I have been warned about a potentially malicious website which was distributing AdwCleaner in a archive, along with other software. I was quite intrigued so I decided to take a look.
The website is Russian, with a pretty nice interface (using the Joomla! CMS):
Below the catchphrases, some explanations and screenshots seem to be copied from BleepingComputer quite a long time ago.
A quick look at the Whois records gives additional details about the domain registration:
domain: <redacted>.RU nserver: ns1.first-ns.de. nserver: robotns2.second-ns.de. nserver: robotns3.second-ns.com. state: REGISTERED, DELEGATED, UNVERIFIED person: Private Person registrar: REGTIME-RU admin-contact: https://whois.webnames.ru created: 2015.01.03 paid-till: 2017.01.03 free-date: 2017.02.03 source: TCI
The associated IP is hosted by Hetzner.de.
According to AlexaRank, the website popularity has nearly doubled since July 2016 (although the domain exists since 2015), especially within Russia, Ukraine and Belarus.
The server seems to be a running on CentOS with Apache/2.2.15 with more than a dozen of services are publicly exposed including a MySQL server, a FTP, and a unauthenticated SMTP (which really likes to speak Telnet on the port 25...). Finally, the web content is only reachable in HTTP.
Nothing really unexpected for now, so let's take a look to the hosted archive adwcleaner.zip.
- adwcleaner.zip: Zip archive data, at least v2.0 to extract
- Weights 3,7M
- Contains three files:
- adguardInstaller.exe: PE32 executable (GUI) Intel 80386, for MS Windows
- adwcleaner_v6.010.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Порядок установки.txt: ISO-8859 text, with CRLF line terminators
The text file Порядок установки.txt ("Installation procedure" in English) contains the following simple instructions (in Russian in the original file):
1) Before starting adwcleaner mandatory set adguardInstaller.exe (antibanner, anti-phishing, parental control, web filter software to block ads, surf the Internet without advertising)
2) Launch the adwcleaner
- adwcleaner_v6.010.exe is digitally signed by Digicert for ToolsLib as it is on the official download page. A VirusTotal analysis confirms it. The SHA256 checksum is the same as the one on ToolsLib.
- adguardInstaller.exe is also digitally signed by Verisign for Performix LLC but with a expired certificate SHA1 certificate since 09/02/2016 (60536A58CEE12B00FF2A147B3117C59F8640FB26).
The Installer seems buggy and asks to download the updated setup from a legit website. Nothing else is changed in the system. VirusTotal doesn't show any detections on this file.
The website itself uses AdwCleaner name to provide a zip archive containing two software, AdGuard and AdwCleaner. Hopefully, both of them are digitally signed and they do not appear to be modified compared to the legit download sources. The website serves its content through HTTP only, and doesn't provide any way to check the downloaded archive integrity and authenticity. Thus, it doesn't serve the user seeking to get AdwCleaner from trustworthy sources.
As a remind, to be sure you get the original AdwCleaner:
- Check if it is digitally signed,
- Check for the SHA256 checksum from the download page on ToolsLib,
- Be sure to download the file while browsing with HTTPS.
We've used the fake website email to fix the situation and we hope to get an answer soon. This blogpost may be updated depending on the answer we'll receive.