Downloading genuine software
Published September 13, 2011
Recently, during a conversation, I was asked what could be done to help a Windows 7 computer that had slowed to a crawl. The computer in question wasn't at hand, so I suggested downloading, installing, and running Malwarebytes to check the system for spyware or malware.
After our discussion it occurred to me that whenever I recommend a software title, the person goes home, searches for it, and downloads and installs whatever they find. But what if there are fake versions of that title out there that would harm a system rather than help it? How could I ensure that they download only the genuine copy? At the time of our discussion I didn't have the website on hand, so I couldn't point them to a direct URL. And even if I had, they would have had to write it down or try to remember it. In fact, for some titles I would have to look up the URL myself, or refer to a bookmark if I already had one.
If you search for a software title, the first set of results usually contains the real website of the project or vendor that releases it. But there are usually other results below it that are additional distribution points for the same title. So what would prevent somebody from posting an infected installer and making users think it is genuine? I am sure there are legal actions that can force the removal of fake or malicious versions of known software titles, but that requires constant policing of products and of the sites where they are posted. Some are bound to slip through the cracks.
First, I should probably only email URLs to people rather than verbally telling them to go and download a certain software title. Second, I should only send recognized URLs from reliable download sources. For instance, I would put my trust in the CNet Download Center, where a lot of Windows software can be found. Maybe I'm being paranoid, but I would feel quite bad if I recommended a software title and the user downloaded a fake version and loaded their system with malware instead.
For those who use a major GNU/Linux distribution, validating software is generally not a problem, because all software installed from the distribution is channeled through that distribution's repository. Adding a software title to a GNU/Linux PC usually means installing it with the software installer that ships with the distribution itself. Rarely does a user need to go outside the distribution (at least with the larger ones, such as Fedora, Red Hat, or Ubuntu) to obtain an outside package. If they did, a similar problem would arise: they would need a way to verify that the package is genuine. With open source software, I've typically been able to find it on SourceForge.
I would be glad to hear about methods that others use for verifying software in Windows, to ensure it is genuine.
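One concrete way to act on the question above, as an added example that is not part of the original post: a small Python checker that confirms a downloaded installer came from the vendor's own domain (rejecting look-alike hosts such as the one discussed in the comments) and that its SHA-256 matches the value the vendor publishes beside the download link. The vendor domain, the URLs and the installer bytes are assumed or constructed here, not taken from the post.

```python
import hashlib
import hmac
import tempfile
from urllib.parse import urlparse

# Assumed example vendor domain; the published hash would be copied from the
# vendor's own download page, never from the mirror that served the file.
VENDOR_DOMAIN = "videolan.org"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly large) installer in chunks so it never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def matches_published_hash(actual_hex: str, published_hex: str) -> bool:
    """Compare against the hash copied from the vendor's page, tolerating case and whitespace."""
    actual = actual_hex.strip().lower()
    published = published_hex.strip().lower()
    # A truncated or malformed published value must fail, not silently match a prefix.
    return len(published) == 64 and hmac.compare_digest(actual, published)


def is_vendor_host(url: str, vendor_domain: str) -> bool:
    """True only for the vendor's domain or one of its subdomains; look-alikes are rejected."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == vendor_domain or host.endswith("." + vendor_domain)


def verify_download(path: str, url: str, published_hex: str, vendor_domain: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not is_vendor_host(url, vendor_domain):
        findings.append(f"downloaded from {urlparse(url).hostname!r}, not {vendor_domain}")
    if not matches_published_hash(sha256_of_file(path), published_hex):
        findings.append("SHA-256 does not match the published value")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for an installer; its "published" hash is derived from the same bytes.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"constructed installer bytes")
    good = hashlib.sha256(b"constructed installer bytes").hexdigest()
    print(verify_download(tmp.name, "https://www.videolan.org/vlc/", good, VENDOR_DOMAIN))  # []
    print(verify_download(tmp.name, "http://vlcplayer.downloadster.org/", good, VENDOR_DOMAIN))
```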
Comments:
Chris_Clay Sep 14, 2011
adamjarvis: Actually the whole VLC situation is what prompted me to think more about this issue, and post this in the first place. I am sure there must be many other software titles that have similar issues to this. Especially open source products (mostly for Windows since it's the main target of attack), because they may not have the legal foundation to try and get the fake software removed from sites. It's amazing how people are very trusting (or possibly unaware of the security risks) when it comes to downloading and installing software, even ROMs like you mentioned.
adamjarvis Sep 14, 2011
@apexwm It's certainly the case you have to be careful searching Google for legitimate free software. A case in point is VLC Player for Windows: if you search Google for 'vlc', the top result returns an ad for Vlcplayer / vlcplayer.downloadster.org. (NB: don't download from here!) The second result is for the genuine 'VLC Player', www.videolan.org/vlc/ - Official page for VLC media player, the Open Source video framework! The first result is an ad which contains a download to a modified version of 'Vlcplayer', which states it contains adware, beneath the download button. As a novice, it would be very difficult to distinguish the real from the fake - most would opt for the top result. Google really needs to police/distinguish their ads better. What I find incredible is the number of people that have downloaded Android ROMs for their mobile, to upgrade to Android 2.2 or Android 2.3, with little regard for the source of the Android software they are installing, where the security consequences of using such software are far more dangerous, if you were to use this as your business phone etc. It seems common to buy an Orange San Francisco and flash the ROM; it's even recommended by theregister.
AndyPagin-3879e Sep 14, 2011
"I'm not sure if there's a direct mechanism in place there to prevent it." Yeah, you need to apply a bit of common sense. I only install from sources that seem reasonably safe, such as recognisable UK based university IT departments.
Chris_Clay Sep 14, 2011
AndyPagin: Thanks for the additional info. That site is a tremendous help for locating RPM packages, and for looking at package dependencies. But since this site contains third-party packages, I am guessing that there is a potential issue of packages being submitted that could contain malicious code, even though it seems that the packager/submitter is tracked, but I'm not sure if there's a direct mechanism in place there to prevent it. Hmm.
AndyPagin-3879e Sep 14, 2011
rpm.pbone.net is another good source for Linux apps.