Imitation Softpedia Site Offers Up A PUP

You may well be familiar with Softpedia, which is a huge library of downloadable software and breaking news stories. We recently noticed a Softpedia mention on a Facebook post, except something didn’t look quite right with the URL:

Hawker pictures

The URL in question is

s0ftpedia(dot)pw

and they’ve replaced the letter “o” with a zero (just in case it isn’t clear from the formatting).

The site has a dead frontpage and an “under construction” message:

Under construction

Elsewhere, however, things are a little more interesting:

Downloads...and shoes

Many of the links on the page redirect to 403: forbidden messages on another URL. The main download offered in the above screenshot is live at time of writing, though:

The file is a PUP (potentially unwanted program) currently pegged at 11 / 53 on VirusTotal, and users of Malwarebytes Anti-Malware will find we detect it as PUP.Optional.Amonetize. The VirusTotal page lists some of the names the file has gone by:

CSGO Multihack September 14.exe__3038_i1336425480_il907688.exe
pumps theory design and applications__3516_i1336463687_il915800.exe
file-7497235_exe
csieda 5.4 crack__3038_i1336278996_il877527.exe
Launcher.exe
felix the cat desktop buddy__3515_i1336603348_il943112.exe
setup.exe
c exe decompiler__3515_i1336154130_il849859.exe
sysprep windows 2003__3516_i1336521661_il927032.exe

Running the file opens up a EULA for InstallPath File Manager, which leads to various yes / no install options for IstartSurf, OffersWizard and Plus HD (if you’re in “expert mode” – otherwise it’ll just assume you want everything by default). There’s also one final screen for Wajam.

In testing, it gave an “install complete” message but no trace of the above programs could be found. It’s possible that the installer is broken or somebody already switched off the download / distribution channel.

According to Whois data, the site – which is privacy protected – was created on the 12th of September 2014. Unfortunately for whoever made it, Softpedia has just had a major redesign and so the imitation is already looking outdated.

This won’t help everybody who may visit, but at the very least people familiar with Softpedia and the new look will hear alarm bells ringing sooner rather than later. Although the site creator hit typo paydirt by switching the letter o for the number zero – look how close together they are on the keyboard! – it might be tricky to sell .pw instead of .com as the “real” Softpedia URL.

Another one for the “May help to catch an unsuspecting newcomer but probably won’t work on a Softpedia fan” pile, then. We have of course notified Softpedia about the site in question, and they’re already aware of it.

Always remember that one misplaced letter in a URL bar can have unforeseen consequences, and be particularly careful when asked to enter personal information or download executable files. You don’t always get a second chance, and there are worse things lurking at the other end of a fingers / keyboard failure than a PUP. Kaspersky talked about typo malware back in March, and here’s our own Jovi Umawing highlighting what can go wrong when trying to reach your bank online.
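For anyone screening links in proxy logs, mail or social posts, the zero-for-"o" swap and the .pw-for-.com swap described above can both be caught mechanically. The following is an added example, not code from the original post: the watch list, the substitution table and the function names are assumptions, and treating the last two labels as the registered domain is a simplification that ignores suffixes such as co.uk.

```python
# Added example: the watch list, swap table and names are assumptions.
PROTECTED = {"softpedia.com"}  # brands to watch (two-label domains)

# Digit-for-letter swaps often seen in lookalike names (constructed table).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, protected=PROTECTED):
    """Return (verdict, matched_brand) for a hostname, defanged or not."""
    host = host.lower().replace("(dot)", ".").replace("[.]", ".").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", None)
    # Simplification: treat the last two labels as the registered domain.
    name, tld = labels[-2], labels[-1]
    if f"{name}.{tld}" in protected:
        return ("legitimate", f"{name}.{tld}")
    for brand in sorted(protected):
        brand_name = brand.split(".")[0]
        if name == brand_name:
            return ("tld-swap", brand)       # right name, different TLD
        if name.translate(SWAPS) == brand_name:
            return ("char-swap", brand)      # e.g. zero typed for "o"
        if edit_distance(name, brand_name) == 1:
            return ("near-miss", brand)      # one insert, delete or replace
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hosts; the first is the one from this post.
    for h in ["s0ftpedia(dot)pw", "www.softpedia.com", "softpedia.pw",
              "s0ftp3dia.com", "softpeda.com", "example.org"]:
        print(f"{h:20} {classify(h)}")
```

The character-swap check runs before the edit-distance check so that names with several substitutions, which sit more than one edit away from the brand, are still flagged.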

Safe typing!

Christopher Boyd
