBlock-user
Contributor

As long as they're not random domains and display a webpage when browsed to, they should get added.

@stonecrusher
Author

My proposal:

! https://github.com/uBlockOrigin/uAssets/issues/3060
! https://www.virustotal.com/#/file/a5616985e92ca7c1df3b132d2da2ef33c64f38ba2dca40445017037473d7d014/detection
||7zip.fr^$document
||appdownloads.co^$document
||azureus.es^$document
||bluestacksdownloads.com^$document
||celestia.es^$document
||celestia.fr^$document
||clonezilla.es^$document
||clonezilla.fr^$document
||garagebandforpc.org^$document
||gimp.es^$document
||gparted.fr^$document
||greenshot.fr^$document
||handbrake.es^$document
||inkscape.es^$document
||inkscape.fr^$document
||keepass.com^$document
||keepass.fr^$document
||notepad2.com^$document
||paintnet.es^$document
||paintnet.fr^$document
||scribus.fr^$document
||stellarium.fr^$document
||thunderbird.es^$document
||unetbootin.net^$document
||unetbootin.org^$document

By the way, I think using # or ! for comments should be consistent, but that's another discussion (similarity of ! and | but lines beginning with # used for cosmetic filters)

@okiehsch
Contributor

collective downloadsites and single scam sites. As those domains imho are still worth blocking, should I open a request for a new filterlist?

The badware-list already includes websites that use legitimate-looking domain names to trick victims into downloading popular software and by doing so possibly "infecting" the user with adware.

@krystian3w
Contributor

adwcleaner.pl - fan mirror; We don't know if he'll ever stick something to an EXE file.

@AlainRnet

AlainRnet commented Feb 29, 2020

Hi.
How to remove http://scribus.fr from uBlock filters – Badware risks please?

@stonecrusher
Author

@AlainRnet It's an unofficial site that served malware / PUPs in the past. However they changed the shipping of the files to go through cdndownloadpr.com which is also known for spreading PUPs.

Go to the official site https://www.scribus.net/downloads/

@krystian3w
Contributor

krystian3w commented Feb 29, 2020

@AlainRnet

try:

||scribus.fr^$document,badfilter


https://github.com/gorhill/uBlock/wiki/Dashboard:-My-filters

@AlainRnet

@stonecrusher: Thank you very much for that clarification. Since Scribus is already installed on my system, I had not noticed the passage by cdndownloadpr.com but I had however seen the clear mention that this is not the official site and the legal mentions appeared to me also sufficiently developed.
Thank you again.

@krystian3w : No need, I just clicked Disable strict domain blocking permanently
Thank you.
