Downloading genuine software

Published September 13, 2011

Recently, during a conversation, I was asked what can be done to help a Windows 7 computer that is slowing to a crawl. The computer in question wasn't at hand at the time, so I suggested downloading, installing, and running Malwarebytes to check the system for any potential spyware or malware.

After our discussion it occurred to me that whenever I recommend a certain software title, people go home, search for it, and download and install whatever they find. But what if there are fake versions of that software title out there that would actually harm a system rather than help it? How could I ensure that they download only the genuine copy? At the time of our discussion I didn't have the website on hand, so I couldn't refer them to a direct URL. And even if I had, they would have had to write it down or try to remember it. In fact, for some titles I would have to look up the URL myself, or refer to a bookmark if I already had one.

If you search for a software title, the first set of results usually contains the real website that releases the title. But there are usually other results below it that are additional distribution points for the same title. So what would prevent somebody from posting an infected installer and making users think it is genuine? I am sure there are legal actions that can force the removal of fake or malicious versions of known software titles, but that requires constant policing of products and of the sites where they are posted. Some have to slip through the cracks.

First, I should probably only email URLs to people, rather than verbally telling them to go and download a certain software title. Second, I should only send recognized URLs from reliable download sources. For instance, I would put my trust in the CNet Download Center, where a lot of Windows software can be found. Maybe I'm being paranoid, but I would feel quite bad if I recommended a software title and the user downloaded a fake version and loaded their system with malware instead.

For those who use a copy of a major GNU/Linux distribution, validating software is generally not a problem, because all software installed from a distribution is channeled through that distribution's repository. So adding a software title to a GNU/Linux PC usually involves installing it with the software installer that comes with the distribution itself. Rarely does a user need to go outside the distribution (if one of the larger ones is used, like Fedora, Red Hat, Ubuntu, etc.) to obtain an outside package. If they did, a similar problem could occur, where they would need a way to verify that the package is genuine. With open source software, I've typically been able to find it on Sourceforge.

I would be glad to hear about methods that others use for verifying software in Windows, to ensure it is genuine.
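One Windows-side method, added here as an example and not part of the original post: before running a downloaded installer, check that its Authenticode signature is valid and belongs to the publisher you expect, and that its SHA-256 hash matches the one published on the vendor's official page. The installer path, publisher name and expected hash below are placeholders you would replace with the real values.

```powershell
# Added example (not from the original post): verify a downloaded Windows installer
# before running it. Check 1: the Authenticode signature is valid and the signer is
# the vendor you expect. Check 2: the SHA-256 hash matches the value the vendor
# publishes on its official site. All three parameter defaults are assumptions.
param(
    [string]$InstallerPath  = 'C:\Users\Me\Downloads\example-setup.exe',     # assumed path
    [string]$ExpectedSigner = 'CN=Example Vendor Inc',                       # assumed subject
    [string]$ExpectedSha256 = '<hash copied from the vendor download page>'  # placeholder
)

# Check 1a: is the file signed, and does the signature chain to a trusted root?
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
    Write-Warning "Do not run this installer."
    exit 1
}

# Check 1b: a valid signature only proves *someone* signed it. Confirm the
# certificate subject names the vendor you actually intended to download from.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSigner*") {
    Write-Warning "Signed, but by an unexpected publisher: $subject"
    exit 1
}
Write-Host "Signed by: $subject"

# Check 2: compare the file hash with the one published on the official site.
# Get-FileHash returns uppercase hex, so normalise the expected value to match.
$actual = (Get-FileHash -Algorithm SHA256 -Path $InstallerPath).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
    exit 1
}
Write-Host "Hash matches the published value. Installer appears genuine."
```

Get-FileHash requires PowerShell 4 or later; on older systems the hash can be computed with certutil -hashfile instead. Neither check helps if the "expected" values themselves were copied from the same untrusted download page, so take them from the vendor's own site.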


Comments:

Chris_Clay Sep 14, 2011

adamjarvis : Actually the whole VLC situation is what prompted me to think more about this issue, and post this in the first place. I am sure there must be many other software titles that have similar issues to this. Especially open source products (mostly for Windows since it's the main target of attack), because they may not have the legal foundation to try and get the fake software removed from sites. It's amazing how people are very trusting (or possibly unaware of the security risks) when it comes to downloading and installing software, even ROMS like you mentioned.

adamjarvis Sep 14, 2011

@apexwm It's certainly the case you have to be careful searching Google for legitimate free software. A case in point is VLC Player for Windows: if you search Google for 'vlc', the top result returns an ad for Vlcplayer / vlcplayer.downloadster.org. (NB. don't download from here!) The second result is for the genuine 'VLC Player' www.videolan.org/vlc/ - Official page for VLC media player, the Open Source video framework! The first result is an ad which contains a download to a modified version of 'Vlcplayer', which states it contains adware, beneath the download button. As a novice, it would be very difficult to distinguish the real from the fake - most would opt for the top result. Google really needs to police/distinguish their ads better. What I find incredible is the number of people that have downloaded Android roms for their mobile, to upgrade to Android 2.2 or Android 2.3, with little regard for the source of the Android software they are installing, where the security consequences of using such software are far more dangerous, if you were to use this as your business phone etc. It seems common to buy an Orange San Francisco and flash the rom; it's even recommended by theregister.

AndyPagin-3879e Sep 14, 2011

"I'm not sure if there's a direct mechanism in place there to prevent it." Yeah, you need to apply a bit of common sense. I only install from sources that seem reasonably safe, such as recognisable UK based university IT departments.

Chris_Clay Sep 14, 2011

AndyPagin : Thanks for the additional info. That site is a tremendous help for locating RPM packages, and for looking at package dependencies. But since this site contains 3rd party packages, I am guessing that there is a potential issue of packages being submitted that could contain malicious code, even though it seems that the packager/submitter is tracked, but I'm not sure if there's a direct mechanism in place there to prevent it. Hmm.

AndyPagin-3879e Sep 14, 2011

rpm.pbone.net is another good source for Linux apps.